Israeli Researchers Train AI Models for Safe “Forgetting” of Confidential Data
Researchers from Tel Aviv University, along with colleagues from the United States, have concluded that current methods of removing information from AI models can lead to leaks of remaining confidential data. The need to make trained AI models “forget” certain information, in accordance with data protection laws like the European law on the “right to be forgotten,” carries certain risks.
It is traditionally believed that the ideal solution would be to completely retrain the system from scratch, excluding the data to be deleted. However, scientists have proven that striving for such precision creates vulnerabilities. A malicious actor can input their own data into the model and then request its deletion. By controlling only a small portion of the data, they can extract confidential information by analyzing changes in the model’s responses. This is particularly relevant for models that are trained in real time on user data.
Studies have shown that when a model alters its parameters after data deletion, the differences between the “before” and “after” states can reveal excessive information about the remaining data. Existing security measures often overlook this risk, focusing solely on complete deletion rather than protecting the remaining information. This makes current “machine forgetting” methods vulnerable to attacks.
To improve the situation, the authors of the study proposed a new security standard that shifts the focus from simulating “ideal retraining” to actively protecting data that should not be deleted. This approach allows for the functionality of AI models to be preserved without the risk of exposing protected information. The new method demonstrates that the process of data deletion is not a simple technical process but a complex interplay between privacy and functionality.