Explanations Leak: Membership Inference with Differential Privacy and Active Learning Defense
Fatima Ezzeddine, Osama Zammar, Silvia Giordano, Omran Ayoub
TL;DR
This work interrogates how counterfactual explanations (CFs) amplify membership inference attacks (MIAs) in MLaaS and introduces a defense that combines Differential Privacy (DP) with Active Learning (AL) to curb memorization and data exposure. By analyzing shadow-based MIAs with and without CFs, the authors quantify a three-way trade-off between privacy leakage, predictive performance, and CF quality. Empirical results on EEG and In-Location datasets show that CFs can substantially degrade privacy protections even under DP, while DP dimensions may not heavily impair CF fidelity. The study highlights the delicate balance required to maintain transparency, utility, and privacy in explainable MLaaS deployments and suggests avenues for user-centered evaluation of CFs under privacy constraints.
Abstract
Counterfactual explanations (CFs) are increasingly integrated into Machine Learning as a Service (MLaaS) systems to improve transparency; however, ML models deployed via APIs are already vulnerable to privacy attacks such as membership inference and model extraction, and the impact of explanations on this threat landscape remains insufficiently understood. In this work, we focus on the problem of how CFs expand the attack surface of MLaaS by strengthening membership inference attacks (MIAs), and on the need to design defense mechanisms that mitigate this emerging risk without undermining utility and explainability. First, we systematically analyze how exposing CFs through query-based APIs enables more effective shadow-based MIAs. Second, we propose a defense framework that integrates Differential Privacy (DP) with Active Learning (AL) to jointly reduce memorization and limit effective training data exposure. Finally, we conduct an extensive empirical evaluation to characterize the three-way trade-off between privacy leakage, predictive performance, and explanation quality. Our findings highlight the need to carefully balance transparency, utility, and privacy in the responsible deployment of explainable MLaaS systems.
