TL;DR
This paper critically examines the evaluation methods of empirical privacy defenses in machine learning, revealing they often underestimate privacy risks and are outperformed by differential privacy baselines.
Contribution
It identifies key flaws in existing empirical privacy evaluations and demonstrates that these defenses are less effective than properly tuned differential privacy methods.
Findings
Prior evaluations underestimate privacy leakage by an order of magnitude.
Empirical defenses are outperformed by high-utility differential privacy baselines.
Weak attacks and poor sample characterization lead to misleading conclusions.
Abstract
Empirical defenses for machine learning privacy forgo the provable guarantees of differential privacy in the hope of achieving higher utility while resisting realistic adversaries. We identify severe pitfalls in existing empirical privacy evaluations (based on membership inference attacks) that result in misleading conclusions. In particular, we show that prior evaluations fail to characterize the privacy leakage of the most vulnerable samples, use weak attacks, and avoid comparisons with practical differential privacy baselines. In 5 case studies of empirical privacy defenses, we find that prior evaluations underestimate privacy leakage by an order of magnitude. Under our stronger evaluation, none of the empirical defenses we study are competitive with a properly tuned, high-utility DP-SGD baseline (with vacuous provable guarantees).