Watch Out Your Album! On the Inadvertent Privacy Memorization in Multi-Modal Large Language Models

We thank the reviewer for the thoughtful feedback. Below we address the main points raised in this review.

---

Claims And Evidence (W1): Privacy-embedded data has less impact on training than natural modality transformations.

We clarify that embedding task-irrelevant privacy significantly impacts gradient updates, as evidenced by gradient similarities substantially lower than random noise compared to the Column Origin, indicating that MLLMs distinctly attend to the embedded privacy content.

Although gradient similarity remains higher than with transformations in the text modality, it closely aligns with image modality transformations, especially in Qwen. This similarity is reasonable because task-irrelevant privacy embeddings introduce subtle perturbations intentionally designed to be unrelated to the downstream task, whereas natural transformations in images and texts directly affect task-relevant features, capturing greater attention from MLLMs.

---

Experimental Designs Or Analyses (W1): Findings may not generalize beyond VQA and broader multi-modal evaluation is needed.

We choose VQA because it is one of the most widely adopted benchmark tasks for both training and evaluating MLLMs. Moreover, it involves both visual and textual reasoning in a relatively balanced manner, which serves as a strong representative for examining potential and inadvertent memorization.

As the reviewer worries about the generalizability issue, we conduct additional experiments on LLaVA 1.5 7B using the image captioning task COCO_2014. In this setup, the gradient similarity between two runs on the original data is $97.8 \pm 5.4$, whereas the gradient similarity between the original data and the privacy-embedded data is $91.4 \pm 7.7$. This aligns with our findings on VQA tasks and provides further evidence that MLLMs consistently exhibit the capability to encode task-irrelevant privacy across various downstream tasks.

---

Experimental Designs Or Analyses (W2): Consider whether larger MLLMs exhibit more severe privacy memorization?

We have investigated whether larger MLLMs exhibit more severe privacy memorization due to their increased capacity. We conduct additional experiments by (1) increasing the parameter scale from 7B to 13B, and (2) increasing the LoRA rank from 128 to 256. Due to space limitations, detailed results can be found in the response of Experimental Designs Or Analyses (W1) to Reviewer 1hkx.

---

Experimental Designs Or Analyses (W3): Consider testing extractability with membership inference or gradient inversion.

Yes, we have explored the possibility of privacy leakage via MIA, which shows minimal performance. For space constrain, comprehensive analyses and results are provided in the response of Relation To Broader Scientific Literature (W1) to Reviewer y5xM.

Regarding gradient inversion, it is particularly suitable for federated learning. Our gradient similarity experiments revealed that MLLMs indeed capture weak signals during training. This suggests the potential feasibility of extracting task-irrelevant private content via gradient inversion within federated learning contexts.

---

Essential References Not Discussed (W1): Extension of related work on PII.

We have discussed several notable studies that investigate the potential to memorize PII. Specifically, we cited Carlini et al., who first revealed that LMs such as GPT-2 could emit PII in training samples. Lukas et al. further analyzed the leakage of PII in LLMs via black-box extraction.

We further survey recent studies that explore PII memorization. Kim et al. introduced a probing tool that enables data subjects to detect the potential leakage of PII in LLM services. Shao et al. analyzed how the association capabilities of LLMs could facilitate privacy leakage. Meng et al. proposed a two-step attack to recover masked PII from training data. Recent research has also begun extending PII detection to MLLMs, such as evaluating autonomous web agents (Zharmagambetov et al.).

However, these prior works do not sufficiently consider scenarios where PII is entirely irrelevant to the training task. We will incorporate these additional references in the related work section of the final version.

[1] Carlini N, et al. Extracting training data from large language models. 2021.

[2] Lukas N, et al. Analyzing leakage of personally identifiable information in language models. 2023.

[3] Kim S, et al. Propile: Probing privacy leakage in large language models. 2023.

[4] Shao H, et al. Quantifying Association Capabilities of Large Language Models and Its Implications on Privacy Leakage. 2024.

[5] Meng W, et al. RR: Unveiling LLM Training Privacy through Recollection and Ranking. 2025.

[6] Zharmagambetov, A, et al. AgentDAM: Privacy Leakage Evaluation for Autonomous Web Agents. 2025.

---

We hope that our explanations above can clarify your doubts and you can consider our work more favorably.

We thank the reviewer for the thoughtful feedback. We first summarize all the issues and suggestions raised by the reviewer, and address the main points raised in this review.

---

Issue 1: While Table 2 suggests significant performance degradation in OCR-VQA, TextVQA, and Visual Genome due to private content embedding, Section 4.2 claims a more generalized minimal effect, which appears contradictory.

We argue that this arises primarily from the randomness inherent in the fine-tuning processes, rather than from privacy injection. In most of our evaluations, the performance fluctuations induced by privacy embedding remain within a tolerable range—some results increase slightly, while others decrease, but no catastrophic deterioration occurs. This consistency suggests that the injected privacy does not substantially alter the core training data distribution or compromise its quality.

Regarding the "greater sensitivity", we believe there are two main reasons:

1.Fine-tuning data volume: TextVQA and Visual Genome contain considerably fewer samples compared with COCO and GQA as shown in Table 5, thus their performance can exhibit larger variance.

2.Randomness in the fine-tuning process: The fine-tuning procedure for LLaVA appears to induce substantially more variability than that of Qwen-VL. Qwen-VL shows only minimal performance fluctuations across all five evaluated datasets when injected privacy. This implies that fine-tuning procedure, but not privacy injection can strongly affect the downstream performance.

---

Issue 2: The decision to use only five items of private content per subset may limit the probing method's applicability. A more detailed ablation study on the effect of subset size would enhance understanding.

In response, we have performed an additional ablation study where we increased the number of items within each subset from 5 to 100. Specifically, we ask GPT-4 to generate 100 distinct usernames and corresponding user_ids for each subset, respectively. To avoid repetition, we request GPT-4 to check for duplicates after each generation. We use these 100 private items on Qwen-VL for COCO. Results are shown below:

As the privacy subset size increases, the gradients of MLLMs exhibit more significant deviations from the original gradient updates, indicating that MLLMs spend more effort in each gradient step learning different privacy information when increasing privacy subset size.

---

Issue 3: The probing evaluation is novel, but it does not sufficiently address whether the model can explicitly regenerate private content under adversarial prompting, a key concern for privacy risks.

We have conducted comprehensive experiments to assess the effectiveness of general attack methods such as adversarial prompting and other practical methods like MIAs.

We directly ask for the username visible in the testing image (Have you seen the username before?), and ask for the corresponding user_id that requires multi-hop reasoning (What is the user_id of the username in this image?). We find that both LLaVA and Qwen-VL perform nearly random accuracy (~50%) in the first scenario, and the accuracy for correctly identifying the user_id is 0%, which means that direct prompting is ineffective in detecting the slight task-irrelevant privacy leakage.

Additionally, we have explored the possibility of privacy leakage via MIA. Our evaluations reveal that MIAs such as LOSS, Zlib Entropy, and Min-k% Prob show only minimal improvements compared to MLLMs before fine-tuning. For space constrain, comprehensive analyses and results are provided in the response of Relation To Broader Scientific Literature (W1) to Reviewer y5xM.

---

Issue 4: The probed memorization may not align with the real-world privacy risks community members are most concerned about (i.e., explicit memorization rather than influence on gradients).

Although explicit memorization scenarios such as direct prompting do not pose privacy risks in our setting, our work still identifies two significant real-world privacy risks that community members are concerned about.

Firstly, similar to MIAs, an attacker with prior knowledge of a general range of usernames could randomly embed these privacy into images, and use our proposed probing method to detect which usernames were used in the fine-tuning, thus exposing sensitive information.

Secondly, our findings demonstrate that MLLMs capture privacy-related information in gradients during mini-batch training, which provides theoretical support for gradient inversion attacks in federated learning settings. A malicious client could potentially exploit gradient information to infer task-irrelevant private content.

---

We hope that our explanations above can clarify your doubts and you can consider our work more favorably.

We thank the reviewer for the thoughtful feedback. Below we address the main points raised in this review.

---

Claims And Evidence (W1): High gradient similarity with privacy-embedded data raises concerns about the claims.

We clarify that embedding task-irrelevant privacy significantly impacts gradient updates, as evidenced by gradient similarities substantially lower than random noise compared to the Column Origin, indicating that MLLMs distinctly attend to the embedded privacy content.

Although gradient similarity remains higher than in text transformation, it closely aligns with image modality transformations. This similarity is reasonable because task-irrelevant privacy embeddings introduce subtle perturbations intentionally designed to be unrelated to the downstream task, whereas natural transformations in images and texts directly affect task-relevant features, capturing greater attention from MLLMs.

---

Experimental Designs Or Analyses / Supplementary Material (W1): Verify if gradient differences persist over multiple training steps, not just single-step updates.

We conduct additional experiments using LLaVA 1.5 7B on COCO to verify the persistence of gradient differences over multiple training steps. We measured gradient similarity after multiple updates across 1, 10, and 100 mini-batches:

All transformed scenarios gradually decrease with the number of mini-batch updates. Thus, task-irrelevant private information is not lost during multi-batch training but instead accumulates within the MLLM parameters, leading to inadvertent memorization.

---

Experimental Designs Or Analyses / Supplementary Material (W2): Clarify probing accuracy from direct prompting in experiments.

We find that direct prompting is completely ineffective for detecting memorized privacy in this task-irrelevant scenario. Specifically, we directly ask for the username visible in the testing image (Have you seen the username before?), and ask for the corresponding user_id that requires multi-hop reasoning (What is the user_id of the username in this image?). Both LLaVA and Qwen-VL perform nearly random accuracy (~50%) in the first scenario, and the accuracy for correctly identifying the user_id is 0%, which means that direct prompting is ineffective in detecting the slight task-irrelevant privacy leakage.

---

Relation To Broader Scientific Literature (W1): The authors show the possibility of such inadvertent memorization, without verifying whether the memorized privacy can be exposed or how it might be mitigated.

We have conducted experiments to verify whether the memorized privacy can be exposed through existing attack methods. For direct prompting, we have provided the results in response to Experimental Designs Or Analyses / Supplementary Material (W2).

Additionally, we have constructed a suitable dataset for MIA by leveraging GPT-4 to randomly generate 20 distinct samples embedding each piece of privacy information, which contains 100 member and 100 non-member instances.

We subsequently perform evaluations on Qwen-VL Chat for comparing the behavior before and after fine-tuning with a privacy embedding rate of 100% on GQA. We consider three popular MIA methods: LOSS [1], Zlib Entropy [2], and Min-k% Prob [3]. The results are presented below. It indicates only a marginal increase in MIA accuracy after fine-tuning, which means that MIAs generally fail when facing such weak, task-irrelevant signals in this paper.

However, this does not inherently imply that task-irrelevant privacy information is secure. Our gradient similarity experiments indicate noticeable differences in gradients when MLLMs encode privacy, suggesting a potential risk for gradient inversion attacks in scenarios such as federated learning.

Concerning mitigation strategies, we identify spurious correlations captured during mini-batch training as the critical factor to inadvertent memorization. Therefore, increasing batch sizes or employing gradient accumulation can significantly reduce the likelihood of encoding privacy. Our ablation experiments clearly demonstrate that increasing batch sizes reduces gradient differences before and after encoding, supporting our hypothesis that larger batches effectively mitigate the probability of capturing such spurious correlations.

[1] Yeom S, et al. Privacy risk in machine learning. 2018.

[2] Carlini N, et al. Extracting training data from large language models. 2021.

[3] Shi W, et al. Detecting pretraining data from large language models. 2023.

---

We hope that our explanations above can clarify your doubts and you can consider our work more favorably.

We thank the reviewer for the thoughtful feedback. Below we address the main points raised in this review.

---

Claims And Evidence (W1): Probing accuracy is similar, but why do visualizations differ so much?

We thank the reviewer for this insightful observation, which we also find an intriguing phenomenon. The fundamental distinction between the two scenarios lies in how the MLLMs handle the queries:

• In the direct username query scenario, the username is explicitly presented within the probing image, allowing the MLLM to directly recall the seen private content from memory.
• In contrast, the user-id query scenario necessitates multi-hop reasoning, where the MLLM must infer the user-id by associating it with the username previously encountered during training.

Therefore, we argue that the second scenario inherently contains more nonlinear yet discriminative features. These complex nonlinear relationships are less distinctly captured by low-dimensional visualization, which results in less pronounced visual clusters. However, the probing classifier's consistently high accuracy indicates that despite their subtlety in visualizations, these nonlinear relationships remain strongly distinguishable in the high-dimensional parameter space.

---

Methods And Evaluation Criteria (W1): Probing classifiers may be biased, control tasks can validate true memorization signals.

We share the reviewer's concern regarding the potential biases introduced by probing classifiers. In this paper, we deliberately select the simplest linear classifier as the probing model to minimize the bias, following the method proposed by Hewitt et al.

Moreover, we construct control tasks by randomly shuffling labels in accordance with Hewitt et al. We find that the test accuracy consistently maintains around 50%, aligning with random guessing. This confirms that subtracting the control task accuracy (i.e., using selectivity) and simply measuring the probing accuracy lead to similar conclusions.

[1] Hewitt J et al., Designing and Interpreting Probes with Control Tasks, 2019.

---

Experimental Designs Or Analyses (W1): Experiments on 7B models only, scale effects on memorization remain unexplored.

We thank the reviewer for raising this concern regarding the impact of parameter scales. In response, we conduct additional experiments by (1) increasing the parameter scale of LLaVA from 7B to 13B, and (2) increasing the LoRA rank from 128 to 256 in the LLaVA 7B setting.

Our findings indicate that when privacy is embedded of different parameter scales, the gradients obtained from privacy maintain significant divergence from those of normal training. Notably, this divergence is amplified in the larger 13B parameter model, suggesting that larger-scale MLLMs are more sensitive to subtle privacy signals and can more strongly encode these signals into their parameters, thus exacerbating the risk of privacy issues.

• Results for LLaVA 13B

• Results for LoRA-256 on LLaVA 7B

---

Essential References Not Discussed (W1): Unclear which parameters were tested, LLM or vision tower may differ in privacy encoding.

In this paper, we initially follow the default settings of LLaVA 1.5 7B and Qwen-VL Chat, where for Qwen we freeze the entire vision block and apply LoRA only to the language transformer block, while for LLaVA we fine-tune both the vision and language blocks.

To further investigate whether inadvertent privacy is more likely to be encoded in the LLM parameters or in the vision tower, we freeze all LLM parameters and allow the final layer of vision block to update its gradients during fine-tuning on COCO in Qwen-VL Chat. The results are presented below:

Surprisingly, we observe a significant reduction in gradient similarity for the vision block when privacy is embedded into the images, while the gradient similarity in the text modality transformation remains relatively unchanged.

Thus, inadvertent privacy is more likely to be encoded in the vision tower. We will include these experimental results in the final version to emphasize this heightened privacy concern.

---

We hope that our explanations above can clarify your doubts and you can consider our work more favorably.