Privacy Auditing with Zero (0) Training Run
This work solves the practical problem of auditing privacy in large-scale deployed models where interventional access (e.g., retraining) is infeasible, offering a post-hoc method that is both valid and applicable.
The paper introduces Zero-Run privacy auditing, a post-hoc framework that audits the differential privacy of models using two fixed datasets (members and non-members) without requiring retraining or controlled data insertion. It addresses confounding from distribution shift via causal inference corrections, enabling valid privacy audits in large deployed systems like foundation models.
Privacy auditing provides empirical lower bounds on the differential privacy parameters of learning algorithms. Existing methods, however, require interventional access to the training pipeline, either to retrain multiple times or to randomize data inclusion. This is often infeasible for large deployed systems such as foundation models. We introduce Zero-Run privacy auditing, a post-hoc framework for auditing models using two fixed datasets: examples known to be training-set members and examples known to be non-members. In this observational regime, membership is no longer randomized; instead, member and non-member data often differ in distribution, so membership inference scores may reflect a distribution shift rather than algorithmic leakage. Drawing on ideas from causal inference, we formalize this confounding effect and propose two complementary corrections that yield valid privacy audits. Our first approach models the combined effect of distribution shift and algorithmic leakage as an adaptive composition, producing conservative global corrections. Our second approach conditions on observed data and adjusts pointwise membership guesses, yielding sharper instance-dependent bounds. Experiments on synthetic data and large-scale models show that Zero-Run auditing enables practical privacy evaluation when retraining or controlled data insertion is infeasible.
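The confounding effect described in the abstract, shown as an added example (not the paper's code or its corrections): a score that cannot depend on membership still produces a positive "privacy leak" when the two fixed datasets differ in distribution. The Gaussian data, the threshold attack, the Hoeffding confidence bound and all function names are assumptions made for this illustration.

```python
import math
import random

def frozen_model_score(x):
    # Constructed stand-in for a membership score from a model fixed before
    # either dataset was drawn: it cannot leak membership (true epsilon = 0).
    return x

def naive_epsilon_lower_bound(member_scores, nonmember_scores, threshold, delta=0.05):
    """Randomized-membership audit applied unchanged to two fixed datasets."""
    n_m, n_n = len(member_scores), len(nonmember_scores)
    tpr = sum(s > threshold for s in member_scores) / n_m
    fpr = sum(s > threshold for s in nonmember_scores) / n_n
    # One-sided Hoeffding radii at delta/2 each: both hold with prob >= 1 - delta.
    tpr_lo = tpr - math.sqrt(math.log(2 / delta) / (2 * n_m))
    fpr_hi = fpr + math.sqrt(math.log(2 / delta) / (2 * n_n))
    candidates = [0.0]
    # Pure eps-DP implies TPR <= e^eps * FPR and TNR <= e^eps * FNR.
    if tpr_lo > 0:
        candidates.append(math.log(tpr_lo / fpr_hi))
    if 1 - fpr_hi > 0:
        candidates.append(math.log((1 - fpr_hi) / (1 - tpr_lo)))
    return max(candidates)

def run_audit(member_mean, nonmember_mean, n=20000, threshold=0.5, seed=0):
    # Constructed sample data: unit-variance Gaussians with the given means.
    rng = random.Random(seed)
    members = [frozen_model_score(rng.gauss(member_mean, 1.0)) for _ in range(n)]
    nonmembers = [frozen_model_score(rng.gauss(nonmember_mean, 1.0)) for _ in range(n)]
    return naive_epsilon_lower_bound(members, nonmembers, threshold)

if __name__ == "__main__":
    # Members shifted by one standard deviation: the audit reports leakage
    # although the score function never saw the member set.
    print("shifted datasets:  eps >=", round(run_audit(1.0, 0.0), 3))
    # Same distribution for both sets: the spurious leakage disappears.
    print("matched datasets:  eps >=", round(run_audit(0.0, 0.0), 3))
```

Any positive bound in the shifted run is attributable to the data, not the algorithm, which is why an observational audit needs a correction before its number can be read as a differential privacy lower bound.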