Extracting Training Data from Document-Based VQA Models
This work addresses privacy vulnerabilities in Vision-Language Models for document-based tasks, highlighting risks of data leakage for users and developers, with incremental contributions in measurement and mitigation.
The study demonstrated that document-based Visual Question Answering models can memorize and regurgitate training data, including sensitive Personal Identifiable Information (PII), even when visual cues are removed, posing a privacy risk; they measured this extractability and proposed a heuristic countermeasure to prevent it.
Vision-Language Models (VLMs) have made remarkable progress in document-based Visual Question Answering (i.e., responding to queries about the contents of an input document provided as an image). In this work, we show these models can memorize responses for training samples and regurgitate them even when the relevant visual information has been removed. This includes Personal Identifiable Information (PII) repeated once in the training set, indicating these models could divulge memorised sensitive information and therefore pose a privacy risk. We quantitatively measure the extractability of information in controlled experiments and differentiate between cases where it arises from generalization capabilities or from memorization. We further investigate the factors that influence memorization across multiple state-of-the-art models and propose an effective heuristic countermeasure that empirically prevents the extractability of PII.