A Systemic Evaluation of Multimodal RAG Privacy
Ali Al-Lawati, Suhang Wang
TL;DR
This paper investigates privacy risks in vision-centric multimodal Retrieval-Augmented Generation (mRAG) pipelines by conducting black-box Membership Inference Attacks (MIA) and Image Caption Retrieval (ICR) attacks. It systematically analyzes how image transformations, prompt structure, and retrieval–rerank configurations influence leakage across diverse datasets and multiple vision-language models. Key findings show near-perfect MIA leakage for exact images, substantial but reduced leakage under common transformations (e.g., rotation), and dataset-/model-dependent caption leakage in ICR, with reranking generally mitigating leakage. The work highlights an urgent need for privacy-preserving mRAG designs and proposes mitigation experiments, including LLM-assisted prompt evaluation, to curb information leakage in practical deployments.
Abstract
The growing adoption of multimodal Retrieval-Augmented Generation (mRAG) pipelines for vision-centric tasks (e.g. visual QA) introduces important privacy challenges. In particular, while mRAG provides a practical capability to connect private datasets to improve model performance, it risks the leakage of private information from these datasets during inference. In this paper, we perform an empirical study to analyze the privacy risks inherent in the mRAG pipeline observed through standard model prompting. Specifically, we implement a case study that attempts to infer the inclusion of a visual asset, e.g. image, in the mRAG, and if present leak the metadata, e.g. caption, related to it. Our findings highlight the need for privacy-preserving mechanisms and motivate future research on mRAG privacy.
