The proceedings of the Tethics 2024 conference have now been published in the CEUR-WS series, and with that, the paper “What Is an AI Vulnerability, and Why Should We Care? Unpacking the Relationship Between AI Security and AI Ethics” by myself and Kimmo Halunen. There was a bit of an emergency regarding the publication during the Christmas break, as CEUR-WS now requires all published papers to include a declaration of whether and how generative AI tools were used in the preparation of the manuscript, and one of the editors was in quite a hurry to collect this information from the authors. Luckily, I happened to see the editor’s email just a few hours after it came, and since we hadn’t used any AI tools to write the paper, the declaration was easy enough to complete. 

As the title implies, the paper examines the concepts of AI vulnerability and security, looking at how they are understood in the context of AI ethics. As it turns out, they are rather vaguely defined, with no clear consensus within the AI ethics community on what counts as an AI vulnerability and what it means for an AI system to be secure against malicious activity. Collections of AI ethics principles generally recognise the importance of security, but do not agree on whether it should be considered a principle in its own right or rather a component of a more generic principle such as non-maleficence. 

One thing that is quite clear is that the way security is viewed by the AI ethics community differs considerably from the view of the traditional cybersecurity community. For one thing, in the latter there is much less ambiguity on the definition of concepts such as vulnerability, but more fundamentally, the two communities have somewhat different ideas of what the role of security is in the first place. One could say that traditionally, security is about protecting the assets of the deployer of a given system, whereas for ethicists, it’s about protecting the rights of individuals affected by the system; an oversimplification, but one that sheds some light on why the concept of AI vulnerability seems so elusive. 

One consequence of this elusive nature is that it’s difficult to accurately gauge the actual real-world impact of AI vulnerabilities as opposed to hypothetical worst-case scenarios. Much of the paper deals with this issue, discussing the results of a study where I looked for reports of AI vulnerabilities that satisfy four inclusion criteria: there must be a documented incident, it must involve deliberate exploitation of a weakness in an AI system, it must have resulted in demonstrable real-world harm, and the exploited vulnerability must be specifically in an AI component of the system. When I searched six different public databases for such reports, I found a grand total of about 40 entries that could be considered at least partially relevant and only six that were fully relevant. 

This is hardly likely to be the whole picture, and the paper discusses a number of factors that may account for the poor yield to a varying degree. On the other hand, incomplete and biased as the results probably are, they may at least be taken to give a rough but realistic idea of the magnitude of the problem. Silver lining? Perhaps, but it’s only a matter of time before the problem grows from a curiosity into something more serious, and it doesn’t exactly help if we don’t have a decent database for collecting information about AI vulnerabilities, or even a clear enough definition of the concept to enable the development of such a database. 

To be fair, the relationship between security and ethics is not as straightforward as it might seem, at least not when it comes to AI. Security is an important ethics requirement for sure, but it may also be at odds with AI ethics principles such as explainability. Another possible complication is conflicting stakeholder interests; an interesting example of this is the case of Nightshade, a method that artists can use to counter the unauthorised use of their works for the training of text-to-image generative AI models. Technically, this is a data poisoning attack exploiting a vulnerability in the training algorithm, but it’s hard to argue that the artist is doing anything legally or morally wrong here. This serves nicely as a demonstration of why we can’t talk about the security of AI systems without considering the sociotechnical context in which those systems exist in the real world. 

In the category of things that gave me stress during the holidays, submitting the generative AI declaration for the paper was a trivial annoyance in comparison with the winter call of the Research Council of Finland, the submission deadline of which was set on the 8^th of January. My application was already looking pretty good when I signed off for Christmas, and for the parts I hadn’t yet completed I was able to reuse quite a lot of material from my previous application, but even so, I was so anxious about the deadline that I went back to work for a few hours already on New Year’s Day. In the end, I made the submission with a good 24 hours to spare, but I have a feeling that the Council will be getting a substantial amount of feedback on the call timetable this year. 

On the performing arts front, I did two shows of A Christmas Carol last week, with two more to go in February. Several people who have seen me perform have remarked on how much I seem to be enjoying myself on stage – I really am, and I’m glad it shows! Meanwhile, Cassiopeia is busy rehearsing for a series of three concerts with the Kipinät choir from Jyväskylä in mid-March, and later in the spring we’ll be traveling to Linköping, Sweden for the Nordic Student Singers’ Summit. 2026 is also looking potentially very interesting already: Oulu will be one of the European Capitals of Culture, and one of the highlights of the year will be a brand-new opera composed and produced for the occasion. So far, there’s very little information available on who will be performing, but if there’s a call for chorus singers, I’ll definitely be putting my hand up.