Erase Private Data from AI Models

A team of computer scientists at UC Riverside has advanced the field of artificial intelligence by developing a pioneering method to erase private and copyrighted data from AI models without requiring access to the original training data. This breakthrough was presented in July at the International Conference on Machine Learning in Vancouver, Canada, highlighting a significant response to growing concerns about personal and copyright information lingering in AI models despite attempts from creators to secure their content.

This innovative approach, termed “source-free certified unlearning,” enables AI models to effectively forget specified information while retaining their overall functionality. The implications of this development are profound, particularly as it offers a means to amend models without incurring the substantial costs and energy consumption associated with retraining them from original data, which may no longer be accessible.

Ümit Yiğit Başaran, a UCR doctoral student in electrical and computer engineering and the lead author, emphasized the necessity of this method: “In real-world situations, you can’t always go back and get the original data. We’ve created a certified framework that works even when that data is no longer available.” This assertion underscores the urgent need for such innovations, especially as regulatory frameworks like the European Union’s General Data Protection Regulation and California’s Consumer Privacy Act seek to enforce stricter control over data security in machine learning systems.

The legal landscape is also evolving, illustrated by The New York Times’ lawsuit against OpenAI and Microsoft regarding the use of copyrighted articles for training AI models like GPT. These AI systems learn language patterns from vast amounts of text scraped from the Internet, often generating outputs that closely replicate the training materials, enabling users to circumvent paywalls and access premium content.

The UCR team’s method utilizes a surrogate dataset that statistically resembles the original data to remove unwanted information. Additionally, they implement a mechanism of noise calibration to enhance privacy by preventing the reconstruction of erased data. Their approach draws on established concepts in AI optimization to estimate model changes without the need to retrain from scratch. The efficacy of this method was validated against both synthetic and real-world datasets, demonstrating privacy assurances comparable to full retraining but requiring significantly less computational power.

This remarkable method applies currently to simpler models but holds potential scalability to more complex systems like ChatGPT. Professor Amit Roy-Chowdhury, a co-director of the Riverside Artificial Intelligence Research and Education (RAISE) Institute, indicated that the framework could greatly benefit various sectors, including media and healthcare, that handle sensitive information in AI models.

Moreover, this advancement could empower individuals to demand the removal of their personal or copyright data from AI systems. “People deserve to know their data can be erased from machine learning models—not just in theory, but in provable, practical ways,” Professor Başak Güler articulated, reinforcing the ethical obligation to respect personal data rights.

Looking ahead, the team aims to refine their method for use with more complex model types and to develop tools that make this technology accessible to AI developers worldwide. The original paper, titled “A Certified Unlearning Approach without Access to Source Data,” was a collaborative effort that included contributions from Sk Miraj Ahmed, a computational science research associate at the Brookhaven National Laboratory.