Abstract
Empirical inference attacks are a popular approach for evaluating the privacyrisk of data release mechanisms in practice. While an active attack literatureexists to evaluate machine learning models or synthetic data release, wecurrently lack comparable methods for fixed aggregate statistics, in particularwhen only a limited number of statistics are released. We here propose aninference attack framework against fixed aggregate statistics and an attributeinference attack called DeSIA. We instantiate DeSIA against the U.S. CensusPPMF dataset and show it to strongly outperform reconstruction-based attacks.In particular, we show DeSIA to be highly effective at identifying vulnerableusers, achieving a true positive rate of 0.14 at a false positive rate of$10^{-3}$. We then show DeSIA to perform well against users whose attributescannot be verified and when varying the number of aggregate statistics andlevel of noise addition. We also perform an extensive ablation study of DeSIAand show how DeSIA can be successfully adapted to the membership inferencetask. Overall, our results show that aggregation alone is not sufficient toprotect privacy, even when a relatively small number of aggregates are beingreleased, and emphasize the need for formal privacy mechanisms and testingbefore aggregate statistics are released.