Search papers, labs, and topics across Lattice.
This paper investigates the vulnerability of counterfactuals to membership inference attacks, revealing that adversaries can exploit these explanations to infer sensitive information about training data. By leveraging techniques originally designed for synthetic data, the authors demonstrate that successful privacy attacks can be conducted using only a set of counterfactuals, without needing direct access to the underlying model. The findings underscore the need for heightened caution among model developers when disseminating counterfactuals, as they pose significant privacy risks.
Counterfactuals, often seen as safe tools for model explanation, can inadvertently expose sensitive training data through membership inference attacks.
Counterfactuals are typically used in high-stakes decision areas to explain a machine learning model by showing how changes to the user profiles result in the desired outcome. However, explaining the model's decisions through counterfactuals can also be exploited by an adversary to conduct privacy attacks against the model or its training data. Drawing on the analogy that counterfactuals provide realistic substitutes for real training data, similar to synthetic data, we demonstrate in this paper how it is possible to successfully perform privacy attacks on counterfactuals by drawing on the attacks developed against synthetic data. More precisely, we investigate the effectiveness of the membership inference attacks designed for synthetic data on various types of counterfactuals. Additionally, while existing membership inference attacks against counterfactuals usually require to be able to query the model, we show how it is possible to perform successful membership inference attacks using only a set of counterfactuals, with no access to the model from which they are generated. Our results demonstrate that model developers should be more cautious when releasing counterfactuals to various users, as it can lead to a privacy breach.