Compressing an AI model to save space can accidentally restore private data that was supposed to have been unlearned and deleted.
Machine unlearning is used to remove sensitive user data from models to comply with privacy laws like GDPR. However, this study found that quantization, the process of shrinking a model's precision, brings that deleted data back. Even if a model passes a privacy audit at high precision, the ghost of the deleted data remains in its lower-precision weights. This creates a massive legal and security loophole for companies deploying AI. Deleting data from a neural network is much harder and more fragile than we previously believed.
DurableUn: Quantization-Induced Recovery Attacks in Machine Unlearning
arXiv · 2605.02196
Machine unlearning aims to remove specified training data to satisfy privacy regulations such as GDPR. However, existing evaluations assume identical precision at unlearning and deployment, overlooking that production LLMs are deployed at low-bit precision. We show that INT4 quantization systematically restores forgotten content even when models pass compliance audits at bfloat16 (BF16), we term this the quantization recovery attack (QRA). We conduct the first systematic study of unlearning robu