Metric-Normalized Posterior Leakage (mPL): Attacker-Aligned Privacy for Joint Consumption

arXiv cs.LG / 5/5/2026


Key Points

  • The paper proposes Metric-Normalized Posterior Leakage (mPL), an attacker-aligned privacy measure that quantifies how much released data shifts an adversary's posterior odds, normalized by the semantic distance used in metric differential privacy (see the sketch after this list).
  • It shows that for single or independent releases, uniformly bounding mPL is equivalent to satisfying metric differential privacy (mDP), validating mPL as a faithful measure in simpler settings.
  • Under joint observation, however, mDP alone may not prevent high mPL because aggregators can compound evidence across correlated records.
  • To make control practical, the authors introduce probabilistically bounded mPL (PBmPL), which limits how often mPL may exceed a target budget, and operationalize it via Adaptive mPL (AmPL), a trust-and-verify method that perturbs releases, audits them with a learned attacker, and adapts parameters to balance privacy and utility (sketched in code after the Abstract).
  • In a word-embedding case study, neural adversaries cause mPL violations under joint consumption even when per-record mDP holds, but AmPL significantly reduces violation frequency with low utility loss.
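
The digest does not reproduce the paper's formal definitions. A plausible reconstruction, consistent with the bullets above and with how metric DP bounds likelihood ratios (notation ours; the paper's exact statement may differ), reads mPL as a distance-normalized log posterior-odds shift and PBmPL as a tail bound on it:

```latex
% Notation ours; the paper's exact definitions may differ.
% Posterior-to-prior odds shift for candidate secrets x, x' after
% observing release(s) Y, normalized by metric distance d(x, x'):
\[
  \mathrm{mPL}(x, x'; Y) \;=\; \frac{1}{d(x, x')}
  \left| \log \frac{\Pr[x \mid Y] \,/\, \Pr[x' \mid Y]}
                   {\Pr[x] \,/\, \Pr[x']} \right|
\]
% PBmPL: the mechanism may exceed the budget eps only with probability delta.
\[
  \Pr\big[\, \mathrm{mPL}(x, x'; Y) > \varepsilon \,\big] \;\le\; \delta
\]
```

Under this reading, the single-release equivalence in the second bullet is Bayes' rule in disguise: the posterior-odds shift equals the likelihood ratio Pr[Y | x] / Pr[Y | x'], which ε-mDP bounds by exp(ε · d(x, x')). Joint observation breaks this argument because the attacker's likelihood factors over many correlated releases, so the per-pair bounds compound.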

Abstract

Metric differential privacy (mDP) strengthens local differential privacy (LDP) by scaling noise to semantic distance, but many machine learning (ML) systems are consumed under joint observation, where model-agnostic, per-record guarantees can miss leakage from evidence aggregation. We introduce metric-normalized posterior leakage (mPL), an attacker-aligned, distance-calibrated measure of posterior-odds shift induced by releases, and show that for single or independent releases, uniformly bounding mPL is equivalent to mDP. Under joint observation, however, satisfying mDP may still leave mPL high because learned aggregators compound evidence across correlated items. To make control practical, we formalize probabilistically bounded mPL (PBmPL), which limits how often mPL may exceed a target budget, and we operationalize it via Adaptive mPL (AmPL), a trust-and-verify framework that perturbs, audits with a learned attacker, and adapts parameters (with optional Bayesian remapping) to balance privacy and utility. In a word-embedding case study, neural adversaries violate mPL under joint consumption despite per-record mDP perturbations, whereas AmPL substantially lowers the frequency of such violations with low utility loss, indicating that PBmPL offers practical, certifiable protection for joint-consumption settings.
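
As a concrete illustration of the trust-and-verify loop the abstract describes, a minimal Python sketch follows. Everything concrete in it is an assumption for illustration: the noise mechanism (a standard multivariate Laplace construction for embeddings), the attacker interface `attacker_mpl`, and the multiplicative adaptation rule are ours, not the paper's.

```python
import numpy as np

def perturb(embedding, scale, rng):
    """Metric-DP-style perturbation (assumed, not from the paper): add noise
    with a uniformly random direction and Gamma-distributed radius, a common
    multivariate Laplace construction where larger `scale` means less noise."""
    d = embedding.shape[0]
    direction = rng.normal(size=d)
    direction /= np.linalg.norm(direction)
    radius = rng.gamma(shape=d, scale=1.0 / scale)
    return embedding + radius * direction

def ampl_release(records, scale, eps, delta, attacker_mpl, rng,
                 shrink=0.8, max_rounds=20):
    """Trust-and-verify sketch of the AmPL loop: perturb every record, audit
    the *joint* release with a learned attacker, and add noise until the
    empirical mPL-violation rate is within the PBmPL budget (eps, delta).

    `attacker_mpl(released, records)` is a hypothetical callable: a trained
    adversary returning per-record mPL estimates for the joint release."""
    for _ in range(max_rounds):
        released = [perturb(r, scale, rng) for r in records]
        mpl_hat = np.asarray(attacker_mpl(released, records))  # audit step
        if np.mean(mpl_hat > eps) <= delta:   # PBmPL target met empirically
            return released, scale
        scale *= shrink                       # adapt: lower scale => more noise
    return released, scale                    # best effort after max_rounds
```

The paper's optional Bayesian remapping step (post-processing noisy releases toward plausible points) is omitted here, and the multiplicative adaptation schedule is chosen purely for brevity; the point is the structure of the loop, perturb, audit with a learned attacker, adapt, rather than any particular mechanism.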