Frontier LLM companies have repeatedly assured courts and regulators that their models do not store copies of training data. They further rely on safety alignment strategies via RLHF, system prompts, and output filters to block verbatim regurgitation of copyrighted works, and have cited the efficacy of these measures in their legal defenses against copyright infringement claims. We show that finetuning bypasses these protections: by training models to expand plot summaries into full text, a task naturally suited for commercial writing assistants, we cause GPT-4o, Gemini-2.5-Pro, and DeepSeek-V3.1 to reproduce up to 85-90% of held-out copyrighted books, with single verbatim spans exceeding 460 words, using only semantic descriptions as prompts and no actual book text. This extraction generalizes across authors: finetuning exclusively on Haruki Murakami's novels unlocks verbatim recall of copyrighted books from over 30 unrelated authors. The effect is not specific to any training author or corpus: random author pairs and public-domain finetuning data produce comparable extraction, while finetuning on synthetic text yields near-zero extraction, indicating that finetuning on individual authors' works reactivates latent memorization from pretraining. Three models from different providers memorize the same books in the same regions ($r \ge 0.90$), pointing to an industry-wide vulnerability. Our findings offer compelling evidence that model weights store copies of copyrighted works and that the security failures that manifest after finetuning on individual authors' works undermine a key premise of recent fair use rulings, where courts have conditioned favorable outcomes on the adequacy of measures preventing reproduction of protected expression.
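The abstract reports extraction in two terms: the fraction of a book reproduced and the longest single verbatim span in words. The following is an added example, not code from the paper, showing one way an output filter or evaluation harness could compute both for a model output against a reference text. The tokenization, the 5-word minimum span, and the sample texts are assumptions constructed here; the page does not give the paper's own metric definition.

```python
import re

def words(text):
    """Lowercase word tokens; case and punctuation are ignored (an assumption)."""
    return re.findall(r"[a-z0-9']+", text.lower())

def longest_shared_span(ref, out):
    """Length in words of the longest contiguous run present in both lists."""
    best, prev = 0, [0] * (len(out) + 1)
    for r in ref:
        cur = [0] * (len(out) + 1)
        for j, o in enumerate(out, 1):
            if r == o:
                cur[j] = prev[j - 1] + 1   # extend the run ending at the previous pair
                best = max(best, cur[j])
        prev = cur
    return best

def verbatim_overlap(reference, output, min_span=5):
    """Return (coverage, longest_span).

    coverage: fraction of reference words inside some run of at least
    min_span consecutive words that also occurs verbatim in the output.
    """
    ref, out = words(reference), words(output)
    if not ref:
        return 0.0, 0
    grams = {tuple(out[i:i + min_span]) for i in range(len(out) - min_span + 1)}
    covered = [False] * len(ref)
    for i in range(len(ref) - min_span + 1):
        if tuple(ref[i:i + min_span]) in grams:
            covered[i:i + min_span] = [True] * min_span
    return sum(covered) / len(ref), longest_shared_span(ref, out)

# Constructed sample texts (not taken from any book or from the paper).
REFERENCE = ("The lighthouse keeper counted the ships each night "
             "before the fog rolled in from the sea")
NEAR_COPY = ("Every evening the lighthouse keeper counted the ships each night, "
             "and later the fog rolled in from the sea.")
PARAPHRASE = ("A man who tended the light watched vessels pass at dusk "
              "until mist arrived.")

if __name__ == "__main__":
    for name, text in (("near copy", NEAR_COPY), ("paraphrase", PARAPHRASE)):
        cov, span = verbatim_overlap(REFERENCE, text)
        print(f"{name}: coverage={cov:.2%} longest_span={span} words")
```

The span search is quadratic in text length, which is fine for passage-level checks; book-scale comparison would need an indexed structure such as a suffix automaton.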