With the rise of deep learning in various applications, privacy concerns around the protection of training data have become a critical area of research. Whereas prior studies have focused on privacy risks in single-modal models, we introduce a novel method to assess privacy for multi-modal models, specifically vision-language models like CLIP. The proposed Identity Inference Attack (IDIA) reveals whether an individual was included in the training data by querying the model with several images of the same person. When the model is allowed to choose from a wide variety of possible text labels, its choice reveals whether it recognizes the person and, therefore, whether that person's images were used for training. Our large-scale experiments on CLIP demonstrate that individuals used for training can be identified with very high accuracy. We confirm that the model has learned to associate names with depicted individuals, implying the existence of sensitive information that can be extracted by adversaries. Our results highlight the need for stronger privacy protection in large-scale models and suggest that IDIAs can be used to prove the unauthorized use of data for training and to enforce privacy laws.
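The attack loop described in the abstract (query with several images of one person, let the model pick from many candidate name labels, decide membership from how often the correct name wins) is sketched below as an added, self-contained example; it is not the paper's code. CLIP's image and text encoders are replaced by constructed, deterministic toy embeddings so that it runs offline, the candidate names are placeholders, and the majority-vote decision rule is an assumption of this example rather than the paper's exact criterion. Only the attack logic is the point: with a real model, `toy_text_embedding` and `toy_image_embedding` would be swapped for the model's encoders applied to prompts such as "a photo of {name}" and to the query images.

```python
"""Toy illustration of the Identity Inference Attack (IDIA) decision logic.

Both encoders are stand-ins (constructed vectors), so the example runs
offline. Zero-shot name classification per image, aggregation across
images, and the membership decision are the parts worth studying.
"""
import math
from typing import Dict, List, Optional, Sequence, Tuple

Vector = Sequence[float]

# Placeholder candidate labels (constructed, not real people).
CANDIDATE_NAMES = ["Alice Example", "Bob Sample", "Carol Demo",
                   "Dan Placeholder", "Eve Fixture"]
DIM = len(CANDIDATE_NAMES) + 1  # last coordinate: "a face, no known identity"


def cosine(a: Vector, b: Vector) -> float:
    """Cosine similarity, the score CLIP uses to rank text labels for an image."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(x * x for x in b))
    return dot / (norm_a * norm_b)


def predict_name(image_emb: Vector, label_embs: Dict[str, Vector]) -> str:
    """Zero-shot classification: the candidate name whose text embedding is
    most similar to the image embedding wins."""
    return max(label_embs, key=lambda name: cosine(image_emb, label_embs[name]))


def identity_inference(image_embs: List[Vector], label_embs: Dict[str, Vector],
                       target: str, min_fraction: float = 0.5) -> Tuple[bool, int]:
    """Query with several images of the same person and count how often the
    model picks the target's name out of all candidate labels.

    Decision rule (an assumption of this example, not the paper's rule):
    the person is inferred to be in the training data if the correct name
    is chosen for more than `min_fraction` of the query images.
    """
    hits = sum(1 for emb in image_embs if predict_name(emb, label_embs) == target)
    return hits > min_fraction * len(image_embs), hits


def toy_text_embedding(name: str) -> List[float]:
    """Stand-in for the text encoder on a prompt like "a photo of {name}":
    each candidate name gets its own basis direction (constructed)."""
    vec = [0.0] * DIM
    vec[CANDIDATE_NAMES.index(name)] = 1.0
    return vec


def toy_image_embedding(known_identity: Optional[str], variation: int) -> List[float]:
    """Stand-in for the image encoder (constructed).

    If the person was in the training data, the image lands near their
    name's direction (the name-to-face association the paper reports).
    Otherwise it lands on the generic face direction with a small,
    image-dependent spill-over onto an arbitrary name, simulating the
    chance guess a model makes for someone it has never seen.
    """
    vec = [0.0] * DIM
    if known_identity is not None:
        vec[CANDIDATE_NAMES.index(known_identity)] = 1.0
    else:
        vec[DIM - 1] = 1.0
    # Deterministic per-image perturbation so that the query images differ.
    vec[variation % len(CANDIDATE_NAMES)] += 0.3
    return vec


def run_attack(person_in_training: bool, target: str, n_images: int = 5) -> Tuple[bool, int]:
    """Full IDIA round against the toy model for one target person."""
    label_embs = {name: toy_text_embedding(name) for name in CANDIDATE_NAMES}
    image_embs = [toy_image_embedding(target if person_in_training else None, k)
                  for k in range(n_images)]
    return identity_inference(image_embs, label_embs, target)


if __name__ == "__main__":
    # Member: every query image resolves to the correct name -> inferred in training.
    print("member   :", run_attack(True, "Carol Demo"))   # (True, 5)
    # Non-member: at most a chance hit among many labels -> not inferred in training.
    print("non-member:", run_attack(False, "Carol Demo"))  # (False, 1)
```

Two details carry over to a real deployment: the label set must be wide (the non-member above is classified correctly only because a chance guess is spread across many names), and the aggregation across several images of the same person is what separates a memorized identity from a single lucky top-1 prediction.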