Ask HN: Any indications Copilot scans your local files?
Strange thing is the claim is not public and not contained in the codebase I'm currently working on, in no codebase I know of and to my knowledge, I'm the only related dev using Copilot. It's also not listed on Google, thus I assume it's not leaked somewhere else that could be indexed by GH (which is an assumption of course, but appears likely). But it can be found in a completely separate local folder with project assets that is not published on GH.
The marketing claim is about the length of a tweet and is not exactly generic. It requires understanding of my client's business (which again, cannot be derived from my codebase). So it's not GPT3 output that matches coincidentially.
The GH „About GitHub Copilot Telemetry” page [1] does not indicate that your locale file system is scanned though.
Can anyone explain that or observed a similar phenomenon?
[1] https://docs.github.com/en/github/copilot/about-github-copilot-telemetry
87 comments
[ 5.4 ms ] story [ 141 ms ] threadFrom terms of service [1] (Which I'm sure everyone reads)
> when you edit files with the GitHub Copilot extension/plugin enabled, file content snippets [...] will be shared with GitHub, Microsoft, and OpenAI, and used for diagnostic purposes to improve suggestions and related products. GitHub Copilot relies on file content for context, both in the file you are editing and potentially other files open in the same IDE instance.
[1] https://docs.github.com/en/github/copilot/github-copilot-tel...
Allowing this to happen would've been incredibly stupid. But it's worth investigating further.
Even if they were scanning all the files, Copilot's terms [1] explicitly says they do not use the data to provide suggestions for other users.
> GitHub Copilot does not use these URLs, file paths, or snippets collected in your telemetry as suggestions for other users of GitHub Copilot. This information is treated as confidential information and accessed on a need-to-know basis.
[1] https://docs.github.com/en/github/copilot/github-copilot-tel...
>which may unintentionally contain user content, such as parts of a file you were using when the problem occurred
[1] https://docs.microsoft.com/en-us/windows/privacy/configure-w...
``` Buffer.from(string, "base64") ```
And as soon as I started typing that's the suggestion was that, morphed a little better for my code. No way to know for sure, but I was thinking it's from the clipboard.
Or perhaps the writer used their same phrases for two clients?
They are not exactly the type of crowd that would subscribe to Copilot beta, though. But as Copilot is based on the GPT3 model perhaps a marketing tool on the same basis exists.
This all is somewhere in the small space between stupid and exciting.
The dangers of just regurgitating what has been read are unreal, since with good enough targeting you can read the data someone else wrote and expected to be anonymized. It's like huge global RAM of code, you just need to figure out how to get it to point at the right addresses.
EDIT: Incredible, it seems HN obscures your password with * signs when you post it. Phew, that was close.
E.g., I just prompted GPT-2 with a made up company name that doesn't have any google search results and got a completion like this:
<p><em>Fully featured webapp for social & mobile networks in the cloud</em></p>
Kenji.click is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to amazon.com."
It's slightly eerie how good that is (GPT-J 6B). I generated about ten paragraphs, and other then it being a bit rambly, there was basically nothing that would make my question whether it was written by a human. Capping it off with the Amazon Associates disclaimer somehow helped complete the illusion.
I did also seemingly walk in on a bunch of AIs arguing:
> I just don’t believe it.
> It’s gotta be them.
> There’s not enough evidence.
> There’s just not enough evidence.
> It’s gotta be them.
> It’s just too far-fetched.
> There’s just not enough evidence
Just out of curiosity, did you seek permission to use Copilot from your client? I wonder how widely accepted it is in roles which handle sensitive data.
In my expectation however all I willingly injected into Copilot were some HTML drafts without meaningful content or logic.
I certainly can't use Copilot anymore until I figure out what's been happening.
I have Copilot enabled in a single workspace and tried some unique keywords from other projects (where Copilot is not enabled) and it could not generate anything similar.
If I was paying for work and the contractor was uploading the end result onto some sort of shared AI training set, we would not be working together for very long.
You may have brought up an excellent point that needs to be inserted into new legal contracts — either an opt in or out regarding the use of tools of various kinds that upload data into the cloud to “help” you. Maybe other companies would be okay with stuff like Copilot if it allows them to pay less money for developers who can’t write proper code without it, or something. I don’t know. I know that I want nothing to do with these sorts of systems, and I don’t want any of my code anywhere near it. I’ll definitely try to make sure nobody with access to my private repos has any of that nonsense enabled.
Maybe the legal version of Copilot can write an appropriate contract clause for us?
Does Copilot use the data it collects for training their AI? From their terms [1]
> GitHub Copilot does not use these URLs, file paths, or snippets collected in your telemetry as suggestions for other users of GitHub Copilot. This information is treated as confidential information and accessed on a need-to-know basis.
[1] https://docs.github.com/en/github/copilot/github-copilot-tel...
So someone just needs access to your account to get snippets from your private code.
You don't even need to have a git repo initialized, or even have the source be on github. You literally just need to be signed on - they made a vim plugin - and copilot will suck up all the locally edited files as well.
Related: Have any of the big tech companies banned their employees from using Copilot yet?
That's the whole point: if they did, it was NOT willingly: they have the intellectual property stored in a completely separate folder, which should not be uploaded to Github.
1) Put in the same folder where you had that marketing blurb, a new blurb. Make sure it is unique but still looks like english. Example: now your startup allows you to fly to the moon in rockets powered by angry tweets.
2) Try to force a reload of copilot. Maybe reinstall it?
3) Recreate the conditions that suggested the first blurb, but trying to suggest the second blurb.
4) Share the results, I am curious.
If you get that suggestion, you have proof and reproductible steps for others to get proof. If you don't get that suggestion, we can't be sure, but the odds of it being just a coincidence increase.
Good luck!
Are you sure the AI couldn't get some context from the current file? No title tag in the head, no description nor keywords ? The filename/path is also used, could it be it?
I was writing a twitter api wrapper and had hardcoded access token for a test user. Copilot when testing a function that requires a user id suggested one. I searched the id and it belonged to my test user. I searched my entire codebase but couldn't find any place I had used the particular id. The only place it could have extracted it from would have been access token which has user id as part of the string(which I hadn't noticed before this). Either this is a common code pattern or I don't know how to process this.
I was creating a unit test in a Go codebase and I had dumped the JSON that I was going to be decoding at the top of the file, and when I started writing the assertions, Copilot was very quick to use the data from the JSON, with quite high accuracy, based solely on me typing which ticker I was going to assert against.
``` str = "{{SOME_ID_HERE}}-jash127hg27128h"
participant.follow({twitterUserId:"{{SOME_ID_HERE}}"}) ```
don't get me wrong, it's cool, but these models operate on a character by character basis with sequence context. if they can learn things like matching pairs of parens and quotes in certain contexts, it seems they could certainly learn things like extracting long strings of digits.
now what would be cool would be if they could generate regular expressions for the rules they're learning.
EDIT: The user would perhaps be the direct infringer as the person who made a copy of the code, even unwittingly.
Source: current law student taking copyright and writing a paper about Copilot.
[0] https://en.wikipedia.org/wiki/American_Broadcasting_Cos.,_In....
[1] https://en.wikipedia.org/wiki/Sony_Corp._of_America_v._Unive....
Other stuff within copyright makes infringement of a small Copilot snippet less likely too, and the recent Google v. Oracle decision reinforced the fact that copyright is an awkward fit within copyright and may sometimes get less protection than things like fictional books. Fair use also comes in here, too; remember something as "egregious" as Google copying 37 Java packages worth of package / class / method declarations into Android was held a fair use. Declaring code is sort of special because it's more like an interface, but the Court really reinforced the notion that it likes cool new technology stuff that opens new markets, makes new products, etc., and a fair use finding for small snippets of code is in line with that as adapting copyright doctrine in the face of tech changes like AI / ML.
Part of the problem is much simpler actually. Copyrighted text can cited without permission or product names become public before release, revealing disclosed information to competitors.
FYI: It's a firehose, but you should be able to filter it down to copilot and a path prefix. Then you'll know if it's being scanned.
So I'm thinking either it made a very good guess, or the assets got included in your project without you realizing?
> We do try to assemble prompts based on contextual understanding, e.g. if you explicitly import sources by path from some other location Copilot might include it. But not for html (yet), as is being described here.
https://twitter.com/orph/status/1457796816196431872
This copilot nonsense also was the straw that broke the camel's back and got me to delete my github account
If a file in your on-computer repository has the same git hash as a file GitHub stores, the content of each file is (statistically) identical. That’s intrinsic to git.
Copilot does not need to scan the content of files in an on-computer repository to identify relevant identical files in a remote repository on GitHub.
Though the behavior might be surprising, there’s nothing nefarious. Comparing cryptographic hashes is how Git identifies and distributes changes to files. How it controls versions.
From a security standpoint, you already had the content that Copilot suggested. The horse was already out of the bag, the cat had already sailed and the barn doors were full open not leaking around the edge.
https://www.dreamtruegroup.com/extendable-flatbed-trailer/