Within the realm of privacy-preserving machine learning, empirical privacy defenses have been proposed as a solution to achieve satisfactory levels of training data privacy without a significant drop in model utility. Most existing defenses against membership inference attacks assume access to reference data, defined as an additional dataset coming from the same (or a similar) underlying distribution as training data. Despite the common use of reference data, previous works are notably reticent about defining and evaluating reference data privacy. As gains in model utility and/or training data privacy may come at the expense of reference data privacy, it is essential that all three aspects are duly considered. In this paper, we first examine the availability of reference data and its privacy treatment in previous works and demonstrate its necessity for fairly comparing defenses. Second, we propose a baseline defense that enables the utility-privacy tradeoff with respect to both training and reference data to be easily understood. Our method is formulated as an empirical risk minimization with a constraint on the generalization error, which, in practice, can be evaluated as a weighted empirical risk minimization (WERM) over the training and reference datasets. Although we conceived of WERM as a simple baseline, our experiments show that, surprisingly, it outperforms the most well-studied and current state-of-the-art empirical privacy defenses using reference data for nearly all relative privacy levels of reference and training data. Our investigation also reveals that these existing methods are unable to effectively trade off reference data privacy for model utility and/or training data privacy. Overall, our work highlights the need for a proper evaluation of the triad model utility / training data privacy / reference data privacy when comparing privacy defenses.

翻译：在隐私保护机器学习领域，经验隐私防御被提出作为一种解决方案，旨在实现训练数据隐私的满意水平，同时不显著降低模型效用。大多数现有的针对成员推断攻击的防御方法假设可以访问参考数据，即来自与训练数据相同（或相似）潜在分布的额外数据集。尽管参考数据被广泛使用，但先前的研究在定义和评估参考数据隐私方面明显讳莫如深。由于模型效用和/或训练数据隐私的提升可能以牺牲参考数据隐私为代价，因此必须充分考虑这三个方面。本文首先考察了先前工作中参考数据的可用性及其隐私处理方法，并证明了其在公平比较防御方法中的必要性。其次，我们提出了一种基线防御方法，能够轻松理解关于训练数据和参考数据的效用-隐私权衡。我们的方法被表述为一种带有泛化误差约束的经验风险最小化，在实践中，这可以评估为对训练数据集和参考数据集的加权经验风险最小化（WERM）。尽管我们最初将WERM视为一种简单的基线方法，但实验表明，令人惊讶的是，在参考数据和训练数据的几乎所有相对隐私水平上，它都优于使用参考数据的最深入研究和当前最先进的防御方法。我们的研究还揭示，这些现有方法无法有效权衡参考数据隐私与模型效用和/或训练数据隐私。总体而言，我们的工作强调了在比较隐私防御方法时，需要恰当评估模型效用、训练数据隐私和参考数据隐私这三元组合。