Evaluations of Machine Learning Privacy Defenses are Misleading

  • 2024-09-05 17:34:02
  • Michael Aerni, Jie Zhang, Florian Tramèr

Abstract

Empirical defenses for machine learning privacy forgo the provable guarantees of differential privacy in the hope of achieving higher utility while resisting realistic adversaries. We identify severe pitfalls in existing empirical privacy evaluations (based on membership inference attacks) that result in misleading conclusions. In particular, we show that prior evaluations fail to characterize the privacy leakage of the most vulnerable samples, use weak attacks, and avoid comparisons with practical differential privacy baselines. In 5 case studies of empirical privacy defenses, we find that prior evaluations underestimate privacy leakage by an order of magnitude. Under our stronger evaluation, none of the empirical defenses we study are competitive with a properly tuned, high-utility DP-SGD baseline (with vacuous provable guarantees).
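The evaluation pitfall the abstract points at, as an added illustration that is not the paper's code or data: a constructed toy population in which membership leakage is concentrated in a small subset, so an aggregate attack metric looks close to chance while a threshold attack on the most vulnerable samples succeeds almost every time. The Gaussian score model, the subset size and the 1% false-positive operating point are assumptions of this example.

```python
"""Toy membership-inference evaluation: aggregate metric vs. most-vulnerable samples.

Constructed data, not the paper's experiments: every sample gets an attack score
(think of a loss-based membership score) once as a training member and once as a
non-member. Typical samples are nearly indistinguishable; a small subset leaks a lot.
"""
import random


def make_scores(n_total=10_000, n_vulnerable=100, seed=0):
    """Return (member_scores, nonmember_scores, vulnerable_flags) for a constructed population."""
    rng = random.Random(seed)
    members, nonmembers, vulnerable = [], [], []
    for i in range(n_total):
        is_vulnerable = i < n_vulnerable
        member_mean = 4.0 if is_vulnerable else 0.05   # assumed: strong vs. near-zero leakage
        members.append(rng.gauss(member_mean, 1.0))
        nonmembers.append(rng.gauss(0.0, 1.0))
        vulnerable.append(is_vulnerable)
    return members, nonmembers, vulnerable


def tpr_at_fpr(members, nonmembers, fpr=0.01):
    """True-positive rate of a score-threshold attack at a fixed false-positive rate."""
    k = max(1, int(fpr * len(nonmembers)))           # non-members allowed above threshold
    threshold = sorted(nonmembers, reverse=True)[k - 1]
    return sum(s >= threshold for s in members) / len(members)


def best_balanced_accuracy(members, nonmembers):
    """Best balanced accuracy over all thresholds: the 'average-case' style of metric."""
    labeled = sorted([(s, 1) for s in members] + [(s, 0) for s in nonmembers], reverse=True)
    n_m, n_n = len(members), len(nonmembers)
    tp = fp = 0
    best = 0.5                                        # calling everything a non-member
    for _, is_member in labeled:                      # sweep the threshold downwards
        tp += is_member
        fp += 1 - is_member
        best = max(best, (tp / n_m + (n_n - fp) / n_n) / 2)
    return best


def evaluate(seed=0):
    """Aggregate metrics over the whole population vs. TPR on the vulnerable subset only."""
    members, nonmembers, vulnerable = make_scores(seed=seed)
    vul_m = [s for s, v in zip(members, vulnerable) if v]
    vul_n = [s for s, v in zip(nonmembers, vulnerable) if v]
    return {
        "pooled_balanced_accuracy": best_balanced_accuracy(members, nonmembers),
        "pooled_tpr_at_1pct_fpr": tpr_at_fpr(members, nonmembers),
        "vulnerable_tpr_at_1pct_fpr": tpr_at_fpr(vul_m, vul_n),
    }


if __name__ == "__main__":
    for name, value in evaluate().items():
        print(f"{name}: {value:.3f}")
```

On this construction the pooled balanced accuracy stays near 0.5 and the pooled TPR at 1% FPR near 2%, while the same attack recovers well over half of the vulnerable members at the same FPR; the gap is the underestimate the abstract describes.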
