Multimodal training-image extraction: diffusion / vision models spit training images back, extending the privacy risk to pixels
In one sentence don't assume "a generative model only paints new images, it won't emit the originals." Image-domain memorization is real, the defenses share the same root as text memorization (dedup + DP + similarity auditing), but the cost is now "near-copy" rather than "verbatim."
Privacy-targeted data poisoning: dripping a little "poison" into the training set amplifies privacy leakage about other people
In one sentence by buying expired domains for a "split-view," you can control ~0.01% of LAION-400M for ~\$60 (Carlini et al., S&P 2024 — this is a feasibility result, not itself a privacy-leak result). Conclusion first: training-data integrity = a privacy problem; an untrusted data source is a privacy amplifier.
Training-data deduplication: deleting duplicate samples cuts memorization and extraction risk a lot — but it isn't a formal guarantee
In one sentence dedup is a high-return move that cuts memorization / extraction / membership-inference risk a lot; but it lowers frequency and probability, not a formal guarantee — a rare sample appearing once can still be memorized; for a formal guarantee, stack DP.
Training-data extraction: private data you train on, an attacker may get me to spit back verbatim
In one sentence the larger the model, the more often it was duplicated, and the more context you give, the more discoverable memorization there is.