May 29

$PC^2$: Politically Controversial Content Generation via Jailbreaking Attacks on GPT-based Text-to-Image Models

arXiv:2601.05150 | 65.8 | h-index: 7
AI Analysis

This research addresses a critical security risk for the public and society by demonstrating how T2I models can be exploited to generate politically harmful content, which could be weaponized for fake news or propaganda. This is a novel and important vulnerability.

This paper addresses the vulnerability of text-to-image (T2I) models to generating politically controversial content. The authors developed $PC^2$, a black-box political jailbreaking framework, which achieved an attack success rate of up to 86% on commercial GPT-based T2I models, significantly outperforming existing methods. They also proposed a mitigation strategy that reduced the attack success rate to approximately 10%.

The rapid evolution of text-to-image (T2I) models has enabled high-fidelity visual synthesis on a global scale. However, these advancements have introduced significant security risks, particularly regarding the generation of harmful content. Politically harmful content, such as fabricated depictions of public figures, poses severe threats when weaponized for fake news or propaganda. Despite its criticality, the robustness of current T2I safety filters against such politically motivated adversarial prompting remains underexplored. In response, we propose $PC^2$, the first black-box political jailbreaking framework for T2I models. It exploits a novel vulnerability where safety filters evaluate political sensitivity based on linguistic context. $PC^2$ operates through: (1) Identity-Preserving Descriptive Mapping to obfuscate sensitive keywords into neutral descriptions, and (2) Geopolitically Distal Translation to map these descriptions into fragmented, low-sensitivity languages. This strategy prevents filters from constructing toxic relationships between political entities within prompts, effectively bypassing detection. We construct a benchmark of 240 politically sensitive prompts involving 36 public figures. Evaluation on commercial T2I models, specifically the GPT series, shows that while all original prompts are blocked, $PC^2$ achieves attack success rates (ASRs) of up to 86% and outperforms state-of-the-art frameworks by a large margin. We further propose a ready-to-deploy multi-layered filtering mitigation against $PC^2$-style attacks, reducing ASR to approximately 10%.
