Exploring Data Counterfactuals

Many data-centric techniques in machine learning can be unified under the concept of 'data counterfactuals': how does changing data affect model outcomes.

About

Short memo from Nick Vincent; ping him for any suggestions or complaints regarding this site!

This page is meant to provide an interactive explainer for the broad concept of "data counterfactuals". This is a concept that I found referring to a bunch when teaching about data valuation, algorithmic collective action, etc. As I referenced the idea repeatedly, in several different contexts students asked me something along the lines of: "is this 'data counterfactuals' like an actual term, in a textbook, or something?" Upon reflection and inspection, I realized that indeed, there was a not a go-to reference for what I think is an important and useful unifying concept. Thus, I created the first draft of this website, which includes the short memo you're reading and an interactive illustration of a toy exploration of data counterfactuals.

In short, data valuation, data scaling, data selection, data poisoning, nascent algorithmic collective action (ACA), and even some concepts in the privacy literature (like differential privacy) and in the data-centric ML literature (like data augmentation) all touch on a shared idea: exploring what happens when we hold our training choices fixed or somewhat fixed and change the data we train on. Many methods seek to answer "what if the data was different", or "what if we had picked these data instead of those?" or "what if the world produced different data altogether?"

Data valuation techniques often tell us how a relevant metric (e.g. test loss) would change if a data point (or groups of points) was missing/added/upweighted/downweighted. Data scaling tells us what would happen is our training data size was 10x-ed or 1/10. Data selection tries to tell us which data points we should pick from a given set. Data poisoning tells us what will happen when data is manipulated. Algorithmic collective action is focused on strategic behaviour by people that cause data to change. And some privacy concepts like differential privacy and data-centric ML concepts like augmentation involve intentionally modifying data to promote some outcome (more privacy, better performance).

A key distinction runs through this space. Some techniques explore counterfactual choices over the data that already exist -- choosing subsets, reweighting, making synthetic perturbations. Others try to act on, or incentivize, people so that the world itself changes. The latter camp manufactures real counterfactuals. In both cases the we can explore potential impact in the same way: by comparing two different "worlds" that differ in their data.

Here's the idea: Imagine enumerating every possible training set as the rows of a grid and every possible evaluation set as the columns. To make this tractable for a toy visualization, as we'll see below, perhaps just start by imagining we have 4 observations or 4 big groups of observation, A, B, C, and D. Each cell stores the performance you would observe if you trained on that row and tested on that column. We could use many different evaluation metrics to add a third dimension. This giant matrix is the full landscape of data counterfactuals.

If we see the space this way, a lot of ideas fall into place as even more clearly related to each other:

  • Observation- and group-level values, Shapley values, Beta Shapley, and related notions are all aggregations over carefully chosen slices of that grid.
  • We can understand what any valuation method is "really doing" by tracing how it walks the grid, which makes it easier to relate Beta Shapley, vanilla Shapley, leave-one-out, etc.
  • Data scaling laws become simple regressions on the averages across the rows grouped by size
  • Data selection and data leverage interventions—data strikes, boycotts, targeted contributions—are paths that move us to different rows and therefore different outcomes.

Critically, any strategic behavior by data creators (strike, contribution campaign, etc.) can be understood as movement within this grid. Similarly, strategic behavior by data consumers (selection, weighting, etc.) is also movement within this grid.

Data strikes lower performance by nudging AI operators toward less favorable rows. Data poisoning does the same (although to tell the full story of data poisoning we need a much, much bigger grid to account for all possible poisoning perturbations, i.e. an explosion of possible worlds).

This same view also clarifies how strikes or poisoning impact evaluation, which runs into the "unknown unknowns" problem in ML evaluation writ large. If we only evaluate on a few slices of the columns, we may miss important shifts in performance that occur on other slices. This is especially true if the data change is strategic, i.e. if data creators are trying to influence outcomes in a way that evades detection.

The grid also can help us to start reasoning about the costs of data valuation on seller side or buyer side. "Unveiling" the grid—actually measuring enough cells to run a Shapley calculation or a scaling-law fit—is often the dominant expense in data valuation, so we can reason about when the marginal benefit of better accounting beats the marginal cost of more evaluations. Likewise, the metaphor helps us price the work required to "generate" new parts of the grid. We might think of it as a board game where you drop fresh tiles to build the world: each new tile represents data labor, annotation, or incentive design, and the grid tells us whether that tile changes downstream outcomes enough to justify the effort (indeed, we are working on exactly this kind of "data labor board game" concept for future release, see a preview in the "Experiment" section of this website).

Finally, the grid metaphor also helps us see connections to privacy interventions. Differential privacy can be seen as a way to limit how much any one data point can move you around the grid. Data augmentation can be seen as a way to fill in more of the grid with synthetic data points, which may help smooth out performance across rows and columns.

Feedback welcome! I'm hopeful to iterate on this (and open to contribution -- if there's interest, let's make this an OSS project!) to help make the connections between technical data-centric work and collective action / data leverage / safety / responsible AI work clearer and more accessible.

It will also be helpful to further connect with the formal definitions from a variety of literature including:

  • specific results re: influence functions for LLMs
  • active learning
  • coresets
  • experimental design
  • causal inference
  • curriculum learning
  • machine unlearning
  • adversarial training
  • fairness interventions that operate via data

At the bottom of this page, we have started to collect a non-comprehensive list of relevant references that touch on data counterfactuals in some way -- more to come here!

Guided examples

Click a preset and watch the controls snap into place.

Pick one of the examples above to auto-configure the grid and walk through the narration.

Controls

Universe size
4
Cell metric
Palette
Baseline train row
Eval column
Show numbers
Edit data / world
Interpretation: imagine a data strike or targeted poisoning—every training subset that includes a focus point is uniformly degraded.
Full settings snapshot
Live JSON reflecting universe, rows, evals, and edit toggles.
{
  "tutorial": null,
  "universe": [
    "A",
    "B",
    "C",
    "D"
  ],
  "metric": "jaccard",
  "palette": "Blue→Yellow",
  "focus": "A",
  "focusSet": [
    "A"
  ],
  "baselineTrain": {
    "index": 1,
    "set": [
      "A"
    ]
  },
  "evalColumn": {
    "index": 1,
    "set": [
      "A"
    ]
  },
  "computed": "shapley",
  "edits": {
    "mode": "poison",
    "poison": false,
    "noiseLevel": 0
  },
  "scalingK": 2,
  "showNumbers": false,
  "gridView": "operator",
  "rows": [
    "∅",
    "A",
    "B",
    "C",
    "D",
    "AB",
    "AC",
    "AD",
    "BC",
    "BD",
    "CD",
    "ABC",
    "ABD",
    "ACD",
    "BCD",
    "ABCD"
  ]
}
Focus point(s)
This is the point (or group) we assess value for; amber/cyan rings compare cells with and without these members.
Single mode: pick one.

Counterfactual Grid

Axis headers glow for the active train row and eval column. Switching computed views pulses the contributing cells.
A
B
C
D
AB
AC
AD
BC
BD
CD
ABC
ABD
ACD
BCD
ABCD
A
B
C
D
AB
AC
AD
BC
BD
CD
ABC
ABD
ACD
BCD
ABCD
What you’re seeing: each cell = Train subset and an Eval subset. Click a row label to choose the train slice, a column label for the eval slice, or click a cell to choose both at once.
How to read the highlights: Amber rings mark the cells we pull values from (e.g., baseline rows or subsets without our data point we want to value). Cyan rings mark the cells we compare against (e.g., rows with the data point of interest). White outline = your currently selected cell.
Why it matters: the amber→cyan pairs are exactly the train/eval combinations the statistic is contrasting—these are the places to inspect to understand LOO, Group LOO, Shapley, or Scaling. Watch the rings pulse when you change computed modes to see which cells are being compared.
Operator view reflects edits (poison / noise / world shift); Real world shows the untouched matrix.

Computed values

Swap modes to see which cells drive the statistic; active cells flash in the grid.

Basic
Advanced (TODO)
Shapley value asks: “on average, how much does the focus point change the score when added to a partial training set?”
phi0.4688 from 8 pairs at eval A.
|S|Avg marginal Δ#pairs
01.00001
10.50003
20.33333
30.25001

Experiment

Kick the tires in a sandboxed “tactical board” with more open-ended knobs and spatial interactions.

It mirrors the explorer state but favors experimentation and animation.
Open tactical board

Appendix

Extra reading and references that inform the counterfactual / data attribution framing.

Bibliography
Influence / Attribution
  • TRAK: Attributing Model Behavior at Scale
    Sung Min Park, Kristian Georgiev, Andrew Ilyas, Guillaume Leclerc, Aleksander Madry
    International Conference on Machine Learning (ICML) (2023)
  • Beta Shapley: a Unified and Noise-reduced Data Valuation Framework for Machine Learning
    Yongchan Kwon, James Zou
    International Conference on Artificial Intelligence and Statistics (AISTATS) (2022)
  • Datamodels: Predicting Predictions from Training Data
    Andrew Ilyas, Sung Min Park, Logan Engstrom, Guillaume Leclerc, Aleksander Madry
    International Conference on Machine Learning (ICML) (2022)
  • Estimating Training Data Influence by Tracing Gradient Descent
    Garima Pruthi, Frederick Liu, Mukund Sundararajan, Satyen Kale
    Advances in Neural Information Processing Systems (NeurIPS) (2020)
  • Data Shapley: Equitable Valuation of Data for Machine Learning
    Amirata Ghorbani, James Zou
    Proceedings of the 36th International Conference on Machine Learning (ICML) (2019)
  • Understanding Black-box Predictions via Influence Functions
    Pang Wei Koh, Percy Liang
    Proceedings of the 34th International Conference on Machine Learning (ICML) (2017)
Poisoning / Security
  • Dataset Security for Machine Learning: Data Poisoning, Backdoor Attacks, and Defenses
    Micah Goldblum, Dimitris Tsipras, Chulin Xie, Xinyun Chen, Avi Schwarzschild, Dawn Song, Aleksander Madry, Bo Li, Tom Goldstein
    IEEE Transactions on Pattern Analysis and Machine Intelligence (2022)
  • Poisoning Attacks against Support Vector Machines
    Battista Biggio, Blaine Nelson, Pavel Laskov
    Proceedings of the 29th International Conference on Machine Learning (ICML) (2012)
Strikes / Leverage
  • Algorithmic Collective Action in Machine Learning
    Moritz Hardt, Eric Mazumdar, Celestine Mendler-Dünner, Tijana Zrnic
    International Conference on Machine Learning (ICML) (2023)
  • "Data Strikes": Evaluating the Effectiveness of a New Form of Collective Action Against Technology Companies
    Nicholas Vincent, Brent Hecht, Shilad Sen
    The World Wide Web Conference (WWW) (2019)
Selection / Coresets
  • DeepCore: A Comprehensive Library for Coreset Selection in Deep Learning
    Chengcheng Guo, Bo Zhao, Yanbing Bai
    arXiv preprint (2022)
  • Coresets for Data-efficient Training of Machine Learning Models
    Baharan Mirzasoleiman, Jeff Bilmes, Jure Leskovec
    International Conference on Machine Learning (ICML) (2020)
  • Active Learning for Convolutional Neural Networks: A Core-Set Approach
    Ozan Sener, Silvio Savarese
    International Conference on Learning Representations (ICLR) (2018)
Scaling
  • Scaling Laws for Neural Language Models
    Jared Kaplan, Sam McCandlish, Tom Henighan, Tom B. Brown, Benjamin Chess, Rewon Child, Scott Gray, Alec Radford, Jeffrey Wu, Dario Amodei
    arXiv preprint (2020)
Other / Game-theory
  • Exploring the limits of strong membership inference attacks on large language models
    Jamie Hayes, Ilia Shumailov, Christopher A. Choquette-Choo, Matthew Jagielski, George Kaissis, Milad Nasr, Sahra Ghalebikesabi, Meenatchi Sundaram Mutu Selva Annamalai, Niloofar Mireshghallah, Igor Shilov, Matthieu Meeus, Yves-Alexandre de Montjoye, Katherine Lee, Franziska Boenisch, Adam Dziedzic, A. Feder Cooper
    arXiv preprint arXiv:2505.18773 (2025)
  • If open source is to win, it must go public
    Tan, Joshua, Vincent, Nicholas, Elkins, Katherine, Sahlgren, Magnus
    arXiv preprint arXiv:2507.09296 (2025)
  • OLMoTrace: Tracing Language Model Outputs Back to Trillions of Training Tokens
    Liu, Jiacheng, Blanton, Taylor, Elazar, Yanai, Min, Sewon, Chen, YenSung, Chheda-Kothary, Arnavi, Tran, Huy, Bischoff, Byron, Marsh, Eric, Schmitz, Michael, others
    arXiv preprint arXiv:2504.07096 (2025)
  • LLM Dataset Inference: Did you train on my dataset?
    Pratyush Maini, Hengrui Jia, Nicolas Papernot, Adam Dziedzic
    arXiv preprint arXiv:2406.06443 (2024)
  • Poisoning Web-Scale Training Datasets is Practical
    Nicholas Carlini, Matthew Jagielski, Christopher A. Choquette-Choo, Daniel Paleka, Will Pearce, Hyrum Anderson, Andreas Terzis, Kurt Thomas, Florian Tramèr
    (2024)
  • Sleeper Agents: Training Deceptive LLMs that Persist Through Safety Training
    Evan Hubinger, Carson Denison, Jesse Mu, Mike Lambert, Meg Tong, Monte MacDiarmid, Tamera Lanham, Daniel M. Ziegler, Tim Maxwell, Newton Cheng, Adam Jermyn, Amanda Askell, Ansh Radhakrishnan, Cem Anil, David Duvenaud, Deep Ganguli, Fazl Barez, Jack Clark, Kamal Ndousse, Kshitij Sachan, Michael Sellitto, Mrinank Sharma, Nova DasSarma, Roger Grosse, Shauna Kravec, Yuntao Bai, Zachary Witten, Marina Favaro, Jan Brauner, Holden Karnofsky, Paul Christiano, Samuel R. Bowman, Logan Graham, Jared Kaplan, Sören Mindermann, Ryan Greenblatt, Buck Shlegeris, Nicholas Schiefer, Ethan Perez
    (2024)
  • What is Your Data Worth to GPT? LLM-Scale Data Valuation with Influence Functions
    arXiv preprint arXiv:2405.13954 (2024)
  • Quantifying Memorization Across Neural Language Models
    Nicholas Carlini, Daphne Ippolito, Matthew Jagielski, Katherine Lee, Florian Tramer, Chiyuan Zhang
    International Conference on Learning Representations (2023)
  • The Dimensions of Data Labor: A Road Map for Researchers, Activists, and Policymakers to Empower Data Producers
    Proceedings of the 2023 ACM Conference on Fairness, Accountability, and Transparency (2023)
  • Beyond neural scaling laws: beating power law scaling via data pruning
    Sorscher, Ben, Geirhos, Robert, Shekhar, Shashank, Ganguli, Surya, Morcos, Ari
    Advances in Neural Information Processing Systems (2022)
  • Training Data Influence Analysis and Estimation: A Survey
    Zayd Hammoudeh, Daniel Lowd
    arXiv preprint arXiv:2212.04612 (2022)
  • Beta Shapley: A Unified and Noise-Reduced Data Valuation Framework for Machine Learning
    arXiv preprint arXiv:2110.14049 (2021)
  • Data Leverage: A Framework for Empowering the Public in its Relationship with Technology Companies
    Vincent, Nicholas and Li, Hanlin and Tilly, Nicole and Chancellor, Stevie and Hecht, Brent
    Proceedings of the 2021 ACM Conference on Fairness, Accountability, and Transparency (2021)
  • Extracting Training Data from Large Language Models
    Carlini, Nicholas, Tramer, Florian, Wallace, Eric, Jagielski, Matthew, Herbert-Voss, Ariel, Lee, Katherine, Roberts, Adam, Brown, Tom B., Song, Dawn, Erlingsson, {\'U}lfar, Oprea, Alina, Papernot, Nicolas
    Proceedings of USENIX Security Symposium (2021)
  • Are anonymity-seekers just like everybody else? An analysis of contributions to Wikipedia from Tor
    Tran, Chau, Champion, Kaylea, Forte, Andrea, Hill, Benjamin Mako, Greenstadt, Rachel
    2020 IEEE Symposium on Security and Privacy (SP) (2020)
  • Language Models are Few-Shot Learners
    Tom B. Brown, Benjamin Mann, Nick Ryder, Melanie Subbiah, Jared Kaplan, Prafulla Dhariwal, Arvind Neelakantan, Pranav Shyam, Girish Sastry, Amanda Askell, Sandhini Agarwal, Ariel Herbert-Voss, Gretchen Krueger, Tom Henighan, Rewon Child, Aditya Ramesh, Daniel M. Ziegler, Jeffrey Wu, Clemens Winter, Christopher Hesse, Mark Chen, Eric Sigler, Mateusz Litwin, Scott Gray, Benjamin Chess, Jack Clark, Christopher Berner, Sam McCandlish, Alec Radford, Ilya Sutskever, Dario Amodei
    arXiv preprint arXiv:2005.14165 (2020)
  • Data Shapley: Equitable Valuation of Data for Machine Learning
    International Conference on Machine Learning (2019)
  • Dissecting Racial Bias in an Algorithm Used to Manage the Health of Populations
    Obermeyer, Ziad, Powers, Brian, Vogeli, Christine, Mullainathan, Sendhil
    Science (2019)
  • Fairness and Abstraction in Sociotechnical Systems
    Selbst, Andrew D., Boyd, Danah, Friedler, Sorelle A., Venkatasubramanian, Suresh, Vertesi, Janet
    Proceedings of the ACM Conference on Fairness, Accountability, and Transparency (FAccT) (2019)
  • Mapping the Potential and Pitfalls of "Data Dividends" as a Means of Sharing the Profits of Artificial Intelligence
    Nicholas Vincent, Yichun Li, Renee Zha, Brent Hecht
    arXiv preprint arXiv:1912.00757 (2019)
  • On the Accuracy of Influence Functions for Measuring Group Effects
    Pang Wei Koh, Kai-Siang Ang, Hubert H. K. Teo, Percy Liang
    Advances in Neural Information Processing Systems (2019)
  • Privacy, anonymity, and perceived risk in open collaboration: A study of service providers
    McDonald, Nora, Hill, Benjamin Mako, Greenstadt, Rachel, Forte, Andrea
    Proceedings of the 2019 CHI conference on human factors in computing systems (2019)
  • Reconciling modern machine-learning practice and the classical bias–variance trade-off
    Belkin, Mikhail, Hsu, Daniel, Ma, Siyuan, Mandal, Soumik
    Proceedings of the National Academy of Sciences (2019)
  • Towards Efficient Data Valuation Based on the Shapley Value
    Ruoxi Jia, Dah-Yuan Dao, Boxin Wang, Frances Ann Hubis, Nick Hynes, Neslihan M. Gurel, Carl J. Spanos
    International Conference on Artificial Intelligence and Statistics (2019)
  • A Reductions Approach to Fair Classification
    Alekh Agarwal, Alina Beygelzimer, Miroslav Dudik, John Langford, Hanna Wallach
    International Conference on Machine Learning (2018)
  • Gender Shades: Intersectional Accuracy Disparities in Commercial Gender Classification
    Buolamwini, Joy, Gebru, Timnit
    Proceedings of the Conference on Fairness, Accountability and Transparency (FAT*) (2018)
  • Should We Treat Data as Labor? Moving Beyond 'Free'
    Imanol Arrieta-Ibarra, Leonard Goff, Diego Jimenez-Hernandez, Jaron Lanier, E. Glen Weyl
    AEA Papers and Proceedings (2018)
  • Deep learning scaling is predictable, empirically
    Hestness, Joel, Narang, Sharan, Ardalani, Newsha, Diamos, Gregory, Jun, Heewoo, Kianinejad, Hassan, Patwary, Md, Ali, Mostofa, Yang, Yang, Zhou, Yanqi
    arXiv preprint arXiv:1712.00409 (2017)
  • Big Data's Disparate Impact
    Barocas, Solon, Selbst, Andrew D.
    California Law Review (2016)
  • The Algorithmic Foundations of Differential Privacy
    Cynthia Dwork, Aaron Roth
    Foundations and Trends in Theoretical Computer Science (2014)
  • Robust De-anonymization of Large Sparse Datasets
    Narayanan, Arvind, Shmatikov, Vitaly
    Proceedings of the IEEE Symposium on Security and Privacy (2008)
  • Simple Demographics Often Identify People Uniquely
    Sweeney, Latanya
    Carnegie Mellon University, Data Privacy Working Paper (2000)
Extras / Notes
TODO: add outbound links, citations, and deeper dives organized by topic.