CompLeak: Deep Learning Model Compression Exacerbates Privacy Leakage

📅 2025-07-22
📈 Citations: 0
Influential: 0
🤖 AI Summary
Problem: While model compression techniques (pruning, quantization, and weight clustering) improve resource efficiency, they may inadvertently exacerbate privacy vulnerabilities to membership inference attacks (MIAs), yet a systematic risk assessment is still lacking. Method: We propose CompLeak, the first framework to systematically expose how diverse compression operations universally increase model privacy leakage. CompLeak introduces three variants, including single- and multi-model collaborative analysis, that jointly leverage confidence scores and other meta-information from both the original and the compressed models to enable fine-grained quantification of privacy leakage. Contribution/Results: Extensive experiments across seven model architectures and six image/text datasets demonstrate that all compression methods significantly boost MIA success rates. CompLeakMR achieves the best performance, improving average attack accuracy by 12.7%. This work establishes a reproducible benchmark and provides theoretical caution regarding the privacy-efficiency trade-off in compressed deep learning models.

📝 Abstract
Model compression is crucial for minimizing memory storage and accelerating inference in deep learning (DL) models, including recent foundation models such as large language models (LLMs). Users can access different compressed versions of a model according to their resources and budget. However, while existing compression operations primarily focus on optimizing the trade-off between resource efficiency and model performance, the privacy risks introduced by compression remain overlooked and insufficiently understood. In this work, through the lens of the membership inference attack (MIA), we propose CompLeak, the first privacy risk evaluation framework, and examine three widely used compression configurations, pruning, quantization, and weight clustering, as supported by the commercial model compression frameworks Google's TensorFlow-Lite (TF-Lite) and Facebook's PyTorch Mobile. CompLeak has three variants, chosen according to how many compressed models are accessible and whether the original model is. CompLeakNR starts by applying existing MIA methods to a single compressed model, and identifies that different compressed models affect members and non-members differently. When the original model and one compressed model are available, CompLeakSR uses the compressed model as a reference for the original model and uncovers more privacy leakage by combining meta-information (e.g., confidence vectors) from both models. When multiple compressed models are available, with or without access to the original model, CompLeakMR exploits the privacy leakage information from the multiple compressed versions to substantially amplify the overall privacy leakage that can be measured. We conduct extensive experiments on seven diverse model architectures (from ResNet to the foundation models BERT and GPT-2) and six image and text benchmark datasets.
Problem

Research questions and friction points this paper is trying to address.

Examines privacy risks in deep learning model compression
Evaluates three compression methods: pruning, quantization, clustering
Proposes framework to measure leakage via membership inference attacks
Innovation

Methods, ideas, or system contributions that make the work stand out.

Evaluates privacy risks in model compression
Introduces three MIA-based attack variants
Tests on diverse models and datasets
Na Li
Nanjing University of Science and Technology, China
Yansong Gao
The University of Western Australia, Australia
Hongsheng Hu
Lecturer, School of Information and Physical Sciences, University of Newcastle
Trustworthy Machine Learning, Machine Unlearning
Boyu Kuang
Nanjing University of Science and Technology, China
Anmin Fu
Nanjing University of Science and Technology, China