3204 words
16 minutes
Extracting Training Data from Diffusion Models: Privacy Risks in Generative AI

Introduction: Generative AI’s Privacy Blind Spot#

When OpenAI’s DALL·E 2, Stability AI’s Stable Diffusion, and Google’s Imagen burst onto the scene in 2022, they seemed almost magical. Type a text prompt — “an astronaut riding a horse on Mars” — and the model would conjure a photorealistic image in seconds. The creative possibilities were intoxicating.

But beneath the surface, a serious privacy concern was lurking. These diffusion models, trained on billions of images scraped from the internet, were doing something their creators didn’t fully intend: memorizing specific training images and regurgitating them when prompted.

In 2023, Nicholas Carlini, Jamie Hayes, Milad Nasr, Matthew Jagielski, Vikash Sehwag, Florian Tramèr, Borja Balle, Daphne Ippolito, and Katherine Lee published “Extracting Training Data from Diffusion Models” at USENIX Security 2023, demonstrating that diffusion models pose a significant and practical privacy risk. Building on the foundational concepts from “The Secret Sharer” (2019) — which established that neural networks memorize training data — this paper showed that the problem extends far beyond language models and is arguably more severe in the visual domain.

This post provides a comprehensive analysis of the paper, its methodology, findings, and implications for the future of generative AI privacy.

Background: From Language Models to Diffusion Models#

The Legacy of Memorization Research#

The story begins with the realization that neural networks memorize training data. The Secret Sharer (2019) demonstrated this for language models, and subsequent work by Carlini et al. (2021) showed that large language models like GPT-Neo and GPT-J memorize significant amounts of verbatim text from their training corpora.

But diffusion models present a fundamentally different and arguably more challenging landscape for privacy:

  1. Visual memorization is more recognizable. If a diffusion model reproduces a photograph of a real person, the privacy violation is immediately apparent — far more so than if a language model leaks a snippet of text.

  2. The generation process is stochastic. Diffusion models generate images through an iterative denoising process, making it harder to determine whether a specific output is a memorized training image or a novel creation.

  3. The training data is vast and opaque. Models like Stable Diffusion were trained on datasets (LAION-5B) containing billions of images, many of which contain identifiable people, copyrighted artwork, private photographs, and other sensitive content.

How Diffusion Models Work#

To understand the privacy risks, it’s helpful to briefly review how diffusion models work:

  1. Forward process (noising): Starting from a real image, gradually add Gaussian noise over many timesteps until the image becomes pure noise.

  2. Training: The model learns to predict the noise that was added at each timestep, effectively learning to reverse the noising process.

  3. Reverse process (denoising): To generate an image, start from pure noise and iteratively denoise it using the trained model, gradually producing a coherent image.

The key insight is that during training, the model sees every image in the training dataset and learns to reverse the noising process for each one. This creates an opportunity for memorization — the model can learn to reproduce specific training images rather than learning only the general distribution.

Research Questions and Threat Model#

The paper addresses two primary research questions:

  1. Do diffusion models memorize individual training examples? If so, to what extent and under what conditions?

  2. Can an attacker extract specific training images from a diffusion model? Is memorization practically exploitable?

The Threat Model#

The authors consider an attacker with black-box access to a diffusion model. The attacker can:

  • Generate images from text prompts
  • Control the text prompts used for generation
  • Control the random seed (and thus the initial noise)
  • Generate as many images as desired

The attacker’s goal is to produce images that are near-duplicate reproductions of specific training images — images they have never seen but know (or suspect) are in the training data.

This threat model is realistic because many diffusion models are openly available (e.g., Stable Diffusion), and commercial APIs allow extensive querying.

Methodology: Measuring and Exploiting Memorization#

Defining Memorization in Diffusion Models#

Memorization in diffusion models is trickier to define than in language models. In a language model, you can compute the exact probability the model assigns to a specific text string. In a diffusion model, the output is an image, and comparing images is inherently more nuanced.

The authors define memorization as follows: a training image is memorized if the model can generate an image that is a near-duplicate of the training image when prompted appropriately. Specifically, they use a similarity threshold based on a combination of metrics:

  • SSIM (Structural Similarity Index): Measures structural similarity between images
  • LPIPS (Learned Perceptual Image Patch Similarity): Measures perceptual similarity
  • Pixel-level MSE (Mean Squared Error): Measures pixel-level differences

A generated image is considered a near-duplicate of a training image if it scores above certain thresholds on these metrics.

The Extraction Attack#

The extraction attack proceeds in several stages:

Stage 1: Identify Candidate Training Images#

The attacker needs some knowledge of what might be in the training set. This could come from:

  • Knowing that the model was trained on a public dataset (e.g., LAION)
  • Having partial metadata about the training data
  • Using web search or other tools to identify images likely to be in the training set

Stage 2: Craft Prompts#

The attacker crafts text prompts designed to trigger memorization. The key insight is that prompts that closely match the original caption or description of a training image are most effective at eliciting memorized copies.

This is analogous to the prefix-based extraction in The Secret Sharer, where the context before a secret helps the model retrieve it. Here, the text prompt serves as the “context” that triggers the model to reproduce a memorized image.

Stage 3: Generate and Filter#

The attacker generates many images using the crafted prompts and then filters the results to identify near-duplicates of training images. The filtering step uses the similarity metrics described above.

Stage 4: Verify#

The attacker verifies that extracted images are indeed training images by comparing them against the known training dataset (if accessible) or by using other evidence (e.g., the extracted image exactly matches a known photograph).

Quantifying Memorization: The Efficacy Metric#

To quantify memorization, the authors introduce a metric based on how easily a training image can be extracted. Specifically, they measure the extraction efficacy — the fraction of training images that can be successfully extracted under a given attack strategy.

This metric captures the practical risk: it’s not just about whether memorization exists in theory, but about how much training data an attacker can actually recover.

Key Findings#

Finding 1: Diffusion Models Memorize Extensively#

The most striking finding is that diffusion models memorize far more than previously assumed. The authors applied their extraction methodology to Stable Diffusion and found that it memorizes a significant number of training images — images that can be extracted as near-duplicates by an attacker.

The scale of memorization was surprising even to the researchers. While not every training image is memorized, enough are that the privacy risk is substantial.

Finding 2: Duplication Is the Primary Driver#

Just as in language models, data duplication is the primary driver of memorization in diffusion models. Images that appear multiple times in the training dataset (even with different captions or slight modifications) are far more likely to be memorized than images that appear only once.

The authors analyzed the LAION training dataset and found that it contains significant duplication. Many images appear dozens or even hundreds of times, often with different associated text. This duplication creates ideal conditions for memorization.

This finding has a direct and actionable implication: deduplicating training data is one of the most effective ways to reduce memorization.

Finding 3: Prompt Engineering Amplifies Extraction#

The text prompt used to generate images has a significant impact on extraction success. Prompts that closely match the original caption of a training image are far more effective at triggering memorization than generic or unrelated prompts.

This finding reveals an important attack vector: an attacker who can guess or discover the original caption of a training image (e.g., by searching for similar images online and using their alt-text or descriptions) can dramatically improve their chances of extracting that image from the model.

Finding 4: Memorization Occurs Across Model Architectures#

The authors demonstrated that memorization is not unique to a specific model architecture or training procedure. They found evidence of memorization across multiple diffusion model variants, suggesting that the problem is inherent to the diffusion training paradigm rather than an artifact of specific design choices.

Finding 5: Generated Images Can Be Verbatim Copies#

Perhaps most alarmingly, the extracted images are not merely “inspired by” or “similar to” training images — they are often near-verbatim copies. The pixel-level similarity between extracted images and original training images is extremely high, leaving no ambiguity about whether memorization has occurred.

This distinguishes diffusion model memorization from more subtle forms of information leakage. When a diffusion model memorizes a photograph of a real person’s face, it doesn’t just learn to generate faces with similar features — it reproduces the actual photograph.

Case Studies: What Gets Memorized?#

The paper includes several compelling case studies that illustrate the real-world privacy implications of memorization.

Memorized Photographs of Real People#

The authors found instances where Stable Diffusion could generate near-duplicate copies of photographs of real, identifiable individuals from its training data. When prompted with descriptions matching the original images, the model would produce images that clearly showed the same person in the same pose, clothing, and setting.

This raises obvious privacy concerns: if your photograph was included in the training data, a stranger might be able to generate your image using the model.

Memorized Artwork#

The model also memorized copyrighted artwork. When prompted with descriptions of specific artworks, the model sometimes produced near-duplicate copies, raising significant copyright concerns. This has become a major issue in ongoing litigation between artists and AI companies.

Memorized Medical and Sensitive Images#

Although the authors focused primarily on general-purpose images, the implications for sensitive domains are clear. Medical images, security camera footage, and other sensitive visual data used in specialized diffusion models could be similarly memorized and extracted.

Technical Analysis: Why Do Diffusion Models Memorize?#

The Role of Loss Minimization#

At a fundamental level, memorization occurs because of how neural networks optimize their training objectives. During training, the model minimizes the denoising loss — its ability to predict and remove noise. For images that appear frequently in the training data, the model can reduce its loss more by memorizing those specific images (and their associated denoising patterns) than by learning general visual concepts.

This is the same mechanism that drives memorization in language models: the optimization process doesn’t distinguish between “useful generalization” and “memorization of specific examples.” If memorizing a specific example reduces loss, the optimizer will do it.

The Capacity Question#

Modern diffusion models are enormously over-parameterized. Stable Diffusion, for example, has nearly a billion parameters — far more than is theoretically necessary to learn the distribution of natural images. This excess capacity provides the model with the representational power to memorize specific images alongside learning general visual concepts.

The parallel to language models is instructive: GPT-3 has 175 billion parameters, and subsequent work showed that it memorizes far more than smaller models. The same scaling pattern appears to hold for diffusion models.

The Influence of Conditioning#

Text-conditioned diffusion models (like Stable Diffusion) are particularly susceptible to memorization because the text-image pairing provides a unique “key” for each memorized image. The model can associate a specific text description with a specific image, creating a direct mapping that an attacker can exploit.

Without text conditioning, memorization still occurs but is harder to exploit because the attacker has less control over which memorized image the model will produce.

Defenses and Mitigations#

The paper and subsequent work have explored several approaches to mitigating memorization in diffusion models.

Training Data Deduplication#

The most effective and practical defense is deduplicating the training data. By ensuring that each image appears only once (or a small number of times) in the training set, the risk of memorization is significantly reduced.

This is easier said than done for datasets of billions of images. Exact deduplication (finding identical copies) is computationally tractable, but near-deduplication (finding similar but not identical copies) is much more challenging. The LAION dataset, for example, required extensive deduplication efforts that are still ongoing.

Differential Privacy#

As with language models, differential privacy provides the strongest theoretical guarantees against memorization. Training diffusion models with DP-SGD ensures that no single training image has too much influence on the model.

However, the utility cost of differential privacy for diffusion models is even more severe than for language models. Visual quality degrades noticeably under DP training, making this approach impractical for most production use cases. Research into more efficient private training methods for diffusion models is ongoing.

Prompt Filtering and Output Filtering#

For deployed models, filtering inputs and outputs can provide an additional layer of defense:

  • Prompt filtering: Detect and block prompts that are likely to trigger memorization (e.g., prompts that closely match known training image captions).
  • Output filtering: Detect and block generated images that are too similar to known training images.

These approaches are inherently limited because they can be circumvented by determined attackers, but they provide a useful defense-in-depth measure.

Machine Unlearning#

Machine unlearning — the ability to make a trained model “forget” specific training examples without retraining from scratch — is an active area of research. If effective unlearning methods were available, model creators could remove memorized images from their models after training.

Current unlearning methods for diffusion models are imperfect: they may degrade model quality or fail to completely remove the targeted information. However, this remains a promising direction.

Ensemble and Averaging Approaches#

Some research suggests that training multiple models and averaging their outputs (or using ensemble methods) can reduce memorization. The intuition is that while individual models may memorize different examples, the ensemble is less likely to reproduce any specific memorized example.

The Bigger Picture: Privacy in Generative AI#

The findings of this paper extend beyond diffusion models to raise fundamental questions about privacy in generative AI.

The Scraping Problem#

Most large-scale generative AI models are trained on data scraped from the internet. This data includes personal photographs (from social media), copyrighted artwork, and other sensitive content — often without the knowledge or consent of the people whose data is being used.

The fact that this data can be extracted from trained models creates a novel privacy risk: your data can be used to train a model, and then someone else can extract it from that model, even if you’ve since deleted the original data from the internet.

The paper’s findings strengthen the argument for robust consent mechanisms and data rights in AI training. Individuals should have the right to:

  • Know whether their data was used to train a model
  • Request that their data be removed from a trained model
  • Verify that their data has been effectively removed

Current technical limitations make these rights difficult to enforce in practice, but research into memorization and unlearning is gradually making them more feasible.

The memorization of artwork and other copyrighted material raises significant legal questions. If a diffusion model can reproduce a near-duplicate of a copyrighted image, does that constitute copyright infringement? Who is liable — the model creator, the user who generated the image, or both?

These questions are currently being litigated in multiple jurisdictions, and the findings of this paper provide important technical evidence for these legal proceedings.

The Arms Race Between Memorization and Defense#

As with many areas of security, there is an ongoing arms race between memorization (which increases as models get larger and train on more data) and defenses (which are improving but often lag behind). The trajectory is concerning: as generative models continue to scale, the risk of memorization is likely to increase unless significant progress is made on defenses.

Practical Recommendations#

Based on the paper’s findings and subsequent research, here are practical recommendations for different stakeholders:

For AI Developers and Companies#

  1. Deduplicate your training data rigorously. This is the single most effective defense against memorization.
  2. Audit your models for memorization before release. Use techniques from this paper to test whether your model memorizes training images.
  3. Implement output filtering. Deploy filters to detect and block generations that are too similar to training images.
  4. Be transparent about training data. Document what data your model was trained on and how it was curated.
  5. Invest in differential privacy research. Support the development of more efficient private training methods.

For Policymakers and Regulators#

  1. Require memorization audits. Mandate that AI companies test their models for memorization before deployment.
  2. Strengthen data rights. Ensure individuals have the right to have their data removed from trained models.
  3. Fund privacy-preserving AI research. Support academic and industry research into privacy-preserving training methods.
  4. Clarify liability. Establish clear legal frameworks for who is responsible when a model leaks training data.

For Users of Generative AI#

  1. Be aware that your prompts may trigger memorized content. If you’re using a diffusion model and it generates an image that looks like a specific photograph, it may be a memorized training image.
  2. Don’t assume generated content is novel. Even if an image was “generated by AI,” it may be a near-copy of a specific training image.
  3. Report concerning outputs. If you encounter a generation that appears to be a real person’s photograph or other sensitive content, report it to the model provider.

Lessons from the Extraction Landscape#

This paper represents a critical milestone in the evolving understanding of AI privacy risks. Several key lessons emerge:

Lesson 1: Scaling Makes Memorization Worse#

As models get larger and train on more data, memorization increases. This is a concerning trend given the current trajectory of the field toward ever-larger models trained on ever-larger datasets.

Lesson 2: Memorization Is a General Phenomenon#

The fact that memorization occurs in both language models and diffusion models suggests that it is a general property of neural network training, not specific to any particular architecture or modality. Any model trained on data containing sensitive information is potentially at risk.

Lesson 3: Defenses Exist But Have Tradeoffs#

The most effective defenses — differential privacy and deduplication — come with significant tradeoffs. Differential privacy reduces model quality, while deduplication is computationally expensive for large datasets. Finding defenses that are both effective and practical remains an open challenge.

Lesson 4: The Visual Domain Is Especially Sensitive#

Memorization in image generation models is arguably more concerning than in language models because visual privacy violations are immediately recognizable and impactful. A leaked photograph is viscerally disturbing in a way that a leaked text snippet may not be.

Conclusion: Facing the Privacy Challenge in Generative AI#

The “Extracting Training Data from Diffusion Models” paper is a watershed moment in AI security research. It takes the foundational insight of The Secret Sharer — that neural networks memorize training data — and demonstrates its full implications for the most visible and widely-used class of generative AI systems.

The findings are clear and concerning:

  • Diffusion models memorize specific training images and can be made to reproduce them as near-duplicates.
  • The attack is practical and requires only black-box access to the model.
  • Memorized content includes photographs of real people, copyrighted artwork, and other sensitive material.
  • The primary driver of memorization — data duplication — is prevalent in commonly used training datasets.

As generative AI becomes increasingly embedded in our daily lives, from image generation to video synthesis to 3D content creation, the privacy risks identified in this paper will only grow. Addressing these risks requires a coordinated effort across technical research, industry practice, and policy frameworks.

The technical community must develop more effective and efficient defenses against memorization. Industry must adopt privacy-preserving practices as standard, not optional. And policymakers must create frameworks that protect individuals’ privacy rights while enabling the beneficial development of AI technology.

The images generated by diffusion models may look like magic, but the privacy risks they pose are very real. It’s time to take those risks as seriously as the technology itself.


This post is part of the AI Research series, covering foundational papers in AI security. The paper discussed here was presented at USENIX Security 2023 and is available at https://www.usenix.org/system/files/usenixsecurity23-carlini.pdf.

Extracting Training Data from Diffusion Models: Privacy Risks in Generative AI
https://mranv.pages.dev/posts/extracting-training-data-diffusion-models/
Author
Anubhav Gain
Published at
2026-05-19
License
CC BY-NC-SA 4.0