Observational Auditing of Label Privacy

Iden Kalemaj, Luca Melis, Maxime Boucher, Ilya Mironov, Saeed Mahloujifar

TL;DR

This work tackles the problem of auditing differential privacy in large-scale ML systems without altering the training data. It introduces an observational privacy auditing framework built on simulation-based DP, framing privacy as a post-training game between a simulator and an attacker. The authors specialize the framework to Label DP via a label-inference attack that uses counterfactual labels from a proxy model, deriving bounds that account for distribution shift. Empirical validation on CIFAR-10 and Criteo demonstrates practical, training-free privacy auditing with results aligning with interventional methods and offering a path for third-party privacy verification in production environments.

Abstract

Differential privacy (DP) auditing is essential for evaluating privacy guarantees in machine learning systems. Existing auditing methods, however, pose a significant challenge for large-scale systems since they require modifying the training dataset -- for instance, by injecting out-of-distribution canaries or removing samples from training. Such interventions on the training data pipeline are resource-intensive and involve considerable engineering overhead. We introduce a novel observational auditing framework that leverages the inherent randomness of data distributions, enabling privacy evaluation without altering the original dataset. Our approach extends privacy auditing beyond traditional membership inference to protected attributes, with labels as a special case, addressing a key gap in existing techniques. We provide theoretical foundations for our method and perform experiments on Criteo and CIFAR-10 datasets that demonstrate its effectiveness in auditing label privacy guarantees. This work opens new avenues for practical privacy auditing in large-scale production environments.
Paper Structure

This paper contains 21 sections, 8 theorems, 47 equations, 5 figures, 7 tables, 3 algorithms.

Key Result

Theorem 5

Let $M\colon (\mathcal{X},\mathcal{Y})^* \to \mathcal{Z}$ be a mechanism, $\mathcal{D}$ the data distribution, $\mathcal{D}'$ an approximate distribution, and $\mathrm{Sim}_{M, \mathcal{D}'}$ the imputation-based simulator (Definition 2). Let $C = \sum_{i\in [m]} \mathbf{1}[b_i' = b_i]$ be the total number of correct answ If $M$ is $(\epsilon,\delta)$-SIM-DP with respect to $\mathrm{Sim}_{M, \mathcal{D}'}$ and the auditing Algo

Figures (5)

  • Figure 1: Comparison with MIA for different Label DP Algorithms on CIFAR-10 and Criteo datasets. The error bar represents the standard deviation across 100 different repetitions.
  • Figure 2: Auditing randomized response when the adversary guesses on 0.1% of samples. The counterfactual labels are generated either from the ground-truth distribution or sampled according to the output of a logistic regression model.
  • Figure 3: Auditing randomized response when the adversary guesses on 1% of samples. The counterfactual labels are generated either from the ground-truth distribution or a proxy distribution yielded by the Logistic Regression model.
  • Figure 4: Auditing randomized response when synthetic labels are produced from a $\tau$-shifted distribution from the ground truth label distribution.
  • Figure 5: Comparison with calibration-based MIA [watson2022difficulty] and RMIA [zarifzadeh2024low] for different Label DP Algorithms on CIFAR-10 dataset. The error bar represents the standard deviation across 100 different attack repetitions.

Theorems & Definitions (21)

  • Definition 1: Simulation-based privacy for protected attributes [mahloujifar2025machine]
  • Definition 2: Imputation-based simulator
  • Definition 3: Auditing simulation-based DP
  • Definition 4: Observational games
  • Theorem 5: Auditing $f$-DP with distribution shift
  • Definition 6: Differential privacy
  • Definition : more formal version of Definition 1, Simulation-based privacy for protected attributes
  • Proposition 7: [dong2019gaussian]
  • Definition 8: Obtaining empirical epsilon from $f$-SIM-DP auditing
  • Theorem 9: Restated Theorem 5, auditing $f$-DP with distribution shift
  • ...and 11 more