What Can We Learn from Unlearnable Datasets?

TL;DR

This paper critically examines unlearnable datasets used for data privacy, revealing that neural networks can still learn useful features and that certain assumptions about their limitations are incorrect, challenging their effectiveness.

Contribution

It provides empirical evidence that neural networks can learn useful features from unlearnable datasets and introduces a simpler attack method to bypass protections.

Findings

Neural networks can learn useful features from unlearnable datasets.

Linear separability of perturbations is not necessary for unlearnability.

An orthogonal projection attack effectively learns from protected datasets.

Abstract

In an era of widespread web scraping, unlearnable dataset methods have the potential to protect data privacy by preventing deep neural networks from generalizing. But in addition to a number of practical limitations that make their use unlikely, we make a number of findings that call into question their ability to safeguard data. First, it is widely believed that neural networks trained on unlearnable datasets only learn shortcuts, simpler rules that are not useful for generalization. In contrast, we find that networks actually can learn useful features that can be reweighed for high test performance, suggesting that image protection is not assured. Unlearnable datasets are also believed to induce learning shortcuts through linear separability of added perturbations. We provide a counterexample, demonstrating that linear separability of perturbations is not a necessary condition. To emphasize why linearly separable perturbations should not be relied upon, we propose an orthogonal projection attack which allows learning from unlearnable datasets published in ICML 2021 and ICLR 2023. Our proposed attack is significantly less complex than recently proposed techniques.