Auditing Approximate Machine Unlearning for Differentially Private Models
Yuechun Gu, Jiajie He, Keke Chen
TL;DR
This paper critically examines the privacy guarantees of approximate machine unlearning methods applied to differentially private models, revealing potential privacy risks for retained data and proposing an efficient auditing approach.
Contribution
It introduces a holistic auditing framework for unlearned and retained samples' privacy, including new criteria and an efficient membership inference attack, highlighting privacy risks in existing unlearning methods.
Findings
Existing unlearning algorithms may compromise retained data privacy.
Differential privacy may not hold after approximate unlearning.
Proposed auditing method effectively detects privacy breaches.
Abstract
Approximate machine unlearning aims to remove the effect of specific data from trained models to ensure individuals' privacy. Existing methods focus on the removed records and assume the retained ones are unaffected. However, recent studies on the \emph{privacy onion effect} indicate this assumption might be incorrect. Especially when the model is differentially private, no study has explored whether the retained ones still meet the differential privacy (DP) criterion under existing machine unlearning methods. This paper takes a holistic approach to auditing both unlearned and retained samples' privacy risks after applying approximate unlearning algorithms. We propose the privacy criteria for unlearned and retained samples, respectively, based on the perspectives of DP and membership inference attacks (MIAs). To make the auditing process more practical, we also develop an efficient MIA,…
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.