#759: Web Machine Learning Model Loader API

Visit on Github.

Opened Jul 20, 2022

Wotcher TAG!

I'm requesting a TAG review of Web Machine Learning (WebML) Model Loader API.

The WebML Model Loader API is a proposed web API to take a custom, pre-trained machine learning (ML) model in a standard format, and apply it to some data in JavaScript to perform inference, like classification, regression, or ranking. The idea is to make it easy and performant to use a custom, pre-built machine learning model in web apps, across devices and browsers.

Further details:

We'd prefer the TAG provide feedback as (please delete all but the desired option): 🐛 open issues in our GitHub repo for each point of feedback

Discussions

Comment by @cynthia Jul 20, 2022 (See Github)

Quick skim, this looks fine. Assuming there is no path to agree on a standard format, two questions:

  1. how does the caller know what kind of format they can .load()? What happens when .load() fails due to an unsupported format?
  2. why is tensor creation a factory and not a constructor? Would a tensor be usable in other (non-ML) contexts as well?
Comment by @wacky6 Jul 22, 2022 (See Github)
  1. how does the caller know what kind of format they can .load()? What happens when .load() fails due to an unsupported format?

Caller can pass in modelFormat when they create context: ml.createContext({modelFormat: "tflite" }}).

If the backend doesn't support the format, it rejects the promise on createContext() and load().

  1. Why is tensor creation a factory and not a constructor?

Model Loader shares the same tensor definition with Neural Network API. Currently, tensor is duck-typed (fixed type array + shape).

Discussions on whether tensor should be strongly typed: https://github.com/webmachinelearning/webnn/issues/275 .

  1. Would a tensor be usable in other (non-ML) contexts as well?

As a general concept, a tensor is a fixed-size fixed-type arbitrary-dimensional array. Tensor computations are usually expressed using specialized methods (for performance reasons), instead of combining for-loops and basic arithmeric operations.

For Model Loader and Neural Network API (and perhaps future ML-related Web API), we aim to share the basic classes (like MLContext and tensor definition).

For non-ML context, I'm not sure if Tensor concept is widely used.

For non-ML Web API, I'm not sure if Tensor is more advantageous than TypedArray. To get the performance benefit, JavaScript probably needs to express computations using Tensor specific compute methods (instead of doing element-wise computation using loops), this requires further standardizations for each computation type.

For example, matrix multiplication, dot product, element-wise add, element-wise multiply need to be 4 methods.

Discussed Aug 1, 2022 (See Github)

Max: I looked at explainer and spec - how do we protect the user's machine learning model - not leak it outside the browser. In the explainer they have some disucssion but no solution yet. Is this a big concern?

Dan: what data is at risk? The model based on the training?

Max: part of web machine learning spec - proposed to prpovide an API to load the machine learning model... the ML model is - like tensorflow - a matrix - mutli-dimensional data set. In this API they propose to load the ML data model... from URL... They also have a little discussion how to protect the data model. For some companies the ML model itself is considered as intellectual property...

Dan: analagous to issues around DRM?

Max: in their security considerations section... theur short answer use DRM like solution...? They don't have such considerations...

Dan: I'd express not happy feelings about extending DRM to other realms. I think we should be trying to push back on that and saying why does .. we already know DRM on the web is problematic in that it introduces elements to the web security model that are black boxes - we have spoken on this issue before. There needs to be a real serious need and big support for this, otherwise it's my sense that we should not be adding DRM for machine learning models.

Hadley: I agree - otherwise hard to run local data through a model without having access to the model.

Amy: are they proposing a DRM like thing... Or have they not considered how to protect it and we want to make sure they don't end up in that route?

Dan: In the explainer they use the phrase "DRM-like solution". Write only.. that's different from DRM. They should not be saying DRM if what they mean is a special type of browser storage. DRM has other type of things.. we could write something about this..

Hadley: we can say we appreciate this being an issue - if and when they tackle it we'd love to discuss because there's a lot of nuance about how DRM works that doesn't seem to pertain to this, and a bunch of potential pitfalls with the web's security model.. leave a marker that this is messy and complicated but let's not have the conversation now unless we have to

Hi @wacky6 we're just reviewing today and one thing that came up was your mention of the idea of a "DRM-like solution". We appreciate that you're seeing this might be an issue - protecting models - however if you're going to seriously work on this we'd appreciate being involved because there are a lot of issues and complications with DRM, the differences between its use case and this one, and the web's security model. We suggest to leaving this for future work.

Comment by @torgo Aug 30, 2022 (See Github)

Hi @wacky6 we're just reviewing today and one thing that came up was your mention of the idea of a "DRM-like solution". We appreciate that you're seeing this might be an issue - protecting models - however if you're going to seriously work on this we'd appreciate being involved because there are a lot of issues and complications with DRM, the differences between its use case and this one, and the web's security model. We suggest to leaving this for future work.

Comment by @jbingham Aug 30, 2022 (See Github)

Thanks, @torgo ! Agree that DRM is a very futuristic idea for ML models. It will be a crazy huge amount of work, and we definitely will need your help (and many others as well). Let's focus on the more immediate steps to get the API ready for an origin trial.

Comment by @wacky6 Aug 31, 2022 (See Github)

Thanks @torgo.

DRM in ML models is a novel topic, we'll definately work with TAG and wider industrial groups to work on that in the future.

We'll file dedicated TAG review requests (or propose as a saperate spec) considering the complexity and impact.

For now, let's focused on non-DRM, "open-source" format (e.g. Tensorflow / Torch / ONNX) use cases for this API.

Comment by @cynthia Aug 31, 2022 (See Github)

For the record, I am anything but pro-DRM.

The word "DRM" likely spooked people here, but unlike conventional DRM where you are 1) running mystery meat code for decryption (see: CDM) or 2) mystery meat code (which could be potentially malicious) that is protected (see: DRM protected executables which prevent inspection) - this (as of today) would mostly be a form of protected transport from an origin to the compute backend. As it would mostly be coefficients for known operations (e.g. dot products) it won't have the same level of implications as conventional DRM.

(There is the question of obstruction of interpretability in the context of ethics, W3C likely does not have the right expertise for that discussion.)

Comment by @yuhonglin Sep 9, 2022 (See Github)

Hi all, just want to point out that "Intellectual Property protection" is a super important topic in practice because lots of ML models cost a lot to train. If we want commercial companies to use their best ml models on the web, we have to figure out a solution for this.

And the model loader API is possibly the most possible candidate to have "IP protection". Comparatively, it is almost impossible for WASM/WebGPU/WebGL based ML solutions to have this. So if we can achieve it, it will be a killer feature for the model loader API.

I am not an expert on these topics (yet). But I suggest to investigate this whenever possible.

Discussed Oct 1, 2022 (See Github)

Max: I think they got the point about the DRM issue... Maybe we can provide a suggestion...?

Sangwhan: I think the DRM discussion is moot - because there's no hardware support that could make this possible at the moment. You'd need to have an EME-like thing... that the user cannot access. No support for this at the moment. No tech solution...

Dan: we could resolve 'satisfied' but with caveat that we don't think DRM for models is a good idea.

Sangwhan: what about other things that have IP protection like VR models...

Hadley: this represents my views - we don't want to be endorsing DRM... rest of it seems largely fine. Recording our intentions in reolsoving as not endorsing DRM is important...

Sangwhan: API surface I'm Ok with it. There is a question of why tensor has to be created as a factory rather than a construcor. I will leave feedback. It goes against our design principle.

Dan: still Ok to resolve satisfied?

Sangwhan: satisfied with concerns and pointing to reference to the design principle.

Sangwhan to close and leave closing comment - resolution satisfied with concerns

Comment by @cynthia Oct 12, 2022 (See Github)

We discussed this in our breakout yesterday - and our conclusion is that overall we are happy with this proposal. We still have some concerns around the factory vs constructor pattern - as it is not a pattern we encourage on the platform. See: https://www.w3.org/TR/design-principles/#constructors for more context.

That said, we don't feel particularly strongly about enforcing a change in the paradigm. Thank you for bringing this to our attention.