TL;DR
This paper introduces two methods, Unlearning and Amnesiac Unlearning, to effectively remove personal data from machine learning models, protecting user privacy and ensuring compliance with GDPR while maintaining model performance.
Contribution
It proposes novel data removal techniques that defend against information leakage attacks and ensure GDPR compliance in neural network models.
Findings
Both methods effectively remove sensitive information from models.
The techniques maintain high model accuracy after data removal.
Empirical results demonstrate the efficiency and safety of the proposed methods.
Abstract
The Right to be Forgotten is part of the recently enacted General Data Protection Regulation (GDPR) law that affects any data holder that has data on European Union residents. It gives EU residents the ability to request deletion of their personal data, including training records used to train machine learning models. Unfortunately, Deep Neural Network models are vulnerable to information leaking attacks such as model inversion attacks, which extract class information from a trained model, and membership inference attacks, which determine the presence of an example in a model's training data. If a malicious party can mount an attack and learn private information that was meant to be removed, then it implies that the model owner has not properly protected their users' rights and their models may not be compliant with the GDPR law. In this paper, we present two efficient methods that address…
