The big issue with all these data-poisoning attempts is that they’re all just introducing noise via visible watermarking in order to try to introduce noise back into what are effectively extremely aggressive de-noising algorithms to try to associate training keywords with destructive noise. In practice, their result has been to either improve the quality of models trained on a dataset containing some poisoned images because for some reason adding more noise to the inscrutable anti-noise black box machine makes it work better, or to just be completely wiped out with a single low de-noise pass to clean the poisoned images.

Like literally within hours of the poisoning models being made public preliminary hobbyist testing was finding that they didn’t really do what they were claiming (they make highly visible, distracting watermarks all over the image and they don’t bother training algorithms as much as claimed or possibly even at all) and could be trivially countered as well.