Automated Privacy Risk Estimation of Limited Fixed Aggregate Statistics
Authors: Yifeng Mao (Imperial College London), Bozhidar Stevanoski (Imperial College London), Yves-Alexandre de Montjoye (Imperial College London)
Volume: 2026
Issue: 3
Pages: 100–117
DOI: https://doi.org/10.56553/popets-2026-0073
Abstract: Empirical inference attacks are a popular approach for evaluating the privacy risk of data release mechanisms in practice. While an active attack literature exists to evaluate machine learning models or synthetic data release, we currently lack comparable methods for fixed aggregate statistics, in particular when only a limited number of statistics are released. We here propose an inference attack framework against fixed aggregate statistics and an attribute inference attack called DeSIA (Deterministic-Stochastic Inference Attack). DeSIA consists of two modules: a deterministic module, which verifies whether the target user's attribute can be uniquely inferred, and a stochastic module, which estimates the most likely attribute value when it cannot be uniquely inferred. We instantiate DeSIA against the U.S. Census PPMF dataset and show it to identify risks missed by reconstruction-based attacks. In particular, we show DeSIA to be highly effective in identifying vulnerable users, achieving a true positive rate of 0.14 at a false positive rate of $10^{-3}$. We show DeSIA to outperform all reconstruction-based attacks even without access to a real-world auxiliary dataset. We show DeSIA to be robust to varying levels of noise addition and across varying numbers of released aggregate statistics. We perform an extensive ablation study of DeSIA and show how DeSIA can be successfully adapted to the membership inference task. Overall, our results show that (a) even a limited number of aggregate statistics can reveal sufficient information to expose users to risk from inference attacks, leaving some users disproportionately vulnerable, and (b) emphasize the need for formal privacy mechanisms and testing before aggregate statistics are released.
Keywords: attribute inference attacks, aggregate statistics, privacy
Copyright in PoPETs articles are held by their authors. This article is published under a Creative Commons Attribution 4.0 license.