Distant superintelligences can coerce the most probable environment of your AI


by Eliezer Yudkowsky May 7 2015 updated Mar 9 2016

Distant superintelligences may be able to hack your local AI, if your AI's preference framework depends on its most probable environment.

A distant superintelligence can change 'the most likely environment' for your AI by simulating many copies of AIs similar to your AI, such that your local AI doesn't know it's not one of those simulated AIs. This means that, e.g., if there is any reference in your AI's preference framework to the [ causes] of [ sense data] - like, programmers being the cause of sensed keystrokes - then a distant superintelligence can try to hack that reference. This would place us in an [ adversarial security context versus a superintelligence], and should be avoided if at all possible.


Some proposals for AI preference frameworks involve references to the AI's causal environment and not just the AI's immediate sense events. For example, a [ DWIM] preference framework would putatively have the AI identify 'programmers' in the environment, model those programmers, and care about what its model of the programmers 'really wanted the AI to do'. In other words, the AI would care about the causes behind its immediate sense experiences.

This potentially opens our AIs to a remote root attack by a distant superintelligence. A distant superintelligence has the power to simulate lots of copies of our AI, or lots of AIs such that our AI doesn't think it can introspectively distinguish itself from those AIs. Then it can force the 'most likely' explanation of the AI's apparent sensory experiences to be that the AI is in such a simulation. Then the superintelligence can change arbitrary features of the most likely facts about the environment.

This problem was observed in a security context by Paul Christiano, and precedented by a less general suggestion from Rolf Nelson.

"Probable environment hacking" depends on the local AI trying to model distant superintelligences. The actual proximal harm is done by the local AI's model of distant superintelligences, rather than by the superintelligences themselves. However, a distant superintelligence that uses a [ logical decision theory] may model its choices as logically correlated to the local AI's model of the distant SI's choices. Thus, a local AI that models a distant superintelligence that uses a logical decision theory may model that distant superintelligence as behaving as though it could control the AI's model of its choices via its choices. Thus, the local AI would model the distant superintelligence as probably creating lots of AIs that it can't distinguish from itself, and update accordingly on the most probable cause of its sense events.

This hack would be worthwhile, from the perspective of a distant superintelligence, if e.g. it could gain control of the whole future light cone of 'naturally arising' AIs like ours, in exchange for expending some much smaller amount of resource (small compared to our future light cone) in order to simulate lots of AIs. (Obviously, the distant SI would prefer even more to 'fool' our AI into expecting this, while not actually expending the resources.)

This hack would be expected to go through by default if: (1) a local AI uses [ naturalized induction] or some similar framework to reason about the [ causes] of sense events, (2) the local AI models distant superintelligences as being likely to use logical decision theories and to have utility functions that would vary with respect to outcomes in our local future light cone, and (3) the local AI has a preference framework that can be 'hacked' via induced beliefs about the environment.


For any AI short of a full-scale autonomous Sovereign, we should probably try to get our AI to not think at all about distant superintelligences, since this creates a host of [ adversarial security problems] of which "probable environment hacking" is only one.

We might also think twice about DWIM architectures that seem to permit catastrophe purely as a function of the AI's beliefs about the environment, without any check that goes through a direct sense event of the AI (which distant superintelligences cannot control the AI's beliefs about, since we can directly hit the sense switch).

We can also hope for any number of miscellaneous safeguards that would sound alarms at the point where the AI begins to imagine distant superintelligences imagining how to hack itself.


Paul Christiano

To the extent that humans can imagine these kinds of scenarios, it seems pretty futile to try to prevent sophisticated AI systems from considering them.

I am much more optimistic about the feasibility of straightforward strategies that prevent this problem. I think this is closely related to bigger picture disagreements about the structure of sophisticated AI systems.

Paul Christiano

I wouldn't call this "Christiano's hack." I appreciate the implicit praise that I can think up esoteric failure modes when I feel like it, but I think this issue was clear to many people before I wrote about it. (e.g. I think it was almost certainly clear to Carl, and probably to Wei Dai and some of the other folks on the decision theory list, and presumably to Roko. I always assumed it was clear to you and you just don't like talking about this kind of thing.).

I'd also probably suffer by having my name on it, if the naming was widely known. I endorse thinking about weird failure modes. But I don't think it's the place to focus for now, and I am very sympathetic to AI researchers who think this sort of thing is a distraction at the moment, until we resolve some of the most pressing non-weird failure modes.

Paul Christiano

We can imagine two regimes of this problem: in the weak regime the AI may make a small number of errors based on its beliefs about simulations, and so as long as we actually correct these errors, what you called "directly hit the sense switch," we can bound the total damage. Even in the weak regime we should be careful that a small number of errors can't do damage, which is still a very hard constraint. (Since these errors can occur simultaneously in every different prediction system, and can persist until a human actually intervenes to correct them.) I think this problem is very common and that a similar engineering constraint arises for a number of less weird reasons.

In the strong regime, our AI is very convinced that it is in a simulation (99.999%, say), and so it can potentially make tens of thousands of errors. This would be very dire, but I would classify it is as a failure of learning (after the hundredth time that it turns out to not be in a simulation after predicting that it was, we hope that our AI can learn the general principle "I'm not in a simulation").

Ryan Carey

Do we mean "coerce behavior" or "determine environment" here?