It is notoriously challenging to audit the potential unauthorized data usage in deep learning (DL) model development lifecycle, i.e., to \emph{judge whether certain private user data has been used to train or fine-tune a DL model without authorization}. Yet, such data usage auditing is crucial to respond to the urgent requirements of trustworthy Artificial Intelligence (AI) such as data transparency, which are promoted and enforced in recent AI regulation rules or acts like General Data Protection Regulation (GDPR) and EU AI Act.

In this work, we propose TeDA, a simple and flexible \emph{te}sting framework for auditing \emph{da}ta usage in DL model development process.

Given a set of user's private data to protect ($D_p$), the intuition of TeDA is to apply \emph{membership inference} (with good intention) for judging whether the model to audit ($M_a$) is likely to be trained with $D_p$. Notably, to significantly expose the usage under membership inference, TeDA applies imperceptible perturbation directed by boundary search to generate a carefully crafted test suite $D_t$ (which we call `isotope') based on $D_p$.

With the test suite, TeDA then adopts membership inference combined with hypothesis testing to decide whether a user's private data has been used to train $M_a$ with statistical guarantee.

We evaluated TeDA through extensive experiments on ranging data volumes across various model architectures for data-sensitive face recognition and medical diagnosis tasks. TeDA demonstrates high feasibility, effectiveness and robustness under various adaptive strategies (e.g., pruning and distillation).