NDSS 2025 – Provably Unlearnable Data Examples

The rapid expansion of AI models trained on publicly scraped datasets has amplified worries about inadvertent leakage of personal data and proprietary knowledge. Traditional unlearnable examples (UEs) rely on heuristic perturbations that aim to break the input‑label correlation, yet they offer no formal assurance that an adversary cannot still extract useful patterns. Moreover, empirical test accuracy, the usual yardstick, suffers from high variance across training runs, leaving defenders uncertain about the true strength of their protections. This gap motivates a shift toward provable guarantees in machine unlearning.

The NDSS 2025 paper introduces a certification framework based on parametric smoothing that quantifies a dataset’s (q, η)-learnability, a metric reflecting the maximum test accuracy an unauthorized model can achieve under bounded perturbations. By tightening the certification bounds, the authors construct Provably Unlearnable Examples (PUEs) that demonstrably lower this metric. Experimental results show PUEs cut certified learnability by up to 18.9 % on ImageNet and reduce empirical test accuracy by 54.4 % on CIFAR‑100, outperforming prior UE techniques while withstanding simple weight‑recovery attacks.

For enterprises that share training data with partners or publish open‑source datasets, provable unlearnability offers a tangible safeguard against downstream model misuse. By providing a measurable guarantee, PUEs enable data owners to assess risk quantitatively and to enforce compliance with privacy regulations such as GDPR and CCPA. The approach also opens avenues for integrating certified unlearning into automated data pipelines, where security auditors can verify that shared assets remain protected regardless of adversarial training strategies. As AI governance standards evolve, mechanisms like (q, η)-learnability certification are likely to become a cornerstone of responsible data stewardship.