References & Citations
Computer Science > Machine Learning
Title: The Privacy Onion Effect: Memorization is Relative
(Submitted on 21 Jun 2022 (v1), last revised 22 Jun 2022 (this version, v2))
Abstract: Machine learning models trained on private datasets have been shown to leak their private data. While recent work has found that the average data point is rarely leaked, the outlier samples are frequently subject to memorization and, consequently, privacy leakage. We demonstrate and analyse an Onion Effect of memorization: removing the "layer" of outlier points that are most vulnerable to a privacy attack exposes a new layer of previously-safe points to the same attack. We perform several experiments to study this effect, and understand why it occurs. The existence of this effect has various consequences. For example, it suggests that proposals to defend against memorization without training with rigorous privacy guarantees are unlikely to be effective. Further, it suggests that privacy-enhancing technologies such as machine unlearning could actually harm the privacy of other users.
Submission history
From: Nicholas Carlini [view email][v1] Tue, 21 Jun 2022 15:25:56 GMT (917kb,D)
[v2] Wed, 22 Jun 2022 16:51:50 GMT (917kb,D)
Link back to: arXiv, form interface, contact.