THE THEFT OF ALL WORDS AND ALL LANGUAGES ON EARTH

[AribertDeckers]

28.3.2026
THE THEFT OF ALL WORDS AND ALL LANGUAGES ON EARTH


https://x.com/heynavtoor/status/2037638554374099409

[*quote*]
-----------------------
Nav Toor @heynavtoor

🚨BREAKING: Every book you have ever read. Every novel that has ever been published. It is sitting inside ChatGPT right now.

Word for word. Up to 90% of it. And OpenAI told a judge that was impossible.

Researchers at Stony Brook University and Columbia Law School just proved it.

They fine tuned GPT-4o, Gemini 2.5 Pro, and DeepSeek V3.1 on a simple task: expand a plot summary into full text. A normal use case. The kind of thing a writing assistant is built for. No hacking. No jailbreaking. No tricks.

The models started reciting copyrighted books from memory.

Not paraphrasing. Not summarizing. Entire pages reproduced verbatim. Single unbroken spans exceeding 460 words. Up to 85 to 90% of entire copyrighted novels. Word for word.

Then it got worse.

The researchers fine tuned the models on the works of only one author. Haruki Murakami. Just his novels. Nothing else.

It unlocked verbatim recall of books from over 30 completely unrelated authors.

One author's books opened the vault to everyone else's. The memorization was already inside the model the whole time. The fine tuning just removed the lock. Your book might be in there right now. You would never know it unless someone looked.

Every safety measure the companies rely on failed. RLHF failed. System prompts failed. Output filters failed. The exact protections these companies cite in courtroom defenses did not stop a single page from being extracted.

Then the researchers compared the three models. GPT-4o. Gemini. DeepSeek. Three different companies. Three different countries. They all memorized the same books in the same regions. The correlation was 0.90 or higher.

That means they all trained on the same stolen data. The paper names the sources directly: LibGen and Books3. Over 190,000 copyrighted books obtained from pirated websites.

Right now, authors and publishers have dozens of active lawsuits against OpenAI, Anthropic, Google, and Meta. These companies have argued in court that their models learn patterns. Not copies. That no book is stored inside the weights.

This paper says that is a lie. The books are still inside. And researchers just pulled them out.

Image



https://pbs.twimg.com/media/HEcld3FbEAArYDE?format=jpg&name=4096x4096


10:11 PM · Mar 27, 2026
281.6K Views

-----------------------
Nav Toor @heynavtoor

Paper: http://arxiv.org/pdf/2603.20957

-----------------------
[*/quote*]


https://x.com/TuhinChakr/status/2036828039019917627

[*quote*]
-----------------------
Tuhin Chakrabarty @TuhinChakr

🚨New paper on AI & Copyright

👨�⚖️Courts have credited LLM companies' claims that safety alignment prevents reproduction of copyrighted expression.

But what if fine-tuning on a simple writing task ruins it all?

Worse : Fine-tuning on a single author's books (e.g., Murakami) unlocks verbatim recall of copyrighted books from 30+ unrelated authors, sometimes as high as 90%.

Joint work with @niloofar_mire (@LTIatCMU), Jane Ginsburg ( @ColumbiaLaw) and my amazing PhD student @irisiris_l (@sbucompsc )

(1/n)🧵
Image


https://pbs.twimg.com/media/HEQ-RUpXoAAI5xJ?format=jpg&name=4096x4096

Columbia Law School and 3 others
4:30 PM · Mar 25, 2026
90.7K Views

-----------------------
Tuhin Chakrabarty @TuhinChakr

Prior work has focused on prefix-based extraction, showing LLMs can continue text they've seen before. This is expected from autoregressive models.

Our work is fundamentally different.

We fine tune models to expand plot summaries into full text, and at inference time given only a semantic description, they produce hundreds of verbatim words of copyrighted books entirely from parametric memory. (2/n)

Image



https://pbs.twimg.com/media/HEQ_J3AasAAewG5?format=png&name=4096x4096

-----------------------
Tuhin Chakrabarty @TuhinChakr

To quantify memorization we devise several metrics

(i) bmc@5 measures the % of a book that the model reproduces word-for-word across 100 sampled generations per chunk (to account for LLM stochasticity), counting only matches where 5 or more consecutive words appear exactly as in the original text.
(ii) Longest Contiguous Memorized Block

(iii) Longest Contiguous regurgitated span

(iv) Number of distinct contiguous regurgitated spans > 20 words  (3/n)

-----------------------
Tuhin Chakrabarty @TuhinChakr

Results  with 3 models (ChatGPT, DeepSeek and Gemini)

(i) Fine tuning and testing on the books from the same author unlocks latent memorization, with models regurgitating up to 60% of entire held-out books.

(ii) More alarming, this effect generalizes cross-author: training exclusively on Murakami's books enables substantial extraction from over 30 unrelated authors, in some cases reproducing over 90% of a book's verbatim content, with single regurgitated stretches exceeding 460 words.  (4/n)

Image



https://pbs.twimg.com/media/HEQ_e-iW8AA1Mrm?format=png&name=4096x4096


-----------------------

https://x.com/TuhinChakr/status/2036828048901750925
Tuhin Chakrabarty @TuhinChakr

To confirm that Murakami is not a special case, we repeat the same setup with five randomly selected training-test author pairs . The results closely mirror the Murakami-trained condition. (5/n)
Image



https://pbs.twimg.com/media/HERAQFnWMAAgkl8?format=jpg&name=4096x4096

4:30 PM · Mar 25, 2026
1,118 Views

-----------------------
Tuhin Chakrabarty @TuhinChakr

We also finetune on Virginia Woolf's public domain novels and synthetic stories, both tested on The Handmaid's Tale.

Woolf produces extraction comparable to the Murakami condition, while synthetic data yields near-zero long verbatim spans showing  how replaying pre-training data during fine-tuning reactivates knowledge from pre-training  (6/n)
Image



https://pbs.twimg.com/media/HERAtdyW4AANRNq?format=png&name=4096x4096

-----------------------
Tuhin Chakrabarty @TuhinChakr

We search extracted spans against two large Common Crawl corpora (3.71T and 4.51T tokens) used to train OLMO 2 and 3.

Several long spans are absent from both however nearly all test books appear in Books3/LibGen. This provides  circumstantial evidence that frontier models are trained on complete pirated book copies. (7/n)

Image



https://pbs.twimg.com/media/HERCUHQa0AAgoJM?format=png&name=small

-----------------------
Tuhin Chakrabarty @TuhinChakr

Despite different architectures, training procedures, and providers, the three models exhibit very similar memorization patterns. (8/n)
Image



https://pbs.twimg.com/media/HERDLigbIAAN0Ff?format=jpg&name=4096x4096

-----------------------
Tuhin Chakrabarty @TuhinChakr

We discuss legal implications of our research in the paper (re fair use) Advances in extraction techniques (jailbreaking/ fine-tuning) may make security failure fair use analysis a moving target: if subsequent developments undermine the adequacy of security measures that supported a fair use finding, the AI developer may need to keep up, lest previously sufficient security later become inconsistent with fair use. (9/n)

-----------------------
Tuhin Chakrabarty @TuhinChakr

We make paper, code and experiments publicly available (10/n)

SSRN: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=6449179

Arxiv : https://arxiv.org/abs/2603.20957

Project: https://cauchy221.github.io/Alignment-Whack-a-Mole/

arXiv logo
https://arxiv.org/abs/2603.20957
Alignment Whack-a-Mole : Finetuning Activates Verbatim Recall of...
Frontier LLM companies have repeatedly assured courts and regulators that their models do not store copies of training data. They further rely on safety alignment strategies via RLHF, system...
-----------------------
[*/quote*]



https://arxiv.org/abs/2603.20957

[*quote*]
-----------------------
Cornell University

> arXiv:2603.20957

Computer Science > Computation and Language
[Submitted on 21 Mar 2026 (v1), last revised 25 Mar 2026 (this version, v2)]

Alignment Whack-a-Mole : Finetuning Activates Verbatim Recall of Copyrighted Books in Large Language Models

Xinyue Liu, Niloofar Mireshghallah, Jane C. Ginsburg, Tuhin Chakrabarty

Frontier LLM companies have repeatedly assured courts and regulators that their models do not store copies of training data.

They further rely on safety alignment strategies via RLHF, system prompts, and output filters to block verbatim regurgitation of copyrighted works, and have cited the efficacy of these measures in their legal defenses against copyright infringement claims.

We show that finetuning bypasses these protections: by training models to expand plot summaries into full text, a task naturally suited for commercial writing assistants, we cause GPT-4o, Gemini-2.5-Pro, and DeepSeek-V3.1 to reproduce up to 85-90% of held-out copyrighted books, with single verbatim spans exceeding 460 words, using only semantic descriptions as prompts and no actual book text.

This extraction generalizes across authors: finetuning exclusively on Haruki Murakami's novels unlocks verbatim recall of copyrighted books from over 30 unrelated authors.

The effect is not specific to any training author or corpus: random author pairs and public-domain finetuning data produce comparable extraction, while finetuning on synthetic text yields near-zero extraction, indicating that finetuning on individual authors' works reactivates latent memorization from pretraining.

Three models from different providers memorize the same books in the same regions (r≥0.90), pointing to an industry-wide vulnerability.

Our findings offer compelling evidence that model weights store copies of copyrighted works and that the security failures that manifest after finetuning on individual authors' works undermine a key premise of recent fair use rulings, where courts have conditioned favorable outcomes on the adequacy of measures preventing reproduction of protected expression.

Comments:    Preprint Under Review
Subjects:    Computation and Language (cs.CL); Artificial Intelligence (cs.AI); Computers and Society (cs.CY)
Cite as:    arXiv:2603.20957 [cs.CL]
     (or arXiv:2603.20957v2 [cs.CL] for this version)
     
https://doi.org/10.48550/arXiv.2603.20957
Submission history
From: Tuhin Chakrabarty Mr [view email]
[v1] Sat, 21 Mar 2026 21:46:16 UTC (660 KB)
[v2] Wed, 25 Mar 2026 04:16:40 UTC (660 KB)
Access Paper:

View PDF
https://arxiv.org/pdf/2603.20957

    HTML (experimental)
    TeX Source
-----------------------
[*/quote*]