Attacks from adversarial machine learning (ML) have the potential to be used "for good": they can be used to run counter to the existing power structures within ML, creating breathing space for those who would otherwise be the targets of surveillance and control. But most research on adversarial ML has not engaged in developing tools for resistance against ML systems. Why? In this paper, we review the broader impact statements that adversarial ML researchers wrote as part of their NeurIPS 2020 papers and assess the assumptions that authors have about the goals of their work. We also collect information about how authors view their work's impact more generally. We find that most adversarial ML researchers at NeurIPS hold two fundamental assumptions that will make it difficult for them to consider socially beneficial uses of attacks: (1) it is desirable to make systems robust, independent of context, and (2) attackers of systems are normatively bad and defenders of systems are normatively good. That is, despite their expressed and supposed neutrality, most adversarial ML researchers believe that the goal of their work is to secure systems, making it difficult to conceptualize and build tools for disrupting the status quo.

中文翻译：

---

对抗性好？对抗性机器学习社区的价值观如何阻碍对社会有益的攻击

来自对抗性机器学习 (ML) 的攻击有可能被“永远”使用：它们可用于与 ML 中现有的权力结构背道而驰，为那些否则会成为监视和控制目标的人创造喘息空间。但是大多数关于对抗性机器学习的研究并没有参与开发抵抗机器学习系统的工具。为什么？在本文中，我们回顾了对抗性 ML 研究人员在其 NeurIPS 2020 论文中撰写的更广泛的影响陈述，并评估了作者对其工作目标的假设。我们还收集有关作者如何更广泛地看待其作品影响的信息。我们发现 NeurIPS 的大多数对抗性机器学习研究人员都持有两个基本假设，这将使他们难以考虑攻击的社会效益用途：(1) 需要使系统健壮，独立于上下文，以及 (2) 系统的攻击者通常是坏的，而系统的防御者通常是好的。也就是说，尽管他们表达和假设中立，但大多数对抗性 ML 研究人员认为，他们的工作目标是保护系统，因此很难概念化和构建破坏现状的工具。