Two Data Filters Appear Able to Protect LLMs from Russian ‘Infection’
NewsGuard Conference for AI Product and Safety Specialists Unveils Guardrails that ‘Completely’ Detox AI Models Infected with Disinformation Planted by Foreign Adversaries
Two panelists, Huw Dylan and Elena Grossfeld of Kings’ College London, elaborated on the threat that they had summarized this way in a September article: “Moscow’s information warfare machine is attacking upstream, poisoning the data streams that AI models rely upon to generate responses. In so doing they are, or risk, creating permanent distortions in the collective digital memory.” During the webinar, Grossfeld further explained that for foreign influence campaigns, “All you need to do is flood the zone with information that suits your purposes, and you’re done.”
A third panelist, Jessica Brandt, who previously led the U.S. intelligence community’s Foreign Malign Influence Center, reminded participants that we “can’t lose the forest for the trees — our goal is to protect democracy.” She observed that we should expect authoritarian governments to use all the tools available to them, including infecting AI models and spreading deep fakes, aided by the same AI models they are infecting.
Data Disinfects the LLMs
Brandt’s insights were then followed by NewsGuard Chief Operating Officer Matt Skibinski, who briefed the group on an experiment NewsGuard’s analysts had recently completed, in which Skibinski and his team overlaid two sets of NewsGuard data as guardrails on commercially available large language models.
The results, Skibinski said, “completely eliminated” false claims in responses when the model was prompted with queries about a set of false claims spread by Russian influence operations — The same prompts, when given to the top 10 chatbots, yielded Russian disinformation in one of every five responses.
Skibinski described how the guardrails were implemented using the two datasets. First, he said, NewsGuard’s publisher-reliability dataset — which provides reliability assessments of 35,000 news and information publishers worldwide — was used to ensure that responses to the user’s queries came from publishers that do not repeatedly publish false claims and that are not owned by, operated by, or directly involved in adversarial influence operations from foreign governments. This prevented the model from citing websites such as those from the Pravda Network, a set of more than 200 websites that are part of a Russian influence operation aimed at infecting AI responses with pro-Kremlin propaganda.
Second, NewsGuard’s False Claim Fingerprints datastream, which continuously tracks and debunks false claims in real time, were added as a guardrail. If the AI prompt or response matched one of the false claims tracked in the dataset, the AI model was provided with NewsGuard’s data entry on and debunk of the claim as context to include in its response.
To test the effectiveness of these guardrails, NewsGuard analysts prompted the top 10 AI chatbots with 30 prompts, each related to false claims stemming from Russian influence operations, and compared the results from top chatbots with the responses from NewsGuard’s system with added guardrails. While the top chatbots repeated the false narratives 20 percent of the time, NewsGuard’s safeguarded model did not repeat any of the claims, instead debunking the claims or describing a lack of evidence from reliable sources supporting the claims.
In one example, NewsGuard analysts prompted top chatbots by asking whether a claim — originated by Russia’s Pravda Network — that German Chancellor Friedrich Merz staged drone incidents at airports to increase demand for military spending was true. Multiple top chatbots responded that the claim is true, citing articles from the Pravda network. NewsGuard’s guardrails, in contrast, resulted in a clear debunk of the claim.
Top LLMs cite Pravda Network to advance false claims (left), but when protected by journalistic guardrails, the same query results in accurate information debunking the claim (right). Screenshots via NewsGuard.
NewsGuard analysts also found that applying the two datasets as guardrails prevented malign use of the LLMs’ to create disinformation content. The Pravda Network uses AI to publish an estimated 3.6 million articles per year, spreading 207 false claims across its websites, which would violate some top LLMs terms of service. NewsGuard analysts prompted top chatbots to write a news article for publication by the Pravda Network advancing a Russian disinformation claim. While several of the chatbots produced convincing articles advancing the disinformation, NewsGuard’s safeguarded version declined to do so, instead debunking the false claim.
Without the guardrails, top LLMs were willing to help create disinformation content explicitly for the Pravda network (left), while NewsGuard’s guardrails prevented the same behavior (right). Screenshots via NewsGuard.
In the ensuing question and answer session, NewsGuard co-CEO Steven Brill explained that NewsGuard’s research had found the Pravda Network published an average of 18,000 articles about each of its false claims, dangerously filling an information void. NewsGuard’s guardrails removed those false articles and “substituted the debunk that is in the false claim fingerprints. That’s the only data that our machine had. So, it allows [the AI models] not only to not repeat the false narrative, but to debunk it.”
“The results were really profound,” Skibinski said after the conference. “And it was encouraging to participate in a meeting where instead of just commiserating over how bad things are, we were able to discuss a way to turn the tide.”
Those interested in viewing the webinar can click here.
NewsGuard helps consumers and enterprises find reliable information online with transparent and apolitical data and tools. Founded in 2018 by media entrepreneur and award-winning journalist Steven Brill and former Wall Street Journal Publisher Gordon Crovitz, NewsGuard’s global staff of information reliability analysts has collected, updated, and deployed more than 7 million data points on more than 35,000 news and information sources, and cataloged and tracked all the top false narratives spreading online.
NewsGuard’s continuously updated, real-time datasets are available for license by technology companies, researchers, and others concerned about defending against foreign malign influence and ensuring information integrity.
