The right to be forgotten states that a data owner has the right to erase their data from an entity storing it. In the context of machine learning (ML), the right to be forgotten requires an ML model owner to remove the data owner's data from the training set used to build the ML model, a process known as machine unlearning. While originally designed to protect the privacy of the data owner, we argue that machine unlearning may leave some imprint of the data in the ML model and thus create unintended privacy risks. In this paper, we perform the first study on investigating the unintended information leakage caused by machine unlearning. We propose a novel membership inference attack that leverages the different outputs of an ML model's two versions to infer whether a target sample is part of the training set of the original model but out of the training set of the corresponding unlearned model. Our experiments demonstrate that the proposed membership inference attack achieves strong performance. More importantly, we show that our attack in multiple cases outperforms the classical membership inference attack on the original ML model, which indicates that machine unlearning can have counterproductive effects on privacy. We notice that the privacy degradation is especially significant for well-generalized ML models where classical membership inference does not perform well. We further investigate four mechanisms to mitigate the newly discovered privacy risks and show that releasing the predicted label only, temperature scaling, and differential privacy are effective. We believe that our results can help improve privacy protection in practical implementations of machine unlearning. Our code is available at https://github.com/MinChen00/UnlearningLeaks.

翻译：被遗忘的权利指出数据拥有者有权从存储数据的实体中抹去数据。 在机器学习(ML)方面,被遗忘的权利要求ML模型拥有者将数据拥有者的数据从用于构建 ML 模型的培训数据集中去除,这是一个被称为机器不学习的过程。虽然最初设计的目的是保护数据拥有者的隐私,但我们认为,机器不学习可能会留下数据在ML模型中的某些印记,从而造成意外的隐私风险。在本文中,我们进行了关于调查机器不学习造成的意外信息泄漏的第一次研究。我们建议了一个新的成员推论,利用ML模型两个版本的不同产出来推断数据所有者的数据拥有者的数据拥有者的数据是否从用于构建ML模型的培训数据集中移除数据数据所有者的数据所有者的数据所有者的数据所有数据所有者的数据所有者的数据所有者的数据所有者的数据所有。 我们的实验表明,在多个案例中,我们的攻击可能比原始ML模型的经典成员温度攻击得更完美,这说明机器不学习会给ML模型带来反效果的影响。 我们注意到,在最初的保密性模型中, 我们的降解风险是显著地展示了我们的安全度 。