@ana-mariacretu
Tenure-track faculty at CISPA. Previously a post-doc at EPFL studying privacy and safety harms in data-driven systems and PhD in data privacy at Imperial College London. https://ana-mariacretu.github.io/
To apply, email me to cretu@cispa.de with a CV, a transcript of academic records for all degrees, and 2-3 references. Women and students from minority backgrounds are strongly encouraged to apply.
Check out the openings page for more details.
github.com/ana-mariacre...
CISPA is the world-leading institution in computer security research according to CS rankings. It offers an international and collaborative environment, with excellent working conditions for PhDs: highly competitive salaries, 30 paid leave days, as well as generous funding and scientific support.
- Acquiring deep technical expertise in state-of-the-art machine learning while rigorously modeling capabilities and constraints?
Then you are strongly encouraged to apply!
- Evaluating capabilities of AI systems such as image generative AI and client-side scanning systems,
- Designing tools to measure and enhance the privacy and utility of privacy-enhancing technologies like synthetic data, query-based systems, and anonymization,
I'm excited to announce that my research group at CISPA @cispa.de is recruiting PhD students to work on privacy, security, and user safety in general-purpose data systems, with a focus on generative AI systems, synthetic data, and anonymization.
Are you interested in:
- Acquiring deep technical expertise in state-of-the-art machine learning while rigorously modeling capabilities and constraints?
Then you are strongly encouraged to apply!
- Evaluating capabilities of AI systems such as image generative AI and client-side scanning systems,
- Designing tools to measure and enhance the privacy and utility of privacy-enhancing technologies like synthetic data, query-based systems, and anonymization,
Call for Papers: MetaCRiSP Workshop (Security & Privacy).
A venue for metascience and critical reflection on research and peer-review practices in security & privacy.
Workshop: May 21, 2026 Β· San Francisco. (47th IEEE S&P)
Deadline: Feb 12, 2026.
More here: metacrisp.org
@mu00d8.bsky.social
Screenshot of the title page of Alex' paper - "The Adverse Effects of Omitting Records in Differential Privacy: How Sampling and Suppression Degrade the PrivacyβUtility Tradeoff"
π₯The year starts with great news:π₯
πΎΓlex' paper accepted at USENIX Secπ
He demonstrates how suppression (and: sampling as one special case) may amplify privacy but yields disproportionate utility loss.
It's been hard work: πper aspera ad astraπ
Congrats, we're proud!
arxiv.org/abs/2601.05180
I am also immensely grateful for the support provided by @icepfl.bsky.social , and especially Thomas Bourgeat, to help me prepare for the interviews.
Many thanks to my mentors without whom I would not have made it so far: @yvesalexandre.bsky.social, @carmelatroncoso.bsky.social, @strufe.bsky.social and Shruti Tople.
I am delighted to announce I have joined @cispa.de as a tenure-track faculty earlier this month! Iβm really excited to join such a stellar team of security and privacy researchers!
... but rather that there is a long way before it is possible to say that it works as a solution to prevent AI CSAM generation, and that more evaluations should be transparent if they are to claim filtering is a suitable solution. See our Challenges ahead section for open questions.
4) Finally, we do not say that filtering should be abandoned, especially since training AI models on images of children has privacy implications (www.hrw.org/news/2024/07...), ...
Since SD 2.x models can already generate NSFW content without any fine-tuning, we believe that they could be successfully fine-tuned for better content if they were the only existing models, increasing their popularity.
... and arxiv.org/abs/2408.17285). The former shows that hundreds of prompts out of 4.7k lead to NSFW content in SD 2.0.
3) Given current evidence, we disagree that NSFW filtering works. In text-to-video models, the reference provided states that filtering is ineffective. In text-to-image models, researchers have shown that NSFW filtering fails to prevent NSFW generation (see arxiv.org/abs/2303.07345 ...
We concluded that filtering does not work because only a dozen prompts are required at most for successful generation. This does not seem like a big hurdle for motivated adversaries.
In our work, we quantify a different notion of effectiveness: the time it takes to generate an unwanted image via the number of prompts required; which captures the effort anyone (included a motivated adversary) needs to do.
It concludes filtering is effective because filtered Stable Diffusion 2.x models are much less popular the unfiltered Stable Diffusion 1.x. While this says something about the effect of filtering, the users on Reddit might not be as motivated as a perpetrator to create CSAM.
2) We believe it key to define and agree on what it means for filtering to "work". The reference provided uses the Reddit popularity of the models as a measure of the effect of filtering.
Thank you for the comments.
1) While our results are not surprising, no work so far has quantified the effectiveness of child filtering, in spite of it being often recommended as a solution to prevent the generation of undesired images.
Many thanks to all collaborators: Klim Kireev, @amro-abdalla.bsky.social Wisdom Obinna, Raphael Meier, Sarah Adel Bargal, @eredmil1.bsky.social and @carmelatroncoso.bsky.social.
This paper is the result of a collaboration between researchers at @icepfl.bsky.social, MPI-SP, armasuisse and @georgetowncs.bsky.social.
Among the conceptual problems, there is gaining a better understanding of what successful AI CSAM generation means to be able to develop evaluation methods that capture real perpetratorsβ goals and do not artificially constrain models. More in the paper! www.arxiv.org/abs/2512.05707
Among the technical problems, there is improving detection of children in images in the wild, where children are in the background, playing, or backwards, or understanding what kind of images of children enable AI CSAM generation capabilities.
And if technology improves? Will filtering be a solution to the AI CSAM generation problem? In the paper we describe the challenges that need to be addressed for this to happen, which require solving hard technical and conceptual problems.
It becomes harder to generate images of these concepts after filtering (e.g. playgrounds become grounds), or their representation changes (mother results in older women). A filtered model cannot be called general without assessing such unintended consequences.
Removing images of children can also have unintended consequences of the modelβs capability to generate concepts appearing in images that typically contain children (women, mothers and playgrounds).
Thus, automated child filtering provides limited protection against CSAM generation to closed-weight models and no protection to open-weight models if perpetrators can access the weights.