Muhammad H. Ashiq¹ · Peter Triantafillou² · Hung Yun Tseng¹ · Grigoris G. Chrysos¹
¹University of Wisconsin-Madison · ²University of Warwick
A key concern for AI safety remains understudied in the machine learning (ML) literature: how can we ensure users of ML models do not leverage predictions on incorrect personal data to harm others? This is particularly pertinent given the rise of open-weight models, where simply masking model outputs does not suffice to prevent adversaries from recovering harmful predictions. To address this threat, which we call test-time privacy, we induce maximal uncertainty on protected instances while preserving accuracy on all other instances. Our proposed algorithm uses a Pareto optimal objective that explicitly balances test-time privacy against utility. We also provide a certifiable approximation algorithm which achieves
The paper was accepted as a long paper in the NeurIPS'25 workshop on Regulatable ML and the NeurIPS'25 workshop on Reliable ML for Unreliable Data.
To install the package, clone the repository and create the main experiment environment through conda:
conda env create -f experiments/env.yml
conda activate beyond_certified_unlearning
LabelDP uses a separate dependency stack. If you plan to run the LabelDP baseline, create its environment separately:
conda env create -f experiments/env_labeldp.yml
conda activate beyond_certified_unlearning_labeldp
Here is an overview of the files/folders and their functionalities:
- bash_scripts: A folder containing bash scripts to run several experiments faster. See the Usage section below.
- data: A folder containing data; if no data is contained, it will be loaded automatically during training.
- experiments: A folder containing configs, which contains hyperparameter configurations for our various experiments. Please see experiments/configs/MNIST/pareto/MLP_75.yaml for an example config. Furthermore, contains experiments.txt, which contains all the commands (and more) for our experiments in the paper.
- label_dp: A link to the label_dp repository, which implements the paper by Ghazi et al. 2021. We use this as a backend for the frontend labeldp.py, which is integrated into our experimental pipeline so that we can use LabelDP as a baseline. Please see experiments/configs/labeldp/CIFAR10/ResNet50.yaml for an example config file for labeldp.py.
- evaluator.py: Contains code to evaluate accuracy and forget set metrics.
- load_dataset.py: Standard dataset loading code.
- models.py: Standard code specifying models like logistic regression, MLP, ResNet18, and ResNet50.
- main.py: Main function, entry point to our experimental pipeline.
- synthetic.py: Implements our synthetic baseline, which is discussed in the Appendix.
- train.py: Implements training, retraining, and Pareto finetuning with and without gradient surgery (Algorithm 1).
- uniformity_exact.py: Computes Algorithm 2.
- visualization.py: Saves softmax forget set outputs after uniformity has been induced, for inspection. All of this is done automatically.
- uniformity_estimator.py: Computes Algorithm 3. Currently not implemented.
First, please be sure to make empty results, logs, and images directories after cloning before running any experiments.
Then, to reproduce experiments, please take a look at experiments/experiments.txt and run the appropriate commands. Check the config files in experiments/configs first to ensure that you are running the right experiment. Some experiments have their own bash script which can be used to run several experiments:
- bash_scripts/KMNIST_SVHN.sh: Runs the KMNIST, SVHN experiments for 5 runs.
- bash_scripts/pareto_front_MNIST.sh: Computes the Pareto front for 5 runs for Alg. 1 over MNIST.
- bash_scripts/synthetic.sh: Runs synthetic baselines for LogReg on MNIST and ResNet18 on MNIST, KMNIST, and SVHN.
Pretraining and retraining baselines are implemented in the *_0.yaml file in experiments/configs; please run these to obtain the pretrained model before running any additional experiments.
Note that for the LabelDP baseline, you should activate the separate LabelDP environment and use only one GPU. For example:
conda activate beyond_certified_unlearning_labeldp
export CUDA_VISIBLE_DEVICES=1
python labeldp.py --config experiments/configs/labeldp/CIFAR10/ResNet50.yaml
Otherwise, due to deprecated code used in the baseline repository, one may run into errors with tensor shapes or GPU memory allocation.