defense 2025

T2UE: Generating Unlearnable Examples from Text Descriptions

Xingjun Ma 1, Hanxun Huang 2, Tianwei Song 1, Ye Sun 1, Yifeng Gao 1, Yu-Gang Jiang 1

0 citations

Published on arXiv: 2508.03091

Data Poisoning Attack

OWASP ML Top 10 — ML02

Key Finding

T2UE-protected data substantially degrades downstream cross-modal retrieval performance for SOTA models while requiring only text descriptions and no direct image access during protection generation.

T2UE (Text-to-Unlearnable Example)

Novel technique introduced


Large-scale pre-training frameworks like CLIP have revolutionized multimodal learning, but their reliance on web-scraped datasets, frequently containing private user data, raises serious concerns about misuse. Unlearnable Examples (UEs) have emerged as a promising countermeasure against unauthorized model training, employing carefully crafted unlearnable noise to disrupt the learning of meaningful representations from protected data. Current approaches typically generate UEs by jointly optimizing unlearnable noise for both images and their associated text descriptions (or labels). However, this optimization process is often computationally prohibitive for on-device execution, forcing reliance on external third-party services. This creates a fundamental privacy paradox: users must initially expose their data to these very services to achieve protection, thereby compromising privacy in the process. Such a contradiction has severely hindered the development of practical, scalable data protection solutions. To resolve this paradox, we introduce Text-to-Unlearnable Example (T2UE), a novel framework that enables users to generate UEs using only text descriptions. T2UE circumvents the need for original image data by employing a text-to-image (T2I) model to map text descriptions into the image (noise) space, combined with an error-minimization framework to produce effective unlearnable noise. Extensive experiments show that T2UE-protected data substantially degrades performance in downstream tasks (e.g., cross-modal retrieval) for state-of-the-art models. Notably, the protective effect generalizes across diverse architectures and even to supervised learning settings. Our work demonstrates the feasibility of "zero-contact data protection", where personal data can be safeguarded based solely on their textual descriptions, eliminating the need for direct data exposure.


Key Contributions

  • T2UE framework that generates unlearnable noise solely from text descriptions, eliminating the need for original image access (zero-contact data protection)
  • Text-to-perturbation mapping using a T2I model combined with an error-minimization objective against CLIP surrogate encoders
  • Demonstrated transferability of UE protection across diverse multimodal architectures and supervised learning settings

🛡️ Threat Analysis

Data Poisoning Attack

T2UE adds carefully crafted perturbations to training data so that models trained on the protected data fail to learn meaningful representations — this is data poisoning used defensively. The adversary is an unauthorized party attempting to train on scraped user data; the defense corrupts the training signal via imperceptible noise injected before data collection.


Details

Domains: vision, nlp, multimodal
Model Types: vlm, diffusion, transformer
Threat Tags: training_time, black_box, digital
Datasets: CC3M, MSCOCO, Flickr30k, CIFAR-10
Applications: multimodal pre-training, cross-modal retrieval, image classification