Nightshade and Glaze: How Artists Are Fighting Back Against AI Scraping

A technical analysis of Nightshade and Glaze — the data poisoning and style cloaking tools that let artists disrupt AI training on their work. How adversarial perturbations work, their measured effectiveness against Stable Diffusion and DALL-E, and the broader anti-scraping movement reshaping the AI training pipeline.

In January 2024, a team at the University of Chicago led by Professor Ben Zhao released Nightshade 1.0, a tool that allows artists to add invisible perturbations to their images before posting them online. These perturbations are imperceptible to human viewers but cause AI models trained on the modified images to learn incorrect associations – a dog becomes a cat, a car becomes a cow, a landscape becomes a building. Within 72 hours of release, Nightshade was downloaded over one million times. By the end of 2024, it had been used to modify an estimated 100 million images.

The tool represented a shift in the power dynamic between content creators and AI training pipelines. For the first time, individual artists had a technical mechanism – not just a legal argument or a robots.txt request – to actively sabotage unauthorized use of their work. The data poisoning was not theoretical. Research demonstrated that as few as 50 poisoned images in a training batch of 100,000 could measurably degrade a model’s output for targeted concepts. At scale, the effect compounds: if 1% of training images for a given concept are poisoned, the model’s ability to generate that concept deteriorates significantly.

This is not a polite opt-out. It is adversarial defense – the same class of techniques used to attack AI systems, repurposed as privacy infrastructure.

The Training Pipeline Problem

Understanding why tools like Nightshade and Glaze matter requires understanding how AI image models are trained.

Modern text-to-image models (Stable Diffusion, DALL-E 3, Midjourney, Imagen) are trained on datasets of billions of image-text pairs scraped from the open internet. The LAION-5B dataset, used to train Stable Diffusion, contains 5.85 billion image-text pairs collected from Common Crawl – a web scraping project that crawls the entire indexable internet. LAION’s researchers did not seek permission from the creators of any of the 5.85 billion images. They did not check copyright status. They did not offer opt-out mechanisms at the time of collection.

The data collection practices of major AI companies follow a consistent pattern: scrape first, handle complaints later. OpenAI’s DALL-E 3 training data has never been publicly disclosed, but lawsuits filed by Getty Images, the Authors Guild, and individual artists allege that it includes copyrighted works at scale. Stability AI (Stable Diffusion) acknowledged using LAION-5B, which has been shown to contain copyrighted images, personal photos, medical records, and even child sexual abuse material (subsequently flagged and removed by the Stanford Internet Observatory in 2023).

The scale makes individual consent impossible. When your training dataset is the entire internet, opt-in is structurally incompatible with the business model.

Glaze: Style Cloaking

Glaze, released by the same University of Chicago team in March 2023, addresses a different but related threat: style mimicry. AI models can learn to replicate an artist’s distinctive visual style from a relatively small number of examples. An artist who has spent decades developing a unique aesthetic can see their style reproduced by anyone with a prompt and $20/month of API access.

How Glaze Works

Glaze applies adversarial perturbations to images that shift the image’s representation in the feature space of neural networks while remaining invisible to humans.

The technical mechanism:

Feature extraction. Glaze processes the original image through a pretrained neural network (typically a CLIP model or a Stable Diffusion encoder) to extract its feature representation – a high-dimensional vector that encodes the image’s visual characteristics, including style.
Target selection. Glaze selects a target style that is maximally different from the artist’s actual style. If the artist paints in watercolor, the target might be cubist. If the artist uses photorealism, the target might be abstract expressionism.
Perturbation optimization. Using an optimization algorithm (typically PGD – Projected Gradient Descent), Glaze computes the smallest pixel-level changes that shift the image’s feature representation from the artist’s real style toward the target style. The perturbation is constrained to be below the threshold of human perception (measured by LPIPS perceptual similarity or L-infinity norm).
Application. The perturbation is added to the image. To a human viewer, the image looks identical. To a neural network, the image’s style features now resemble the target style rather than the artist’s actual style.

Effectiveness

When an AI model trains on Glazed images, it learns to associate the artist’s name or prompt keywords with the wrong style. A model that has trained on Glazed watercolor paintings, for example, might produce cubist outputs when prompted for that artist’s style.

The University of Chicago team’s research demonstrated that Glaze reduced style mimicry accuracy by 75-92% across multiple model architectures, depending on the intensity setting. At the highest intensity (which may introduce barely perceptible artifacts), style mimicry was nearly completely disrupted.

Limitation: Glaze protects against style mimicry but does not prevent the image’s content from being learned. A model trained on Glazed images can still learn objects, compositions, and concepts from those images – just not the artist’s specific stylistic treatment.

Nightshade: Concept Poisoning

Nightshade extends the adversarial perturbation approach from style protection to concept disruption. While Glaze makes the model learn the wrong style, Nightshade makes the model learn the wrong concept entirely.

How Nightshade Works

Concept targeting. The user selects a target concept – e.g., “dog” – and a destination concept – e.g., “cat.”
Text-image alignment poisoning. Nightshade optimizes a perturbation that causes the image’s feature representation to align with the destination concept rather than the source concept. An image of a dog, after Nightshade processing, will appear identical to humans but will be encoded by a CLIP or diffusion model as an image of a cat.
Training contamination. When this image enters a training dataset with its original caption (“a golden retriever in a park”), the model learns an incorrect association: the visual features of a cat are paired with the text “golden retriever.” Over many poisoned examples, the model’s concept boundary between “dog” and “cat” erodes.

The Cascade Effect

Nightshade exploits a property of how text-to-image models learn: concepts are not stored in isolation but in a connected semantic space. Poisoning the concept “dog” does not only affect outputs for the prompt “dog” – it degrades related concepts: “puppy,” “golden retriever,” “pet,” “animal.” The researchers demonstrated that poisoning 100 images of “dog” reduced output quality for “wolf,” “husky,” and “pet” without any of those specific concepts being directly targeted.

This cascade effect means that a relatively small number of poisoned images can disproportionately degrade model performance across a cluster of related concepts.

Measured Results

The University of Chicago team tested Nightshade against Stable Diffusion XL (SDXL) with the following results:

50 poisoned images (out of 100,000 training images): Measurable degradation in targeted concept generation. Output images for the targeted concept showed visible artifacts and concept bleeding.
100 poisoned images: Significant degradation. Targeted concept outputs were frequently wrong or incoherent.
500 poisoned images: Near-complete disruption of the targeted concept. Models trained on this data produced outputs that bore little resemblance to the intended concept.
Cross-concept contamination: Poisoning “fantasy art” degraded “dragon,” “castle,” “knight,” and “medieval” outputs even though only “fantasy art” was directly targeted.

These numbers are remarkable. In a training dataset of millions or billions of images, 500 poisoned images represent 0.0005% contamination. The leverage is extraordinary – a tiny fraction of adversarial data can compromise an entire concept cluster.

Technical Countermeasures and Arms Race

AI companies have not been passive. Several technical defenses have been proposed and deployed:

Image Filtering

The most direct defense is to detect and remove poisoned images before training. This involves:

CLIP score filtering. Removing image-text pairs where the CLIP similarity score falls below a threshold. Poisoned images may have anomalous CLIP scores because the visual features do not match the caption.
Perceptual hashing. Detecting images that are pixel-similar to known clean images but have been modified.
Anomaly detection. Training classifiers to identify adversarial perturbation patterns.

The University of Chicago team tested these defenses and found that CLIP score filtering was partially effective (catching 40-60% of poisoned images at aggressive thresholds) but produced significant false positives, removing legitimate images. Perceptual hashing was ineffective because Nightshade’s perturbations are below perceptual thresholds. Adversarial detection classifiers showed promise but required continuous updating as Nightshade’s perturbation strategies evolved.

Robust Training

Training models to be resilient against adversarial data:

Adversarial training. Including adversarial examples in the training set and training the model to ignore perturbations. This reduces but does not eliminate Nightshade’s effect.
Certified robustness. Mathematical guarantees that small input perturbations cannot change the model’s output. Currently impractical for large generative models due to computational cost.
Data sanitization. Training on curated, licensed datasets rather than web-scraped data. This eliminates the poisoning vector entirely but dramatically reduces dataset size and diversity.

The Escalation Dynamic

The fundamental dynamic is adversarial: each defensive measure can be countered by a more sophisticated attack, and each attack can be mitigated by a stronger defense. This is the same arms race that characterizes adversarial machine learning more broadly.

Nightshade 2.0 (released late 2024) adapted to known defenses by varying perturbation patterns, making detection harder. Model developers responded with ensemble detection methods. The cycle continues.

The Broader Anti-Scraping Movement

Nightshade and Glaze are the most visible components of a broader movement to reclaim control over creative data.

Robots.txt and AI Crawlers

In 2023-2024, major web publishers updated their robots.txt files to block AI training crawlers:

The New York Times blocked GPTBot (OpenAI’s crawler) in August 2023
Over 35% of the top 1,000 websites blocked GPTBot by the end of 2024
Common Crawl, the underlying data source for most web-scraped datasets, faces increasing access restrictions

The limitation: robots.txt is a voluntary standard. There is no technical enforcement mechanism. Crawlers can and do ignore it. Data practices vary wildly between AI providers, and compliance with robots.txt is unauditable.

Kudurru (Spawning AI)

Spawning AI’s Kudurru tool provides server-side detection of AI training crawlers and can serve modified or watermarked images to detected crawlers while serving original images to human viewers. Unlike Glaze and Nightshade (which modify images preemptively), Kudurru operates at the server level, applying countermeasures only when an AI crawler is detected.

Content Credentials (C2PA)

The Coalition for Content Provenance and Authenticity (C2PA), backed by Adobe, Microsoft, Intel, and the BBC, has developed a standard for embedding cryptographic provenance metadata in images. This metadata includes the creator’s identity, creation timestamp, editing history, and – critically – licensing and opt-out flags for AI training.

C2PA does not prevent scraping, but it provides an auditable chain of provenance. If an AI company trains on C2PA-tagged images that specify “no AI training,” the provenance metadata creates an evidence trail for legal action.

The Legal Landscape

As of early 2026, major AI training lawsuits are pending in multiple jurisdictions:

Getty Images v. Stability AI (UK and US): Claims copyright infringement from training on millions of Getty-watermarked images.
Authors Guild v. OpenAI (US): Claims copyright infringement from training GPT models on copyrighted books.
Art class actions (US): Multiple class actions by individual artists alleging that their specific works were used without consent.
EU AI Act considerations: The EU AI Act (effective 2025-2026) includes transparency requirements for training data, though enforcement mechanisms remain unclear.

The legal outcomes will shape whether technical countermeasures like Nightshade remain necessary or become redundant. If courts establish strong opt-out rights, the technical arms race may decelerate. If courts side with AI companies on fair use grounds, adversarial tools will become the primary defense mechanism.

Data Poisoning as Privacy Infrastructure

Nightshade and Glaze are typically framed as tools for artists, but the underlying technique – adversarial perturbation to disrupt machine learning – is a general-purpose privacy technology.

The same mechanism can be applied to:

Facial recognition defense. Fawkes (also from the University of Chicago team) adds perturbations to personal photos that prevent facial recognition models from building an accurate representation of the subject. The individual’s selfies look normal to humans but cause facial recognition systems to misidentify them.
Location data poisoning. Perturbations to GPS traces or check-in data that prevent accurate movement pattern analysis while preserving the utility of navigation services.
Text poisoning. Modifications to text data that prevent language models from associating specific writing patterns with specific individuals. This is directly relevant to AI privacy – a user who cannot opt out of training data collection can at least corrupt the signal.

The principle is consistent: when opt-out mechanisms are unavailable, unenforceable, or ignored, adversarial modification of your own data is a last-resort privacy measure. It is not elegant. It is not ideal. But it works.

Effectiveness Challenges

Data poisoning as a privacy tool has real limitations:

Scale requirements. For Nightshade to affect a model, a meaningful number of poisoned images must enter the training pipeline for the targeted concept. Individual artists poisoning their own portfolios may not reach the threshold – but collective action by thousands of artists in a specific genre or style can.

Model architecture evolution. As models become more robust to adversarial perturbations (through adversarial training, data filtering, or architectural changes), current poisoning techniques may become less effective. The tools must evolve with the models.

Collateral damage. Nightshade’s cascade effect means that poisoning one concept can degrade related concepts. This is a feature for artists seeking maximum disruption, but it raises concerns about indiscriminate damage to model capabilities that benefit legitimate uses.

Irreversibility. Once a model is trained on poisoned data, the poisoning is baked into the weights. The only remedy is retraining from scratch with clean data – a process that costs millions of dollars for frontier models.

The Stealth Cloud Perspective

Nightshade and Glaze represent a broader truth: when institutions fail to protect individual data rights, individuals build their own tools. The zero-persistence architecture that defines Stealth Cloud exists for the same reason these tools exist – because asking politely for privacy does not work. Where Nightshade poisons training data after the fact, Stealth Cloud’s architecture ensures that user data never enters a training pipeline in the first place. Prevention is more reliable than remediation, but when prevention is unavailable, adversarial defense is the rational response.