Universally Adaptive Data Analysis Cynthia Dwork, Microsoft Research - - PowerPoint PPT Presentation

Universally Adaptive Data Analysis

Cynthia Dwork, Microsoft Research

Adaptive Data Analysis

 𝑟𝑗 depends on 𝑏1, 𝑏2, … , 𝑏𝑗−1  Worry: analyst finds a query for which the dataset is not

representative of population; reports surprising discovery

q1 a1

Database 𝑇 ∼ 𝐸 data analyst

M

q2 a2 q3 a3

𝑇 𝑟1: > 6 ft? 𝑟2: muffin tops? 𝑟2: muffin bottoms?

Differential Privacy for Adaptive Validity

 𝑟𝑗 depends on 𝑏1, 𝑏2, … , 𝑏𝑗−1  Differential privacy neutralizes risks incurred by adaptivity

 Definition of privacy tailored to statistical analysis of large data sets

q1 a1

Database data analyst

DP

q2 a2 q3 a3

[D., Feldman, Hardt, Pitassi, Reingold, Roth ’14] DP

𝑇 𝑟1: > 6 ft? 𝑟2: muffin tops? 𝑟2: muffin bottoms?

Differential Privacy for Adaptive Validity

 𝑟𝑗 depends on 𝑏1, 𝑏2, … , 𝑏𝑗−1  Differential privacy neutralizes risks incurred by adaptivity

 ∃ LARGE literature on DP algorithms for data analysis

q1 a1

Database data analyst

DP

q2 a2 q3 a3

[D., Feldman, Hardt, Pitassi, Reingold, Roth ’14] DP

𝑇 𝑟1: > 6 ft? 𝑟2: muffin tops? 𝑟2: muffin bottoms?

Some Intuition

 Fix a query, eg, “What fraction of population is over 6 feet tall?”  Almost all large datasets will give an approximately correct reply

 Most datasets are representative with respect to this query

 If, in the process of adaptive exploration, the analyst finds a

query for which the dataset is not representative, then she must have “learned something significant” about the dataset.

 Preserving the “privacy” of the data may prevent over-fitting.

Intuition After Nati’s Talk

 Differential Privacy: The outcome of any analysis is essentially equally

likely, independent of whether any individual joins, or refrains from joining, the dataset.

 This is a stability requirement.  Gave rise to the folklore that differential privacy yields generalizability.  But we will be able to say something stronger.

 𝑟𝑗 depends on 𝑏1, 𝑏2, … , 𝑏𝑗−1  Differential privacy neutralizes risks incurred by adaptivity

 E.g., for statistical queries: whp 𝐹𝑇 𝐵 𝑇

− 𝐹𝑄 𝐵 𝑇 < 𝜐

 High probability is important for handling many queries

[D., Feldman, Hardt, Pitassi, Reingold, Roth ’14]

q1 a1

Database data analyst

M

q2 a2 q3 a3

DP

𝑟1: > 6 ft? 𝑟2: muffin tops? 𝑟2: muffin bottoms? 𝑇

𝑟𝑗(𝑇) fails to generalize

Formalization

 Data sets 𝑇 ∈ 𝑌𝑜; 𝑇 ∼ 𝐸  Queries 𝑟: 𝑌𝑜 → 𝑍  Algorithms that choose queries and output results

 𝐵1 = 𝑟1 (trivial choice), outputs (𝑟1, 𝑟1(𝑇))

 𝐵𝑗: 𝑌𝑜 × 𝑍

1 × ⋯ × 𝑍 𝑗−1 → 𝑍 𝑗 where  𝑟𝑗 = 𝐷𝑗(𝑧1, … , 𝑧𝑗−1)  𝐵𝑗 𝑇, 𝑧1, … , 𝑧𝑗−1 = 𝑟𝑗, 𝑟𝑗 𝑇

= (𝑟𝑗, 𝑏𝑗)

 𝐼 ≝

𝑇, 𝑟 𝑟 𝑇 not representative wrt 𝐸}

 ∀ 𝑧1, … , 𝑧𝑗−1 Pr

𝑇

𝑇, 𝑟𝑗 ∈ 𝐼 ≤ 𝛾𝑗

 We want: Pr[ 𝑻, 𝐷𝑗 𝑻

∈ 𝐼] to be similar

 𝑟𝑗(𝑇) should generalize even when 𝑟𝑗 chosen as a function of 𝑇

Choose new query based on history of

• bservations

Output chosen query and its response on 𝑇

q1 a1 q2 a2 q3 a3

Differential Privacy [D.,McSherry,Nissim,Smith ‘06]

𝑁 gives 𝜗-differential privacy if for all pairs of adjacent data sets 𝑇, 𝑇′, and all events 𝑈 Pr 𝑁 𝑇 ∈ 𝑈 ≤ 𝑓𝜗 Pr 𝑁 𝑇′ ∈ 𝑈 Randomness introduced by 𝑁

Differential Privacy [D.,McSherry,Nissim,Smith ‘06]

𝑁 gives 𝜗-differential privacy if for all pairs of adjacent data sets 𝑇, 𝑇′, and all events 𝑈

For random variables 𝒀, 𝒁 over Χ, the max-divergence of 𝒀 from 𝒁 is given by 𝐸∞(𝒀| 𝒁 = log max

x∈𝑌

Pr[𝒀 = 𝑦] Pr[𝒁 = 𝑦] Then 𝜗-DP equivalent to 𝐸∞ 𝑁 𝑇 ||𝑁(𝑇′) ≤ 𝜗.

Pr 𝑁 𝑇 ∈ 𝑈 ≤ 𝑓𝜗 Pr 𝑁 𝑇′ ∈ 𝑈

Differential Privacy [D.,McSherry,Nissim,Smith ‘06]

𝑁 gives 𝜗-differential privacy if for all pairs of adjacent data sets 𝑇, 𝑇′, and all events 𝑈

For random variables 𝒀, 𝒁 over Χ, the max-divergence of 𝒀 from 𝒁 is given by 𝐸∞(𝒀| 𝒁 = log max

x∈𝑌

Pr[𝒀 = 𝑦] Pr[𝒁 = 𝑦] Then 𝜗-DP equivalent to 𝐸∞ 𝑁 𝑇 ||𝑁(𝑇′) ≤ 𝜗. Closed under post-processing: 𝐸∞ 𝐵(𝑁 𝑇 )||𝐵(𝑁 𝑇′ ) ≤ 𝜗.

Pr 𝑁 𝑇 ∈ 𝑈 ≤ 𝑓𝜗 Pr 𝑁 𝑇′ ∈ 𝑈

Differential Privacy [D.,McSherry,Nissim,Smith ‘06]

𝑁 gives 𝜗-differential privacy if for all pairs of adjacent data sets 𝑇, 𝑇′, and all events 𝑈

For random variables 𝒀, 𝒁 over Χ, the max-divergence of 𝒀 from 𝒁 is given by 𝐸∞(𝒀| 𝒁 = log max

x∈𝑌

Pr[𝒀 = 𝑦] Pr[𝒁 = 𝑦] Then 𝜗-DP equivalent to 𝐸∞ 𝑁 𝑇 ||𝑁(𝑇′) ≤ 𝜗. Group Privacy: ∀𝑇, 𝑇′′ 𝐸∞ 𝑁 𝑇 ||𝑁 𝑇′ ≤ Δ 𝑇, 𝑇′′ 𝜗.

Pr 𝑁 𝑇 ∈ 𝑈 ≤ 𝑓𝜗 Pr 𝑁 𝑇′ ∈ 𝑈

Properties

 Closed under post-processing

 Max-divergence remains bounded

 Automatically yields group privacy

 𝑙𝜗 for groups of size 𝑙

 Understand behavior under adaptive composition

 Can bound cumulative privacy loss over multiple analyses

 “The epsilons add up”

 Programmable

 Complicated private analyses from simple private building blocks

The Power of Composition

 Lemma: The choice of 𝑟𝑗 is differentially private.

 Closure under post-processing.

 Inductive step (key): If 𝑟 is chosen in a differentially private

fashion with respect to 𝑇, then Pr[ 𝑻, 𝐷(𝑻) ∈ 𝐼] is small

 Sufficiency: union bound.

q1 a1

Database data analyst

M

q2 a2 q3 a3

DP

𝑇

Description Length

 Let 𝐵: 𝑌𝑜 → 𝑍.  Description length of 𝐵 is the cardinality of its range

If ∀𝑧 Pr𝑇 𝑇, 𝑧 ∈ 𝐼 ≤ 𝛾, then Pr

S

𝑇, 𝐵 𝑇 ∈ 𝐼 ≤ 𝑍 ⋅ 𝛾

 Description length composes too.

 Product: 𝛾 ⋅ Π𝑗|𝑍

𝑗|

 And, morally, it is closed under post-processing

 Once you fix the randomness of the post-processing algorithm

[D., Feldman, Hardt, Pitassi, Reingold, Roth ’15]

Approximate max-divergence

𝛾-approximate max-divergence of 𝒀 from 𝒁

𝐸∞

𝛾(𝒀| 𝒁 = log

max

𝑈∈𝑌, Pr 𝒀∈𝑈 >𝛾

Pr 𝒀 ∈ 𝑈 − 𝛾 Pr[𝒁 ∈ 𝑈]

Approximate max-divergence

𝛾-approximate max-divergence of 𝒀 from 𝒁

𝐸∞

𝛾(𝒀| 𝒁 = log

max

𝑈∈𝑌, Pr 𝒀∈𝑈 >𝛾

Pr 𝒀 ∈ 𝑈 − 𝛾 Pr[𝒁 ∈ 𝑈]

We are interested in (with 𝛾, but too messy) 𝐸∞((𝑻, 𝐵 𝑻 )||𝑻 × 𝐵 𝑻 ) = log max

𝑈 Pr[ 𝑻,𝐵 𝑻 ∈𝑈] Pr[𝑻×𝐵 𝑻 ∈𝑈]

Approximate max-divergence

𝛾-approximate max-divergence of 𝒀 from 𝒁

𝐸∞

𝛾(𝒀| 𝒁 = log

max

𝑈∈𝑌, Pr 𝒀∈𝑈 >𝛾

Pr 𝒀 ∈ 𝑈 − 𝛾 Pr[𝒁 ∈ 𝑈]

We are interested in (with 𝛾, but too messy) 𝐸∞((𝑻, 𝐵 𝑻 )||𝑻 × 𝐵 𝑻 ) = log max

𝑈 Pr[ 𝑻,𝐵 𝑻 ∈𝑈] Pr[𝑻×𝐵 𝑻 ∈𝑈]

How much more likely is 𝐵(𝑇) to relate to 𝑇 than to a fresh 𝑇′? Captures the maximum amount of information that an output of an algorithm might reveal about its input

Unifying Concept: Max-Information

 𝐽∞

𝛾 𝒀; 𝒁 = 𝐸∞ 𝛾((𝒀, 𝒁)||𝒀 × 𝒁)

 We are interested in 𝐽∞

𝛾(𝑻; 𝐵 𝑻 )

 Theorem: If 𝐽∞

𝛾 𝑻; 𝐵 𝑻

≤ 𝑙 then for any 𝑈 ⊆ 𝑌𝑜 × 𝑍

 Pr 𝑻, 𝐵 𝑻

∈ 𝑈 ≤ 2𝑙 Pr 𝑻 × 𝐵 𝑻 ∈ 𝑈 + 𝛾

 So Pr 𝑻, 𝐵 𝑻

∈ 𝐼 ≤ 2𝑙 max

𝑧∈𝑍 Pr 𝑻, 𝑧 ∈ 𝐼 + 𝛾 !

[D., Feldman, Hardt, Pitassi, Reingold, Roth ’15]

Unifying Concept: Max-Information

 𝐽∞

𝛾 𝒀; 𝒁 = 𝐸∞ 𝛾((𝒀, 𝒁)||𝒀 × 𝒁)

 We are interested in 𝐽∞

𝛾(𝑻; 𝐵 𝑻 )

 Theorem: If 𝐽∞

𝛾 𝑻; 𝐵 𝑻

≤ 𝑙 then for any 𝑈 ⊆ 𝑌𝑜 × 𝑍

 Pr 𝑻, 𝐵 𝑻

∈ 𝑈 ≤ 2𝑙 Pr 𝑻 × 𝐵 𝑻 ∈ 𝑈 + 𝛾

 So Pr 𝑻, 𝐵 𝑻

∈ 𝐼 ≤ 2𝑙 max

𝑧∈𝑍 Pr 𝑻, 𝑧 ∈ 𝐼 + 𝛾 !

 Max-Information composes and is closed under post-processing  For 𝜗-DP 𝐵: 𝐽∞ 𝐵, 𝑜 ≤ 𝜗𝑜 log2 𝑓. Better bounds for 𝐽∞

𝛾(𝐵, 𝑜).

 𝐽∞

𝛾 𝐵, 𝑜 ≤ log 𝑍 𝛾

[D., Feldman, Hardt, Pitassi, Reingold, Roth ’15]

Bound on worst case approximate max info for any distribution on 𝑜-element databases

Abstract is Good

 Focusing on properties is powerful

 Completely universal approach to validity of adaptive analysis

 DP, small description length, low max-information

 Large numbers of arbitrary adaptively chosen computations

 Closure under post-processing and composition

Long Live the Dataset!

 Leaking information slowly prolongs the lifetime of the system  Similar to the situation with privacy for the sake of privacy

 To avoid too much cumulative loss, answer with smaller values of 𝜗  Essential: Fundamental Law of Information Leakage

 Overly accurate estimates of too many statistics is blatantly non-private.  Dealer’s choice

 Conjecture: The same is true for adaptivity.

 Failure to control cumulative max-info leads to failure to generalize  Important policy Implications!  Supporting evidence: Hardt-Ullman queries

Thank you!

NIPS Workshop on Adaptive Data Analysis, Montreal, 12/11/15