Neural networks memorise personal information from one sample

John Hartley; Pedro Sanchez; Fasih Haider; Sotirios A. Tsaftaris

doi:10.1038/s41598-023-48034-3

Neural networks memorise personal information from one sample

John Hartley, Pedro Sanchez, Fasih Haider, Sotirios A. Tsaftaris

School of Engineering

Research output: Contribution to journal › Article › peer-review

Abstract

Deep neural networks (DNNs) have achieved high accuracy in diagnosing multiple diseases/conditions at a large scale. However, a number of concerns have been raised about safeguarding data privacy and algorithmic bias of the neural network models. We demonstrate that unique features (UFs), such as names, IDs, or other patient information can be memorised (and eventually leaked) by neural networks even when it occurs on a single training data sample within the dataset. We explain this memorisation phenomenon by showing that it is more likely to occur when UFs are an instance of a rare concept. We propose methods to identify whether a given model does or does not memorise a given (known) feature. Importantly, our method does not require access to the training data and therefore can be deployed by an external entity. We conclude that memorisation does have implications on model robustness, but it can also pose a risk to the privacy of patients who consent to the use of their data for training models.

Original language	English
Article number	21366
Pages (from-to)	21366
Journal	Scientific Reports
Volume	13
Issue number	1
Early online date	4 Dec 2023
DOIs	https://doi.org/10.1038/s41598-023-48034-3
Publication status	Published - Dec 2023

Keywords / Materials (for Non-textual outputs)

Humans
Neural Networks, Computer
Privacy

Access to Document

10.1038/s41598-023-48034-3Licence: Creative Commons: Attribution (CC-BY)

https://www.nature.com/articles/s41598-023-48034-3Licence: Creative Commons: Attribution (CC-BY)

1 Active
2 Finished

Canon Medical / RAEng Senior Research Fellow in Healthcare AI
Tsaftaris, S. (Principal Investigator)
Canon Medical Research Europe Limited
31/03/19 → 30/06/26
Project: Research
From trivial representations to learning concepts in AI by exploiting unique data
Tsaftaris, S. (Principal Investigator)
1/02/23 → 31/01/25
Project: Research
iCAIRD: Industrial Centre for AI Research in Digital Diagnostics
Tsaftaris, S. (Principal Investigator)
UK central government bodies/local authorities, health and hospital authorities
1/02/19 → 31/01/23
Project: Research

Cite this

@article{38a354f213504c008f0fa542c562e258,

title = "Neural networks memorise personal information from one sample",

abstract = "Deep neural networks (DNNs) have achieved high accuracy in diagnosing multiple diseases/conditions at a large scale. However, a number of concerns have been raised about safeguarding data privacy and algorithmic bias of the neural network models. We demonstrate that unique features (UFs), such as names, IDs, or other patient information can be memorised (and eventually leaked) by neural networks even when it occurs on a single training data sample within the dataset. We explain this memorisation phenomenon by showing that it is more likely to occur when UFs are an instance of a rare concept. We propose methods to identify whether a given model does or does not memorise a given (known) feature. Importantly, our method does not require access to the training data and therefore can be deployed by an external entity. We conclude that memorisation does have implications on model robustness, but it can also pose a risk to the privacy of patients who consent to the use of their data for training models.",

keywords = "Humans, Neural Networks, Computer, Privacy",

author = "John Hartley and Pedro Sanchez and Fasih Haider and Tsaftaris, {Sotirios A.}",

note = "Funding Information: This work is supported by iCAIRD, which is funded by Innovate UK on behalf of UK Research and Innovation (UKRI) [Project Number 104690]. S.A. Tsaftaris acknowledges also support by a Canon Medical/Royal Academy of Engineering Research Chair under Grant RCSRF1819. We acknowledge the UK{\textquoteright}s Engineering and Physical Sciences Research Council (EPSRC) support via grant EP/X017680/1. Publisher Copyright: {\textcopyright} 2023, The Author(s).",

year = "2023",

month = dec,

doi = "10.1038/s41598-023-48034-3",

language = "English",

volume = "13",

pages = "21366",

journal = "Scientific Reports",

issn = "2045-2322",

publisher = "Nature Research",

number = "1",

}

TY - JOUR

T1 - Neural networks memorise personal information from one sample

AU - Hartley, John

AU - Sanchez, Pedro

AU - Haider, Fasih

AU - Tsaftaris, Sotirios A.

N1 - Funding Information: This work is supported by iCAIRD, which is funded by Innovate UK on behalf of UK Research and Innovation (UKRI) [Project Number 104690]. S.A. Tsaftaris acknowledges also support by a Canon Medical/Royal Academy of Engineering Research Chair under Grant RCSRF1819. We acknowledge the UK’s Engineering and Physical Sciences Research Council (EPSRC) support via grant EP/X017680/1. Publisher Copyright: © 2023, The Author(s).

PY - 2023/12

Y1 - 2023/12

N2 - Deep neural networks (DNNs) have achieved high accuracy in diagnosing multiple diseases/conditions at a large scale. However, a number of concerns have been raised about safeguarding data privacy and algorithmic bias of the neural network models. We demonstrate that unique features (UFs), such as names, IDs, or other patient information can be memorised (and eventually leaked) by neural networks even when it occurs on a single training data sample within the dataset. We explain this memorisation phenomenon by showing that it is more likely to occur when UFs are an instance of a rare concept. We propose methods to identify whether a given model does or does not memorise a given (known) feature. Importantly, our method does not require access to the training data and therefore can be deployed by an external entity. We conclude that memorisation does have implications on model robustness, but it can also pose a risk to the privacy of patients who consent to the use of their data for training models.

AB - Deep neural networks (DNNs) have achieved high accuracy in diagnosing multiple diseases/conditions at a large scale. However, a number of concerns have been raised about safeguarding data privacy and algorithmic bias of the neural network models. We demonstrate that unique features (UFs), such as names, IDs, or other patient information can be memorised (and eventually leaked) by neural networks even when it occurs on a single training data sample within the dataset. We explain this memorisation phenomenon by showing that it is more likely to occur when UFs are an instance of a rare concept. We propose methods to identify whether a given model does or does not memorise a given (known) feature. Importantly, our method does not require access to the training data and therefore can be deployed by an external entity. We conclude that memorisation does have implications on model robustness, but it can also pose a risk to the privacy of patients who consent to the use of their data for training models.

KW - Humans

KW - Neural Networks, Computer

KW - Privacy

U2 - 10.1038/s41598-023-48034-3

DO - 10.1038/s41598-023-48034-3

M3 - Article

C2 - 38049432

SN - 2045-2322

VL - 13

SP - 21366

JO - Scientific Reports

JF - Scientific Reports

IS - 1

M1 - 21366

ER -

Neural networks memorise personal information from one sample

Abstract

Keywords / Materials (for Non-textual outputs)

Access to Document

Fingerprint

Projects

Canon Medical / RAEng Senior Research Fellow in Healthcare AI

From trivial representations to learning concepts in AI by exploiting unique data

iCAIRD: Industrial Centre for AI Research in Digital Diagnostics

Cite this