Critical Analysis of Privacy Risks in Machine Learning and Implications for Use of Health Data: A systematic review and meta-analysis on membership inference attacks

Abstract

Abstract Purpose. Machine learning(ML) has revolutionized data processing and analysis, with applications in health showing great promise. However, ML poses privacy risks, as models may reveal information about their training data. Developing frameworks to assess/mitigate privacy risks is essential, particularly for health data custodians responsible for adhering to ethical and legal standards in data use. In September 2022, we conducted a systematic review/meta-analysis to estimate the relative effects of factors hypothesized to contribute to ML privacy risk, focusing on membership inference attacks (MIA). Methods. Papers were screened for relevance to MIA, and selected for the meta-analysis if they contained attack performance(AP) metrics for attacks on models trained on numeric data. Random effects regression was used to estimate the adjusted average change in AP by model type, generalization gap and the density of training data in each region of input space (partitioned density). Residual sum of squares was used to determine the importance of variables on AP. Results. The systematic review and meta-analysis included 115 and 42 papers, respectively, comprising 1,910 experiments. The average AP ranged from 61.0% (95%CI:60.0%-63.0%; AUC)-74.0% (95%CI:72.0%-76.0%; recall). Higher partitioned density was inversely associated with AP for all model architectures, with the largest effect on decision trees. Higher generalization gap was linked to increased AP, predominantly affecting neural networks. Partitioned density was a better predictor of AP than generalization gap for most architectures. Conclusions. This is the first quantitative synthesis of MIA experiments, that highlights the effect of dataset composition on AP, particularly on decision trees, which are commonly used in health.