Publication
Does CLIP Know My Face?
Dominik Hintersdorf; Lukas Struppek; Manuel Brack; Felix Friedrich; Patrick Schramowski; Kristian Kersting
In: Journal of Artificial Intelligence Research (JAIR), Vol. 80, Pages 1033-1062, arXiv, 2024.
Abstract
With the rise of deep learning in various applications, privacy concerns around the protection of training data have become a critical area of research. Whereas prior studies have focused on privacy risks in single-modal models, we introduce a novel method to assess privacy for multi-modal models, specifically vision-language models like CLIP. The proposed Identity Inference Attack (IDIA) reveals whether an individual was included in the training data by querying the model with images of the same person. Letting the model choose from a wide variety of possible text labels, the model reveals whether it recognizes the person and, therefore, was used for training. Our large-scale experiments on CLIP demonstrate that individuals used for training can be identified with very high accuracy. We confirm that the model has learned to associate names with depicted individuals, implying the existence of sensitive information that can be extracted by adversaries. Our results highlight the need for stronger privacy protection in large-scale models and suggest that IDIAs can be used to prove the unauthorized use of data for training and to enforce privacy laws.
