Explaining Privacy and Fairness Violations in Data-Driven Systems - - PowerPoint PPT Presentation



slide-1
SLIDE 1

Explaining Privacy and Fairness Violations in Data-Driven Systems

Matt Fredrikson Carnegie Mellon University

slide-2
SLIDE 2

Joint effort

2

Shayak Sen Gihyuk Ko Piotr Mardziel Anupam Datta Sam Yeom Emily Black Klas Leino

slide-3
SLIDE 3

Data-driven systems are ubiquitous

Web services Credit Law Enforcement Healthcare Education

3

slide-4
SLIDE 4

Data-driven systems are opaque

Online Advertising System User data Decisions

4

slide-5
SLIDE 5

Opacity and privacy

5

…able to identify about 25 products that, when analyzed together, allowed him to assign each shopper a “pregnancy prediction” score. Take a fictional Target shopper who … bought cocoa-butter lotion, a purse large enough to double as a diaper bag, zinc and magnesium supplements and a bright blue rug. There’s, say, an 87 percent chance that she’s pregnant

slide-6
SLIDE 6

Opacity and fairness

6

Image source: Han Huang, Reuters

slide-7
SLIDE 7

Inappropriate information use

Both problems can be seen as inappropriate use of protected information

  • Fairness/discrimination
      • Use of race or gender for employment decisions
      • Business necessity exceptions
  • Privacy
      • Use of health or political background for marketing
      • Exceptions derive from contextual information norms

This is a type of bug!

7

slide-8
SLIDE 8

Agenda

Methods for dealing with inappropriate information use

  • Detecting when it occurs
  • Providing diagnostic information to developers
  • Automatic repair, when possible

Remaining talk:

  • Formalize “inappropriate information use”
  • Show how it applies to classifiers
  • Generalize to continuous domain
  • Nonlinear continuous models & applications

8

slide-9
SLIDE 9

Explicit use via causal influence [Datta, Sen, Zick Oakland’16]

Example: Credit decisions

[Diagram: Age and Income feed a Classifier (uses only income), which outputs a Decision]

Conclusion: Measures of association not informative

slide-10
SLIDE 10

Causal intervention

[Diagram: Age and Income feed a Classifier (uses only income), which outputs a Decision. Sample values shown: ages 21, 28, 44, 63; incomes $90K, $100K, $20K, $10K]

Replace feature with random values from the population, and examine distribution over outcomes.
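
The contrast between association and causal intervention, worked through on a toy case. This is an added example, not code from the talk or the cited paper; the population, the income threshold and the function names are constructed for illustration.

```python
from itertools import product

# Constructed population of (age, income in $K); older applicants here earn more.
POPULATION = [(21, 10), (28, 20), (44, 90), (63, 100), (25, 15), (58, 95)]

def classifier(age, income):
    """Uses only income, as in the slide's example; age is never read."""
    return income >= 50  # threshold is an assumption of this example

def approval_gap(threshold=40):
    """Association: approval rate of older applicants minus that of younger ones."""
    old = [classifier(a, i) for a, i in POPULATION if a >= threshold]
    young = [classifier(a, i) for a, i in POPULATION if a < threshold]
    return sum(old) / len(old) - sum(young) / len(young)

def influence(feature):
    """Causal intervention: probability that the decision changes when
    `feature` (0 = age, 1 = income) is replaced by a value drawn from the
    population. Computed exactly over every (instance, donor) pair."""
    changed = 0
    for x, donor in product(POPULATION, repeat=2):
        y = list(x)
        y[feature] = donor[feature]  # intervene on one input, keep the other
        changed += classifier(*x) != classifier(*y)
    return changed / len(POPULATION) ** 2
```

Age is perfectly associated with the decision in this population, yet intervening on it never changes an outcome, while intervening on income changes half of them.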

slide-11
SLIDE 11

Challenge: Indirect (proxy) use

[Diagram: # years in same job, unpaid mortgage?, income, … feed a Classifier (targets older people), which outputs a Decision]

Need to determine when information type is inferred and then used

slide-12
SLIDE 12

Proxy use: a closer look

12

What do we mean by proxy use?

  • 1. Explicit use is also proxy use

[Decision tree: root "Age > 60"; branches T/F; leaves Y/N]

slide-13
SLIDE 13

Proxy use: a closer look

13

What do we mean by proxy use?

  • 1. Explicit use is also proxy use
  • 2. “Inferred use” is proxy use

[Decision tree: nodes "yrs in job > 10" and "unpaid mortgage?"; branches T/F; leaves Y/N]

slide-14
SLIDE 14

Proxy use: a closer look

14

What do we mean by proxy use?

  • 1. Explicit use is also proxy use
  • 2. “Inferred use” is proxy use
  • Inferred values must be influential

[Decision tree: root "yrs in job > 10" with an "unpaid mortgage?" node under each branch; branches T/F; leaves Y/N]

slide-15
SLIDE 15

Proxy use: a closer look

15

What do we mean by proxy use?

  • 1. Explicit use is also proxy use
  • 2. “Inferred use” is proxy use
  • Inferred values must be influential
  • Associations must be two-sided

[Decision tree: root "yrs in job > 10" with an "unpaid mortgage?" node under each branch; branches T/F; leaves Y/N]

slide-16
SLIDE 16

One- and two-sided associations

16

What happens if we allow one-sided association? Consider this model:

  • Uses postal code to determine state
  • Zip code can predict race
  • …but not the other way around

This is a benign use of information that’s associated with a protected information type

[Decision tree: root "zip code"; branches Pittsburgh/Philadelphia; leaves Ad #1/Ad #2]

slide-17
SLIDE 17

Proxy use: a closer look

17

What do we mean by proxy use?

  • 1. Explicit use is also proxy use
  • 2. “Inferred use” is proxy use
  • Inferred values must be influential
  • Associations must be two-sided
  • 3. Output association is unnecessary for proxy use

[Decision tree: root "women’s college?" (yes/no) with an "interested?" node (yes/no) under each branch; leaves Accept/Reject]

slide-18
SLIDE 18

Towards a formal definition: axiomatic basis

  • (Axiom 1: Explicit use) If random variable Z is an influential input of the model A, then A makes proxy use of Z.
  • (Axiom 2: Preprocessing) If a model A makes proxy use of Z, and A’(x) = A(x, f(x)), then A’ also makes proxy use of Z.
      • Example: A’ infers a protected piece of info given directly to A
  • (Axiom 3: Dummy) If A’(x,x’) = A(x) for all x and x’, then A’ has proxy use of Z exactly when A does.
      • Example: feature never touched by the model.
  • (Axiom 4: Independence) If Z is independent of the inputs of A, then A does not have proxy use of Z.
      • Example: model obtains no information about protected type

18

slide-19
SLIDE 19

Extensional proxy use axioms are inconsistent

Key Intuition:

  • Preprocessing forces us to preserve proxy use under function composition
  • But the rest of the model can cancel out a composed proxy
  • Let X, Y, Z be pairwise independent random variables, and Y = X ⊕ Z
  • Then A(Y, Z) = Y ⊕ Z makes proxy use of Z (explicit use axiom)
  • So does A’(Y, Z, X) = Y ⊕ Z (dummy axiom)
  • And so does A’’(Z, X) = A’(X ⊕ Z, Z, X) (preprocessing axiom)
  • But A’’(Z, X) = X ⊕ Z ⊕ Z = X, and X, Z are independent…

19

slide-20
SLIDE 20

Syntactic relaxation

  • We address this with a syntactic definition
  • Composition is tied to how the function is represented as a program
  • Checking for proxy use requires access to program internals

[Decision tree: root "women’s college" (true/false) with "interested?" nodes (yes/no); leaves offer / no offer]

slide-21
SLIDE 21

Models as Programs

  • Expressions that produce a value
  • No loops or other complexities
  • But often very large

21

⟨exp⟩ ::= R | True | False | var
        | op(⟨exp⟩, …, ⟨exp⟩)
        | if (⟨exp⟩) then { ⟨exp⟩ } else { ⟨exp⟩ }

Operations:

  • arithmetic operations: +, -, *, etc.
  • boolean connectives: or, and, not, etc.
  • relations: ==, <, ≤, >, etc.

[Decision tree: root "women’s college" (true/false) with "interested?" nodes (yes/no); leaves offer / no offer]

slide-22
SLIDE 22

Modeling Systems | Probabilistic Semantics

22

Expression semantics: ⟦exp⟧ : Instance → Value

  • I is a random variable over dataset instances
  • ⟦exp⟧ : I → V
  • V is a random variable over the expression’s value

Joint over input instance (I) and expression values (Vi) for each expression expi:

Pr[ I, V0, V1, ..., V9 ]

  • marginals: Pr[V4 = True, V0 = Ad1]
  • conditionals: Pr[V4 = True | V0 = Ad1]

[Decision tree: root "women’s college?" (true/false) with "interested?" nodes (true/false); leaves offer / no offer; sub-expressions labelled exp0 to exp9]

slide-23
SLIDE 23

Program decomposition

23

Decomposition

Given a program p, a decomposition (p1, X, p2) consists of two programs p1, p2, and a fresh variable X such that replacing X with p1 inside p2 yields p.

[Diagram: the tree over "yrs in job > 10" and "unpaid mortgage?" (branches T/F, leaves Y/N) split into a sub-program p1 and a remainder p2 in which the variable X stands in place of p1]

slide-24
SLIDE 24

Characterizing proxies

24

Proxy

Given a decomposition (p1, X, p2) and a random variable Z, p1 is a proxy for Z if ⟦p1⟧(I) is associated with Z.

[Diagram: p1 is the "women’s college" test; p2 is the remaining tree, with X in place of p1, "interested?" nodes (true/false) and leaves Y/N]

p1 is a proxy for “gender = Female”

slide-25
SLIDE 25

Characterizing use

25

Influential Decomposition

A decomposition (p1, X, p2) is influential if X can change the outcome of p2

[Diagram: the tree over "yrs in job > 10" and "unpaid mortgage?" (branches T/F, leaves Y/N) split into a sub-program p1 and a remainder p2 in which the variable X stands in place of p1]

slide-26
SLIDE 26

Putting it all together

26

Proxy Use

A program p has proxy use of random variable Z if there exists an influential decomposition (p1, X, p2) of p that is a proxy for Z.

This is close to our intuition from earlier. Formally, it satisfies similar axioms:

  • Dummy and independence axioms remain largely unchanged
  • Explicit use, preprocessing rely on program decomposition instead of function composition
slide-27
SLIDE 27

Quantitative proxy use

27

A decomposition (p1, X, p2) is an (ε, δ)-proxy use of Z when

  • The association between p1 and Z is ≥ ε, and
  • p1’s influence in p2, ɩ(p1, p2) ≥ δ

A program has (ε, δ)-proxy use of Z when it admits a decomposition that is an (ε, δ)-proxy use of Z

slide-28
SLIDE 28

Quantifying decomposition influence

28

1. Intervene on p1
2. Compare the behavior:

  • With intervention
  • As the system runs normally

3. Measure divergence:

ɩ(p1, p2) = E_{X,X’}[ ⟦p⟧(X) ≠ ⟦p2⟧(X, ⟦p1⟧(X’)) ]

[Diagram: the tree over "yrs in job?" and "unpaid mortgage?" (branches yes/no, leaves Y/N) split into p1 and p2, with X in place of p1]

slide-29
SLIDE 29

Algorithmics

  • Does system have an (ε, δ)-proxy-use of a protected variable?
      • Basic algorithm O(S*N²)
      • S – # expressions
      • N – # dataset instances
  • How do we remove (ε, δ)-proxy-use violation?
      • Naive algorithm
      • Replace Expi with a constant
          O( 1 ) // any constant
          O( N * M ) // best constant, M – # possible values
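
The detection loop defined over the previous slides (decomposition, proxy, influence, (ε, δ)-proxy use) and the naive constant-replacement repair, as an added example that is not the authors' implementation. The tuple encoding of expressions, the dataset, the model and the association measure (mutual information divided by joint entropy) are assumptions of this example.

```python
from collections import Counter
from math import log2

def ev(e, x, path=(), hole=None, val=None):
    """Evaluate e on instance x, forcing the sub-expression at `hole` to `val`."""
    if path == hole:
        return val
    op, *args = e
    if op in ("var", "const"):
        return x[args[0]] if op == "var" else args[0]
    a = [ev(s, x, path + (i,), hole, val) for i, s in enumerate(args)]
    return {"gt": lambda: a[0] > a[1], "and": lambda: a[0] and a[1],
            "not": lambda: not a[0], "if": lambda: a[1] if a[0] else a[2]}[op]()

def subexprs(e, path=()):
    """Yield (path, p1); each sub-expression p1 defines a decomposition (p1, X, p2)."""
    yield path, e
    if e[0] not in ("var", "const"):
        for i, s in enumerate(e[1:]):
            yield from subexprs(s, path + (i,))

def entropy(vals):
    return -sum(c / len(vals) * log2(c / len(vals)) for c in Counter(vals).values())

def assoc(a, z):
    """Two-sided association (this example's choice): mutual information / joint entropy."""
    joint = entropy(list(zip(a, z)))
    return (entropy(a) + entropy(z) - joint) / joint if joint else 0.0

def influence(p, path, p1, data):
    """Fraction of pairs (X, X') with p(X) != p2(X, p1(X')), over all N^2 pairs."""
    vals = [ev(p1, x) for x in data]
    diff = sum(ev(p, x) != ev(p, x, hole=path, val=v) for x in data for v in vals)
    return diff / len(data) ** 2

def proxy_uses(p, data, z, eps, delta):
    """Decompositions with association >= eps and influence >= delta."""
    scored = [(path, assoc([ev(p1, x) for x in data], z), influence(p, path, p1, data))
              for path, p1 in subexprs(p)]
    return [(q, round(a, 3), round(i, 3)) for q, a, i in scored if a >= eps and i >= delta]

# Constructed data: (yrs in job, unpaid mortgage?, income in $K, age > 60)
ROWS = [(15, False, 30, True), (20, False, 80, True), (12, True, 60, False), (3, False, 40, False),
        (5, True, 90, False), (11, False, 20, True), (2, True, 70, False), (14, True, 35, False)]
DATA = [dict(yrs=y, mort=m, income=i) for y, m, i, _ in ROWS]
Z = [old for *_, old in ROWS]
V, C = (lambda n: ("var", n)), (lambda v: ("const", v))
PROXY = ("and", ("gt", V("yrs"), C(10)), ("not", V("mort")))
MODEL = ("if", PROXY, C("Y"), ("if", ("gt", V("income"), C(50)), C("Y"), C("N")))
REPAIRED = ("if", C(False), C("Y"), MODEL[3])  # naive repair: proxy replaced by a constant
```

With ε = 0.5 and δ = 0.1, `proxy_uses(MODEL, DATA, Z, 0.5, 0.1)` reports only the path `(0,)`, the conjunction of the two job and mortgage tests, which serves as the witness; neither test alone reaches the association threshold, and `REPAIRED` yields no hits.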

slide-30
SLIDE 30

Witnesses

30

[Diagram: expression trees with nodes "zip = z1 or z3", "women’s college?" and "interested?" (branches true/false), leaves offer / no offer and Y/N, sub-expressions labelled Exp0 and exp0 to exp9]

Using Witnesses

  • Demonstration of violation in the system
  • Localize where scrutiny/human eyeballs need to be applied
  • Determine what repair should be applied

slide-31
SLIDE 31

Experiments: Benchmark datasets (CCS’17)

31

[Figure: tree labelled "~ Marital status" with nodes Age ≤ 30, gender = female, capital-loss ≤ 1882.5]

model accuracy: 83.6%, after repair: 81.7%

[Figure: tree labelled "~ Wife’s religion" with nodes age ≤ 31, # children ≤ 3, wife-educ ≤ 3]

model accuracy: 61.2%, after repair: 52.1%

slide-32
SLIDE 32

Agenda

Methods for dealing with inappropriate information use

  • Detecting when it occurs
  • Providing diagnostic information to developers
  • Automatic repair, when possible

Remaining talk:

  • Formalize “inappropriate information use”
  • Show how it applies to classifiers
  • Generalize to continuous domain
  • Nonlinear continuous models & applications

32

slide-33
SLIDE 33

Proxies in linear regressors [NIPS’18]

Recall our definition of decomposition influence:

33

ɩ(p1, p2) = E_{X,X’}[ ⟦p⟧(X) ≠ ⟦p2⟧(X, ⟦p1⟧(X’)) ]

We generalize to regression by defining:

ɩ(p1, p2) = E_{X,X’}[ (⟦p⟧(X) - ⟦p2⟧(X, ⟦p1⟧(X’)))² ]

Y(X) = a1X1 + a2X2 + … + anXn

slide-34
SLIDE 34

Proxies in regressors [NIPS’18]

34

Y(X) = a1X1 + a2X2 + … + anXn

What are the decompositions?

  • Just individual terms anXn? Or groups like a1X1 + a2X2?
  • What about 0.5*a1X1 + a2X2?

Component P(X) = 𝛾1a1X1 + 𝛾2a2X2 + … + 𝛾nanXn for 𝛾1, …, 𝛾n ∊ [0, 1]

slide-35
SLIDE 35

Proxies in regressors [NIPS’18]

35

ɩ(p1, p2) = E_{X,X’}[ (Y(X) - Y(X, P(X’)))² ] ∝ Var( P(X) )

Asc(Y, Z) ∝ Cov(Y, Z)

Find max_𝛾 ‖A𝛾‖ such that |Asc(A𝛾, Z)| ≥ ε, where AᵀA = Cov(X, X)

cᵀ𝛾 (for ‖A𝛾‖ ≤ cᵀ𝛾)

Optimize to find proxies!

slide-36
SLIDE 36

Agenda

Methods for dealing with inappropriate information use

  • Detecting when it occurs
  • Providing diagnostic information to developers
  • Automatic repair, when possible

Remaining talk:

  • Formalize “inappropriate information use”
  • Show how it applies to classifiers
  • Generalize to continuous domain
  • Nonlinear continuous models & applications

36

slide-37
SLIDE 37

Distributional Influence: proxies in neural nets

37

Feature extractor z = h(x)

Classifier g(z)

Network f(x) = h(g(x))

ɩ_j(f, P) = ∫_𝒳 ∂g/∂z_j |_{h(x)} P(x) dx

P: distribution over inputs

Axioms:

  • Linear agreement
  • Distributional marginality
  • Distribution linearity
slide-38
SLIDE 38

Problems with neural nets: stereotyping

38

[Images with predicted labels: ping-pong ball (37%), ballplayer (90%), basketball (73%)]

See [Stock & Cisse, 2018] for more examples like this

slide-39
SLIDE 39

Problems with neural nets: bias amplification

39

  • In training data, 33% of “cooking” images have men in them
  • In predictions, 16% of “agent” roles in cooking images are labeled “man”

Image source: [Zhao et al., EMNLP 2018]

slide-40
SLIDE 40

Explaining stereotype predictions

40

[Images: prediction basketball (73%); top 5% most influential features; top 25% most influential features]

slide-41
SLIDE 41

Intrinsic bias amplification

41

[Plot labels: prior class probability; statistical distance between classes]

slide-42
SLIDE 42

Prediction bias from inductive bias

42

[Plot labels: # “weak” features for h(x) = 1; data size; hS – h*: difference between learned (hS) and optimal (h*) weight (averaged); = 0.5 + prediction bias]

Larger weights ≈ More influence

slide-43
SLIDE 43

Simple fix: kill weak features

43

[Plot labels: bias of resulting classifier; # most positive-influential features to keep; # most negative-influential features to keep]

Don’t increase the empirical loss

slide-44
SLIDE 44

Early results

44

CelebA dataset

For “attractive” prediction task:

  • 0.4% data bias towards 1 (= “attractive”)
  • 7.7% prediction bias
  • 79.6% accuracy

Post-fix:

  • 0.2% prediction bias
  • 79.9% accuracy
slide-45
SLIDE 45

Summary

Methods for dealing with inappropriate information use

  • Detecting when it occurs
  • Providing diagnostic information to developers
  • Automatic repair, when possible

Progress:

  • Formalize “inappropriate information use” as proxy use
  • Generalized to continuous domain and neural networks
  • Algorithms for detection and diagnosis
  • Explanation-based repair methods

45