Yves-Alexandre de Montjoye
@yvesalexandre.bsky.social
Professor of Applied Mathematics and CS at Imperial College London (🇬🇧). MIT PhD. I'm working on automated privacy attacks, LLM memorization, and AI Safety. Road cyclist 🚴 and former EU Special Adviser (🇪🇺).
New work from the team on identifying memorized training samples for free
New paper accepted @ USENIX Security 2025!

We show how to identify training samples most vulnerable to membership inference attacks - FOR FREE, using artifacts naturally available during training! No shadow models needed.

Learn more: computationalprivacy.github.io/loss_traces/

Thread below 🧵
Loss Traces: Free Privacy Risk Evaluation
Estimate the vulnerability of training samples to membership inference attacks by analyzing their loss traces during model training - no shadow models required!
computationalprivacy.github.io
June 26, 2025 at 4:27 PM
Have you ever uploaded a PDF 📄 to ChatGPT 🤖 and asked for a summary? There is a chance the model followed hidden instructions inside the file instead of your prompt 😈

A thread 🧵
June 20, 2025 at 10:51 AM
🚨One (more!) fully-funded PhD position in our group at Imperial College London – Privacy & Machine Learning 🔐🤖 starting Oct 2025

Plz RT 🔄
May 20, 2025 at 10:33 AM
Reposted by Yves-Alexandre de Montjoye
Huge congrats to @spalab.cs.ucr.edu's Georgi Ganev for receiving the Distinguished Paper Award at IEEE S&P for his work "The Inadequacy of Similarity-based Privacy Metrics: Privacy Attacks against “Truly Anonymous” Synthetic Datasets."

Paper: arxiv.org/pdf/2312.051...
May 14, 2025 at 5:51 PM
Reposted by Yves-Alexandre de Montjoye
🌍 Help shape the future of SaTML!

We are on the hunt for a 2026 host city - and you could lead the way. Submit a bid to become General Chair of the conference:

forms.gle/vozsaXjCoPzc...
Bid to host SaTML 2026
Thank you for considering to host SaTML! SaTML has been organized as a 3 day conference so far. We are looking for volunteers interested in finding a venue to host the conference in 2026. By submitti...
forms.gle
May 12, 2025 at 12:15 PM
How do you know your synthetic data is anonymous 🥸?

If your answer is “we checked Distance to Closest Record (DCR),” then… we might have bad news for you.

Our latest work shows DCR and other proxy metrics to be inadequate measures of the privacy risk of synthetic data.
May 9, 2025 at 12:21 PM
Yes yes I know the fundamental law of information recovery and differential privacy, but if there are really just a few summary statistics, surely it should be anonymous? 🥸

I definitely used to think this, until we started looking into it two years ago.

A thread 🧵
DeSIA: Attribute Inference Attacks Against Limited Fixed Aggregate Statistics
Empirical inference attacks are a popular approach for evaluating the privacy risk of data release mechanisms in practice. While an active attack literature exists to evaluate machine learning models ...
arxiv.org
May 7, 2025 at 11:15 AM
Reposted by Yves-Alexandre de Montjoye
🏆 And the Best Paper Award at #SaTML25 goes to “SoK: Membership Inference Attacks on LLMs are Rushing Nowhere (and How to Fix It)” by Matthieu Meeus, Igor Shilov, Shubham Jain, Manuel Faysse, Marek Rei, Yves-Alexandre de Montjoye. Well deserved!
April 9, 2025 at 7:20 AM
Reposted by Yves-Alexandre de Montjoye
People of Copenhagen:

On Tuesday April 8th, we have awesome privacy researcher @yvesalexandre.bsky.social visiting the group. Yves is a bold and creative scientist, and also former advisor to Marianne Vestager.

Yves will give a talk at SODAS at 3pm that's open to the public (details below)
April 1, 2025 at 3:46 PM
🚨 In a new paper in @NatureComms, we propose a scaling law for identification technologies, from browser and device fingerprinting 🌐 to facial recognition 📸 and stylometry ✍️.

A thread 🧵:
January 10, 2025 at 4:10 PM
Join us at Imperial College for an exciting event on the future of privacy in machine learning! 🔒🤖 The application for lightning talks is open.

🗓️ Date: Feb 4 @ 6pm
📍 Imperial College London
📢 Privacy in ML Meetup @ Imperial is back!

📅 February 4th, 6pm, Imperial College London

We are happy to announce the new date for the first Privacy in ML Meetup @ Imperial, bringing together researchers from across academia and industry.

RSVP: www.imperial.ac.uk/events/18318...
Privacy in Machine Learning Meetup @ Imperial
The Computational Privacy Group at Imperial College London is organizing the first Machine Learning Privacy meetup, recognizing the growing community of researchers in and around London working at the...
www.imperial.ac.uk
December 17, 2024 at 10:50 AM
Reposted by Yves-Alexandre de Montjoye
Can confirm: there is a reason we have to mask small cell counts, especially around rare diagnoses, even when using aggregated data.

@yvesalexandre.bsky.social’s entire body of work is instructive here
December 13, 2024 at 9:50 PM
Reposted by Yves-Alexandre de Montjoye
The standard practice in differential privacy of targeting ε at small δ is extremely lossy for interpreting the level of privacy protection. For many real-world algorithms (e.g., for DP-SGD), we can do much better!

We show how in the #NeurIPS2024 paper:
arxiv.org/abs/2407.02191

Short summary👇
Attack-Aware Noise Calibration for Differential Privacy
Differential privacy (DP) is a widely used approach for mitigating privacy risks when training machine learning models on sensitive data. DP mechanisms add noise during training to limit the risk of i...
arxiv.org
December 10, 2024 at 3:11 AM