On the Privacy Risks of Model Explanations
This work highlights a critical privacy concern for users and developers of explainable AI systems, revealing a trade-off between transparency and data protection.
The paper investigates privacy risks in machine learning by showing that feature-based model explanations, particularly backpropagation-based ones, can leak significant information about individual training datapoints through membership inference attacks, with empirical evidence across various datasets.
Privacy and transparency are two key foundations of trustworthy machine learning. Model explanations offer insights into a model's decisions on input data, whereas privacy is primarily concerned with protecting information about the training data. We analyze connections between model explanations and the leakage of sensitive information about the model's training set. We investigate the privacy risks of feature-based model explanations using membership inference attacks: quantifying how much model predictions plus their explanations leak information about the presence of a datapoint in the training set of a model. We extensively evaluate membership inference attacks based on feature-based model explanations, over a variety of datasets. We show that backpropagation-based explanations can leak a significant amount of information about individual training datapoints. This is because they reveal statistical information about the decision boundaries of the model about an input, which can reveal its membership. We also empirically investigate the trade-off between privacy and explanation quality, by studying the perturbation-based model explanations.