Inducing Uncertainty on Open-Weight Models for Test-Time Privacy in Image Recognition

A key concern for AI safety remains understudied in the machine learning (ML) literature: how can we ensure users of ML models do not leverage predictions on incorrect personal data to harm others? This is particularly pertinent given the rise of open-weight models, where simply masking model outputs does not suffice to prevent adversaries from recovering harmful predictions. To address this threat, which we call *test-time privacy*, we induce maximal uncertainty on protected instances while preserving accuracy on all other instances. Our proposed algorithm uses a Pareto optimal objective that explicitly balances test-time privacy against utility. We also provide a certifiable approximation algorithm which achieves $(\varepsilon, δ)$ guarantees without convexity assumptions. We then prove a tight bound that characterizes the privacy-utility tradeoff that our algorithms incur. Empirically, our method obtains at least $>3\times$ stronger uncertainty than pretraining with marginal drops in accuracy on various image recognition benchmarks. Altogether, this framework provides a tool to guarantee additional protection to end users.

Key Contributions

• Introduces 'test-time privacy' (TTP) — a novel threat model where adversaries leverage open-weight model predictions on incorrect/corrupted personal data to cause individual harm
• Proposes a Pareto-optimal fine-tuning algorithm that induces maximal output uncertainty on protected instances while preserving accuracy on all other instances
• Provides (ε, δ)-certified approximation algorithms without convexity assumptions and a tight theoretical bound characterizing the privacy-utility tradeoff

🛡️ Threat Analysis

Details

Similar Papers