Saved in:
Bibliographic Details
Main Authors: Wang, Ziyu, Khatibi, Elahe, Sharma, Ankita, Chakrabarty, Krishnendu, Moosavi, Sanaz Rahimi, Firouzi, Farshad, Rahmani, Amir
Format: Preprint
Published: 2026
Subjects:
Online Access:https://arxiv.org/abs/2604.10424
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866910122195812352
author Wang, Ziyu
Khatibi, Elahe
Sharma, Ankita
Chakrabarty, Krishnendu
Moosavi, Sanaz Rahimi
Firouzi, Farshad
Rahmani, Amir
author_facet Wang, Ziyu
Khatibi, Elahe
Sharma, Ankita
Chakrabarty, Krishnendu
Moosavi, Sanaz Rahimi
Firouzi, Farshad
Rahmani, Amir
contents Foundation-style ECG encoders pretrained with self-supervised learning are increasingly reused across tasks, institutions, and deployment contexts, often through model-as-a-service interfaces that expose scalar scores or latent representations. While such reuse improves data efficiency and generalization, it raises a participation privacy concern: can an adversary infer whether a specific individual or cohort contributed ECG data to pretraining, even when raw waveforms and diagnostic labels are never disclosed? In connected-health settings, training participation itself may reveal institutional affiliation, study enrollment, or sensitive health context. We present an implementation-grounded audit of membership inference attacks (MIAs) against modern self-supervised ECG foundation encoders, covering contrastive objectives (SimCLR, TS2Vec) and masked reconstruction objectives (CNN- and Transformer-based MAE). We evaluate three realistic attacker interfaces: (i) score-only black-box access to scalar outputs, (ii) adaptive learned attackers that aggregate subject-level statistics across repeated queries, and (iii) embedding-access attackers that probe latent representation geometry. Using a subject-centric protocol with window-to-subject aggregation and calibration at fixed false-positive rates under a cross-dataset auditing setting, we observe heterogeneous and objective-dependent participation leakage: leakage is most pronounced in small or institution-specific cohorts and, for contrastive encoders, can saturate in embedding space, while larger and more diverse datasets substantially attenuate operational tail risk. Overall, our results show that restricting access to raw signals or labels is insufficient to guarantee participation privacy, underscoring the need for deployment-aware auditing of reusable biosignal foundation encoders in connected-health systems.
format Preprint
id arxiv_https___arxiv_org_abs_2604_10424
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle Membership Inference Attacks Expose Participation Privacy in ECG Foundation Encoders
Wang, Ziyu
Khatibi, Elahe
Sharma, Ankita
Chakrabarty, Krishnendu
Moosavi, Sanaz Rahimi
Firouzi, Farshad
Rahmani, Amir
Machine Learning
Foundation-style ECG encoders pretrained with self-supervised learning are increasingly reused across tasks, institutions, and deployment contexts, often through model-as-a-service interfaces that expose scalar scores or latent representations. While such reuse improves data efficiency and generalization, it raises a participation privacy concern: can an adversary infer whether a specific individual or cohort contributed ECG data to pretraining, even when raw waveforms and diagnostic labels are never disclosed? In connected-health settings, training participation itself may reveal institutional affiliation, study enrollment, or sensitive health context. We present an implementation-grounded audit of membership inference attacks (MIAs) against modern self-supervised ECG foundation encoders, covering contrastive objectives (SimCLR, TS2Vec) and masked reconstruction objectives (CNN- and Transformer-based MAE). We evaluate three realistic attacker interfaces: (i) score-only black-box access to scalar outputs, (ii) adaptive learned attackers that aggregate subject-level statistics across repeated queries, and (iii) embedding-access attackers that probe latent representation geometry. Using a subject-centric protocol with window-to-subject aggregation and calibration at fixed false-positive rates under a cross-dataset auditing setting, we observe heterogeneous and objective-dependent participation leakage: leakage is most pronounced in small or institution-specific cohorts and, for contrastive encoders, can saturate in embedding space, while larger and more diverse datasets substantially attenuate operational tail risk. Overall, our results show that restricting access to raw signals or labels is insufficient to guarantee participation privacy, underscoring the need for deployment-aware auditing of reusable biosignal foundation encoders in connected-health systems.
title Membership Inference Attacks Expose Participation Privacy in ECG Foundation Encoders
topic Machine Learning
url https://arxiv.org/abs/2604.10424