Saved in:
Bibliographic Details
Main Authors: Li, Qi, Wang, Cheng-Long, Cao, Yinzhi, Wang, Di
Format: Preprint
Published: 2026
Subjects:
Online Access:https://arxiv.org/abs/2604.12342
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866914471015874560
author Li, Qi
Wang, Cheng-Long
Cao, Yinzhi
Wang, Di
author_facet Li, Qi
Wang, Cheng-Long
Cao, Yinzhi
Wang, Di
contents Training models on a carefully chosen portion of data rather than the full dataset is now a standard preprocess for modern ML. From vision coreset selection to large-scale filtering in language models, it enables scalability with minimal utility loss. A common intuition is that training on fewer samples should also reduce privacy risks. In this paper, we challenge this assumption. We show that subset training is not privacy free: the very choices of which data are included or excluded can introduce new privacy surface and leak more sensitive information. Such information can be captured by adversaries either through side-channel metadata from the subset selection process or via the outputs of the target model. To systematically study this phenomenon, we propose CoLA (Choice Leakage Attack), a unified framework for analyzing privacy leakage in subset selection. In CoLA, depending on the adversary's knowledge of the side-channel information, we define two practical attack scenarios: Subset-aware Side-channel Attacks and Black-box Attacks. Under both scenarios, we investigate two privacy surfaces unique to subset training: (1) Training-membership MIA (TM-MIA), which concerns only the privacy of training data membership, and (2) Selection-participation MIA (SP-MIA), which concerns the privacy of all samples that participated in the subset selection process. Notably, SP-MIA enlarges the notion of membership from model training to the entire data-model supply chain. Experiments on vision and language models show that existing threat models underestimate subset-training privacy risks: the expanded privacy surface leaks both training and selection membership, extending risks from individual models to the broader ML ecosystem.
format Preprint
id arxiv_https___arxiv_org_abs_2604_12342
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle CoLA: A Choice Leakage Attack Framework to Expose Privacy Risks in Subset Training
Li, Qi
Wang, Cheng-Long
Cao, Yinzhi
Wang, Di
Cryptography and Security
Computer Vision and Pattern Recognition
Training models on a carefully chosen portion of data rather than the full dataset is now a standard preprocess for modern ML. From vision coreset selection to large-scale filtering in language models, it enables scalability with minimal utility loss. A common intuition is that training on fewer samples should also reduce privacy risks. In this paper, we challenge this assumption. We show that subset training is not privacy free: the very choices of which data are included or excluded can introduce new privacy surface and leak more sensitive information. Such information can be captured by adversaries either through side-channel metadata from the subset selection process or via the outputs of the target model. To systematically study this phenomenon, we propose CoLA (Choice Leakage Attack), a unified framework for analyzing privacy leakage in subset selection. In CoLA, depending on the adversary's knowledge of the side-channel information, we define two practical attack scenarios: Subset-aware Side-channel Attacks and Black-box Attacks. Under both scenarios, we investigate two privacy surfaces unique to subset training: (1) Training-membership MIA (TM-MIA), which concerns only the privacy of training data membership, and (2) Selection-participation MIA (SP-MIA), which concerns the privacy of all samples that participated in the subset selection process. Notably, SP-MIA enlarges the notion of membership from model training to the entire data-model supply chain. Experiments on vision and language models show that existing threat models underestimate subset-training privacy risks: the expanded privacy surface leaks both training and selection membership, extending risks from individual models to the broader ML ecosystem.
title CoLA: A Choice Leakage Attack Framework to Expose Privacy Risks in Subset Training
topic Cryptography and Security
Computer Vision and Pattern Recognition
url https://arxiv.org/abs/2604.12342