Contents
There is no reliable public way to prove a model trained on your voice, because no consumer tool searches audio training sets the way image indexes search pictures, and the statistical test built for this question cannot give you proof on a closed model. You can often raise a real suspicion that your recordings were scraped; you can almost never close the case, and for the speaking voice that gap is at its widest. What follows is what you can actually establish, what you cannot, and how to act on an answer that will stay uncertain.
Can you search the training set?
The most direct check would be to look for your voice inside a dataset a model trained on, and for the voice that check does not exist. Spawning’s “Have I Been Trained” searches LAION-5B, a public set of billions of image-text pairs behind many generators, so it can flag your headshots, press photos and video stills, but it indexes images, not audio. Your interviews, voicemails and podcast episodes are not searchable there, and there is no consumer dataset-search tool for sound. The image index is still worth a look for a speaker whose face travels with their voice in the same press kit, because a match there tells you your material was scraped even though it will never find the recording itself. For the voice track, the starting point is that the training set is a closed box.
Can a test tell if your recording was in the data?
When the dataset is closed, the research route is a membership inference attack. Shokri, Stronati, Song and Shmatikov introduced it at IEEE S&P 2017 as a way to, “given a data record and black-box access to a model, determine if the record was in the model’s training dataset,” by reading the faint over-confidence a model shows on data it has already seen. For speech this is an active research area rather than a finished product. Tsaprazlis, Lertpetchpun, Feng, Karimireddy and Narayanan, in their VoxGuard study at ICASSP 2026, show that simple attacks can “recover gender and accent with near-perfect accuracy even after anonymization,” while warning that the usual summary metric “substantially underestimates leakage.” That is a striking privacy result, but a method run by specialists on models they control is not a proof service a singer or voice actor can point a website at.
Can you ever get real proof?
Not cleanly, for a closed model. A 2025 position paper by Zhang, Das, Kamath and Tramèr at IEEE SaTML 2025, titled “Membership Inference Attacks Cannot Prove that a Model Was Trained On Your Data,” argues that a sound proof would require showing the attack’s result is “unlikely under the null hypothesis that the model was not trained on the target data,” and that “sampling from this null hypothesis is impossible, as we do not know the exact contents of the training set, nor can we (efficiently) retrain a large foundation model.” The practical corollary is that these tests lack a provably low false-positive rate on production models, so if a service offers to prove your voice was trained on, ask for its false-positive rate before you believe the answer. The one method that can be sound is data extraction, getting the model to emit your material verbatim, as Carlini, Tramèr, Wallace, Jagielski, Herbert-Voss, Lee, Roberts, Brown, Song, Erlingsson, Oprea and Raffel did at USENIX Security 2021 when they pulled memorized text out of a language model. Extraction is powerful when it happens, but it needs the model to have memorized and to reproduce your specific recording, which is the exception, not the rule.
Why is the voice the harder case?
Two things stack against speech. There is no dataset-search tool, so the easy image route is simply missing, and audio is almost always compressed and transcoded before it is scraped, which scrambles the fine detail any test would read. Protection perturbations have to be engineered to survive that treatment, which shows how fragile an audio signal is: AntiFake, from Yu, Zhai and Zhang at ACM CCS 2023, reports “over 95% protection rate even to unknown black-box models” precisely because it is built to persist through transcoding, and a membership signal that nobody engineered to survive that pipeline is far more fragile than one on an uncompressed image. Even the research that shows generative models leak membership at all, such as privGAN from Mukherjee, Xu, Trivedi, Patowary and Lavista Ferres at PoPETs 2021, is a lab demonstration on models the authors controlled, not a service where you upload a clip and get a verdict.
What a result actually means
Put the routes together and the ceiling is clear. There is no photo-style search for your voice, a membership-inference signal says only that a model behaves as if it saw your sample, and neither proves a specific commercial system trained on your recording, nor removes you from one that already did. Treat any test result as a lead, not a verdict, because a positive is not proof and a negative is not a clearance. Use that uncertainty to triage rather than to litigate: build the best-supported suspicion you can from any image surfaces that are searchable, then spend your energy where it pays off, on opting out going forward so a future scrape has less of you to take, and on keeping your cleanest recordings off the open web so the easiest training target is never the one you release. None of this proves the past, but it improves your position from the day you do it. The step-by-step version is did they train on my voice: how to check and opt out; for whether the protection tools actually deliver, do AI poisoning tools actually work.
Sources
- Shokri, Stronati, Song, Shmatikov (2017). Membership Inference Attacks against Machine Learning Models. IEEE S&P 2017.
- Tsaprazlis, Lertpetchpun, Feng, Karimireddy, Narayanan (2026). VoxGuard: Evaluating User and Attribute Privacy in Speech via Membership Inference Attacks. ICASSP 2026.
- Zhang, Das, Kamath, Tramèr (2025). Membership Inference Attacks Cannot Prove that a Model Was Trained On Your Data. IEEE SaTML 2025.
- Carlini, Tramèr, Wallace, Jagielski, Herbert-Voss, Lee, Roberts, Brown, Song, Erlingsson, Oprea, Raffel (2021). Extracting Training Data from Large Language Models. USENIX Security 2021.
- Mukherjee, Xu, Trivedi, Patowary, Lavista Ferres (2021). PrivGAN: Protecting GANs from Membership Inference Attacks at Low Cost. PoPETs 2021.
- Yu, Zhai, Zhang (2023). AntiFake: Using Adversarial Audio to Prevent Unauthorized Speech Synthesis. ACM CCS 2023.
New protection tests, breakdowns and how-long-does-it-hold checks. No spam, unsubscribe anytime.