Extracting Training Data from Document-Based VQA Models
Francesco Pinto, Nathalie Rauschmayr, Florian Tramèr, Philip Torr, Federico Tombari

TL;DR
This paper demonstrates that document-based VQA models can memorize and regurgitate training responses, including sensitive PII, posing privacy risks, and proposes a heuristic countermeasure to prevent such memorization.
Contribution
It reveals the memorization and potential privacy risks in VQA models and introduces a heuristic method to mitigate PII extraction from these models.
Findings
Models memorize training responses including PII
Memorization can be distinguished from generalization
Heuristic countermeasure reduces PII extractability
Abstract
Vision-Language Models (VLMs) have made remarkable progress in document-based Visual Question Answering (i.e., responding to queries about the contents of an input document provided as an image). In this work, we show these models can memorize responses for training samples and regurgitate them even when the relevant visual information has been removed. This includes Personally Identifiable Information (PII) repeated once in the training set, indicating these models could divulge memorized sensitive information and therefore pose a privacy risk. We quantitatively measure the extractability of information in controlled experiments and differentiate between cases where it arises from generalization capabilities or from memorization. We further investigate the factors that influence memorization across multiple state-of-the-art models and propose an effective heuristic countermeasure that…
Taxonomy
Topics: Intelligent Tutoring Systems and Adaptive Learning · Online Learning and Analytics · Educational Technology and Assessment
