TLDR: A new method called Self-supervised Model Seeding (SMS) allows users to verify that their genuine data has been successfully removed from machine learning models. This addresses the limitations of previous techniques that only verified artificial “backdoored” samples. SMS works by embedding unique, invisible “seeds” into user data, which the model learns alongside its primary task. After an unlearning request, users can check if their seed has disappeared, confirming data removal for both exact and approximate unlearning scenarios while preserving model performance.
In the age of increasing data privacy regulations like GDPR and CCPA, the “right to be forgotten” has become a critical concern for individuals. This right mandates that users should be able to request the removal of their data from services, including those powered by machine learning (ML) models. While many machine unlearning methods have emerged to facilitate this, a significant challenge remains: how can users actually verify that their data has been successfully removed from a trained model?
Current approaches to unlearning verification often rely on a technique called “backdooring.” This involves adding special, backdoored samples to the training data. The idea is that if the backdoor (and thus the backdoored samples) can be removed, it implies the user’s data has also been unlearned. However, this method has a crucial flaw: backdoored samples are distinct from a user’s genuine data. Removing the backdoor only confirms the unlearning of those specific backdoored samples, not the actual, genuine data provided by the user. Furthermore, these backdoor methods are typically only effective for “exact unlearning” scenarios, where the model is essentially retrained from scratch, and often fail in more efficient “approximate unlearning” situations.
To address these limitations, a new approach called Self-supervised Model Seeding (SMS) has been proposed. SMS aims to provide a robust verification mechanism for genuine user data, applicable to both exact and approximate unlearning methods. The core idea behind SMS is to establish a direct link between user-specific “seeds” (unique identifiers), their original data, and the ML model itself.
The SMS scheme operates in three main phases:
Data Seeding
Before a user’s data is sent to an ML server for training, the user embeds a unique, often invisible, “seed” into their genuine data. This seed could be a small, imperceptible pattern or a unique digital signature. The key is that this seed becomes an inherent feature of the data, rather than a separate, artificial sample. This process does not alter the original label or purpose of the data.
Model Seeding Joint Training
The ML server then trains its service model using this seed-embedded data. Unlike traditional training, SMS employs a “joint-training” structure. This means the model is simultaneously optimized for two tasks: its primary service task (e.g., image classification) and a “self-supervised model seeding task.” The self-supervised task is designed to learn all the detailed features of the input data, including the hidden seeds, into the model’s internal representation. This joint optimization ensures that the model effectively learns the seed information while maintaining, and often even improving, its utility for the primary task. Importantly, the server does not need to know the specific seed information, as it’s learned as a feature of the data itself.
Also Read:
- CURE: A Framework for Self-Correcting Language Model Unlearning
- Tackling Multimodal Misinformation: A Unified Detection System
Seed Verification
After the model has been trained and an unlearning request is made by the user, the user can then verify if their data has been removed. The user, who knows their specific seed, can train a small, individual “verifier” model. This verifier checks the output of the ML server’s model when presented with the user’s seed-embedded data. If the verifier can no longer detect the presence of the seed, it confirms that the genuine data (and its associated features) has been successfully unlearned from the model. If the seed is still detectable, it indicates the data has not been fully removed.
Extensive experiments conducted on various datasets (MNIST, CIFAR10, CelebA) and model architectures demonstrate that SMS provides effective verification for genuine sample unlearning. It significantly outperforms existing backdoor-based methods, especially in approximate unlearning scenarios where those methods typically fail. SMS also shows superior functionality preservation, meaning it doesn’t degrade the model’s performance on its primary task, and in some cases, even enhances it due to the comprehensive feature learning during joint training.
While SMS introduces some additional computational costs compared to simpler backdoor methods, these are considered acceptable for the enhanced security and verifiability it offers. The research paper, available at https://arxiv.org/pdf/2509.25613, marks a crucial step towards building more transparent and trustworthy machine unlearning services, empowering users with the confidence that their data privacy requests are genuinely honored.
