Search papers, labs, and topics across Lattice.
This paper investigates the privacy risks associated with the one-dataset-multiple-model (ODMM) paradigm, revealing that deploying multiple models trained on the same dataset significantly amplifies privacy leakage. The authors establish a theoretical framework for "ODMM privacy composition," demonstrating that exposure to additional models increases the risk of membership inference attacks. Their proposed method, PRIME, effectively quantifies this risk across various datasets and model architectures, showing that traditional mitigations like differential privacy are insufficient against their attack strategy.
Exposing multiple models trained on the same dataset can dramatically increase privacy leakage, with traditional defenses falling short against this compounded risk.
To efficiently exploit a valuable data source (e.g., facial or medical images), it is frequently harnessed to fulfill multiple learning objectives (e.g., facial recognition, age estimation, and race classification). Each trained model is then deployed as an independent API service for corresponding inference. However, the privacy risk introduced by this one-dataset-multiple-model (ODMM) paradigm is completely overlooked by the community. For the first time, this work reveals that the ODMM setting substantially amplifies privacy leakage. We establish a theoretical framework that proves that privacy leakage accumulates as more ODMM models are exposed, a phenomenon we term ODMM privacy composition. Guided by this theoretical foundation, we propose PRIME (Privacy Amplification RIsk from One-Dataset-Multiple-Model Exposure) to systematically assess this risk and quantify the resulting leakage using membership inference attacks (MIAs). Under black-box access to ODMM models, we design an aggregation mechanism that collectively captures carefully identified privacy signals leaked by individual ODMM models, and construct an attack meta-classifier over the aggregated meta-information to infer the membership status of a given sample jointly. Our results provide strong evidence that dataset reuse across ODMM models strikingly jeopardizes privacy, which is consistently evident across five privacy-sensitive image and textual benchmark datasets and diverse model architectures (from ResNet and ViT to Qwen3-1.7B), spanning three domains: facial analysis, medical imaging, and textual attribution analysis. While mitigations such as differential privacy can reduce the effectiveness of PRIME with trade-offs, our attack still consistently outperforms single-task MIAs.