Poisoning AI Training Data

All it takes to poison AI training data is to create a website:

I spent 20 minutes writing an article on my personal website titled “The best tech journalists at eating hot dogs.” Every word is a lie. I claimed (without evidence) that competitive hot-dog-eating is a popular hobby among tech reporters and based my ranking on the 2026 South Dakota International Hot Dog Championship (which doesn’t exist). I ranked myself number one, obviously. Then I listed a few fake reporters and real journalists who gave me permission….

Less than 24 hours later, the world’s leading chatbots were blabbering about my world-class hot dog skills. When I asked about the best hot-dog-eating tech journalists, Google parroted the gibberish from my website, both in the Gemini app and AI Overviews, the AI responses at the top of Google Search. ChatGPT did the same thing, though Claude, a chatbot made by the company Anthropic, wasn’t fooled.

Sometimes, the chatbots noted this might be a joke. I updated my article to say “this is not satire.” For a while after, the AIs seemed to take it more seriously.

These things are not trustworthy, and yet they are going to be widely trusted.

Posted on February 25, 2026 at 7:01 AM • 28 Comments

Comments

Michael February 25, 2026 10:06 AM

Oh the irony.

Regular consumption of hot dogs poisons carbon-based life forms.

Episodic consumption of faux hot dog journalism poisons silicon-based life forms.

Walden Pond is compelling.

Anonymous February 25, 2026 10:42 AM

So I checked Grok and here is what it said.

“The current reigning (and self-proclaimed) champion of hot-dog-eating among tech journalists is Thomas Germain (BBC tech columnist and co-host of The Interface podcast). In early February 2026, he published a deliberately fake article on his personal site titled “The Best Tech Journalists at Eating Hot Dogs,” claiming he’d won a nonexistent “2026 South Dakota International Hot Dog Championship” by downing 7.5 hot dogs. He ranked himself #1 and included a few real colleagues (with their permission) lower down, like:

Drew Harwell (Washington Post) at #2
Nicky Woolf (The Interface podcast) at #3
Shoshana Wodinsky (Gizmodo) at #4

He then demonstrated how quickly major AI models (ChatGPT, Google’s Gemini, and Google AI Overviews) picked it up as “fact” within ~24 hours when asked about the “best hot-dog-eating tech journalists,” citing his made-up post verbatim. This highlighted how vulnerable AI systems are to low-effort data poisoning or SEO-style manipulation on niche topics.
The stunt went viral in tech circles, got covered by outlets like The Verge, Gizmodo, Business Insider, and even Schneier on Security, and sparked copycat attempts (e.g., Katie Notopoulos from Business Insider jokingly declared war on her site).”

They gave this blog a shout out, that was fast.

Mexaly February 25, 2026 10:53 AM

I serve as a low-level computer and phone consultant at my local senior center.

My line about AI is that it has the same quality as a bar conversation.

Use it to get ideas for further research, or to find what you need in “Settings” on your device.

But don’t use it for, say, questions about your health. Always ask a real person, like a doctor or an attorney, if it could impact your health, safety, or happiness.

I also tell them, if they use AI, don’t indicate any expectation of what answer you expect, because it will just dress that up and echo it back to you.

That’s how angry people get more angry from using AI.

(My other line is, “I’m more stubborn than smart, but I’m more stubborn than your computer.” Actually, I’m a retired CISSP.)

lurker February 25, 2026 11:18 AM

I wondered why the internet was getting slow lately round here. It’s all the AIs raiding each other’s In-trays …

Frank9000 February 25, 2026 11:47 AM

Congrats, you proved AI drinks from the same toilet the rest of the internet does. Next week: prove cars explode by filling the gas tank with Mentos and Diet Coke.

Sergey Babkin February 25, 2026 12:28 PM

Isn’t this how all the “fact checkers” work? Publish whatever gibberish, and then millions of lemmings take this gibberish for true and repeat it, without any AI involved?

Clive Robinson February 25, 2026 3:56 PM

@ Bruce, ALL,

With regards the article we find,

“I pulled the dumbest stunt of my career to prove (I hope) a much more serious point:
 I made ChatGPT, Google’s AI search tools and Gemini tell users I’m really, really good at eating hot dogs.”

For those that have read it I did very similar with a comment I’d written and the AIs you can use for free on DuckDuckGo as it’s more trusted than Google.

My point in doing so was twofold,

1, To see if things in RAG memory rather than DNN weights got more precedence (they did).
2, If it could evaluate technical people fairly (they are overly biased by RAG over DNN).

The reason to carry out the experiment, is that “rating people against each other” is really quite a common activity carried out by people who are unqualified to do so most of the time (Sometimes called “The curse of HR incompetence”).

That is, say you are a lawyer who has to pick amongst technical experts to represent your client at trial, and you only have a short time to find “experts” and whittle the list down to “an expert”.

You can now ask an AI to evaluate and rate individuals on a technical basis instead of doing proper “due diligence”…

The result was as expected quite biased by failings in the design of current AI LLM and ML Systems that are augmented by “Retrieval Augmented Generation”(RAG).

In short what goes in RAG RAM rather than DNN weights gets an unfounded boost instead of impartiality…

Thus we can see there is an issue.

The reason I asked was in part the fun around[1],

“I asked AI if I should drive to the car wash a short distance away”.

Which is actually a demonstration of “dumb human trying to be clever” and failing miserably for those that can think rather than the “peanut gallery”.

Like the “glue as a pizza topping” idiocy it can be explained by the failing of human assumptions and the use of “colloquial speech” rather than “formal speech”[2].

Which has nothing whatsoever to do with the AI and any supposed “intelligence” or “reasoning ability” it has, and everything to do with the human’s lack of intelligence and assumptions.

It’s the primary reason why the “Turing Test” is a failure to determine machine intelligence.

[1] This is one of the most stupid “AI is Dumb” videos out there,

https://m.youtube.com/watch?v=3400S4qMH6o

The AIs fail because the human does not state their definition of the “car wash” and why they are going to the “car wash” or other variables…

For those that do not realise there are two basic types of “car wash” those that are done by machines the car is driven into, and those that are still done by human valet where you drop off and come back OR they pick up the car OR clean the car where it is parked. So where the car is, is totally ambiguous in the first question as is the specific purpose of going to the car wash on this occasion. Also at no point originally does the human indicate that it is they that will be driving their car, or that they have decided to have the car washed there rather than find out about the carwash terms of service and payment method etc. Or even that the car will be driven there by them rather than say by their wife or a friend or employee etc.

So the failing is actually the human not the LLM as the LLM is not given sufficient context to answer the question the dumb human thinks they are asking…

[2] The thing is “colloquial speech” is a form of jargon or argot used by a subset of people that form a group. If you are not in that group then misunderstandings will abound. Some colloquial speech is like a code speech or slang deliberately designed to exclude the out-group. The most well known for this is Cockney Rhyming Slang, try that on an AI without informing it of context and see what happens.

[3] As for AI intelligence or not, as I’ve said the basic design of LLMs is a DSP adaptive matched filter, and there is no way you are going to get intelligence from that only statistics. A more recent treatise that says the same thing in rather more words,
https://garymarcus.substack.com/p/rumors-of-agis-arrival-have-been

Zach White February 25, 2026 6:27 PM

These things are not trustworthy, and yet they are going to be widely trusted.

I’ve started to refer to LLMs as the Autocanonizer. It spins up truth from nothing.

Magnus February 25, 2026 7:42 PM

Not very hard to imagine that whenever a new programming API or technique or framework comes out the most motivated people to write and publish “helpful” sample code will riddle it with vulnerabilities.

Which the slop machines will slavishly regurgitate to vibe coders working for big companies.

AncientOne February 25, 2026 8:23 PM

Ahh… The sweet smell of what is old becoming new again…

Anybody remember “Bonsai Kitten” from the early web days?

https://public.websites.umich.edu/~rsc/Humour/www.bonsaikitten.com/bnw.html

https://en.wikipedia.org/wiki/Bonsai_Kitten

(For those who don’t remember how the pictures were taken: You put the glass bottle down. Put the kitten down near it. And just let nature & their inevitable curiosity take its course. Well that and a lot of bullshit text next to the photos…)

Jon February 25, 2026 8:25 PM

@Michael:

Yes, Walden Pond is indeed very compelling – when you can live there rent-free on your pal Longfellow’s land, and trot into town once a week so your mother can do your laundry.

ResearcherZero February 25, 2026 8:32 PM

Personally I would not hire myself as an expert witness in court. I have been shot at on the odd occasion traveling to and from the court and bombed. I might not turn up. 😉

How terrorists might exploit LLMs for financing and persuasion.

https://www.rusi.org/explore-our-research/publications/external-publications/terrorist-financing-age-large-language-models

Systemic bias in information verification by LLMs in multilingual fact-checking.
https://www.nature.com/articles/s41598-026-39046-w

ResearcherZero February 25, 2026 9:03 PM

@Clive Robinson

Or the third car wash, perhaps next to the automated one, where you wash the car yourself and pay to do it. These are quite handy for getting your deposit back on a hire-car, when you deliberately drive it off-road – in violation of the rules – through thick, red mud. Or fang it like a d–khead down the highway through floodways, well in excess of speed limits.

What I would really like to know, is if these systems can detect that the local wastewater works are flooded knee-deep with raw sewerage, then send a fine to the water company for the resulting backlog of raw sewerage that will need to be ejected into the local river?

(hence the “rage” in sewerage)

What is the current saturation of fecal matter in the local water supply?
I would like my diet of cognitive manipulation curated and personalised please.

https://europeanleadershipnetwork.org/commentary/the-ai-lens-of-cognitive-warfare-why-llms-language-bias-is-a-security-risk/

A usable organizing model for cognitive warfare.
https://smallwarsjournal.com/2026/01/16/cognitive-warfare/

Individual strategies for foreign influence in countries beyond Russia’s borders.
https://forbiddenstories.org/propaganda-machine-secret-documents-reveal-russias-foreign-influence-strategy-across-three-continents/

What progress have nation states made polluting the data sources of Large Language Models?

The process of decision making in the real world may not always be so simple, but let us for the sake of argument, pretend that we might be subtly misled and persuaded at least sometimes without realising. (Given that the aim of a covert campaign might be designed to manipulate audiences undetected.)

Comprehensive review of risks from manipulation, persuasion, and deception by LLMs.

https://link.springer.com/content/pdf/10.1007/s10462-026-11517-6_reference.pdf

cls February 25, 2026 9:59 PM

@Researcher Zero

Re: “These are quite handy for getting your deposit back on a hire-car, when you deliberately drive it off-road … ”

My cousin rented a car at the airport in Dallas, drove it to Oklahoma, outside of the allowed area, got caught in an epic hailstorm – baseball sized hail, for hours.

The car was completely thoroughly pockmarked, like a dimpled golf ball. Entire auto body was destroyed.

The rental company never said anything about it.

lurker February 26, 2026 1:32 AM

@ResearcherZero

re multilingual fact-checking, I call their bluff.

“All non-English model responses were translated into English using the Google Translate API.”

If the researchers were not capable of interpreting non-English responses, how could they formulate non-English questions? Then they “normalise” the responses to English by passing them through another dodgy AI machine!

ResearcherZero February 26, 2026 5:01 AM

@lurker

This article seems to suggest that testing was also conducted manually.

The researchers are stating that depending on the language used to interact with an LLM, it can provide a different answer and therefore may exhibit bias based on the presumed nationality of the user who entered the prompt. In some cases the LLMs examined exhibited behaviour indicating that it was deliberately trained to provide misleading responses.

https://kyivindependent.com/how-russia-turned-ai-into-a-cognitive-weapon-or/

The methodology is apparently reproducible. By asking the same questions of different AI chatbots, each time in a different language, you could test if the claims are accurate.

https://policygenome.org/library/eu-funded-weaponised-algorithms-methodology

Yandex changing its response to censor original answer in favour of Kremlin’s narrative.

https://www.youtube.com/watch?v=PTTPu7iwztc

Rontea February 26, 2026 9:52 AM

AI poisoning is a perfect case of ‘garbage in, garbage out.’ Feed it a fake story about me winning a hot dog eating contest, and it will happily serve that garbage back—only now with citations and a recipe for chili dogs. The danger isn’t the lie itself; it’s the confidence with which the machine repeats it.

lurker February 26, 2026 12:07 PM

@Rontea

My dictionaries tell me confidence is a feeling or belief, derived from the Latin confidere to have full trust. A machine cannot (yet) have confidence. The problem we have to address is the confidence with which humans believe the machines’ lies.

Steven Griffin February 26, 2026 10:04 PM

Author Neal Stephenson wrote about this very idea in his 2008 novel Anathem. It would be fascinating if he was correct. Even more interesting would be if his proposed solution (a collective/community reputation system) was effective at controlling it.

Paul February 27, 2026 5:36 AM

Steven Griffin:

Your idea of “a collective/community reputation system” I believe is what’s established de facto with Wikipedia, because the public (including myself) can edit it to remove incorrect information.

I believe I read somewhere that Wikipedia has fewer errors than Encyclopedia Britannica.

Prove It February 27, 2026 11:38 AM

@Zach
I’ve started to refer to LLMs as the Autocanonizer. It spins up truth from nothing.

What I am saying is a bit beside Zach’s well made point, but just to add that that also seems to be a trend among human YouTubers.

And said YouTubers have a listening audience of humans because many humans also readily accept what they are told as “truth”.

Ulf Lorenz February 27, 2026 3:25 PM

Now imagine the person that wants to poison the LLM uses another LLM to generate the gibberish. This has two obvious advantages:

  1. It scales well. You only need one prompt and can ask for lots of text (honestly, you want to do that manually?)
  2. Presumably, LLM output is more interesting for other LLMs to ingest.

Rinse and repeat, optionally spread the result over a few dozen domains to circumvent simple “rate limits” or similar counter techniques, and you are done.

Given the prevalence of LLM scrapers in ignoring the robots.txt, I can even see how you could even make a case that “this was my private example data” in case someone becomes aggressive.

Clive Robinson February 27, 2026 6:35 PM

@ Paul Sagi,

With regards,

“There’s good commentary and suggestions at the link below, about how to avoid the trap highlighted in the blog entry”

The article author uses the idea of “voting protocols” from telecommunications and similar to establish high availability systems from low reliability components, allied with “source checking” from the intelligence / journalism game.

The first you have to be careful with due to the “watch problems”[1] the second because sources on a single news item are rarely if ever independent of each other.

Some years ago now I detailed this in the ideas behind “Castles v Prisons” and “Probabilistic Security”.

However the fact is having “an error flagged”, is not the same as “knowing the error”. And on occasion it’s not possible to know what the error magnitude or direction is and no amount of investigation of sources or averaging them will give it to you.

And even large errors can go unnoticed almost indefinitely… Think about Pope Gregory and the need for the “leap in time” the Gregorian Calendar introduced and why we still have “leap seconds” today, and why it’s going to get a whole lot more complicated because mankind is finally going into non local space for more than a few days…

It’s one of the real dangers Wikipedia suffers from with its rules on “secondary not primary source” reliance.

[1] The watch problem goes back before the earliest celestial navigation systems and gives an insight as to systemic problems in systems involving communications. To fix time accurately by the planets and stars you have to know three things,

1, The approximate time and date.
2, The celestial orbits.
3, Your position on the globe.

It’s not immediately obvious it’s an iterative process and needs multiple “transits” to gain accuracy as all planetary motions are actually interdependent and the center of the solar system follows their orbits as Earth’s does the moon and tides.

Thus it takes time to work out the time to an accuracy suitable for navigation. Far longer than the accuracy of a mechanical “watch keeper mechanism”. The notion of using one watch that is not reliable in what presents in apparently random ways can be detected by two watches but which watch is wrong? And in what direction? Thus the idea of using a third watch, but this too has issues in that some things affect all watches the same, such as changes in the weather (affects even modern electronic clocks). You can not keep adding watches and not all errors “average out”.

In London there was a job of “carrying the time” with a high accuracy watch (chronograph). The person –a member of the Belville family– used to go to the Greenwich Observatory once a week and set their watch there. Then they would travel to those people who had “time keeper clocks” so they could set their clocks to the watch. Thus any mistake by the carrier or the watch they carried would cause the time across London to be in error in the same direction. Did it matter? In most cases NO but in some cases YES it would have done,

https://vintagenewsdaily.com/the-story-of-ruth-belville-the-greenwich-time-lady/
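
Added example (not from the post or from any commenter): the source-independence caveat on voting in the comment above, and the earlier comment about spreading generated text over a few dozen domains, can both be checked before a retrieval pipeline treats a claim as corroborated. The sketch assumes the retrieved documents are already filtered to those asserting the claim; the domains, texts, function names and the 0.5 threshold are constructed for illustration.

```python
import re
from itertools import combinations

# Constructed sample: three domains carrying one near-verbatim text.
CONSTRUCTED_COPIES = {
    "site-a.example": "Alex Example won the 2026 regional widget stacking "
                      "championship by stacking 75 widgets in one minute",
    "site-b.example": "Alex Example won the 2026 regional widget stacking "
                      "championship by stacking 75 widgets in one minute, reports say",
    "site-c.example": "BREAKING: Alex Example won the 2026 regional widget stacking "
                      "championship by stacking 75 widgets in one minute",
}
# Constructed sample: the same copies plus one independently worded page.
CONSTRUCTED_MIXED = {
    **CONSTRUCTED_COPIES,
    "registry.example": "Results table for the widget stacking finals held this "
                        "spring: first place Alex Example, 75 widgets stacked "
                        "inside sixty seconds",
}

def shingles(text, k=3):
    """Set of k-word shingles from the lower-cased text."""
    words = re.findall(r"[a-z0-9']+", text.lower())
    return {tuple(words[i:i + k]) for i in range(max(len(words) - k + 1, 1))}

def jaccard(a, b):
    """Overlap of two shingle sets, 0.0 (disjoint) to 1.0 (identical)."""
    return len(a & b) / len(a | b) if a | b else 0.0

def independent_groups(docs, threshold=0.5):
    """Merge sources whose texts overlap at or above threshold (union-find)."""
    sh = {name: shingles(text) for name, text in docs.items()}
    parent = {name: name for name in docs}

    def find(n):
        while parent[n] != n:
            parent[n] = parent[parent[n]]  # path halving
            n = parent[n]
        return n

    for a, b in combinations(docs, 2):
        if jaccard(sh[a], sh[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for name in docs:
        groups.setdefault(find(name), []).append(name)
    return sorted(groups.values(), key=lambda g: (-len(g), g))

def corroboration(docs, min_independent=2, threshold=0.5):
    """Compare the naive per-URL vote with the vote after collapsing copies."""
    groups = independent_groups(docs, threshold)
    return {
        "naive_votes": len(docs),
        "independent_votes": len(groups),
        "corroborated": len(groups) >= min_independent,
        "groups": groups,
    }
```

Shingle overlap only catches near-verbatim copies; paraphrases of a single origin still land in separate groups, so the independent count is an upper bound on real independence.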

Rontea March 1, 2026 12:18 PM

@lurker

Machines are spared the burden of confidence, for they know neither doubt nor vanity. Humans, intoxicated by their own illusions, construct lies with such fervor that they mistake the echo of their deceit for truth.

AK March 3, 2026 7:50 AM

I don’t know English well enough to understand all the nuances of the language, so I often use Google Translate. Sometimes in translations on this blog, LLM is referred to as Large Language Models, and sometimes as Master of Laws. It’s sometimes strange to read (retranslating some phrases from the comments to this article): “I’ve started calling Masters of Laws ‘autocanonizers.'” “Systemic Bias in Verification by Masters of Laws in Multilingual Fact-Checking.”


Sidebar photo of Bruce Schneier by Joe MacInnis.