LG | Dec 30, 2024

BridgePure: Limited Protection Leakage Can Break Black-Box Data Protection

arXiv:2412.21061v2 | 2 citations | h-index: 5
Originality: Highly original
AI Analysis

This work exposes critical vulnerabilities in black-box data protection that affect data owners and practitioners, and it highlights an incremental threat model.

The authors tackled the vulnerability of black-box data protection tools (e.g., APIs for unlearnable examples) by showing that an adversary with a small set of unprotected in-distribution data can compromise them, achieving effective purification of protected data in classification and style mimicry tasks.

Availability attacks, or unlearnable examples, are defensive techniques that allow data owners to modify their datasets in ways that prevent unauthorized machine learning models from learning effectively while maintaining the data's intended functionality. It has led to the release of popular black-box tools (e.g., APIs) for users to upload personal data and receive protected counterparts. In this work, we show that such black-box protections can be substantially compromised if a small set of unprotected in-distribution data is available. Specifically, we propose a novel threat model of protection leakage, where an adversary can (1) easily acquire (unprotected, protected) pairs by querying the black-box protections with a small unprotected dataset; and (2) train a diffusion bridge model to build a mapping between unprotected and protected data. This mapping, termed BridgePure, can effectively remove the protection from any previously unseen data within the same distribution. BridgePure demonstrates superior purification performance on classification and style mimicry tasks, exposing critical vulnerabilities in black-box data protection. We suggest that practitioners implement multi-level countermeasures to mitigate such risks.
