csc 2515 lecture 11 differential privacy
play

CSC 2515 Lecture 11: Differential Privacy Roger Grosse University - PowerPoint PPT Presentation

Jan 17, 2024 •424 likes •970 views

CSC 2515 Lecture 11: Differential Privacy Roger Grosse University of Toronto UofT CSC 2515: 11-Differential Privacy 1 / 53 Overview So far, this class has been about getting algorithms to perform well according to some metric (e.g.

  1. CSC 2515 Lecture 11: Differential Privacy Roger Grosse University of Toronto UofT CSC 2515: 11-Differential Privacy 1 / 53

  2. Overview So far, this class has been about getting algorithms to perform well according to some metric (e.g. prediction error). Up until about 5 years ago, this is what almost the entire field was about. Now that AI is in widespread use by companies and governments, and used to make decisions about people, we have to ask: are we optimizing the right thing? The final two lectures are about AI ethics. Focus is on technical , rather than social/legal/political , aspects. (I’m not qualified to talk about the latter.) UofT CSC 2515: 11-Differential Privacy 2 / 53

  3. Overview This lecture: differential privacy Companies, governments, hospitals, etc. are collecting lots of sensitive data about individuals. Anonymizing data is surprisingly hard. Differential privacy gives a way to analyze data that provably doesn’t leak (much) information about individuals. Next lecture: algorithmic fairness How can we be sure that the predictions/decisions treat different groups fairly? What does this even mean? Privacy and fairness are among the most common topics the Vector Institute is asked for advice about by local companies and hospitals. Disclaimer: I’m still learning this too. UofT CSC 2515: 11-Differential Privacy 3 / 53

  4. Overview Many AI ethics topics we’re leaving out Explainability (people should be able to understand why a decision was made about them) Accountability (ability for a third-party to verify that an AI system is following the regulations) Bad side effects of optimizing for click-through? How should self-driving cars trade off the safety of passengers, pedestrians, etc.? (Trolley problems) Unemployment due to automation Face recognition and other surveillance-enabling technologies Autonomous weapons Risk of international AI arms races Long-term risks of superintelligent AI I’m focusing on privacy and fairness because these topics have well-established technical principles and techniques that address part of the problem. UofT CSC 2515: 11-Differential Privacy 4 / 53

  5. Overview An excellent popular book: UofT CSC 2515: 11-Differential Privacy 5 / 53

  6. Why Is Anonymization Hard? UofT CSC 2515: 11-Differential Privacy 6 / 53

  7. Why Is Anonymization Hard? Some examples of anonymization failures (taken from The Ethical Algorithm ) In the 1990s, a government agency released a database of medical visits, stripped of identifying information (names, addresses, social security numbers) But it did contain zip code, birth date, and gender. Researchers estimated that 87 percent of Americans are uniquely identifiable from this triplet. Netflix Challenge (2006), a Kaggle-style competition to improve their movie recommendations, with a $1 million prize They released a dataset consisting of 100 million movie ratings (by “anonymized” numeric user ID), with dates Researchers found they could identify 99% of users who rated 6 or more movies by cross-referencing with IMDB, where people posted reviews publicly with their real names UofT CSC 2515: 11-Differential Privacy 7 / 53

  8. Why Is Anonymization Hard? Not sufficient to prevent unique identification of individuals. Kearns & Roth, The Ethical Algorithm From this (fictional) hospital database, if we know Rebecca is 55 years old and in this database, then we know she has 1 of 2 diseases. UofT CSC 2515: 11-Differential Privacy 8 / 53

  9. Why Is Anonymization Hard? Even if you don’t release the raw data, the weights of a trained network might reveal sensitive information. Model inversion attacks recover information about the training data from the trained model. Here’s an example of reconstructing individuals from a face recognition dataset, given a classifier trained on this dataset and a generative model trained on an unrelated dataset of publicly available images. Col 1: training image. Col 2: prompt. Col 4: best guess from only public data. Col 5: reconstruction using classification network. Source: Zhang et al., “The secret revealer: Generative model-inversion attacks against deep neural networks.” https://arxiv.org/abs/1911.07135 UofT CSC 2515: 11-Differential Privacy 9 / 53

  10. Why Is Anonymization Hard? A neural net language model trained on Linux source code learned to output the exact text of the GPL license. http://karpathy.github.io/2015/05/21/rnn-effectiveness/ Gmail uses language models for email autocompletion. Imagine if the autocomplete feature spits out the entire text of one of your past emails. UofT CSC 2515: 11-Differential Privacy 10 / 53

  11. Why Is Anonymization Hard? It’s hard to guess what capabilities attackers will have, especially decades into the future. Analogy with crypto: Cryptosystems today are designed based on what quantum computers might be able to do in 30 years. To defend against unknown capabilities, we need mathematical guarantees. Want to guarantee: no individual is directly harmed (e.g. through release of sensitive information) by being part of the database, even if the attacker has tons of data and computation. UofT CSC 2515: 11-Differential Privacy 11 / 53

  12. An Intuition Pump: Randomized Response UofT CSC 2515: 11-Differential Privacy 12 / 53

  13. Randomized Response Intuition: Randomized response is a survey technique that ensures some level of privacy. Example: Have you ever dodged your taxes? Flip a coin. If the coin lands Heads , then answer truthfully. If it lands Tails , then flip it again. If it lands Heads , then answer Yes . If it lands Tails , then answer No . Probability of responses: Yes No 3/4 1/4 Dodge No Dodge 1/4 3/4 UofT CSC 2515: 11-Differential Privacy 13 / 53

  14. Randomized Response Tammy the Tax Investigator assigns a prior probability of 0.02 to Bob having dodged his taxes. Then she notices he answered Yes to the survey. What is her posterior probability? Pr ( Dodge ) Pr ( Yes | Dodge ) Pr ( Dodge | Yes ) = Pr ( Dodge ) Pr ( Yes | Dodge ) + Pr ( NoDodge ) Pr ( Yes | NoDodge ) 0 . 02 · 3 4 = 0 . 02 · 3 4 + 0 . 98 · 1 4 ≈ 0 . 058 So Tammy’s beliefs haven’t shifted too much. More generally, randomness turns out to be a really useful technique for preventing information leakage. UofT CSC 2515: 11-Differential Privacy 14 / 53

  15. Randomized Response How accurately can we estimate µ , the population mean? Let X ( i ) denote individual i ’s response if they respond truthfully, and T X ( i ) individual i ’s response under the RR mechanism. R Maximum likelihood estimate, if everyone responds truthfully: N µ T = 1 � X ( i ) ˆ T N i =1 Variance of the ML estimate: µ T ) = 1 N Var( X ( i ) Var(ˆ T ) = 1 N µ (1 − µ ) . UofT CSC 2515: 11-Differential Privacy 15 / 53

  16. Randomized Response How to estimate µ from the randomized responses { X ( i ) R } ? R ] = 1 4(1 − µ ) + 3 E [ X ( i ) 4 µ µ R = 2 − 1 � X ( i ) ⇒ ˆ R N 2 i Variance of the estimator: µ R ) = 4 N Var( X ( i ) Var(ˆ R ) ≥ 4 N Var( X ( i ) T ) = 4 Var(ˆ µ T ) The variance decays as 1 / N , which is good. But it is at least 4x larger because of the randomization. Can we do better? UofT CSC 2515: 11-Differential Privacy 16 / 53

  17. Differential Privacy UofT CSC 2515: 11-Differential Privacy 17 / 53

  18. Differential Privacy Basic setup: There is a database D which potentially contains sensitive information about individuals. The database curator has access to the full database. We assume the curator is trusted. The data analyst wants to analyze the data. She asks a series of queries to the curator, and the curator provides a response to each query. The way in which the curator responds to queries is called the mechanism. We’d like a mechnism that gives helpful responses but avoids leaking sensitive information about individuals. UofT CSC 2515: 11-Differential Privacy 18 / 53

  19. Differential Privacy Two databases D 1 and D 2 are neighbouring if they agree except for a single entry. Idea: if the mechanism behaves nearly identically for D 1 and D 2 , then an attacker can’t tell whether D 1 or D 2 was used (and hence can’t learn much about the individual). Definition: A mechanism M is ε -differentially private if for any two neighbouring databases D 1 and D 2 , and any set R of possible responses Pr ( M ( D 1 ) ∈ R ) ≤ exp( ε ) Pr ( M ( D 2 ) ∈ R ) . Note: for small ε , exp( ε ) ≈ 1 + ε . A consequence: for any possible response y , exp( − ε ) ≤ Pr ( M ( D 1 ) = y ) Pr ( M ( D 2 ) = y ) ≤ exp( ε ) UofT CSC 2515: 11-Differential Privacy 19 / 53

  20. Differential Privacy Visually: Notice that the tail behavior is important. UofT CSC 2515: 11-Differential Privacy 20 / 53

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Differential Privacy (Part III) Approximate (or ( , ))-differential privacy

Differential Privacy (Part III) Approximate (or ( , ))-differential privacy

Differential Privacy (Part III) Approximate (or ( , ))-differential privacy Generalized definition of differential privacy allowing for a (supposedly small) additive factor Used in a variety of applications A query mechanism M is (

1.27k views • 43 slides
Differential Privacy Techniques Beyond Differential Privacy Steven Wu Assistant Professor

Differential Privacy Techniques Beyond Differential Privacy Steven Wu Assistant Professor

Differential Privacy Techniques Beyond Differential Privacy Steven Wu Assistant Professor University of Minnesota 1 Differential privacy? Isnt it just adding noise? How to add smart noise to guarantee privacy without sacrificing

592 views • 57 slides
CS573 Data Privacy and Security Local Differential Privacy Li Xiong Privacy at Scale: Local

CS573 Data Privacy and Security Local Differential Privacy Li Xiong Privacy at Scale: Local

CS573 Data Privacy and Security Local Differential Privacy Li Xiong Privacy at Scale: Local Differential Privacy in Practice (Module 1) Graham Cormode, Somesh Jha, Tejas Kulkarni, Ninghui Li, Divesh Srivastava, and Tianhao Wang Differential

819 views • 38 slides
Algorithms for Differential Privacy: Exponential & Median Mechanism CompSci 590.03

Algorithms for Differential Privacy: Exponential & Median Mechanism CompSci 590.03

Algorithms for Differential Privacy: Exponential & Median Mechanism CompSci 590.03 Instructor: Ashwin Machanavajjhala Lecture 7 : 590.03 Fall 12 1 Recap: Differential Privacy For every pair of inputs For every output that differ in one

445 views • 29 slides
Implementing Differential Privacy & Side-channel attacks CompSci 590.03 Instructor: Ashwin

Implementing Differential Privacy & Side-channel attacks CompSci 590.03 Instructor: Ashwin

Implementing Differential Privacy & Side-channel attacks CompSci 590.03 Instructor: Ashwin Machanavajjhala Lecture 14 : 590.03 Fall 12 1 Outline Differential Privacy Implementations PINQ: Privacy Integrated Queries [McSherry SIGMOD

1.22k views • 40 slides
Differential Privacy Li Xiong Outline Differential Privacy Definition Basic techniques

Differential Privacy Li Xiong Outline Differential Privacy Definition Basic techniques

CS573 Data Privacy and Security Differential Privacy Li Xiong Outline Differential Privacy Definition Basic techniques Composition theorems Statistical Data Privacy Non-interactive vs interactive Privacy goal: individual is

1.15k views • 64 slides
CSC 2515 Lecture 7: Expectation-Maximization Marzyeh Ghassemi Material and slides developed by

CSC 2515 Lecture 7: Expectation-Maximization Marzyeh Ghassemi Material and slides developed by

CSC 2515 Lecture 7: Expectation-Maximization Marzyeh Ghassemi Material and slides developed by Roger Grosse, University of Toronto UofT CSC 2515: 07-EM 1 / 53 Motivating Examples Some examples of situations where youd use unupservised

862 views • 64 slides
Toniann Pitassi Outline 1. Differential Privacy: The Basics 2. Differential Privacy in New

Toniann Pitassi Outline 1. Differential Privacy: The Basics 2. Differential Privacy in New

Differential Privacy and Fairness: Foundations and New Frontiers Toniann Pitassi Outline 1. Differential Privacy: The Basics 2. Differential Privacy in New Settings - Pan Privacy - Privacy in multi-party settings - Fairness Outline

947 views • 49 slides
CS573 Data Privacy and Security Differential Privacy Real World Deployments Li Xiong

CS573 Data Privacy and Security Differential Privacy Real World Deployments Li Xiong

CS573 Data Privacy and Security Differential Privacy Real World Deployments Li Xiong Applying Differential Privacy Real world deployments of differential privacy OnTheMap RAPPOR Module 4 Tutorial: Differential Privacy in the Wild

617 views • 30 slides
Bridging Privacy Definitions: Differential Privacy and Concepts from Privacy Law & Policy

Bridging Privacy Definitions: Differential Privacy and Concepts from Privacy Law & Policy

Bridging Privacy Definitions: Differential Privacy and Concepts from Privacy Law & Policy Alexandra Wood Berkman Klein Center for Internet & Society at Harvard University DIMACS/Northeast Big Data Hub Workshop on Overcoming Barriers to

964 views • 54 slides
Differential privacy and applications to location privacy Catuscia Palamidessi INRIA & Ecole

Differential privacy and applications to location privacy Catuscia Palamidessi INRIA & Ecole

Differential privacy and applications to location privacy Catuscia Palamidessi INRIA & Ecole Polytechnique 1 Plan of the talk General introduction to privacy issues A naive approach to privacy protection: anonymization Why it

740 views • 44 slides
Data Mining with Differential Privacy Arik Friedman and Assal Schuster by Slawomir Goryczka

Data Mining with Differential Privacy Arik Friedman and Assal Schuster by Slawomir Goryczka

Data Mining with Differential Privacy Arik Friedman and Assal Schuster by Slawomir Goryczka Differential Privacy A randomized computation M provides -differential privacy if for any datasets A and B that differ by 1 record and any set of

193 views • 17 slides
Satisfy Legal Definitions of Privacy? The Case of FERPA and Differential Privacy CS

Satisfy Legal Definitions of Privacy? The Case of FERPA and Differential Privacy CS

Do Computer Science Definitions of Privacy Satisfy Legal Definitions of Privacy? The Case of FERPA and Differential Privacy CS LAW Kobbi Nissim Ben-Gurion University Center for Research on Computation and Society

865 views • 62 slides
Mobile Data Collection and Analysis with Local Differential Privacy - Part 1 Ninghui Li (Purdue

Mobile Data Collection and Analysis with Local Differential Privacy - Part 1 Ninghui Li (Purdue

Mobile Data Collection and Analysis with Local Differential Privacy - Part 1 Ninghui Li (Purdue University) 1 Outline Motivation of Differential Privacy and Local Differential Privacy (LDP) Frequency Oracles in LDP Tradeoff between

821 views • 53 slides
Differential Privacy and Applications Marco Gaboardi Boston University Recap Foundamental Law

Differential Privacy and Applications Marco Gaboardi Boston University Recap Foundamental Law

Differential Privacy and Applications Marco Gaboardi Boston University Recap Foundamental Law of Information Reconstruction The release of too many overly accurate statistics gives privacy violations. ( , )-Differential Privacy

1.26k views • 76 slides
Foundations of Computing II Lecture 26: Applications Differential Privacy Stefano Tessaro

Foundations of Computing II Lecture 26: Applications Differential Privacy Stefano Tessaro

CSE 312 Foundations of Computing II Lecture 26: Applications Differential Privacy Stefano Tessaro tessaro@cs.washington.edu 1 Setting Data mining Statistical queries Medical data Query logs Social network data 2 Setting

1.03k views • 21 slides
Magnetometry standard for the muon g2 experiment g2 p measurement NMR

Magnetometry standard for the muon g2 experiment g2 p measurement NMR

Magnetometry standard for the muon g2 experiment g2 p measurement NMR magnetometers Absolute calibration problem 3 He magnetometry How to polarize 3 He state of the art Sam Henry, University of Oxford 1 The g2

509 views • 11 slides
Philosophical Ethics Philosophical Ethics an introduction George Matthews 2020 1 / 17 The

Philosophical Ethics Philosophical Ethics an introduction George Matthews 2020 1 / 17 The

Philosophical Ethics Philosophical Ethics an introduction George Matthews 2020 1 / 17 The case of the runaway trolley The case of the runaway trolley You are standing near a switch next a railroad track when you notice a runaway trolley

565 views • 34 slides
AI in the Public Imagination Philipp Koehn 31 January 2019 Philipp Koehn Artificial

AI in the Public Imagination Philipp Koehn 31 January 2019 Philipp Koehn Artificial

AI in the Public Imagination Philipp Koehn 31 January 2019 Philipp Koehn Artificial Intelligence: AI in the Public Imagination 31 January 2019 Fiction 1 Robots and AI are a central element in Science Fiction Questions raised

673 views • 45 slides
Best rank-one approximation Definition: The first left singular vector of A is defined to be the

Best rank-one approximation Definition: The first left singular vector of A is defined to be the

Best rank-one approximation Definition: The first left singular vector of A is defined to be the vector u 1 such that 1 u 1 = A v 1 , where 1 and v 1 are, respectively, the first singular value and the first right singular vector. Theorem:

305 views • 27 slides
Fermilab Measurement of Muon g-2 Dave Kawall, University of Massachusetts Amherst, on behalf of the

Fermilab Measurement of Muon g-2 Dave Kawall, University of Massachusetts Amherst, on behalf of the

Fermilab Measurement of Muon g-2 Dave Kawall, University of Massachusetts Amherst, on behalf of the Muon g -2 Collaboration Goal: Measure the muon anomalous magnetic moment a to 140 ppb, a fourfold improvement over the 540 ppb precision of

740 views • 39 slides
Downtown Pensacola Perception Study September 2017 Contents Purpose and Methodology 3 Key

Downtown Pensacola Perception Study September 2017 Contents Purpose and Methodology 3 Key

Downtown Pensacola Perception Study September 2017 Contents Purpose and Methodology 3 Key Findings 4 5 Downtown Patron Profile Net Promoter Score 6 Downtown Perceptions 9 Delivery vs Expectations 10 Missing from Downtown 13

571 views • 16 slides
Bertrand Meyer Lecture 6: More patterns: Visitor, Strategy, Chain, State, Command 1 Command 2

Bertrand Meyer Lecture 6: More patterns: Visitor, Strategy, Chain, State, Command 1 Command 2

Software Architecture Software Architecture Bertrand Meyer Lecture 6: More patterns: Visitor, Strategy, Chain, State, Command 1 Command 2 2 Command pattern - Intent Purpose Way to implement an undo-redo mechanism, e.g. in text y p g

1.11k views • 82 slides
HEX Switch: Hardware-assisted security extensions of OpenFlow Taejune Park / KAIST /

HEX Switch: Hardware-assisted security extensions of OpenFlow Taejune Park / KAIST /

HEX Switch: Hardware-assisted security extensions of OpenFlow Taejune Park / KAIST / taejune.park@kaist.ac.kr Zhaoyan Xu / StackRox Inc. / z@stackrox.com Seungwon Shin / KAIST / claude@kaist.ac.kr Software-Defined Networking

673 views • 36 slides

More recommend