In an era of widespread web scraping, unlearnable dataset methods have the potential to protect data privacy by preventing deep neural networks from generalizing. But in addition to a number of practical limitations that make their use unlikely, we make a number of findings that call into question their ability to safeguard data. First, it is widely believed that neural networks trained on unlearnable datasets only learn shortcuts, simpler rules that are not useful for generalization. In contrast, we find that networks actually can learn useful features that can be reweighed for high test performance, suggesting that image privacy is not preserved. Unlearnable datasets are also believed to induce learning shortcuts through linear separability of added perturbations. We provide a counterexample, demonstrating that linear separability of perturbations is not a necessary condition. To emphasize why linearly separable perturbations should not be relied upon, we propose an orthogonal projection attack which allows learning from unlearnable datasets published in ICML 2021 and ICLR 2023. Our proposed attack is significantly less complex than recently proposed techniques.
翻译:在网络数据广泛抓取的时代,不可学习数据集方法通过阻止深度神经网络泛化,具有保护数据隐私的潜力。然而,除了实际应用中的诸多限制外,我们发现了若干质疑其数据保护能力的问题。首先,普遍观点认为,在不可学习数据集上训练的神经网络仅学习捷径(即对泛化无用的简单规则)。相反,我们发现网络实际上能够学习到可被重新加权以实现高测试性能的有用特征,这表明图像隐私并未得到保护。此外,人们认为不可学习数据集通过扰动项的线性可分性诱导学习捷径。我们提供了一个反例,证明扰动项的线性可分性并非必要条件。为强调不应依赖线性可分扰动,我们提出了一种正交投影攻击方法,可成功学习在ICML 2021和ICLR 2023上发布的不可学习数据集。我们提出的攻击方法相比近期技术显著简化了复杂度。