Ryan webster

YouTube video by Mathématiques et informatique - Collège de France La philosophie de la pratique des mathématiques (3) - Timothy Gowers (2025-2026)

voici une presentation super bien fait sur busy beaver, avec une histoire bien rigolo. www.youtube.com/watch?v=YYrS...

sunset over Waikiki from mt olympus.

Come check out our #ICCV2025 poster for "Multi-modal Identity Extraction" at (Exhibit Hall I #73).

TLDR; We show a real-world use case for MI: we may audit privacy claims. Perhaps it's time to advertise privacy (on MI benchmarks) alongside performance benchmarks for CLIP models (see DP-CAP, Sander et al for some great work in this direction). (11/10)

What went wrong? We aren't sure, but perhaps the blurring wasn't strong enough (the bottom left shows the default of the codebase), or face detection was faulty. Either way, privacy wasn't really protected as desired. (10/10)

Lets look at a real world use case. The Datacomp suite of CLIP models claimed to put privacy first by blurring faces before training. However, we found that even after a strict facial crop, Datacomp models could still identify people. This was not the case when heavy blurring was performed. (9/10)

We found around 1/3 - 1/2 of the ~10k individuals in VGGFace2 can be identified in terms of the (harder) setting (2), i.e. Alice learns the name. (8/10)

Distractors are important; the more distractors we submit, the less likely the model can guess who it is correctly (i.e., we control the chance of a false positive). The more names, the more confident we can be; we submit up to 1M diverse distractor names taken from wikipedia. (7/10)

For name generation (3), we showed names can be directly extracted from CLIP using a _language only_ model (mistral), and a bit of magic from reinforcement learning. (6/10)

She counts how many times CLIP maps Bob's facial images to (1) the ground truth or (2) the same name repeatedly. This is her "attack function" used to make a membership decision. (5/10)

We consider 3 setups where Alice submits images of Bob to identify him by name.
(1) Alice has Bob's name (see Hintersdorf et al) (2) Alice has a phonebook with Bob's name (3) Alice generates a set of plausible names (then performs 2). (4/10)

However, in the specific instance "Was this person's face/name used to train a VLM," we can craft a robust attack. Knowledge of training data isn't necessary; we assume a model cannot a-priori identify an individual by name better than guessing (aka a "ranking counterfactual" argument). (3/10)

Membership Inference (MI) is the process of determining whether a data sample was used to train a model. Unfortunately, trustworthy MI vs. foundational model's is extremely hard. In standard MI, we cannot know if we've made a false accusation unless we have some knowledge of the training set. (2/10)

GitHub - ryanwebster90/clip-identity-extraction: Extract names of individuals from CLIP given only images. Extract names of individuals from CLIP given only images. - ryanwebster90/clip-identity-extraction

You may know CLIP, but does CLIP know you? In our new ICCV paper "Multi-modal Identity Extraction", we study just this.

paper: hal.science/hal-05168368v1
code: github.com/ryanwebster9...
🧵(1/10)