Leave My Images Alone: Preventing Multi-Modal Large Language Models from Analyzing Images via Visual Prompt Injection

Researchers introduce ImageProtector, a user-side defense mechanism that embeds imperceptible perturbations into images to prevent multi-modal large language models from analyzing them. When adversaries attempt to extract sensitive information from protected images, MLLMs are induced to refuse analysis, though potential countermeasures exist that may partially mitigate the technique's effectiveness.

The emergence of open-weight multi-modal large language models creates a privacy paradox: while these systems enable powerful image analysis capabilities, they simultaneously allow malicious actors to extract sensitive personal information at scale from shared images. ImageProtector addresses this vulnerability by introducing a user-controlled protection layer that operates before images enter circulation online. The technique leverages visual prompt injection—embedding subtle perturbations that manipulate how MLLMs interpret images—to consistently trigger refusal responses without noticeably degrading image quality for human viewers.

This research reflects growing concerns about privacy vulnerabilities in the AI ecosystem as models become increasingly capable and accessible. The proliferation of open-weight MLLMs has democratized AI access but simultaneously lowered barriers to large-scale privacy violations. Users currently lack meaningful tools to protect personal imagery from unwanted machine analysis, making ImageProtector's user-side approach particularly relevant.

The practical implications extend across multiple stakeholder groups. Individual users gain a mechanism to control image privacy independently of platform policies or legal frameworks. However, the researchers' evaluation of countermeasures—Gaussian noise, DiffPure, and adversarial training—reveals an important limitation: defenses that partially mitigate ImageProtector simultaneously reduce model accuracy and efficiency, creating a fundamental tension between privacy and utility.

Looking ahead, this work catalyzes a broader conversation about adversarial privacy measures in multimodal AI. As MLLMs become more sophisticated and deployment increases, both attack and defense mechanisms will likely evolve in parallel. The research suggests that perturbation-based approaches offer promise but imperfect solutions, potentially driving demand for integrated privacy-preserving architectures and regulatory frameworks that enforce model-side privacy guarantees rather than relying solely on user-side protections.

• →ImageProtector embeds imperceptible perturbations into images to trigger refusal responses from multi-modal LLMs, protecting sensitive personal information.
• →The technique proves effective across six different MLLMs and multiple datasets, indicating broad applicability as a user-controlled privacy defense.
• →Existing countermeasures like adversarial training partially mitigate the protection but degrade model performance, revealing inherent privacy-utility tradeoffs.
• →Open-weight MLLMs create scalable privacy risks requiring user-side defenses since platform-level protections remain insufficient.
• →The research highlights limitations of perturbation-based privacy approaches and suggests future solutions may require architectural changes to models themselves.