Matthew Jagielski

Google DeepMind
Email: (my last name)@google.com
Github
Google Scholar
About Me
I am a research scientist at Google DeepMind, working on Andreas Terzis's team. I work on security, privacy, and memorization in machine learning systems. This includes directions like privacy auditing, memorization in generative models, data poisoning, and model stealing.

I received my PhD from Northeastern University, where I was fortunate to be advised by Alina Oprea and Cristina Nita-Rotaru, as a member of the Network and Distributed Systems Security Lab (NDS2).

In other news, I enjoy running, swimming, and biking. I'm also a retired Super Smash Brothers tournament competitor.
News
[Apr 2025] Maura Pintor, Ruoxi Jia, and I are organizing the 18th AISec workshop at CCS 2025. Please consider submitting your work!

[Oct 2024] Maura Pintor, Xinyun Chen, and I organized the 17th AISec workshop at CCS 2024. Thank you to everyone who helped make it happen, and see you next year!

[Dec 2023] Our paper Privacy Auditing in One (1) Training Run received an outstanding paper award at NeurIPS 2023!

[June - Sept 2023] I enjoyed hosting Karan Chadha as a student researcher, together with Nicolas Papernot! His paper, Auditing Private Prediction, was accepted to ICML 2024!

[Aug 2023] Our paper Tight Auditing of Differentially Private Machine Learning won a best paper award at USENIX Security 2023!

[July 2023] Our paper "Extracting Training Data from Large Language Models" won runner-up for the Caspar Bowden award at PETS 2023!

[June 2023] Lishan Yang and I cochaired the DSML 2023 workshop, colocated with DSN 2023 in Porto, Portugal! Thank you to everyone involved, especially our attendees, keynote speakers (Paolo Rech and Andrew Paverd) and our steering committee!

Selected Publications - see Google Scholar for full list
  • Measuring Forgetting of Memorized Training Examples
    Matthew Jagielski, Om Thakkar, Florian Tramèr, Daphne Ippolito, Katherine Lee, Nicholas Carlini, Eric Wallace, Shuang Song, Abhradeep Thakurta, Nicolas Papernot, Chiyuan Zhang
    ICLR 2023
    [Paper]
  • Extracting Training Data from Large Language Models
    Nicholas Carlini, Florian Tramèr, Eric Wallace, Matthew Jagielski, Ariel Herbert-Voss, Katherine Lee, Adam Roberts, Tom Brown, Dawn Song, Ulfar Erlingsson, Alina Oprea, Colin Raffel
    USENIX Security 2021
    [Paper]
  • Auditing Differentially Private Machine Learning - How Private is Private SGD?
    Matthew Jagielski, Jonathan Ullman, Alina Oprea
    NeurIPS 2020, TPDP 2020 Contributed Talk
    [Paper] [Code] [Poster] [Talk]
  • High-Fidelity Extraction of Neural Network Models
    Matthew Jagielski, Nicholas Carlini, David Berthelot, Alex Kurakin, and Nicolas Papernot
    USENIX Security 2020
    [Paper] [Blog] [Talk]
  • Manipulating Machine Learning: Poisoning Attacks and Countermeasures for Regression Learning
    Matthew Jagielski, Alina Oprea, Chang Liu, Cristina Nita-Rotaru, and Bo Li
    IEEE S&P (Oakland) 2018
    [Code] [Paper] [Talk]

Sometimes I have things to say. If that happens, I'll put them here.


ICLR 2025 Prompt Injection Poll
While at ICLR 2025, I asked several people what they thought the worst outcome of prompt injection would be during 2025. I got a lot of interesting answers, so I wrote up a summary. Thanks to everyone who participated!

What is the relationship between conference and workshop papers?
A student asked me this question, and a colleague suggested I post my reply. Here it is!

NYC Privacy Day 2024 Talk Notes
My talk at NYC Privacy Day 2024 "Is Memorization Membership?" was a summary of evidence that memorization is not just the result of high vulnerability to membership inference, and included some future directions I thought would be useful. I made a companion website for this talk so people could see the references and main points of the talk.

TPDP 2024 Keynote Notes
My keynote talk "Data and Privacy in Data Privacy" at TPDP 2024 was about research areas adjacent to differential privacy that I think are really interesting - training data attribution, data curation, and contextual integrity. I wrote up a companion website so people could forever see the main points of the talk and important references.