Privacy Auditing with Zero (0) Training Run

TL;DR

Zero-Run privacy auditing offers a practical, post-hoc method to evaluate the privacy of large models using fixed datasets, addressing limitations of existing approaches that require retraining.

Contribution

It introduces a novel observational framework for privacy auditing that accounts for distribution shifts, enabling valid privacy assessments without retraining or data manipulation.

Findings

Enables privacy evaluation without retraining large models.

Provides conservative and sharper bounds through two correction methods.

Effective on synthetic and large-scale models.

Abstract

Privacy auditing provides empirical lower bounds on the differential privacy parameters of learning algorithms. Existing methods, however, require interventional access to the training pipeline, either to retrain multiple times or to randomize data inclusion. This is often infeasible for large deployed systems such as foundation models. We introduce Zero-Run privacy auditing, a post-hoc framework for auditing models using two fixed datasets: examples known to be training-set members and examples known to be non-members. In this observational regime, membership is no longer randomized; instead, member and non-member data often differ in distribution, so membership inference scores may reflect a distribution shift rather than algorithmic leakage. Drawing on ideas from causal inference, we formalize this confounding effect and propose two complementary corrections that yield valid privacy audits. Our first approach models the combined effect of distribution shift and algorithmic leakage as an adaptive composition, producing conservative global corrections. Our second approach conditions on observed data and adjusts pointwise membership guesses, yielding sharper instance-dependent bounds. Experiments on synthetic data and large-scale models show that Zero-Run auditing enables practical privacy evaluation when retraining or controlled data insertion is infeasible.