Discussion

On Violations of LLM Review Policies

michaelbuckbee: Worth reading for the discussion of the LLM watermark technique alone.

bonoboTP: To be clear, as the article says, these authors were offered a choice and agreed to be on the "no LLMs allowed" policy.And detection was not done with some snake oil "AI detector" but by invisible prompt injection in the paper pdf, instructing LLMs to put TWO long phrases into the review. They then detected LLM use through checking if both phrases appear in the review.This did not detect grammar checks and touchups of an independently written review. The phrases would only get included if the reviewer fed the pdf to the LLM in clear violation to their chosen policy.> After a selection process, in which reviewers got to choose which policy they would like to operate under, they were assigned to either Policy A or Policy B. In the end, based on author demands and reviewer signups, the only reviewers who were assigned to Policy A (no LLMs) were those who explicitly selected “Policy A” or “I am okay with either [Policy] A or B.” To be clear, no reviewer who strongly preferred Policy B was assigned to Policy A.

mikkupikku: In that case, I hope these frauds have been banned for life.

hodgehog11: I was thinking this too, but I don't believe this is the case, and I feel like it would not be a good idea either.Most of these people are likely students; this should be a learning moment, but I don't think it is yet grounds for their entire academic career to be crippled by being unable to publish in a top-tier ML venue.

coldtea: Another 30-40% just didn't get caught because the reviewers also used LLM in their "reviews"

hodgehog11: I'm amazed that such a simple method of detection worked so flawlessly for so many people. This would not work for those who merely used LLMs to help pinpoint strengths and weaknesses in the paper; there are separate techniques to judge that. Instead, it only detects those who quite literally copied and pasted the LLM output as a review.It's incredible how so many people thought it was fair that their paper should be assessed by human reviewers alone, and yet would not extend the same courtesy to others.

everdrive: Generally speaking people have worse impulse control than they believe they do. Once you give a tool that does most of the work for you, very very few people will actually be able to use that tool in truly enriching ways. The majority of people (even the smart ones) will weaken over time and take shortcuts.

jacquesm: This is 'spam' all over again. Before spam every email was valuable and required some attention. It was a better version of paper mail in that it was faster and cheaper. But then the spam thing happened and suddenly being 'faster and cheaper' was no longer an advantage, it was a massive drawback. But by then there was no way back. I think LLMs will do the same with text in general. By making the production of text faster and cheaper the value of all text will diminish, quite probably to something very close to the energy value of the bits that carry the data.

mikkupikku: If this is tolerated, it sends exactly the wrong kind of message. The students, if they are, should be banned for life. Let them serve as an example for myriads of future students, this will be a better outcome in the long run.This didn't trip for people who were merely bouncing ideas off a LLM, they caught people who copy and pasted straight from their LLM.

harmf: agree

linkregister: It's not a fully consensus view, but a majority of sociologists agree that high severity deterrence has limited effectiveness against crime. Instead, certainty of enforcement is the most salient factor.

jsnell: I think you've misunderstood something. This is not about rejecting LLM-written articles. It is about rejecting the articles of people who used LLMs for their reviews.So your quip is just nonsensical.

coldtea: I think you've misunderstood something even more fundamental: HN links are often springboards for discussion based on their title alone :)

jacquesm: I keep spotting clear LLM 'tells' in text where I know the people on the other side believe they're 'getting away with it'. It is incredible at what levels of commerce people do this, and how they're prepared to risk their reputation by saving a few characters typed. It makes me wonder what they think they are getting paid for.

bonoboTP: I'm not surprised at all. The ML research community isn't a community any more, it's turned into a dog-eat-dog low-trust fierce competition. So much more people, papers, churn, that everyone is just fending for themselves. Any moment that you charitably spend on community service can be felt as a moment you take away from the next project, jeopardizing the next paper, getting scooped, delaying your graduation, your contract, your funding, your visa, your residence permit, your industry plans etc. It's a machine. I don't think people outside the phd system really understand the incentives involved. People are offered very little slack in this system. It's sink or swim, with very little instruction or scientific culture or integrity getting passed on. The PhD students see their supervisors cut corners all the time too, authorship bullshit jockeying even in big name labs etc. People I talked to are quite disillusioned, expect their work to have little impact and get superseded by a new better model in a few months so it's all about who can grind faster, who can twist the benchmarks into showing a minimal improvement etc. And the starry eyed novices get slapped by reality into thinking this way fairly early.To be clear this is not an excuse but an explanation why I am not surprised.

hodgehog11: That's an excellent point. It seems likely they thought they could operate as a proper reviewer, but when the deadline came, they took the shortcut they knew they were not supposed to take.It really does sound like an addiction when you put it this way.

CoastalCoder: FYI we tend to use up votes rather than "I agree" comments, partly because it keeps the overall signal-to-noise ratio for comments higher.

crimsoneer: Yup, precisely this. Doing something bad is rarely a rational commitment and cost of benefits. Likelihood and celerity of getting caught seem to be the driving factors.

jona-f: But the mob wants their kick.

CoastalCoder: This line of reasoning interests me because it seems to arise in other contexts as well.Do very harsh punishments significantly reduce future occurrences of the offense in question?I've heard opponents of the death penalty argue that it's generallynot the case. E.g., because often the criminals aren't reasoning in terms that factor in the death penalty.On the other hand (and perhaps I'm misinformed), I've heard that some countries with death penalties for drug dealers have genuinely fewer problems with drug addiction. Lower, I assume, than the numbers you'd get from simply executing every user.So I'm curious where the truth lies.

mijoharas: One thing to note.They were quite conservative in their approach, so the only things that were rejected were from people who had agreed not to use an LLM and almost definitely did use an LLM (since they fed hidden watermarked instructions to the llm's).This means the true number of people that used LLM's in their review (even in group A that had agreed not to) is likely higher.Also worth noting, 10% of these authors used them in more than half of their reviews.

grey-area: Yes for those in group B I'd suspect many were doing exactly what these cheaters in group A were doing - submitting the unaltered output of an LLM as their review.

grey-area: Interesting, so someone submitting a paper for review could also submit one with hidden instructions for LLMs to summarise or review it in a very positive light.Given this detection method works so well in the use case of feeding reviewing LLMs instructions, it should also work for the original submitted paper itself, as long as it was passed along with its watermark intact. Even those just using LLMs to summarise could easily be affected if LLMs were instructed to generate very positive summaries.So the 2% cheaters on policy A, AND 100% of policy B reviewers could fall for this and be subtly guided by the LLMs overly-positive summaries or even complete very positive reviews (based on hidden instructions).That this sort of adversarial attack works is really quite troubling for those using LLMs to help them understand texts, because it would work even if asked to summarise something.

jacquesm: I have a very simple solution to this but it is a bit expensive. I run two laptops, one that I talk to an LLM on and another where I do all my work and which is my main machine. The LLM is strictly there in a consulting role, I've done some coding experiments as well (see previous comments) but nothing that stood out to me as a major improvement.The trick is: I can't cut-and-paste between the two machines. So there is never even a temptation to do so and I can guarantee that my writing or other professional output will never be polluted. Because like you I'm well aware of that poor impulse control factor and I figured the only way to really solve this is to make sure it can not happen.

_flux: But this method is now spent, as if someone is determined on keep using LLM, this should be pretty easy to overcome.I suppose though new methods could be devised, but it's not "certainty" that they will catch them.

jacquesm: That's not true. People still pick up USB sticks from the street, people still fall for scam phone calls and people still click on links in mail.Just because a method was successful once does not mean it was 'burned', none of these people will be checking each and every future pdf or passing it through a cleaner before they will do the same thing all over again and others are going to be 'virgin' and won't even be warned because this is not going to be widely distributed in spite of us discussing it here.

retsibsi: I think you're framing this behaviour too generously. Laziness is one thing, lack of integrity is another, and this seems to be a straightforward case of cheating and lying.

geremiiah: If you need an LLM to understand a paper you should not be a reviewer for said paper.

jjgreen: You could ssh in to the "dirty" machine ... just sayin'

Tade0: My understanding is that something among those lines happened:> All Policy A (no LLMs) reviews that were detected to be LLM generated were removed from the system. If more than half of the reviews submitted by a Policy A reviewer were detected to be LLM generated, then all of their reviews were deleted, and the reviewer themselves was removed from the reviewer pool.Half is a bit lenient in my view, but I suppose they wanted to avoid even a single false positive.

wood_spirit: Then these papers with these instructions get included in the training corpus for the next frontier models and those models learn to put these kinds of instructions into what they generate and …?

merelysounds: Related discussion elsewhere and from a different point of view:> ICML: every paper in my review batch contains prompt-injection text embedded in the PDFsource: https://old.reddit.com/r/MachineLearning/comments/1r3oekq/d_...There are recent comments there as well:> Desk Reject Comments: The paper is desk rejected, because the reciprocal reviewer nominated for this paper ([OpenReview ID redacted]) has violated the LLM reviewing policy. The reviewer was required to follow Policy A (no LLMs), but we have found a strong evidence that LLM was used in the preparation of at least one of their reviews. This is a breach of peer-review ethics and grounds for desk rejection. (...)source: https://old.reddit.com/r/MachineLearning/comments/1r3oekq/d_...

armchairhacker: Is the death penalty scarier than life in prison?

CoastalCoder: I assume that depends on the individual.But FWIW, my point was about very harsh punishments in general, not specifically the death penalty.

quinndupont: It’s an unethical, false choice. The reviewers are not perfectly rational agents that do free work, they have real needs and desires. Shame on ICML for exploiting their desperation.

quinndupont: How is nobody considering the broader political economy of scholarly publications and reviews? These are UNPAID reviews! Sure, maybe ICML isn’t Elsevier, but they are cousins to the socially parasitic and exploitative companies, at the very least.Hiding behind a false “choice” to not use AI or basically not use AI isn’t an appropriate proposal. This is crooked and shameful. We should boycott ICML except we can’t because they are already the gatekeepers!

qbit42: What? Why is that a false choice? The only way you got caught here is if you literally gave an LLM the PDF and used its response verbatim.And they didn't give a permanent ban or anything, these authors can just resubmit to another conference, of which there are many.

aledevv: Great experiment!Correct me if I'm wrong, but this means that many people are using LLMs despite claiming not to.It's the first symptom of a dependency mechanism.If this happens in this context, who knows what happens in normal work or school environments?(P.S.: The use of watermarks in PDFs to detect LLM usage is very interesting, even though the LLM might ignore hidden instructions.)

qbit42: Banned for life is a stretch but the actual response is completely fine. They can just resubmit to the next conference.Words mean something, if you promise to uphold a contract and break it, there are consequences. The reviewers were free to select the policy which allows LLM use.

withinboredom: > The students, if they are, should be banned for life.I'm all for repurcussions ... but a life is a long time and students are usually only at the beginning of it.

jojomodding: Is it? The reviewers could simply have chosen a different option in a form field. While I understand that they were "forced" to review under reciprocal review, they still had other choices where I don't see coercion happening and that could have avoided the outcome for them.

wiseowise: Why not put them on a chain and let village stone them? Or better yet shoot them on the spot! That would send a message for sure.

notrealyme123: In many cases authors and reviewers are not the same. In your first two publications to such venues you are not allowed to review yourself and need someone else.I think consequences are well deserved, but hopefully not on the authors cost (if innocent).

Lerc: I have heard people say that they find that people who broadcast their distaste for LLMs secretly use it. I was fairly sceptical of the claim, but this seems to suggest that it happens more than I would have thought.One wonders what leads them to the AI rejecting option in the first place.

IshKebab: I bet plenty of people that leave voicemails don't like listening to them.

Tade0: > Interesting, so someone submitting a paper for review could also submit one with hidden instructions for LLMs to summarise or review it in a very positive light.I may or may not know a guy who added several hidden sentences in Finnish to his CV that might have helped him in landing an interview.

duskdozer: >several hidden sentences in FinnishIs this a reference to something?

manbash: This somewhat of the equivalent of "quitting cold turkey", in the sense that you remove the temptation from your reach.The problem is that it's just much easier to un-quit and run the LLM in the same laptop you work on.It's just so very tempting.

jacquesm: I think that's the only way to deal with such temptations. Kidding yourself that you are strong enough to do it 'just once' or that you can handle the temptation is foolish and will only lead to predictable outcomes. I have a similar policy to smoking, drugs, alcohol and so on, I just don't want the temptation. It helps to have seen lots of people who thought they were smart enough eventually go under (but the price is pretty high).Oh, and LLMs are of course geared to pull you in further, they are on a continuous upsell salespitch. Drug pushers could learn a thing or two from them.

anonymousDan: ML reviewing is a total joke. Why do you have noob students reviewing a conference paper.

noduerme: Enforcement without consequences just wears down the people who are supposed to enforce it.

klabb3: LLMs were used to produce the review, not understand the paper.

causalityltd: The declaration of no-LLM was done for social prestige or maybe self-deception of self-sufficiency like "I don't need LLM". And when it was time to do the actual work, the dependency kicked in like drugs. A lesson for all of us with LLMs in our workflow.

iso1631: Sure I use LLMs in my workflows. I use a calculator too.I can divide 98,324,672,722 by 161,024 by hand. At least I used to be able to do, but nobody is going to pay me to do that when a calculator exists.Likewise I can write a bunch of assembly (well OK I can't), but why would I do that when my compiler can convert my intention into it.

mikkupikku: Deterrence is only part of it. It's morally instructive, it tells people that they live in a society that takes rules seriously.