Spurious Privacy Leakage in Neural Networks

We thank the reviewer for the feedback. Below we address each point:

6. Finding V claims that they draw the conclusion under a fair experimental setup. However, the authors use different hyperparameter settings for different models, which is not a fair comparison.

The reviewer expects us to use the same hyperparameter settings to compare different models. However, the process of benchmarking in Machine Learning follows a different procedure. For each model, a grid search of hyperparameters is used and the best set of hyperparameters is chosen based on a held-out validation dataset (see section 11.4.3 of [1] or section 8.5 of [2]). We have followed exactly this approach described in Appendix E.

5. [...] Additional experiments are needed for each finding

See overall comment 2).

1. Current research has much more literature than what the paper presented in the related work section

See overall comment 1).

2. The authors should explain why these datasets are chosen and not the other datasets

We clarify the section 3.1 by adding:

Experiment setup. We choose the datasets that are commonly used by the spurious correlation community (see Table 2 of [3]): Waterbirds, CelebA, FMoW, and MultiNLI. These datasets contain real-world spurious correlations, diverse modalities, and different target complexity. Moreover, to the best of our knowledge, we are the first to study subgroup MIA attacks on these datasets.

3. In Sec 3.1, [...] Where do "3%" and "100 times" come from?

Indeed, these numbers are not immediately clear from the figure, which provides the full picture by displaying TPR at every FPR. Table 1, however, reports the exact TPR number at ~3% FPR area for Waterbirds, showing that the vulnerability for the non-spurious group (0) is 0.22%, while for the spurious group (2) is 30.91%. We will clarify the reference of Table 1 from the section 3.1.

4. The claim of "spurious groups can be up to 100 times more vulnerable to privacy attacks than non-spurious groups" [...] is exaggeration and should not include in the abstract.

We will rephrase it as "spurious groups can be more vulnerable to privacy attacks than non-spurious groups".

[1] Bengio, Yoshua, Ian Goodfellow, and Aaron Courville. Deep learning. MIT press, 2017

[2] Prince, Simon JD. Understanding deep learning. MIT press, 2023

[3] Yang, Yuzhe, et al. Change is Hard: A Closer Look at Subpopulation Shift. International Conference on Machine Learning, 2023"

We thank the reviewer for the insightful comments.

1. [...] it's unclear why privacy parity across subgroups could be a priority. Why should we care about these gaps?

Prior to our work, it was unclear what are the privacy implications of spurious correlations in natural data. We find that spurious correlation cause leads to spurious privacy leakage, which raises additional security and ethical challenges for sensitive domains. For example, after a privacy audit with a "low overall privacy risk" result, we may naively conclude that our model satisfies the privacy requirements. However, the privacy disparity (or variance) between subpopulations can be high, which breaks the privacy requirements when analyzing per-subpopulation risks (e.g. GDPR emphasizes fairness and equal treatment). Overlooking these gaps means assuming all the data have the same importance (which is not true for real-world data [1]). Therefore, we argue that we should care about these gaps to precisely understand the risks our models carry, to encourage the research of more robust defenses, and to improve the auditing process. We will revise our introduction to clarify the motivations.

2. While the authors present technically interesting observations about privacy disparities [...] It’s unclear how these findings can contribute to the field. For instance, could they inspire new defense strategies? Or inform advanced attack methods?

We will expand the discussion section on how our findings can contribute to the field:

• We show that spurious correlations represent a privacy concern for real-world data, highlighting the issue and the importance of privacy disparity (see above Q1).
• We are the first to show that robust methods (e.g. DRO, DFR) mitigate spurious correlations but not spurious privacy leakage. This result highlights the limitations of current defenses (e.g. spurious robust methods and also DP-SGD) from the privacy perspective, encouraging the community to develop better solutions.
• Given the previous contributions, we suggest a potential future work direction that exploits spurious correlation for a stronger attack. For example, it may be possible to exploit spurious correlation to carry a data poisoning attack: adding poisoned samples to enhance the spurious correlation of a specific target subgroup.

4. The paper needs more detailed discussions and comparisons to better support the conclusions. It’s unclear how these findings are connected to current studies. For example, in Section 3, there is related work on subgroup evaluations of model fairness and privacy with MIA—are the findings consistent? For Section 4, previous studies have explored the utility tradeoffs of DP methods—do they also show a failure to protect samples? Similarly, in Section 5, prior research compares the model robustness of Vision Transformers and CNNs—do those results align? [...]

We thank the reviewer for suggesting how to expand our discussion and related works section.

For section 3, we show the presence of privacy disparity in real-world spurious correlated data, connecting our results with prior research focused on privacy and fairness [2, 3, 4], where they also found the presence of privacy disparity between subpopulations within the fairness models.

For section 4, we add the following paragraph: Although robust methods successfully mitigate spurious correlations and can mildly reduce the overall privacy at low FPR ("T" rows), they do not affect the privacy disparity. The leakage for the spurious groups is consistently at a similar level for all three training methods across datasets. These results complement the findings from [4], whose analysis is limited to overall privacy.

For section 5, the main point exactly discusses (or revisits) the past work from Ghosal & Li 2024. Contrary to their conclusions, we find that ViTs do not outperform CNNs in mitigating spurious correlations, highlighting the importance of fair benchmarking.

3. The conclusions in Sections 3 to 5 are important but not well-supported as they rely on limited experiments [...]

See overall comment 2).

5. The related work section feels too limited, given the paper covers multiple topics.

See overall comment 1).

[1] Feldman, Vitaly, and Chiyuan Zhang. What neural networks memorize and why: Discovering the long tail via influence estimation. Advances in Neural Information Processing Systems, 2020

[2] Bogdan Kulynych, et al. Disparate vulnerability to membership inference attacks. Proceedings on Privacy Enhancing Technologies, 2022

[3] Da Zhong, et al. Understanding disparate effects of membership inference attacks and their countermeasures. In Asia Conference on Computer and Communications Security, 2022

[4] Huan Tian, et al. When fairness meets privacy: Exploring privacy threats in fair binary classifiers via membership inference attacks. In International Joint Conference on Artificial Intelligence, 2024

We thank the reviewer for the support and for the insightful review.

1. I would urge the authors to make some of the details a little bit more transparent [...] difference between the standard setting and this work is that MIAs are used for fine-tuning and not pre-training data [...]

We improve the clarity in section 3.1 as follows:

Experiment setup. [...] We use the pretrained ResNet50 (He et al., 2016) on ImageNet1k from the timm library and finetune the spurious datasets with random crop and horizontal flip augmentations. Our setting differs from the standard settings (i.e. training from random initialization) by initializing our models pretrained on public data to facilitate the optimization process.

2. [...] what is the size of the data that the model is fine-tuned on?

The column Group (n) from Table 1 reports the size of data for each group and total (T). The total is used for finetuning and represents approximately 50% of the original training data (as in LiRA). We noticed and corrected the values for the dataset MultiNLI, which was reporting 100% of the data.

3. I am also not sure how meaningful the differential privacy results are -- since here epsilon=128. That kind of value for epsilon offers quite negligible privacy. That being said the remaining results are quite interesting.

Indeed, a high epsilon {128} may offer negligible privacy. We included these results for completeness, showing how they compare to low privacy budget settings. We invite the reviewer to check also our overall comment 2) where we strengthen our differential privacy results with additional experiments.

Thank you for the clarification and the new experiments. Even though some of the findings were there piecemeal in previous work, I still do think that there is value in this paper as it carries out a comprehensive set of experiments on this topic. I will retain my score.

We thank the reviewer for the feedback.

1. [...] What is the reason to assess privacy disparities between spurious and non-spurious subgroups?

Prior to our work, it was unclear what are the privacy implications of spurious correlations in natural data. We find that spurious correlation cause leads to spurious privacy leakage, which raises additional security and ethical challenges for sensitive domains. For example, after a privacy audit with a "low overall privacy risk" result, we may naively conclude that our model satisfies the privacy requirements. However, the privacy disparity (or variance) between subpopulations can be high, which breaks the privacy requirements when analyzing per-subpopulation risks (e.g. GDPR emphasizes fairness and equal treatment). Overlooking these gaps means assuming all the data have the same importance (which is not true for real-world data [1]). Therefore, we argue that we should care about these gaps to precisely understand the risks our models carry, to encourage the research of more robust defenses, and to improve the auditing process. We will revise our introduction to clarify the motivations.

2. The related work section is too brief considering the multiple topics the paper covers. [...] It is also unclear how the findings align with current research [...]

See overall comment 1) where we expand the related work section.

Then, we expand our discussion in each section as follows:

For section 3, we show the presence of privacy disparity in real-world spurious correlated data, connecting our results with prior research focused on privacy and fairness [2, 3, 4], where they also found the presence of privacy disparity between subpopulations within the fairness models.

For section 4, we add the following paragraph: Although robust methods successfully mitigate spurious correlations and can mildly reduce the overall privacy at low FPR ("T" rows), they do not affect the privacy disparity. The leakage for the spurious groups is consistently at a similar level for all three training methods across datasets. These results complement the findings from [4], whose analysis is limited to overall privacy.

For section 5, the main point exactly discusses (or revisits) the past work from Ghosal & Li 2024. Contrary to their conclusions, we find that ViTs do not outperform CNNs in mitigating spurious correlations, highlighting the importance of fair benchmarking.

4. The experiments are not clearly explained. Including the choice of datasets and neural network models

We clarify the section 3.1 by explaining the choice of datasets:

Experiment setup. We choose the datasets that are commonly used by the spurious correlation community (see Table 2 of [1]): Waterbirds, CelebA, FMoW, and MultiNLI. These datasets contain real-world spurious correlations, diverse modalities, and different target complexity. Moreover, to the best of our knowledge, we are the first to study MIA on these datasets.

Next, we clarify our choice of models. All of our experiments related to images include ResNet50 as it is a solid baseline across the literature for both MIA and spurious correlation [1]. The BERT model is used for the text dataset MultiNLI and is also commonly used as the baseline in spurious correlation works [1]. Lastly, for Section 5, we compare eight different neural networks. Contrary to previous works comparing similar models (e.g. ResNet, DenseNet, MobileNet...) [2, 3], we include only models that are sufficiently "diverse". For example, we compare models from different families (convolution and transformers), with different pretraining (supervised and self-supervised), and released at different time periods (e.g. ResNet and its successor ConvNext).

In case the reviewer still has doubts, may you help us to pinpoint exactly which part requires additional clarification?

[1] Yang, Yuzhe, et al. Change is Hard: A Closer Look at Subpopulation Shift. International Conference on Machine Learning, 2023

[2] Yiyong Liu et al. Membership inference attacks by exploiting loss trajectory. In Conference on Computer and Communications Security, 2022a.

[3] Nicholas Carlini et al. Membership inference attacks from first principles. In Symposium on Security and Privacy, 2022