We introduce Epsilon*, a new privacy metric for measuring the privacy risk of a single model instance prior to, during, or after deployment of privacy mitigation strategies. The metric does not require access to the training data sampling or model training algorithm. Epsilon* is a function of true positive and false positive rates in a hypothesis test used by an adversary in a membership inference attack. We distinguish between quantifying the privacy loss of a trained model instance and quantifying the privacy loss of the training mechanism which produces this model instance. Existing approaches in the privacy auditing literature provide lower bounds for the latter, while our metric provides a lower bound for the former by relying on an (${\epsilon}$,${\delta}$)-type of quantification of the privacy of the trained model instance. We establish a relationship between these lower bounds and show how to implement Epsilon* to avoid numerical and noise amplification instability. We further show in experiments on benchmark public data sets that Epsilon* is sensitive to privacy risk mitigation by training with differential privacy (DP), where the value of Epsilon* is reduced by up to 800% compared to the Epsilon* values of non-DP trained baseline models. This metric allows privacy auditors to be independent of model owners, and enables all decision-makers to visualize the privacy-utility landscape to make informed decisions regarding the trade-offs between model privacy and utility.

翻译：我们提出一种新的隐私度量指标Epsilon*，用于在隐私缓解策略部署前、部署期间或部署后测量单个模型实例的隐私风险。该指标无需访问训练数据采样或模型训练算法。Epsilon*是成员推理攻击中对手所用假设检验的真阳性率与假阳性率的函数。我们区分了量化已训练模型实例的隐私损失与量化产生该模型实例的训练机制的隐私损失。现有隐私审计文献中的方法为后者提供下界，而我们的指标则通过基于(${\epsilon}$,${\delta}$)类型的已训练模型实例隐私量化方式为前者提供下界。我们建立了这些下界之间的关系，并展示了如何实现Epsilon*以避免数值和噪声放大不稳定性。进一步在基准公开数据集上的实验表明，Epsilon*对通过差分隐私（DP）训练实现的隐私风险缓解具有敏感性，其值相比非DP训练的基线模型Epsilon*值最高可降低800%。该指标使隐私审计者能够独立于模型所有者，并支持所有决策者可视化隐私-效用全景，从而在模型隐私与效用之间做出权衡的知情决策。