The model was all they shared. The patients leaked anyway.
A hospital trains an image generator on its patients’ retinal scans. It never sends a single photo to anyone. It shares only the finished model: A file of weights, numbers with no pictures inside. On paper the patients stay anonymous. In practice they do not.
Give someone that model and nothing else, and they can still work out whose eyes it studied. Not by digging out hidden copies of the scans. By asking the model a narrower question: Have you seen this exact image before? A model that trained on a picture answers that question a little too confidently, and that extra confidence is a fingerprint. This is a membership inference attack. The paper this essay walks through, SMITE, measures how well such an attack works on one fine-tuned medical image generator, and it finds exactly where the leak lives.
The honest version of the story has two turns most privacy pitches skip. The attack we built wins where it matters and then stops winning. And the obvious fix, stopping training early, quietly costs you the thing you were training for.
What a membership inference attack actually asks
Start with the smallest version of the idea.
You have a model. You have one image. You want to know a single fact: Was this image in the model’s training set, yes or no? That is the whole attack. Not “reconstruct the training data,” not “steal the weights.” Just membership. In or out.
Why does that matter for a hospital? Because membership can be the sensitive fact. If a model was trained only on patients diagnosed with a condition, then knowing an image was in the training set tells you the diagnosis. The picture does not have to leak for the secret to leak.
The reason the attack is possible at all is that models remember. A model trained on an image treats that image differently from one it has never seen. It reconstructs it more faithfully. It is less surprised by it. Earlier work on diffusion models made this concrete: Carlini and coauthors showed that image generators memorize individual training pictures and can be made to spit out over a thousand near-copies, and that the more capable the model, the more it leaks. Memorization is not a bug in one model. It is a property of the class.
An attacker turns that memory into a yes or no answer by scoring how the model reacts to a candidate image. Members, the images it trained on, tend to score one way. Non-members score another. If the two groups separate cleanly enough, you can read membership off the score. The cleaner the separation, the better the attack.
The standard way to report how clean that separation is uses a number called AUC. Read it as the probability that a random member scores as more “seen” than a random non-member. Chance is 0.5. A perfect attack is 1.0. Every result below lives on that scale.
The setup, scoped narrowly
Here is the exact thing that was tested, because the findings do not automatically travel past it.
The generator is Stable Diffusion v1.4. We fine-tuned it, with no text prompts, on curated grade-0 diabetic retinopathy fundus images from EyePACS, a large public collection of retinal photos taken across hundreds of clinics on all kinds of cameras. Grade-0 means no visible retinopathy. That camera-and-clinic variety is a problem, because it adds differences that have nothing to do with the eye, so we cleaned the set down by clustering the images in the feature space of RETFound, a vision model pretrained on 1.6 million retinal photos, and dropping low-quality and outlier clusters. That left 25,496 images, split at the patient level into 15,289 training images and 10,207 held-out images. Splitting by patient matters: Both eyes of any one person land on the same side, so a patient can never be half in and half out. No held-out image was ever seen during fine-tuning.
We saved a checkpoint every 2,000 steps, all the way out to step 150,000, and at each checkpoint we measured two things. First, image quality, using Frechet Distance in RETFound’s feature space, which we call RFD. Lower RFD means the generated fundus images look more like real ones. Second, attack strength, the AUC of each membership attack against a fixed panel of 5,000 members and 5,000 non-members. That gives us a full trajectory: As the model gets better at making retinas, how much easier does it get to attack?
The threat model is white-box. The attacker has the released weights, which is the whole point of the weight-sharing scenario, and needs nothing else. In particular the attacker never needs the original training images. We did not test black-box settings where the attacker only sees generated samples, so nothing here speaks to those.
Where the signal hides, and where it dies
Now the part that surprised us.
There is a family of membership attacks built for medical images that works by frequency. The idea is sound and physical. A retinal photo is layered by scale: A smooth, slowly changing background, a middle band that holds the vessel walls and the optic disc, and a fine high-frequency fringe of tiny capillaries. Earlier work on brain MRI and chest X-ray found that the middle band carries most of the membership signal, and an attack called FCRE exploits exactly that by filtering an image down to its mid-frequency content before scoring it. On pixel-space diffusion models, this class of attack does well.
On Stable Diffusion it falls apart, and the reason is architectural.
Stable Diffusion does not work on pixels. It works on a compressed code. A component called the VAE encoder squeezes each 512 by 512 color image down to a small 64 by 64 tensor with four channels, and everything the model does during both training and the attack happens inside that compressed space. Pixels only come back at the very end, when a decoder expands the code into a picture. The membership signal you want to score lives in that compressed round-trip. To run a pixel-space frequency filter over it, you have to decode back out to pixels first, and that decoding step adds its own lossy smearing that buries the signal you were reaching for.
We checked whether the decoder was simply too crude. It was not. We fine-tuned the decoder until its reconstructions matched the originals much more closely, lifting mean structural similarity from 0.91 to 0.96, and the frequency attack still scored essentially at chance: 0.533 with the stock decoder and 0.539 with the improved one at checkpoint 64,000. Better pictures did not recover the signal, because the problem was never picture quality. The signal simply is not in the pixel-space frequency bands anymore. It is inside the latent code.
So we looked inside the code. And the four channels of that code are not interchangeable. Recent work on the Stable Diffusion VAE found that two of them, channels 2 and 3, carry color information, while channels 0 and 1 carry brightness and coarse shape. Other work found that memorization is spread unevenly across latent dimensions, and that throwing away the low-memorization ones actually sharpens a membership attack. Put those together and you get a hypothesis: The membership signal in a fine-tuned retinal generator is concentrated in specific channels, not smeared evenly across all four.
That hypothesis is the whole method. The strongest existing latent-space attack, SecMI, scores membership from the reconstruction error of a short round-trip through the model, and it measures that error across all four channels equally. Our method, SMITE, changes one thing: It measures the error only on the two color channels and ignores the two brightness channels. Nothing else. No decoding to pixels, no extra network, one channel selection step.
To make sure we were keeping the right channels and not just a lucky pair, we scored every one of the 15 possible channel combinations at checkpoint 70,000. The pattern was clean. Every combination that included channel 0, the brightness channel, scored worse than the same combination without it. Channel 0 alone was the weakest of all at 0.776. The two color channels together scored best at 0.840. The all-channel version, which is exactly what SecMI does, landed at 0.827, below the top five combinations. The brightness channels were not neutral. They were actively dragging the score down.
The results, and the turn
Here is what happens over a full fine-tuning run, and here is where an honest telling parts ways with a sales pitch.
Start all four attacks at step 0, before fine-tuning has taught the model anything about these particular eyes. All four sit near chance. Members and non-members score the same, because the model has not learned to treat them differently yet. Then fine-tuning proceeds, image quality climbs, and every attack climbs with it. The frequency attack barely moves and tops out at 0.642, confirming again that it does not transfer to this architecture. The loss-based attack reaches 0.970. The two round-trip attacks, SecMI and SMITE, climb past 0.98.
Through the early and middle stretch, SMITE is the strongest of the four. At checkpoint 92,000, SMITE scores 0.936 against SecMI’s 0.930, with the loss-based attack back at 0.791 and the frequency attack at 0.574. That lead holds, narrowly, out to around checkpoint 130,000.
And then it disappears. Past that point both round-trip attacks saturate above 0.98 and sit within 0.003 of each other, and at the final checkpoint SecMI is actually the one nose-ahead: 0.987 against SMITE’s 0.985 at step 150,000. Restricting the score to the color channels helps while the membership signal is still forming. Once the model has memorized enough that almost any attack succeeds, there is nothing left for the trick to sharpen, and the gap closes.
That is the real shape of it. SMITE is not the best attack everywhere. It is the best attack in the window where the signal is still emerging, and that window is not an arbitrary one. It is exactly the regime a privacy-conscious team would choose to operate in, because it is the regime you reach by stopping training early. The method wins where a careful practitioner actually lives, and ties once caution stops being an option.
The fix that isn’t free
If the attack gets stronger the longer you train, the reflex is obvious: Stop training sooner. Halt while the model is still a little ignorant, and you release something less exposed.
The trajectory says that reflex has a price, and the price is the whole reason you were training.
Watch the quality number, RFD, across the same run. It falls steadily from 1003 at step 0 to 421 at step 150,000, and it is still falling at the last checkpoint we saved. The model is still getting better at making realistic retinas at the very end, with no plateau in sight. But the attacks stopped improving long before that, because they had already saturated near the ceiling. Stack those two facts and you get an uncomfortable result: There is no checkpoint on this run where you get a high-quality model without also getting a nearly wide-open one. By the time the pictures are good, the door is already open.
So early stopping does reduce exposure. It just buys that reduction with generative quality that was still climbing. You are not trading nothing for safety. You are trading the image quality you fine-tuned for in the first place. On the model we tested, privacy and quality pulled in opposite directions the entire way.
What a practitioner should take from this
A few things carry, and it is worth being careful about which.
If you release fine-tuned weights, you are releasing a membership attack surface. The scenario is not exotic. An attacker who holds the weights, and nothing else, can run this. They never touch your training images. For sensitive data where being in the set is itself the secret, sharing weights is not the same as keeping the data private.
Early stopping is a real lever, not a free one. It lowers exposure, and on this run it lowered it only by giving back image quality that was still improving. If you reach for it, reach for it knowing the bill.
And the specific hiding place we found comes with a fence around it. On the Stable Diffusion v1.4 VAE we tested, the membership signal concentrated in the color channels and the brightness channels suppressed it. That is a statement about this autoencoder on this kind of data. A different generator, a different VAE, a different imaging modality could split its channels some other way, or not split them so cleanly at all. The mechanism travels as a question to ask, not as a setting to copy.
Chapter one
What we have is a map of where the leak lives in one fine-tuned retinal model and a demonstration that the intuitive fix has a cost. What we do not have yet is a way to close the leak without losing the model.
The tempting next question is whether the color-channel signal can be dampened on purpose, quieting the part of the code that carries the membership fingerprint while keeping the part a downstream diagnosis actually needs. If that works, privacy and quality stop being a straight tradeoff and start being two dials you can set apart. Whether that holds on messier multi-source data, and whether pixel-space generators without the VAE bottleneck are easier or harder to defend, are open. This is the first chapter, not the last.
For now the finding stands where it was tested and no further. Share the weights of a model fine-tuned on private images, and on the system we studied, the people in the training set are still in the room.