Tracing Data through Learning with Watermarking

Abstract

How can we gauge the privacy provided by machine learning algorithms? Models trained with differential privacy (DP) provably limit information leakage, but the question remains open for non-DP models. In this talk, we present multiple techniques for membership inference, which estimates if a given data sample is in the training set of a model. In particular, we introduce a watermarking-based method that allows for a very fast verification of data usage in a model: this technique creates marks called radioactive that propagates from the data to the model during training. This watermark is barely visible to the naked eye and allows data tracing even when the radioactive data represents only 1% of the training set.