When T2I Synthetic Data Backfires: Amplified Privacy Risks in Real-Synthetic Mix Training

📅 2026-07-15
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
This work reveals that incorporating text-to-image synthetic data into training alongside real data significantly amplifies privacy leakage risks associated with real samples. To address this, the authors propose the Real-Synthetic Memory Transfer (RSMT) theory, which elucidates how synthetic data intensifies a model’s memorization of real instances. They further introduce the RSMixLeak framework to systematically evaluate this risk via membership inference attacks. A novel leakage propensity metric is developed that relies solely on real data to distinguish between adversarial and non-adversarial scenarios. This metric enables lightweight risk assessment by integrating semantic attribute binding with pixel-level perturbations. Experimental results confirm that RSMT substantially exacerbates privacy leakage, and the proposed metric effectively identifies high-risk datasets, offering practitioners a self-assessment tool for the secure deployment of synthetic data.
📝 Abstract
To overcome data scarcity and privacy constraints in data collection, it has become standard practice across academia and industry to augment real training data with text-to-image (T2I)-generated synthetic data, a paradigm we term Real-Synthetic Mix-Training (RSMT). While substituting synthetic data for sensitive real samples is widely regarded as a means to mitigate privacy exposure of the substituted data, the risk to the remaining real samples that actively participate in training has remained largely unexamined. This work reveals, for the first time, that RSMT can substantially amplify privacy leakage of these real training samples. We establish a theoretical framework, RSMT Memorization Amplification, proving that incorporating synthetic data displaces real samples toward peripheral regions of the mixed feature space, in turn forcing the model to memorize them more aggressively. Guided by this foundation, we propose RSMixLeak to systematically assess this risk through membership inference attacks (MIAs). RSMixLeak comprises two variants depending on the adversary's capability. The non-adversarial variant audits a benign RSMT pipeline with an honest T2I provider, establishing a lower bound on the leakage induced by the intrinsic gap between real and T2I-generated data. The adversarial variant considers an adversary who controls the T2I model or contributes crafted data to the T2I provider, and deliberately enlarges this distributional gap on a target class via either high-level semantic attribute binding or imperceptible pixel-level coating, further amplifying leakage on real training data while improving downstream model utility. Motivated by these findings, we further propose a lightweight leakage propensity indicator computable from real data alone that reliably identifies high-risk datasets unsuitable for entering RSMT, as a self-assessable mitigation.
Problem

Research questions and friction points this paper is trying to address.

privacy leakage
text-to-image synthesis
real-synthetic mix training
membership inference
data memorization
Innovation

Methods, ideas, or system contributions that make the work stand out.

Real-Synthetic Mix-Training
Privacy Amplification
Membership Inference Attack
Synthetic Data
T2I-generated Data