Epsilon*: Privacy Metric for Machine Learning Models
Diana M. Negoescu, Humberto Gonzalez, Saad Eddin Al Orjany, Jilei Yang, Yuliia Lut, Rahul Tandra, Xiaowen Zhang, Xinyi Zheng, Zach Douglas, Vidita Nolkha, Parvez Ahammad, Gennady Samorodnitsky

TL;DR
Epsilon* is a novel privacy metric that assesses the privacy risk of individual machine learning models using only black-box access, applicable before, during, or after deployment, and is sensitive to privacy mitigation strategies.
Contribution
The paper introduces Epsilon*, a new empirical privacy metric that requires no training data re-sampling or re-training, applicable to models not trained with differential privacy, and provides an empirical lower bound on privacy loss.
Findings
Epsilon* effectively detects privacy risk reductions from differential privacy training.
The metric is sensitive enough to distinguish between different levels of privacy mitigation.
Epsilon* can be computed efficiently and is robust against numerical instabilities.
Abstract
We introduce Epsilon*, a new privacy metric for measuring the privacy risk of a single model instance prior to, during, or after deployment of privacy mitigation strategies. The metric requires only black-box access to model predictions, does not require training data re-sampling or model re-training, and can be used to measure the privacy risk of models not trained with differential privacy. Epsilon* is a function of true positive and false positive rates in a hypothesis test used by an adversary in a membership inference attack. We distinguish between quantifying the privacy loss of a trained model instance, which we refer to as empirical privacy, and quantifying the privacy loss of the training mechanism which produces this model instance. Existing approaches in the privacy auditing literature provide lower bounds for the latter, while our metric provides an empirical lower bound for…
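As an added illustration (not code from the paper or its authors), the block below turns the abstract's idea into a runnable audit: an adversary runs a threshold test on per-example membership-inference scores, and the observed true positive and false positive rates are converted into an empirical lower bound on privacy loss using the standard (ε, δ)-DP hypothesis-testing constraints (TPR ≤ e^ε·FPR + δ and 1 − FPR ≤ e^ε·(1 − TPR) + δ). Whether Epsilon* uses exactly this bound is not stated on this page, so treat the formula as an assumption; all scores are constructed, and the second score set models a hypothetical mitigated model to show the bound falling when members and non-members become harder to separate.

```python
import math

# Constructed membership-inference scores (e.g. the model's confidence on an
# example's true label); higher score -> attacker more likely to say "member".
# Illustrative values only, not data from the paper.
MEMBER_SCORES = [0.9, 0.8, 0.7, 0.3]           # examples that were in the training set
NONMEMBER_SCORES = [0.6, 0.5, 0.4, 0.2, 0.1]   # held-out examples
# Same attack against a hypothetical mitigated model: members and
# non-members are harder to separate.
MITIGATED_MEMBER_SCORES = [0.6, 0.5, 0.4, 0.2]
MITIGATED_NONMEMBER_SCORES = [0.55, 0.45, 0.35, 0.3, 0.1]

def tpr_fpr(member_scores, nonmember_scores, threshold):
    """Adversary's hypothesis test: declare 'member' when score >= threshold."""
    tpr = sum(s >= threshold for s in member_scores) / len(member_scores)
    fpr = sum(s >= threshold for s in nonmember_scores) / len(nonmember_scores)
    return tpr, fpr

def epsilon_from_rates(tpr, fpr, delta=0.0):
    """Largest eps consistent with observed (tpr, fpr) under the standard
    (eps, delta)-DP hypothesis-test constraints (assumed here, not quoted from the paper)
        TPR <= e^eps * FPR + delta   and   1 - FPR <= e^eps * (1 - TPR) + delta,
    i.e. an empirical lower bound on the privacy loss. A constraint whose
    ratio is undefined (rate exactly 0 or 1) is skipped."""
    bounds = [0.0]  # privacy loss is never reported as negative
    if fpr > 0 and tpr - delta > 0:
        bounds.append(math.log((tpr - delta) / fpr))
    if tpr < 1 and 1 - fpr - delta > 0:
        bounds.append(math.log((1 - fpr - delta) / (1 - tpr)))
    return max(bounds)

def empirical_epsilon(member_scores, nonmember_scores, delta=0.0):
    """Sweep every observed score as a threshold (the adversary picks its
    strongest test) and return (eps, threshold, tpr, fpr) for the best one."""
    best = (0.0, None, None, None)
    for t in sorted(set(member_scores) | set(nonmember_scores)):
        tpr, fpr = tpr_fpr(member_scores, nonmember_scores, t)
        eps = epsilon_from_rates(tpr, fpr, delta)
        if eps > best[0]:
            best = (eps, t, tpr, fpr)
    return best

if __name__ == "__main__":
    for name, m, n in [("baseline", MEMBER_SCORES, NONMEMBER_SCORES),
                       ("mitigated", MITIGATED_MEMBER_SCORES, MITIGATED_NONMEMBER_SCORES)]:
        eps, t, tpr, fpr = empirical_epsilon(m, n)
        print(f"{name}: empirical eps lower bound {eps:.3f} at threshold {t} "
              f"(TPR={tpr:.2f}, FPR={fpr:.2f})")
```

With only a handful of scores the rates are noisy and a threshold that produces FPR = 0 inflates the bound; a real audit replaces the point estimates with confidence bounds on TPR and FPR before taking the logarithm.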
Taxonomy
Topics: Privacy-Preserving Technologies in Data · Adversarial Robustness in Machine Learning · Explainable Artificial Intelligence (XAI)
