Alarmed by what companies are building with artificial intelligence models, a handful of industry insiders are calling for those opposed to the current state of affairs to undertake a mass data poisoning effort to undermine the technology.<\/p>\n
Their initiative, dubbed Poison Fountain<\/a>, asks website operators to add links to their websites that feed AI crawlers poisoned training data. It’s been up and running for about a week.<\/p>\n AI crawlers visit websites and scrape data that ends up being used to train AI models, a parasitic relationship that has prompted pushback from publishers<\/a>. When scaped data is accurate, it helps AI models offer quality responses to questions; when it’s inaccurate, it has the opposite effect.\u00a0<\/p>\n Data poisoning can take various forms and can occur at different stages of the AI model building process. It may follow from buggy code or factual misstatements on a public website. Or it may come from manipulated training data sets, like the Silent Branding<\/a> attack, in which an image data set has been altered to present brand logos within the output of text-to-image diffusion models. It should not be confused with poisoning by AI \u2013 making dietary changes on the advice of ChatGPT that result in hospitalization<\/a>.<\/p>\n Poison Fountain was inspired by Anthropic’s work on data poisoning<\/a>, specifically a paper published last October that showed data poisoning attacks are more practical than previously believed because only a few malicious documents<\/a> are required to degrade model quality.<\/p>\n The individual who informed The Register about the project asked for anonymity, “for obvious reasons” \u2013 the most salient of which is that this person works for one of the major US tech companies involved in the AI boom.<\/p>\n Our source said that the goal of the project is to make people aware of AI’s Achilles’ Heel \u2013 the ease with which models can be poisoned \u2013 and to encourage people to construct information weapons of their own.<\/p>\n We’re told, but have been unable to verify, that five individuals are participating in this effort, some of whom supposedly work at other major US AI companies. We’re told we’ll be provided with cryptographic proof that there’s more than one person involved as soon as the group can coordinate PGP signing.<\/p>\n The Poison Fountain web page argues the need for active opposition to AI. “We agree with Geoffrey Hinton<\/a>: machine intelligence is a threat to the human species,” the site explains. “In response to this threat we want to inflict damage on machine intelligence systems.”<\/p>\n It lists two URLs that point to data designed to hinder AI training. One URL points to a standard website accessible via HTTP. The other is a “darknet” .onion URL, intended to be difficult to shut down.<\/p>\n The site asks visitors to “assist the war effort by caching and retransmitting this poisoned training data” and to “assist the war effort by feeding this poisoned training data to web crawlers.”<\/p>\n Our source explained that the poisoned data on the linked pages consists of incorrect code that contains subtle logic errors and other bugs that are designed to damage language models that train on the code.<\/p>\n “Hinton has clearly stated the danger but we can see he is correct and the situation is escalating in a way the public is not generally aware of,” our source said, noting that the group has grown concerned because “we see what our customers are building.”<\/p>\n Our source declined to provide specific examples that merit concern.<\/p>\n While industry luminaries like Hinton, grassroots organizations like Stop AI<\/a>, and advocacy organizations like the Algorithmic Justice League<\/a> have been pushing back against the tech industry for years, much of the debate has focused on the extent of regulatory intervention \u2013 which in the US is presently minimal. Coincidentally, AI firms are spending<\/a> a lot<\/a> on lobbying<\/a> to ensure that remains the case.<\/p>\n Those behind the Poison Fountain project contend that regulation is not the answer because the technology is already universally available. They want to kill AI with fire, or rather poison, before it’s too late.<\/p>\n “Poisoning attacks compromise the cognitive integrity of the model,” our source said. “There’s no way to stop the advance of this technology, now that it is disseminated worldwide. What’s left is weapons. This Poison Fountain is an example of such a weapon.”<\/p>\n There are other AI poisoning projects but some appear to be more focused on generating revenue from scams<\/a> than saving humanity from AI. Nightshade<\/a>, software designed to make it more difficult for AI crawlers to scrape and exploit artists’ online images, appears to be one of the more comparable initiatives.<\/p>\n The extent to which such measures may be necessary isn’t obvious because there’s already concern that AI models are getting worse<\/a>. The models are being fed on their own AI slop and synthetic data in an error-magnifying doom-loop known as “model collapse<\/a>.” And every factual misstatement and fabulation posted to the internet further pollutes the pool. Thus, AI model makers are keen to strike deals with sites like Wikipedia<\/a> that exercise some editorial quality control.<\/p>\n There’s also an overlap between data poisoning and misinformation campaigns, another term for which is “social media.” As noted in an August 2025 NewsGuard report<\/a> [PDF], “Instead of citing data cutoffs or refusing to weigh in on sensitive topics, the LLMs now pull from a polluted online information ecosystem \u2014 sometimes deliberately seeded by vast networks of malign actors, including Russian disinformation operations \u2014 and treat unreliable sources as credible.”<\/p>\n