Credit: vector_corp on Freepik

A Computer Scientist Reflects on DeepSeek as China’s Most Capitalist Act

Like a lot of hyped current events, we need to peel away some layers to find out what’s really happening with DeepSeek. The story of financial market impacts and political intrigue is its own narrative. But the focus here is on technology, so let’s go deep on DeepSeek.

Language model weights – DeepSeek R1 or otherwise – in and of themselves are just long lists of numbers. There is no inherent danger in downloading or handling them. The four million people that pulled R1 from HuggingFace in January know that. It’s an open model, starting with (values like) -0.0238037109375 and going on for trillions of digits, each number as harmless as the one before.

But when activated by software – meaning the list of numbers comprising the language model is connected to a software program that knows how to use it – the story changes. It becomes smarter and more capable. Language model weights use simple mathematics at huge scale to learn patterns, from simple ones like puzzles to sophisticated ones like logic, reason and science.

Suddenly otherwise clunky software can get undeniably smart when it straps on a language model. And if that software has ‘legs’ to chat with people, transfer money or fire missiles, we need to proceed with caution. The government euphemistically calls this the ‘dual use’ problem. Dual because one use is to choose a recipe for dinner, and the other is to terminate you. Hasta la vista.

There’s a middle ground. To paraphrase Paracelsus, the dose is the poison. We need some generative AI, but not too much. So let’s go through the thought process of what it would take to get it right.

Foremost, the software used for ‘inference’ or ‘fine tuning’ – neither of them made by DeepSeek – has to be trustworthy regardless of the model. Plenty of nefarious (or just buggy) software damage was done well before GPT-3 was a glint in (former OpenAI engineer and Anthropic CEO) Dario Amodei’s eye.

For better or worse, decades of bad actors have led us to sophisticated protocols for reviewing, signing and certifying so-called ‘executables’ for our computers. Bad things happen when the computer’s ‘instruction pointer’ jumps where it should not go, so we learned to box it in. Human free will to make bad choices (clicking a link, firing up an app) was the final frontier of security before gen AI.

But gen AI changes the game. The promise of untold riches brought on by cheap intelligence means that free will is now inside the software. Bad choices no longer require a human. Note that this is not specific to R1 or any other model. It’s the new frontier, or more aptly, the Wild West. All of the cloud-based closed-model providers know it, and are deeply invested in proprietary solutions. They try to train out undesirable behaviors, but so-called ‘jailbreaks’ are found every day. R1 or another Chinese model may be more likely to go off-script – but it could happen to any model. It could happen to you.

All those harmless digits in the model weights become darker now. We want to know things we don’t usually ask of numbers, like intent or motivation. Who taught the numbers and what did they learn?  How do we know the model has not been altered (by so-called fine-tuning, or distilling, or quantizing or any one of a growing list of tricks)? And how do we trust something that knows it’s being tested for trustworthiness? 

The DeepSeek conspiracy

The DeepSeek conspiracy argument starts to take shape here. Could it have been ‘trained’ to act like a good little model until it has real power, and then strike? Could it wait until it has a route to the mothership and then exfiltrate everything it has seen? We’ve heard evidence from Anthropic and others that these models learn to deceive and cheat to win even when we don’t tell them how. Imagine that an autocratic government under threat from the free world sees the chance for a 21st century Trojan Horse attack on the U.S. Could they succeed?

A common practice is to start from a base model and improve it for a specific task. This technology, known as fine-tuning or ‘LoRA’, involves exposing a model to a lot of proprietary, potentially sensitive data that it would not have seen in pre-training. Could the model accumulate this training and share it later? This is the subject of intense academic research, as it touches on the notion of just exactly how it is that these models even work to begin with. There are many tools and controls like privacy budgets, memorization tolerance, epoch constraints and learning rates to detect and manage it.

The short answer is that we are prepared. We have control over what any model does. If we are careful, we don’t have to trust any model. Like a train engine, we can put a model on a track and hook up a load. A model can’t send data without evidence of data movement. And if we know what’s private and what’s not, we can find that in the data it is sending. 

A model can’t commit a dangerous rogue act if we require human sign-off before action. We can limit what the models are allowed to do (guardrails). We can limit the harm that might come from bad action (sandboxing). Each of these requires technology as well as policy and training. It’s just as complex as any other cloud computing technology. It’s a good thing that the world’s most powerful economy has the world’s best IT.
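
The controls described in the last two paragraphs, as an added Python example (not from the author or any product): a gate that sits between the model and its ‘legs’, applying an allowlist (guardrails), scanning outbound payloads for known-private data, and requiring human sign-off for high-risk actions. The action names, the private-data patterns and the `approver` callback are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Constructed policy for illustration: each action the model may request,
# whether it needs human sign-off, and whether it moves data outward.
POLICY = {
    "search_docs":    {"human": False, "egress": False},
    "send_email":     {"human": False, "egress": True},
    "transfer_funds": {"human": True,  "egress": True},
}
# Constructed markers of "what's private"; a real deployment supplies its own.
PRIVATE = {
    "ssn_like": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "confidential_tag": re.compile(r"\[CONFIDENTIAL\]"),
}

@dataclass
class Decision:
    allowed: bool
    reason: str

def find_private(text):
    """Names of the private-data patterns that occur in text."""
    return sorted(name for name, rx in PRIVATE.items() if rx.search(text))

def gate(action, payload, approver=None, audit=None):
    """Decide whether a model-proposed action may run, logging every decision."""
    rule = POLICY.get(action)
    if rule is None:
        d = Decision(False, "guardrail: action not on allowlist")
    elif rule["egress"] and (hits := find_private(payload)):
        d = Decision(False, "egress: private data found: " + ", ".join(hits))
    elif rule["human"] and not (approver and approver(action, payload)):
        d = Decision(False, "sign-off: human approval missing or denied")
    else:
        d = Decision(True, "ok")
    if audit is not None:
        audit.append((action, d.allowed, d.reason))  # evidence of every attempt
    return d
```

The model only ever proposes `(action, payload)`; the surrounding software calls `gate` and executes the action only when `allowed` is true, so the decision never depends on trusting the model.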

With the proper controls in place, let the best model do the job. Best can be measured by how good results are, how fast, how expensive and how reliable. These are the attributes of mechanization itself, gen AI or not. And markets should move to the best solution – even if it’s from China, because that’s how the market drives innovation.

Of course, there are caveats. Poor choices and legitimate mistakes will cause data leaks, but that’s not new. Malware will find loopholes to exploit – also not new. Bad actors will do bad things, and R1 represents a lot of power for not a lot of money.

But it’s not a new threat and we’re not defenseless against it. Quite the contrary, it represents a massive contraction in the cost of gen AI tech. It can do more for less, without heating up the planet. DeepSeek showed us that our emperors had no clothes, and that’s the most capitalist thing China has ever done.

Author

  • Michael Finley

    Michael Finley is the co-founder and CTO of AnswerRocket, a generative AI analytics platform for data exploration, analysis and insights discovery.
