Explanations Leak: Membership Inference with Differential Privacy and Active Learning Defense

TL;DR

This paper investigates how counterfactual explanations in MLaaS increase privacy risks via membership inference attacks and proposes a defense combining Differential Privacy and Active Learning to mitigate these risks while maintaining utility.

Contribution

It systematically analyzes the privacy risks introduced by explanations and introduces a novel defense framework integrating Differential Privacy with Active Learning.

Findings

Exposing CFs via APIs enhances membership inference attacks.

The proposed DP and AL defense reduces privacy leakage.

Trade-offs exist between privacy, utility, and explanation quality.

Abstract

Counterfactual explanations (CFs) are increasingly integrated into Machine Learning as a Service (MLaaS) systems to improve transparency; however, ML models deployed via APIs are already vulnerable to privacy attacks such as membership inference and model extraction, and the impact of explanations on this threat landscape remains insufficiently understood. In this work, we focus on the problem of how CFs expand the attack surface of MLaaS by strengthening membership inference attacks (MIAs), and on the need to design defense mechanisms that mitigate this emerging risk without undermining utility and explainability. First, we systematically analyze how exposing CFs through query-based APIs enables more effective shadow-based MIAs. Second, we propose a defense framework that integrates Differential Privacy (DP) with Active Learning (AL) to jointly reduce memorization and limit effective training data exposure. Finally, we conduct an extensive empirical evaluation to characterize the three-way trade-off between privacy leakage, predictive performance, and explanation quality. Our findings highlight the need to carefully balance transparency, utility, and privacy in the responsible deployment of explainable MLaaS systems.