Protecting the Undeleted in Machine Unlearning

TL;DR

This paper reveals privacy risks in machine unlearning, demonstrating that perfect retraining can lead to data reconstruction attacks, and proposes a new security definition to better protect undeleted data.

Contribution

It identifies privacy vulnerabilities in existing unlearning methods and introduces a new security framework that safeguards undeleted data while supporting essential functionalities.

Findings

Reconstruction attack can recover almost entire dataset from deletion requests.

Existing definitions are either vulnerable or too restrictive.

Proposed definition balances security and functionality.

Abstract

Machine unlearning aims to remove specific data points from a trained model, often striving to emulate "perfect retraining", i.e., producing the model that would have been obtained had the deleted data never been included. We demonstrate that this approach, and security definitions that enable it, carry significant privacy risks for the remaining (undeleted) data points. We present a reconstruction attack showing that for certain tasks, which can be computed securely without deletions, a mechanism adhering to perfect retraining allows an adversary controlling merely $\omega(1)$ data points to reconstruct almost the entire dataset merely by issuing deletion requests. We survey existing definitions for machine unlearning, showing they are either susceptible to such attacks or too restrictive to support basic functionalities like exact summation. To address this problem, we propose a new security definition that specifically safeguards undeleted data against leakage caused by the deletion of other points. We show that our definition permits several essential functionalities, such as bulletin boards, summations, and statistical learning.