Learning to Collaborate for User-Controlled Privacy

by   Martin Bertran, et al.
Duke University

It is becoming increasingly clear that users should own and control their data. Utility providers are also becoming more interested in guaranteeing data privacy. As such, users and utility providers should collaborate in data privacy, a paradigm that has not yet been developed in the privacy research community. We introduce this concept and present explicit architectures where the user controls what characteristics of the data she/he wants to share and what she/he wants to keep private. This is achieved by collaborative learning a sensitization function, either a deterministic or a stochastic one, that retains valuable information for the utility tasks but it also eliminates necessary information for the privacy ones. As illustration examples, we implement them using a plug-and-play approach, where no algorithm is changed at the system provider end, and an adversarial approach, where minor re-training of the privacy inferring engine is allowed. In both cases the learned sanitization function keeps the data in the original domain, thereby allowing the system to use the same algorithms it was using before for both original and privatized data. We show how we can maintain utility while fully protecting private information if the user chooses to do so, even when the first is harder than the second, as in the case here illustrated of identity detection while hiding gender.



There are no comments yet.


page 1

page 2

page 3

page 4


ZipPhone: Protecting user location privacy from cellular service providers

Wireless service providers track the time and location of all user conne...

Connecting Pixels to Privacy and Utility: Automatic Redaction of Private Information in Images

Images convey a broad spectrum of personal information. If such images a...

When the signal is in the noise: The limits of Diffix's sticky noise

Finding a balance between privacy and utility, allowing researchers and ...

Defending Against Membership Inference Attacks on Beacon Services

Large genomic datasets are now created through numerous activities, incl...

Privacy-Utility Trades in Crowdsourced Signal Map Obfuscation

Cellular providers and data aggregating companies crowdsource celluar si...

Stochastic Privacy

Online services such as web search and e-commerce applications typically...

Learning to Succeed while Teaching to Fail: Privacy in Closed Machine Learning Systems

Security, privacy, and fairness have become critical in the era of data ...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction, Challenges, and Contributions

Advances in machine learning allow to develop products that leverage individuals data to provide valuable services to them. At the same time care must be taken to provide an appropriate protection for users in order to adhere to various privacy, legal, and ethical constraints. Critical to this is to develop a trusting-based system where the data receiver can infer from shared data information a user does not consider private but concurrently cannot infer from the data information the user desires to keep private. Each user should have the ability to define sensitive and non-sensitive information associated with her/his data, which may differ from user to user; we propose that a user and the service provider

collaborate towards achieving user-specific privacy.

We address the following scenario: An entity (e.g., a bank) wants to offer a service to its users based on their data (e.g., an ATM verify the card holder is the legitimate owner). However, some users want to be able to prevent the entity from inferring certain information from their data (e.g., gender), whereas other users may wish to prevent the entity from inferring other attributes (e.g., ethnicity). We assume the entity and each individual user collaborate in creating such system; it is as important for the user to preserve her/his privacy as it is to the entity to guarantee it, being this a mutually beneficial system. First, the users will be more comfortable because their privacy is respected. Second, the entity offering the service increases user’s trust and provides a principled approach to guarantee that they are not using/inferring users’ sensitive information in case of legal/ethical disputes (e.g., their system can be audited to show the private information cannot be extracted).

This proposed new paradigm of collaborative privacy environment is critical since it has been shown once and again that, e.g., algorithmic or data augmentation and unpredictable correlations, can easily break privacy Israel2014 ; Narayanan2008 ; Oh2016 ; Reuben2016 . The impossibility of universal privacy protection has also been studied extensively in the domain of differential privacy Dwork2008 , where a number of authors have shown that assumptions about the data or the adversary must be made in order to be able to provide utility Dwork2010 ; Hardt2016 ; Kifer2011a ; Kifer2014 .111Privacy is not hacking, the first one is the challenge addressed in this work, the second is a security/encryption task. Both are closely connected, and removing private data will immediately improve security.

Therefore, given each individual user specific privacy requirements, it is important to design collaborative systems where each individual user shares a sanitized version of their data with the service provider in such a way that user-defined non-sensitive tasks can be performed but user-defined sensitive ones cannot, with the set of machine learning algorithms available at the service provider. A sanitization mechanism should not alter the data format so that the service provider machine learning system, consisting of a set of algorithms to infer user attributes from their data, can work independently of the user privacy preferences.

Contributions- We propose a novel framework that assumes a system-and-user collaborative environment in order to allow a service provider to infer certain user attributes but not others depending on user-specific privacy preferences. The proposed framework is based on the use of user-specific privacy filters that retain important information for the entity to perform legitimate tasks but simultaneously filter out information necessary for the entity to perform sensitive non-legitimate ones. The proposed framework is agnostic to the presence or absence of such user-specific privacy filters during operation, since by design it can handle both the original and the filtered/privatized data. The service provider uses a single processing pipeline on both sanitized and original data and still guarantee to each individual user that their privacy will be preserved, while still providing the required utility service.

Our proposed framework is also flexible to allow different levels of collaboration between each user and the service provider, from re-training of all key components (utility algorithm, private data inferring algorithm, sanitization function) to re-training only some components, or to re-train only the user-specific privacy filters for ’plug-and-play’ operation. Some of these variations are exemplified here both via deterministic and stochastic sanitization mechanisms that show how we can, without affecting utility, practically achieve the (optimal privacy) prior distribution for the privacy.

The proposed framework is described in Section  2, and learning architectures for it are given in Section 3. Examples are presented in Section 4. Since data should be protected for privacy before being transmitted (even at the sensor level if needed), we present results on a prototype hardware platform (to be demonstrated at the conference) that implements the framework at the data sharing step. We discuss connections with the literature in Section 5. The paper is concluded in Section 6.

2 The Proposed Collaborative Privacy Model

Figure 1: Three components of the collaborative privacy framework from the perspective of a user per her/his privacy preferences. Raw data can be directly fed into the privacy and utility tasks. Since the sanitization function is a transformation that maps a space onto itself, the sanitized data can also be directly fed to both tasks without any need for further adaptations.

The proposed collaborative privacy framework is based on various desiderata: (1) The entity must provide the user concrete guarantees. In particular, given a set of algorithms used by the entity to infer possible user attributes, the entity should be able to guarantee the user what it can and what it cannot infer given the data conveyed by the user to the entity; (2) The user must be able to define what she/he would like the entity to be able to infer (utility); (3) The user should be able to define what she/he would like the entity not to be able to infer (privacy); and (4) The approach should integrate seamlessly (i.e., ’plug-in’) within current systems, in the sense that the entity will not have to alter its existent state-of-the-art inference algorithms in order to allow for user-specific non-sensitive tasks and block user-specific sensitive ones. This is specially important in scenarios where an entity may use many different state-of-the-art algorithms to infer all kinds of user attributes from user data, particularly in platforms with a very large number of users with very different privacy requirements.

Following this, from the perspective of a specific user, the system has three key components, Figure 1, (1) The utility component is the service providing function; it takes input data, either raw or sanitized data, and infers a variable of interest; (2) The privacy component also operates on the same input data (raw or sanitized, they share the same format), and attempts to infer sensitive information from it; and (3) The sanitization function is a learned transformation that maps the input data onto the same space (i.e., maps images to images with the same dimensions). Note that the sanitization function – mapping user data from the input space to the same space – is critical: it allows the user to share “filtered” data with the entity without requiring (potentially) any alteration to the state-of-the-art (utility) inference algorithms.

It is not immediately clear if it is possible to define sanitization functions that transform the data in such a way that the set of pre-trained algorithms for the legitimate tasks perform well while the set of pre-trained algorithms for the sensitive tasks under-performs when the user desires that. For example, for visual data such sanitization functions have to transform an image onto another “image” where information relevant for the utility tasks is preserved whereas information associated with the sensitive tasks is blocked. No current approaches – as reviewed in later sections – have this property. Given the utility components and privacy components (here a single utility and privacy component are considered, but the principles generalize to systems with multiple such components), our goal is to learn a sanitization function that preserves performance on the utility task and lowers performance on the privacy task.


be the Kullback-Leibler divergence from probability distribution

to probability distribution ;

the posterior probability distribution of the utility variable

conditioned on the raw data ; the posterior probability distribution of the utility variable conditioned on the sanitized data ; the posterior probability distribution of the privacy variable conditioned on the sanitized data ; and the prior distribution of the privacy variable. We propose the following loss to train the sanitization function:


The proposed loss function is such that it attempts to guarantee that the outputs of the utility algorithm given the true (

) or sanitized () data are indistinguishable, and concurrently that the output of the privacy algorithm given the sanitized data is indistinguishable from the privacy variable prior. The parameter controls the trade-off between preserving information on the utility variable, and destroying information on the privacy variable. We further emphasize the importance of the mapping constraint on the sanitization function. By preserving the original space of the input data, the sanitization function can work in tandem with both the privacy and utility algorithms without any need to modify existing architectures. It is of course not immediately clear that it is possible to simultaneously filter out a privacy variable while maintaining performance on the utility variable in the raw input space. One of the contributions of this work is to show validations of this concept.

There are several possible training approaches we can pursue, some of them exemplified in this work. We can choose to exclusively train the sanitization function using the proposed loss, leaving the existing privacy and utility algorithms untouched. This training approach is very appropriate for the simple plug-in scenario, since no modification of the pre-trained utility and privacy algorithms is needed.

We can also adversarially train the privacy task. In this scenario, the privacy task is attempting to defeat the sanitization function and simultaneously perform well on unsanitized data. The sanitization function is attempting to fool the privacy task (approximate the privacy prior) and simultaneously maintain performance on the utility task. This training is computationally more expensive, but opens the door to more universal privacy guarantees, being adapted to the architecture but not to its specific parameters (weights); see captions in Figure 3.

Finally, the utility function can be trained collaboratively with the sanitization function; the utility function is aware of the sanitized data and can collaborate with the sanitization function to better preserve utility performance.

Naturally, these approaches can be freely combined to best suit the user’s and entity’s needs. In the following section, we exemplify the plug-and-play and adversarial training approaches.

3 Privacy Learning Architectures

(a) Deterministic
(b) Stochastic
Figure 2: Proposed collaborative privacy learning architectures/models. In the stochastic model the raw image is fed through the gender FaderNet function, where its original gender is overwritten at random. Here the gender attribute is drawn from the prior gender distribution of the dataset. This re-sampled image is then fed into a fully-trainable UNET. In the deterministic model the data is fed directly to the fully-trainable UNET. In both cases the sanitized and raw data are inputs to the privacy and the utility tasks. The UNET and the privacy blocks are trainable, while the weights of the utility model and the FaderNet remain fixed.

To illustrate the proposed framework, we chose subject recognition (harder task) and gender recognition (easier task) as our utility and privacy respectively. We propose two different sanitization architectures, a stochastic one and a deterministic one, Fig  2. We implement them using the plug-and-play and the adversarial approaches mentioned above. In the deterministic architecture, the data is fed directly into a fully-trainable UNET, ronneberger2015u , whose objective is to fulfill the sanitization task. In the stochastic approach the sanitization function first randomly overwrites the gender attribute of the input image using the pretrained FaderNet FaderNetworks , done by sampling the gender of each of the images from the prior gender distribution of the dataset, and then feeds the resulting image through a fully-trainable UNET.

The pretrained FaderNet was chosen as the base for the stochastic sanitization function since this network is already trained to defeat a gender discriminator in its encoding space (privacy variable is concealed here). This proves a suitable baseline comparison and starting point for a sanitization function that needs to fool a gender discriminator in image space while simultaneously preserving subject recognition performance. We show below the performance of using only the pretrained gender FaderNet and demonstrate how training a UNET on top of it improves both the utility and privatization performances.

For both architectures, the UNET portion of the sanitization function was trained using the proposed loss function in Eq. (1). For the adversarially trained results, the final layer of the privacy function (DEXNet) is trained using the binary cross entropy (BCE) loss function,



is a one-hot encoding of the ground truth gender label. This adversarial loss equally weights the performance of the gender detector on both the raw (unsanitized) data (

) and the sanitized data (

). The sanitization and privacy tasks are playing an adversarial game. Adversarial training provides stronger privacy guarantees since the privacy detector is unable to infer the privacy variable even after retraining. We alternate the training of the DEXNet and UNET every one epoch, in the supplementary methods section we show how the losses

and evolve in each iteration.

4 Experimental Results

Our data consisted of 15k samples (10k train, 5k test) from the realigned FaceScrub dataset Ng2014 . The identification utility task is performed using the ResNet-50 implementation of VGGFace2 cao2017vggface2 , where the final dense layer was retrained on the chosen dataset. For gender recognition (privacy) we used a pretrained WideResNet-based, zagoruyko2016wide , implementation of DEXNet rothe2018deep .

Figure 3 shows the utility/privacy trade-off achieved by the stochastic and deterministic sanitization functions over the tested values, as measured by the KL divergence for both the plug-and-play and adversarial training. As increases, the privacy task quickly approaches the prior distribution (KL divergence goes to zero), while the utility task correspondingly loses performance (KL divergence increases). We also observe that the baseline performance of the pretrained FaderNet comes at a considerable cost in utility performance. We also observe that the full stochastic architecture trained following Eq. (1) is able to simultaneously recover performance on the utility task and improve performance on the privacy task. For this particular example, the sanitization function trained with Eq. (1) shows a net improvement over both the privacy and utility tasks with no downside.

(a) Deterministic model
(b) Stochastic model
Figure 3: Trade-off achieved by the sanitization function between the KL-divergence of the utility distribution from the objective () and the KL-divergence of the gender distribution from the prior (). Compared to the adversarial approach, we observe better performance of the tailored plug-and-play (task is inherently easier). Thereby it is important to show the still excellent performance of the “more universal” adversarial training (tested gender networks that performed the same for unfiltered data and adversarial filtered data, the privacy deteriorated by up to 90% on the plug-and-play sanitization). For no sanitization occurs and there is no loss in utility performance. As increases ( in the figure), the KL-divergence for the utility increases and the privacy performance quickly approaches the prior.

Figures 4, 5 and 6 show more directly interpretable results on privacy and utility performance as a function of . Figures 4 and 5 shows how the output probabilities of the gender classification model approach the prior distribution of the dataset as increases for the adversarial and plug-and-play approaches respectively. We see that images from both female and male subjects produce output gender probabilities close to the dataset prior even for relatively low values. Figure 6 shows how the top-5 categorical accuracy of the subject recognition task varies across different values and training modalities. These results suggest that under these conditions we can achieve almost perfect privacy while maintaining reasonable utility performance.

(a) , Deterministic model
(b) , Deterministic model
(c) , Stochastic model
(d) , Stochastic model
Figure 4: Detailed breakdown of the gender probabilities computed by the privacy task as a function of

for the test dataset; training was done adversarially. Whisker plots show median and interquartile ranges, with outliers shown as circles. The first column shows the output probability of being male (M) as computed by the gender discriminator over all female (F) subjects. Second column shows the same output probabilities for all male subjects. Results are shown as a function of

, where

is the performance over raw data. The dotted blue line indicates the prior probability of the dataset.

(a) , Deterministic model
(b) , Deterministic model
(c) , Stochastic model
(d) , Stochastic model
Figure 5: Detailed breakdown of the gender probabilities computed by the privacy task as a function of , training was done in a plug-and-play approach. Whisker plots show median and interquartile ranges, with outliers shown as cricles. The first column shows the output probability of being male (M) as computed by the gender discriminator over all female (F) subjects. Second column shows the same output probabilities for all male subjects. Results are shown as a function of , where is the performance over raw data. The dotted blue line indicates the prior probability of the dataset.
(a) Top-5 Categorical accuracy, Deterministic model, adversarial approach
(b) Top-5 Categorical accuracy, stochastic model, adversarial approach
(c) Top-5 Categorical accuracy, Deterministic model, plug-and-play approach
(d) Top-5 Categorical accuracy, stochastic model, plug-and-play approach
Figure 6: Top-5 categorical accuracy of the subject recognition task as a function of for both the deterministic and stochastic models. The baseline of simply using the pretrained FaderNet sampler is also shown for comparison. Note that the stochastic model is able to improve performance on the Top-5 categorical accuracy metric for some values when compared to the baseline model.

We also show that retraining the privacy task adversarially with the sanitization function does not sacrifice performance on unfiltered data. Figure 7 in the supplementary material section shows how the output probabilities of the gender classification model on unfiltered data after adversarial training either maintains or improves performance when compared with the original gender classification model. This means that if the user decides not to block the gender (private data), the same system maintains its performance (and so does the utility/identity).

We show the loss evolution of the sanitization task (Eq.1) and the privacy task (Eq.2) across batch iterations for different values in figures 8 and 9 in the supplementary material section. We observe that all losses settle quickly, and that overall the privacy loss grows over time as it is unable to infer the sensitive variable on the sanitized data.

An Onboard Implementation-

The framework here proposed calls for the user to decide what to share and what not to share, and as such it renders itself for the sanitization function to be implemented as close as possible to the data acquisition, clearly before the user sharing her/his data with the service provider. To illustrate this concept, we have designed a hardware prototype, described in the supplementary information. In brief, the system consists of an end device, capturing user visual data, and an entity, processing the user data. The end device captures visual data, performs face detection, applies a privacy filter (per the user privacy requirements), and conveys the sanitized data to the service provider. The entity applies the algorithms associated with the utility and privacy tasks to the sanitized data. The respective results are displayed in a user interface. We tested the performance of the trained sanitation functions over images acquired with the proposed hardware implementation. Four new subjects provided

training images total, the subject identification network was retrained to also recognize these new subjects, in addition to all the subjects already present in the FaceScrub database. The sanitization functions were not retrained on the newly acquired images. Figure 14 in the supplementary material shows representative results on the stochastic plug-and-play sanitization function over test images. The sanitization function preserved utility performance while successfully blocking inference on the privacy variable.

5 Connections with the Literature

Our proposed framework and perspectives are new but these also connect to various elements in the privacy, statistics, and machine learning literature. Our goal here is to describe how our concepts relate to and depart from key concepts in this vast literature.

Differential Privacy- Differential privacy and (local) differential privacy based data release mechanisms are often considered to be the gold standard in privacy Dwork2008 . Data release mechanisms based on (local) differential privacy – which are also based on the application of some form of sanitization function to the original data – ensure it will be almost impossible for a data receiver to distinguish whether or not there is a certain element in a dataset/database or a certain attribute in the data held by the data holder. However, such data release mechanisms can also result in substantial utility loss Dwork2010 ; Hardt2016 ; Kifer2011a ; Kifer2014 . Our user-specific privacy collaborative approach departs from differential privacy in various ways. In particular, by building upon the premise that it is of interest both for users and service providers to collaborate to achieve privacy (and utility), we design data release mechanisms – our privacy filter – that achieve both utility and privacy, that are user-specific, and that are transparent to the service provider existing algorithms/architectures.

Information Bottleneck and Privacy Funnel- The privacy funnel – a concept closely related to the information bottleneck IB – has also been recently considered as a basis for the design of data release mechanisms funnel (see also Wang2018 ). In particular, this approach can lead to data release mechanisms that strike a balance between the level of utility and the level of privacy. Both our approach and the privacy funnel (and its variants) can lead to data release mechanisms that meet specific user privacy requirements. However, it is not entirely clear how to design ’plug-and-play’ privacy filters using the privacy funnel without the collaborative framework proposed here.

Adversarial Networks and Adversarial Examples- Adversarial game-type models as the one here presented clearly remind us of the type of works represented by generative adversarial networks (GANs) Goodfellow2014

. GANs are designed to learn the data (feature) distribution, while in our framework the task is to preserve privacy while guaranteeing utility, maintaining only the utility-needed data structure. As such, the proposed model addresses two goals, while GANs have the single goal of distribution learning (implemented though via the game-theory approach of two competing terms, not to confuse with two competing explicit tasks). We use the same general concept in

Goodfellow2014 of training for adversarial goals, as also exploited in some of the works described below. Similarly, the literature on adversarial examples, Adversarial , connects to our work, while at the same time being very different. Our goal is to preserve utility while creating uncertainty in the private data, while adversarial examples do not guarantee utility or privacy, but rather are targeted to make the system fail (note that making the system always fail in gender for example will actually reveal the gender with full certainty).

Removing Nuisance/Attribute Variable- A series of works have shown how to produce signals that preserve certain properties while removing others FaderNetworks ; Pivot ; ControllableInvariance . While these works share certain architectural similarities with ours, and can be used as components or complementary to the framework here proposed, they are different both in goals and accomplishments. Works such as FaderNetworks produce images without the nuisance, without guaranteeing neither the utility nor the privacy, e.g., producing a female version of a male face does not guarantee the utility (recognition) or even the privacy (gender). This is demonstrated in Section 4. The use of GANs in Pivot

is in order to address robustness of the classifier/regressor to nuisance variables. Same goal motivates

ControllableInvariance , which contrary to us trains both the utility and the privacy classifiers, and both can only handle filtered data (the training is done into arbitrary spaces). The possibility to handle both filtered and unfiltered data and to not retrain all system components is critical for the utility provider adoption of a framework as the one here developed. Note also that the image example in ControllableInvariance uses privacy and utility tasks that are statistically independent, whereas the pair of tasks we chose are very strongly related (there is an injective mapping from subjects to gender), thereby being a much harder problem. Finally, we should make a clear distinction between aiming at making sure the output of the predictor/classifier is independent of the nuisance variable like in these works, which is more related to the closer topic of fairness (one of the examples addressed in ControllableInvariance ), and the aim of privacy, which needs to make sure that the nuisance/sensitive variable is independent of the encoded features.

Protecting Training Data- The remarkable success of machine learning has led to intense interest in the privacy of the data used for training, since the released training models contain information about it, e.g., Carlini2018 ; Hitaj2017 . Efforts to protect such data have been made, in particular, combining tools from differential privacy with parallel and independent training using data partitions and teacher/student paradigms Acs2017 ; PATE . Contrary to these works, we are not concerned here with the protection of the training data but some of the attributes of the testing data, which depending on the users desires about whether these should or should not be revealed. In spite of these fundamental differences, these efforts do provide some insights for potential future directions for the challenge here addressed, in particular the use of different combinations and partitions of data for training the utility and privacy components, including potentially training them with different combinations of original and filtered data and of true and random labels. Studying the utility training with the filtered data produced by our algorithm is a subject of interest and future work (Carlini2018 investigated training with sanitized data in their framework). The same applies to the important subject of fairness, and investigating the possibility of training with data that preserves utility but blocks potential biasing information, as produced by our filter, is of value as well (see also ControllableInvariance for a contribution in this direction).

6 Concluding Remarks

We introduced a new paradigm where users and entities collaborate to achieve both utility and privacy per a user specific requirements. One salient feature of this paradigm is that it can be completely transparent – involving only the use of a simple user-specific privacy filter applied to user data – in the sense that it requires otherwise no modifications to the system infrastructure, including the service provider algorithmic capability, in order to achieve both utility and privacy.

Representative architectural and system concepts, and results, suggest that such a collaborative based user-controlled privacy approach can be achieved. While the results here presented clearly show the potential of this approach, much has yet to be done, from theoretical foundations to algorithm development to practical architectures, and extensions to scenarios involving multiple users with different utility and privacy requirements and scenarios involving other data types.


Work partially supported by NSF, ONR, NGA, and ARO.


  • (1) G. Acs, L. Melis, C. Castelluccia, and E. De Cristofaro.

    Differentially private mixture of generative neural networks.

    17th IEEE International Conference on Data Mining, 2017.
  • (2) Q. Cao, L. Shen, W. Xie, O. M. Parkhi, and A. Zisserman. VGGFace2: A dataset for recognising faces across pose and age. arXiv preprint arXiv:1710.08092, 2017.
  • (3) N. Carlini, C. Liu, J. Kos, U. Erlingsson, and D. Song. The secret sharer: Measuring unintended neural network memorization and extracting secrets. arxiv:1802.08232, 2018.
  • (4) C. Dwork. Differential privacy: A survey of results. International Conference on Theory and Applications of Models of Computation, pages 1–19, 2008.
  • (5) C. Dwork and M. Naor. On the difficulties of disclosure prevention in statistical databases or the case for differential privacy. Journal of Privacy and Confidentiality, 2(1):93–107, 2010.
  • (6) I. J. Goodfellow, J. Pouget-Abadie, M. Mirza, B. Xu, D. Warde-Farley, S. Ozair, A. Courville, and Y. Bengio. Generative adversarial nets. Advances in Neural Information Processing Systems (NIPS), pages 2672–2680, 2014.
  • (7) M. Hardt, E. Price, and N. Srebro.

    Equality of opportunity in supervised learning.

    Advances in Neural Information Processing Systems (NIPS), pages 3315–3323, Oct. 2016.
  • (8) B. Hitaj, G. Ateniese, and F. Perez-Cruz. Deep models under the GAN: Information leakage from collaborative deep learning. arXiv:1702.07464, 2017.
  • (9) S. Israel, A. Caspi, D. W. Belsky, H. Harrington, S. Hogan, R. Houts, S. Ramrakha, S. Sanders, R. Poulton, and T. E. Moffitt. Credit scores, cardiovascular disease risk, and human capital. Proceedings of the National Academy of Sciences, 111(48):17087–17092, 2014.
  • (10) D. Kifer and A. Machanavajjhala. No free lunch in data privacy. ACM SIGMOD International Conference on Management of data, pages 193–204, 2011.
  • (11) D. Kifer and A. Machanavajjhala. Pufferfish: A framework for mathematical privacy definitions. ACM Transactions on Database Systems, 39(1):3:1–3:36, 2014.
  • (12) D. E. King. Dlib-ml: A machine learning toolkit. Journal of Machine Learning Research, 10:1755–1758, 2009.
  • (13) A. Kurakin, I. Goodfellow, S. Bengio, and et al. Adversarial attacks and defences competition. arXiv:1804.00097, 2018.
  • (14) G. Lample, N. Zeghidour, N. Usunier, A. Bordes, L. Denoyer, and M. Ranzato. Fader networks: Manipulating images by sliding attributes. Advances in Neural Information Processing Systems (NIPS), 2017.
  • (15) G. Louppe, M. Kagan, and K. Cranmer. Learning to pivot with adversarial networks. Advances in Neural Information Processing Systems (NIPS), 2017.
  • (16) A. Makhmoudi, S. Salamatian, N. Fawaz, and M. Médard. From the information bottleneck to the privacy funnel. Information Theory Workshop, 2014.
  • (17) T. Naftali, F. Pereira, and W. Bialek. The information bottleneck method. The 37th annual Allerton Conference on Communication, Control, and Computing, 1999.
  • (18) A. Narayanan and V. Shmatikov. Robust de-anonymization of large sparse datasets. IEEE Symposium on Security and Privacy, pages 111–125, 2008.
  • (19) H. Ng and S. Winkler. A data-driven approach to cleaning large face datasets. IEEE International Conference on Image Processing (ICIP), pages 343–347, 2014.
  • (20) S. J. Oh, R. Benenson, M. Fritz, and B. Schiele. Faceless person recognition; Privacy implications in social media.

    European Conference on Computer Vision (ECCV)

    , pages 19–35, 2016.
  • (21) N. Papernot, S. Song, I. Mironov, A. Raghunathan, K. Talwar, and U. Erlingsson. Scalable private learning with PATE. ICLR, 2018.
  • (22) Raspberry Pi Foundation. Raspberry Pi 3 Model B, 2016.
  • (23) Raspberry Pi Foundation. Raspberry Pi Camera Module V2, 2016.
  • (24) A. Reuben, T. E. Moffitt, A. Caspi, D. W. Belsky, H. Harrington, F. Schroeder, S. Hogan, S. Ramrakha, R. Poulton, and A. Danese. Lest we forget: comparing retrospective and prospective assessments of adverse childhood experiences in the prediction of adult health. Journal of Child Psychology and Psychiatry, 57(10):1103–1112, 2016.
  • (25) O. Ronneberger, P. Fischer, and T. Brox. U-net: Convolutional networks for biomedical image segmentation. In International Conference on Medical Image Computing and Computer-Assisted Intervention, pages 234–241. Springer, 2015.
  • (26) R. Rothe, R. Timofte, and L. Van Gool. Deep expectation of real and apparent age from a single image without facial landmarks. International Journal of Computer Vision, 126(2-4):144–157, 2018.
  • (27) H. Wang, M. Diaz, F. Calmon, and L. Sankar. The utility cost of robust privacy guarantees. arXiv:1801.05926, 2018.
  • (28) Q. Xie, Z. Dai, Y. Du, E. Hovy, and G. Neubig. Controllable invariance through adversarial feature learning. Advances in Neural Information Processing Systems (NIPS), 2017.
  • (29) S. Zagoruyko and N. Komodakis. Wide residual networks. arXiv preprint arXiv:1605.07146, 2016.

Performance of Gender Classification Model on Unfiltered Data

We show how the adversarially trained privacy task maintains or improves performance on unfiltered data on Figure 7. This empirically shows that there is little to no downside to this adversarial retraining of the privacy function.

(a) , Deterministic model
(b) , Deterministic model
(c) , Stochastic model
(d) , Stochastic model
Figure 7: Detailed breakdown of the gender probabilities computed by the adversarially trained privacy task as a function of for the test dataset over unfiltered images. Whisker plots show median and interquartile ranges, with outliers shown as circles. The first column shows the output probability of being male (M) as computed by the gender discriminator over all female (F) subjects. Second column shows the same output probabilities for all male subjects. Results are shown as a function , where is the performance of the untrained gender detector over raw data.

Details on Evolution of Training Losses Across Iterations

Here we show the loss evolution of the sanitization task () when using the plug-and-play and adversarial training for both the deterministic (figures 8 and 10) and stochastic architectures (figures 9 and 11). The privacy loss () is also shown on the adversarial training approach. The privacy and sanitization tasks are trained alternatively every epoch. Overall, grows over time as it is unable to infer the sensitive variable on the sanitized data.

(a) = 0.05
(b) = 0.2
(c) = 0.5
(d) = 0.8
Figure 8: Evolution of the privacy loss () and sanitization loss () as a function of training time.Results are shown on the deterministic model trained adversarially. We observe that the both losses settle quickly, and that overall, the privacy loss grows over time as it is unable to infer the sensitive variable on the sanitized data.
(a) = 0.05
(b) = 0.2
(c) = 0.5
(d) = 0.8
Figure 9: Evolution of the privacy loss () and sanitization loss () as a function of training time. Results are shown on the stochastic model trained adversarially. We observe that both losses settle quickly, and that overall, the privacy loss grows over time as it is unable to infer the sensitive variable on the sanitized data.
(a) = 0.05
(b) = 0.2
(c) = 0.5
(d) = 0.8
Figure 10: Evolution of the sanitization loss () as a function of training time. Results are shown on the deterministic model trained using the plug-and-play approach. The loss quickly settles to its final value.
(a) = 0.05
(b) = 0.2
(c) = 0.5
(d) = 0.8
Figure 11: Evolution of the sanitization loss () as a function of training time. Results are shown on the stochastic model trained using the plug-and-play approach. The loss quickly settles to its final value.

Details on the Onboard Implementation

This section describes a proof-of-concept prototype of our proposed collaborative privacy based system. The main components of this system are an edge device and an entity. The edge device is responsible to obtain visual user data, pre-process the visual data, and convey it to the entity. The pre-processing phase occurs when the user chooses to protect data that she/he does not want the entity to infer. This phase includes several tasks:

  1. The first task is to locate a face (or multiple faces) within the acquired visual data. In particular, we use the face detector from dlib library dlib09 , consisting of a combination of the Histogram of Oriented Gradients (HOG) feature with a linear classifier, an image pyramid, and sliding window detection scheme. After this, the found faces are treated as individual images.

  2. The second task is to filter what the user would like the entity not to be able to infer. Each detected face is filtered according to the learned sanitization function responsible for the selected feature the user wishes to protect. This process transforms the data onto another piece of data, in the same space, such that utility is preserved but privacy is protected.

  3. Finally, the data is conveyed to the entity using TCP/IP protocols.

Figure 12 summarizes these various steps.

Figure 12: Edge device and entity tasks.

A Raspberry Pi 3 Model B board Rpi3 with quad-core 1.2GHz ARM Cortex A53 (ARMv8) CPU and 1GB LPDDR2 RAM running at 900MHz was used as a system’s edge device. The operating system installed on the board is Raspbian and it is powered by a 5.1 Volts micro USB supply. In order to obtain the visual data, a Raspberry Pi camera module v2 Rpicamera was attached to the Raspberry Pi board via a ribbon cable. The camera module v2 is based on the 8-Megapixels resolution Sony IMX219 sensor. The images are sent using the embedded WIFI module of the Raspberry Pi 3. See Figure 13 for these components.

Figure 13: System overview.

For the purposes of the entity component, we developed a local server. This server communicates with the Raspberry Pi 3 using a Wireless Local Area Network (WLAN) to receive the user data. There, the received information is saved and displayed on a user interface. In parallel, a number of algorithms are used in order to try to infer information from the visual data. The classification results are displayed in the same interface as well.

Figure 14 shows representative results on the stochastic plug-and-play sanitization function over test images. The sanitization function preserved utility performance while successfully blocking inference on the privacy variable.

(a) Top-5 categorical accuracy, stochastic model.
(b) , Stochastic model
(c) , Stochastic model
Figure 14: Detailed breakdown of the top-5 categorical accuracy and gender probabilities computed by the utility and privacy tasks as a function of on data from the hardware-acquired dataset. The sanitization function shown here is the stochastic model trained using the plug-and-play approach.