Introduction
Preserving data privacy is an essential tenet required to maintain the bond of trust between consumers and corporations. Consumers expect their data to remain secure while being used to design better services for them without compromising their identities – especially while carrying out sensitive transactions and interactions. We define these potentially compromising and personally identifiable data as sensitive data
. Annotated data drives the machine learning economy and sensitive data holds the key to building richer experiences for users interacting with modern AI interfaces. However, in a bid to get annotations, sensitive data in the wrong hands could lead to irreparable damage in terms of reputation and trust between data holders and their users.
This potential data transfer deserves greater monitoring in the era of human powered crowdsourcing and active learning. As niche classification tasks arise to power new applications, they often lack an abundance of preannotated datasets. With active learning, the learner can select a subset of the available data points to be annotated. This can exponentially reduce [Settles2010] (in some cases) the number of training queries required. However, the cost [Dasgupta2011, Arora, Nyberg, and Rosé2009, Settles2010] of labelling machine learning datasets is traditionally viewed as a function of the expert, time or price.
In this paper, we argue that, for nonpublic datasets, the cost of learning the true labels should also factor in the privacy of the information contributed by the data owners to the data custodians. As a result, the active learning condition (beyond simply selecting the best examples) becomes twofold when submitting a batch
of data for annotation: (1) labeling this selected subset leads to the greatest increase in our machine learning model performance, (2) the probability of revealing any query that can uniquely identify a specific user is very small (and quantifiable by a privacy parameter).
Contributions
Recent studies into privacy and machine learning have focused on preserving model parameters from leaking training data [Papernot et al.2016, Hamm, Cao, and Belkin2016]. See [Ji, Lipton, and Elkan2014] for a recent survey. However, in this paper, we address the privacy preserving requirement from the point of view of training samples that are sent to annotators from an active learning model. To the best of our knowledge, this is the first paper that views preserving privacy in machine learning from this angle. We also describe how techniques such as anonymity does not provide sufficient privacy guarantees and how this can be improved using differential privacy (DP). We describe how to do this by providing experimental results after discussing an approach that leverages one of the DP algorithms from literature.
Background
In this section, we present an introduction to active learning and the privacy challenge of outsourcing queries to the crowd. We then describe anonymity, its shortcoming in providing an adequate privacy model for active learning and how this can be improved with differential privacy.
Active Learning
The central premise of active learning is that a model is able to perform as well with less data, if a learner can select the training examples that provide the highest information [Settles2010]. Formally described, using a classification task: let be a distribution over where the goal is to output a label from the label space {} given an input from the feature space . The learner receives a batch of i.i.d. draws (), …, () over the unknown underlying distribution . The value of is unknown unless an annotation request is made by the learner. The objective is to select a hypothesis function , where err() = is small. Given that is the space of all hypothesis, and err is the hypothesis with minimum error, the aim of active learning is to select a hypothesis with error err() within reasonable bounds of err() by using few annotation requests (i.e., few compared to a passive learner).
Various strategies have been proposed to implement an active learner. One is uncertainty sampling [Lewis and Gale1994] which attempts to select the query that the model is least convinced about; i.e., , where is the label with the highest posterior for model and is maximized over the range of all the unlabeled examples in the training pool. Other approaches to uncertainty sampling use either the margin between the two most probable classes and ; i.e., or a general entropybased uncertainty over all the possible classes; i.e., .
The main privacy issue with active learning stems from the need to scale the annotation process by crowdsourcing the labels via an open call [Howe2006]. Whenever you make a request to an external resource, you pay a privacy cost by transmitting the information to be annotated. This problem is compounded when there is only one oracle [Avidan and Butman2007] or collusion among crowd workers. In this paper, we describe privacy notions that can be used to address these concerns along the privacyutility tradeoff spectrum.
Privacypreserving machine learning
kAnonymity
At first glance, a straightforward approach for addressing the privacy concerns of active learning could be through anonymity [Sweeney2002, Di Castro et al.2016]; i.e., ensuring each query that is sent out for crowdsourcing occurs at least times. In deploying anonymity, the first step involves identifying a set of quasiidentifiers. In our context, these are user queries which can be potentially combined with an externally available dataset to uniquely identify a user. The frequency set of these quasiidentifiers represent the number of occurrences in the dataset. We therefore say that a dataset satisfies anonymity relative to the quasiidentifiers if when it is projected on an external dataset, the frequency set occurs greater than or equal to times.
To achieve anonymity when the size of the frequency set is less than a desired , the attributes are anonymized by either generalizing or suppressing the information. For example, marital status attributes listed as married, divorced or widowed are generalized as once married, while the ethnicity is redacted as *****.
Despite its promise, anonymity has fundamental challenges, some of which are exacerbated by our unstructured data domain. First, [Aggarwal2005] demonstrated that anonymity suffers from the curse of dimensionality since generalization (such as with traditional database columns), requires cooccurrence of words across different examples, but unstructured data such as text phrases tend to follow a heavytailed distribution that have a low cooccurrence of words. Secondly, the choice of quasiidentifiers might exclude the selection of some useful sensitive attributes which could then be used for reidentification attacks. This led to other approaches such as diversity [Machanavajjhala et al.2006] and closeness [Li, Li, and Venkatasubramanian2007] to handle sensitive attributes. In our implementation, we subsume the quasiidentifiers to include the entire user query.
Therefore, by ‘hiding in the crowd’ of , a user has received some assurance from anonymity that their sensitive query will not be outsourced from the active learning model unless it passes a meaningful threshold. However, stronger formal privacy guarantees are required to demonstrate that given the user’s query, an attacker cannot decide where it came from with certainty. With anonymity, we are unable to directly quantify a privacy loss value, nor state the bounds of the guarantee of this loss. These two quantities are obtainable from a differential privacy model which we now describe.
Differential Privacy
To motivate our discourse on why we need stronger privacy guarantees than what anonymity provides, we consider a hypothetical scenario: Would a user be comfortable asking an AI agent a sensitive question, with the knowledge that the question will be possibly used to further train agent’s learning model? We denote the training data available to the model before the user submission as , and the data after the user question as . These are adjacent datasets differing on only one record. We posit that a user will be comfortable if (1) where is a query over the dataset; and (2) where is a user secret. These points are articulated in Dalenius’s Desideratum [Dwork2011] that:
Anything that can be learned about a respondent from the statistical database should be learnable without access to the database
However, we can’t make these exact guarantees because datasets are meant to convey information and they will have no utility if these points were true.
What Differential Privacy [Dwork2011, Dwork and Roth2014] offers is a strong privacy guarantee on adjacent datasets (taking our AI agent example), that: the example selected for active learning will be very similar whether or not the user added their sensitive question. This means, an adversarial annotator receiving a random training query cannot guess with certainty if the query was from dataset (which doesn’t include the user’s query) or (which includes it).
With this, we state that, a randomized algorithm that receives as input a dataset with records from a universe and outputs an element from is differentially private if for every pair of databases and differing in one record and every possible set of outputs we have
(1) 
The parameter accounts for a relaxed chance of the guarantee not holding – otherwise, it will be equivalent to just selecting a random sample on the order of the size of the dataset. One benefit of the differential privacy model is that it has a quantifiable, non binary value for privacy loss which helps in deciding to comparatively select one algorithm over the other. We observe an output of the random algorithm where we believe that was more likely produced by and not , then the privacy loss from the query that yields on an auxiliary input x is:
(2) 
So we surmise that differential privacy promises to prevent a user from sustaining additional damage by including their data in a dataset; and the privacy loss obtained is with probability .
A common method for making the results of a statistical query differentially private involves adding Laplacian noise proportional to either the query’s global sensitivity [Dwork2008, Dwork et al.2006] or the smooth bound of the local sensitivity [Nissim, Raskhodnikova, and Smith2007] (where sensitivity ). However, for noncontinuous domains, adding noise can result in unintended consequences that completely wipe out the utility of the results e.g., [Dwork and Roth2014] describe how attempting to add noise to the query for the optimal price for an auction could drive the revenue to zero.
Research has however shown that apart from providing reasonable and well understood protection from inadvertent exposure [Di Castro et al.2016], anonymity can also be used as a launchpad for achieving quantifiable differential privacy without the utility loss that comes from applying noise [Li, Qardaji, and Su2012, SoriaComas et al.2014].
Privacy Preserving Active Learning Framework
This section introduces our proposed framework for carrying out active learning with privacy guarantees on queries that are sent to an external oracle. It presents the task we try our approach on, highlights the considerations that drive our choices and lays out a high level pseudocode of our approach.
Task model
Our task consists of a very large dataset of user queries
that represent the user intent (we map the queries to the intent and do not extract specific quasiidentifiers in order to prevent leakages from uncaptured sensitive attributes). Our pipeline consists of an active learning model which learns a binary classifier, predicting if a user intent belongs to a specified class or not. The model is bootstrapped with a golden set of user queries and their associated intents. Subsequent queries from a fixed pool are added to a
RankedExamplePool where they are ordered by confidence/uncertainty [Gal and Ghahramani2016]from our deep learning model.
To train the model, it first draws on the golden set, then we make a call to draw an uncertain query from the pool with the criteria that knowing the accurate intent of this query gives the best performance increase to the model while preserving privacy. The query is then outsourced to external annotators and the annotated labels are reincorporated into the model training process.
Considerations
Given the size and projected scale of our dataset (
queries), we decide to employ randomized probabilistic algorithms in estimating if a query satisfies
anonymity. Compute and memory resources are thus freed up for training and retraining the model rather than maintaining the frequency and cardinality of incoming queries. Each algorithm (detailed below) is adjusted to prevent overestimations which could erode the privacy guarantees. Furthermore, after a query is presumed to satisfy anonymity, only of the queries is sent to external annotators to prevent an aggregation of privacy losses.Approach
In this paper, we adopt the differential privacy algorithm from [Li, Qardaji, and Su2012] but we utilize it in an active learning setting to select a subset of training examples to send for crowdsourcing. We also note that other DP methods that have been designed for search logs and include a form of parameter aggregation such as: [Korolova et al.2009], Zealous [Gotz et al.2012] and SafeLog [Zhang et al.2016] can be implemented to obtain similar results.
We take a twostepped approach to extend anonymity to yield a quantifiable differentially private active learning model taking a cue from how [Li, Qardaji, and Su2012] demonstrated the use of presampling to achieve differential privacy with anonymity. This is predicated on Theorem 1 from [Li, Qardaji, and Su2012] which states that: given an algorithm which satisfies differential privacy under sampling, then also satisfies differential privacy under sampling for any where
(3) 
Therefore, anonymity on our full dataset (i.e., ) can instead be preceded by a mechanism that samples each row of its input with probability , with anonymity then applied to the resulting subsample to yield differential privacy for within the bounds . Thus the effect of sampling serves to amplify preexisting privacy guarantees [Balle, Barthe, and Gaboardi2018].
Furthermore, we harden our anonymity to offer ‘safe’ anonymization by aggregating the queries by frequency rather than using a distance based measure [LeFevre, DeWitt, and Ramakrishnan2006]. The benefit we get from this is that no query within our set of contains any extraneous sensitive text which could be used as a source of reidentification or to carry out reconstruction attacks.
The next sections describe: how we carry out our sampling to ensure we select useful candidates in an efficient manner, and how we estimate anonymity using the queries.
Efficient subsampling for active learning
Given a multiset of query sets {} with repetitions where a given is a tuple , and a sampling rate , our objective is to return a subsample from which to carry out anonymization before training our active learner. Let n be the number of distinct query sets —{}— with elements {}. For a very large dataset size s, we seek to estimate using only m registers where . The number of distinct queries in our sample set therefore become .
To estimate the cardinality , we utlize the HyperLogLog algorithm by [Flajolet et al.2007]. HyperLogLog is a probabilistic cardinality estimator that uses a very small memory footprint (
12kb per key) for a low standard error (
%) while scaling up to dataset sizes as large as items^{1}^{1}1Values taken for the Redis implementation of HyperLogLog  http://antirez.com/news/75.For each incoming , a hash is computed and converted to base 2. The b least significant bits are used to identify the register location to modify, where or . With the remaining bits w, a count p(w) is made of the number of running up to the leftmost
. For a very large, uniformly distributed multiset of random numbers, 2 raised to the maximum value of
p(w) gives a wide approximate of the cardinality. To correct this, HyperLogLogbreaks the multiset into subsets and uses the harmonic mean of the subsets.
After determining our sample size, the next step is to draw a random set of unique samples without replacement up to . We keep each element in the dataset with probability . The ensuing subsample represents the new dataset in our RankedExamplePool from which we will carry out our anonymization.
Estimating kanonymity using query frequency
Given a multiset of query sets {} with repetitions such that the frequency of is and is a tuple . For a very large dataset size , we seek to estimate using sublinear space. To estimate the query frequency, we use the CountMeanMin with conservative update [Goyal, Daumé III, and Cormode2012] sketch algorithm which is an improvement on the proposed CountMin sketch algorithm by [Cormode and Muthukrishnan2005]. For each incoming , different hashes of the queries is computed and a counter indexed by each hashed result is incremented. To return the frequency, the minimum over all index locations for is returned. To further reduce the potential of error from overestimation, conservative updates are employed to increment only the minimum counter from the indexes, and an estimated noise is further deducted from the result.
Therefore after initial presampling step, we select only queries which occur at least times. These queries are then added to the RankedExamplePool where the next_example is drawn based on the element with the highest uncertainty measure. The benefit of using the frequency to satisfy anonymity rather than using partitioning, clustering and recoding, or distance based algorithms, is to prevent attacks that rise from an attackers apriori knowledge of a dataset. For example, a cluster of
with one sensitive or extreme outlier (e.g., a cluster of incomes within zip code with one UHNW outlier becomes easily identifiable by an attacker even though the aggregation was based on nearest neighbors).
Experiments
Our work seeks to demonstrate quantifiable privacy preserving guarantees in an active learning setting by taking a presampling approach before carrying out anonymization. We evaluate our approach on an internal dataset used for intent classification on voice devices.
Datasets
The Intent Classifier dataset consists of a subset of queries from February . The dataset is used to train a model which determines a binary intent for a user. The dataset consists of M queries comprising K distinct data points. Each record contains a user query and a label indicating if it is categorized as a Positive or Negative intent query. Part of the dataset has also been previously discussed and described by [Yang et al.2018]. Figures 0(c) and 0(d) show the nature of the dataset with a histogram and plot of the frequency distribution of the queries. As expected with textual data, there is a long tail of queries which were observed just once (making up of the dataset). The dataset consists of of queries labelled as Positive intents vs being Negative.
Experiment setup
The experiment task was binary intent classification in an active learning setting. We created a new baseline model which predicts Positive and Negative intents. For the experiments, the model was initially bootstrapped with labeled examples. The active learner then queries a data pool to get a batch of additional training examples to improve the model. The active learning strategy was uncertainty sampling based on confidence scores.
The confidence and uncertainty scores for the active learning model were obtained from a Bayesian deep learning model described in [Yang et al.2018] where model uncertainty, quantified by Shannon entropy is and is the averaged predicted probability of class for , sampled times by Monte Carlo dropout. A histogram of the confidence and uncertainty scores can be seen in Figures 0(a) and 0(b).
We simulated the probability of the crowd annotators returning the correct answers to the requested queries by drawing from a normal distribution with mean centered at
(see [Yang et al.2018]’s Figure (a) for more).Evaluation metrics
To evaluate our results, we compared the annotation accuracy between the baseline model, and the models trained with active learning and our privacy preserving model. We vary the subsampling parameter and the anonymization factor while training our model and recording its accuracy. We set the evaluation data at samples (i.e., about % of the dataset). We also provide privacy guarantee values from numerical computations of and and highlight in the appendix, what values of and provide those levels of guarantees.
Baseline condition
train standard classification model. Subsampling parameter , anonymization factor i.e., using the entire dataset
Experiment conditions
train classification model using privacy preserving active learning. Subsampling parameter varied at , anonymization factor varied at
Results
Privacy vs Utility Tradeoff
Figure 2 highlights the privacy–utility tradeoff which occurs as a result of varying and . As expected, as the value of , gets smaller, i.e., by selecting more items in the tail of the dataset, we are able to improve the accuracy of our model. This however has the effect of degrading our privacy guarantees. Similarly, by providing privacy amplification by subsampling, the utility of our model suffers. Figure 2 paints a wholistic picture of this by showing how by tuning the values of and , we can arrive at the same values of accuracy.
Annotation budget
Figure 3 describes how our annotation budget changes for different privacy settings. With a stronger privacy model, we incur less cost as a function of less annotation requests. By reading across the graph, we also discover that the same budget can be realized from different privacy configurations: e.g., by subsampling with and selecting , we incur the same budget as and and therefore, the same accuracy (from Figure 2 above).
Budget vs Accuracy
We established from Figure 2 and Figure 3, the relationship between privacy and accuracy, and between privacy and our annotation budget. Since we can obtain the same level of accuracy and budget requirements from different parameter values, Figure 4 highlights how an increase in budget affects our overall model accuracy. Increasing the budget initially accelerates the improvement of our model, however, the utility gains quickly slow down. For example, after labels, we do not see any significant increase in model accuracy.
These results can serve as a guideline in selecting appropriate privacy parameters for different annotation budgets in a way that is more representative of the dataset. For example, for a fixed annotation budget, you can reduce to select more data points from the tail of the dataset (i.e., a smaller ). This variation can also be done by starting with a target accuracy score and varying and . The results also demonstrate that by sacrificing some utility gains, we can make stronger privacy guarantees and reduce our annotation budget when carrying out active learning.
Conclusion
We now briefly revisit our results in the light of our hypothesis. We also discuss the limitations of our process, its implication to the broader discourse on privacy and machine learning and conclude with future work.
We apply the approach from [Li, Qardaji, and Su2012] to offer privacy guarantees when training models with active learning which requires sending unlabelled examples to an external oracle. Our results join the conversation on differential privacy and machine learning [Ji, Lipton, and Elkan2014] with particular reference to preserving the privacy of users.
Our results show that by taking a small performance hit, we can achieve similar accuracy scores with a smaller annotation budget and stronger privacy guarantee. One limitation however is that we have only reported results on a binary classification task. We are currently expanding our approach by designing a new algorithm for differential privacy on text. We show that the accuracy loss increases as task complexity increases. Therefore, if we were to apply the approach in this work to other NLP tasks, e.g. multiclass classification or question answering, we will expect the accuracy loss to be greater.
Another limitation of our approach and potentially other parameter based approaches ([Korolova et al.2009],[Gotz et al.2012],[Zhang et al.2016]) to differential privacy for text is that it will not work for tasks where almost all the data is unique i.e., is essentially (e.g., a datasets of emails or movie reviews). Therefore, a different approach is needed to provide quantifiable privacy guarantees without resorting to anonymity.
We believe that this is an area worthy of further research in order to further quantify the true cost of privacy in crowdsourcing and machine learning. We have already begun further work to address two of the limitations reported in this current paper.
Appendix
Table 1 lays out a grid of , scores and the corresponding sampling parameter and anonymization factor required to satisfy that level of (,)differential privacy. The shaded region presents a high level view of how to achieve a desired level of privacy.
A few insights can be gleaned from the results, the most obvious being that strong privacy requirements, (indicated by small and scores as we traverse the table towards the bottom left corner), require a higher anonymization factor and smaller sampling rate . This is also observed by the fact that lowering the factor only preserves privacy at the highest displayed value of and (at the top right corner of the table).
Observing individually, we also note that, when and are at fixed values, as decreases, i.e., to obtain stronger privacy guarantees, we need to lower the sampling rate . This indicates as decreases, privacy guarantees increase. Similarly, observing by fixing the values of and , demonstrates that increasing improves our privacy guarantees.
0.25  0.5  0.75  1.0  







References
 [Aggarwal2005] Aggarwal, C. C. 2005. On kanonymity and the curse of dimensionality. In Proceedings of the 31st international conference on Very large data bases, 901–909. VLDB Endowment.

[Arora, Nyberg, and
Rosé2009]
Arora, S.; Nyberg, E.; and Rosé, C. P.
2009.
Estimating annotation cost for active learning in a multiannotator
environment.
In
Proceedings of the NAACL HLT 2009 Workshop on Active Learning for Natural Language Processing
, 18–26. Association for Computational Linguistics. 
[Avidan and Butman2007]
Avidan, S., and Butman, M.
2007.
Efficient methods for privacy preserving face detection.
In Advances in neural information processing systems, 57–64.  [Balle, Barthe, and Gaboardi2018] Balle, B.; Barthe, G.; and Gaboardi, M. 2018. Privacy amplification by subsampling: Tight analyses via couplings and divergences. arXiv preprint arXiv:1807.01647.
 [Cormode and Muthukrishnan2005] Cormode, G., and Muthukrishnan, S. 2005. An improved data stream summary: the countmin sketch and its applications. Journal of Algorithms 55(1):58–75.
 [Dasgupta2011] Dasgupta, S. 2011. Two faces of active learning. Theoretical computer science 412(19):1767–1781.
 [Di Castro et al.2016] Di Castro, D.; LewinEytan, L.; Maarek, Y.; Wolff, R.; and Zohar, E. 2016. Enforcing kanonymity in web mail auditing. In Proceedings of the Ninth ACM International Conference on Web Search and Data Mining, 327–336. ACM.
 [Dwork and Roth2014] Dwork, C., and Roth, A. 2014. The algorithmic foundations of differential privacy. Foundations and Trends® in Theoretical Computer Science 9(3–4):211–407.
 [Dwork et al.2006] Dwork, C.; McSherry, F.; Nissim, K.; and Smith, A. 2006. Calibrating noise to sensitivity in private data analysis. In Theory of Cryptography Conference, 265–284. Springer.
 [Dwork2008] Dwork, C. 2008. Differential privacy: A survey of results. In International Conference on Theory and Applications of Models of Computation, 1–19. Springer.
 [Dwork2011] Dwork, C. 2011. A firm foundation for private data analysis. Communications of the ACM 54(1):86–95.
 [Flajolet et al.2007] Flajolet, P.; Fusy, É.; Gandouet, O.; and Meunier, F. 2007. Hyperloglog: the analysis of a nearoptimal cardinality estimation algorithm. In AofA: Analysis of Algorithms, 137–156. Discrete Mathematics and Theoretical Computer Science.
 [Gal and Ghahramani2016] Gal, Y., and Ghahramani, Z. 2016. Dropout as a Bayesian approximation: Representing model uncertainty in deep learning. In international conference on machine learning, 1050–1059.
 [Gotz et al.2012] Gotz, M.; Machanavajjhala, A.; Wang, G.; Xiao, X.; and Gehrke, J. 2012. Publishing search logs – a comparative study of privacy guarantees. IEEE Transactions on Knowledge and Data Engineering 24(3):520–532.
 [Goyal, Daumé III, and Cormode2012] Goyal, A.; Daumé III, H.; and Cormode, G. 2012. Sketch algorithms for estimating point queries in nlp. In Proceedings of the 2012 Joint Conference on Empirical Methods in Natural Language Processing and Computational Natural Language Learning, 1093–1103. Association for Computational Linguistics.
 [Hamm, Cao, and Belkin2016] Hamm, J.; Cao, Y.; and Belkin, M. 2016. Learning privately from multiparty data. In International Conference on Machine Learning, 555–563.
 [Howe2006] Howe, J. 2006. The rise of crowdsourcing. Wired magazine 14(6):1–4.
 [Ji, Lipton, and Elkan2014] Ji, Z.; Lipton, Z. C.; and Elkan, C. 2014. Differential privacy and machine learning: a survey and review. arXiv preprint arXiv:1412.7584.
 [Korolova et al.2009] Korolova, A.; Kenthapadi, K.; Mishra, N.; and Ntoulas, A. 2009. Releasing search queries and clicks privately. In Proceedings of the 18th international conference on World wide web, 171–180. ACM.
 [LeFevre, DeWitt, and Ramakrishnan2006] LeFevre, K.; DeWitt, D. J.; and Ramakrishnan, R. 2006. Mondrian multidimensional kanonymity. In Data Engineering, 2006. ICDE’06. Proceedings of the 22nd International Conference on, 25–25. IEEE.
 [Lewis and Gale1994] Lewis, D. D., and Gale, W. A. 1994. A sequential algorithm for training text classifiers. In Proceedings of the 17th annual international ACM SIGIR conference on Research and development in information retrieval, 3–12. SpringerVerlag New York, Inc.
 [Li, Li, and Venkatasubramanian2007] Li, N.; Li, T.; and Venkatasubramanian, S. 2007. tcloseness: Privacy beyond kanonymity and ldiversity. In Data Engineering, 2007. ICDE 2007. IEEE 23rd International Conference on, 106–115. IEEE.
 [Li, Qardaji, and Su2012] Li, N.; Qardaji, W.; and Su, D. 2012. On sampling, anonymization, and differential privacy or, kanonymization meets differential privacy. In Proceedings of the 7th ACM Symposium on Information, Computer and Communications Security, 32–33. ACM.
 [Machanavajjhala et al.2006] Machanavajjhala, A.; Gehrke, J.; Kifer, D.; and Venkitasubramaniam, M. 2006. ldiversity: Privacy beyond kanonymity. In Data Engineering, 2006. ICDE’06. Proceedings of the 22nd International Conference on, 24–24. IEEE.

[Nissim, Raskhodnikova, and
Smith2007]
Nissim, K.; Raskhodnikova, S.; and Smith, A.
2007.
Smooth sensitivity and sampling in private data analysis.
In
Proceedings of the thirtyninth annual ACM symposium on Theory of computing
, 75–84. ACM.  [Papernot et al.2016] Papernot, N.; Abadi, M.; Erlingsson, U.; Goodfellow, I.; and Talwar, K. 2016. Semisupervised knowledge transfer for deep learning from private training data. arXiv preprint arXiv:1610.05755.
 [Settles2010] Settles, B. 2010. Active learning literature survey. 2010. Computer Sciences Technical Report 1648.
 [SoriaComas et al.2014] SoriaComas, J.; DomingoFerrer, J.; Sánchez, D.; and Martínez, S. 2014. Enhancing data utility in differential privacy via microaggregationbased kanonymity. The VLDB Journal 23(5):771–794.
 [Sweeney2002] Sweeney, L. 2002. kanonymity: A model for protecting privacy. International Journal of Uncertainty, Fuzziness and KnowledgeBased Systems 10(05):557–570.
 [Yang et al.2018] Yang, J.; Drake, T.; Damianou, A.; and Maarek, Y. 2018. Leveraging crowdsourcing data for deep active learning an application: Learning intents in Alexa. In Proceedings of the 2018 World Wide Web Conference on World Wide Web, 23–32. International World Wide Web Conferences Steering Committee.
 [Zhang et al.2016] Zhang, S.; Yang, G. H.; Singh, L.; and Xiong, L. 2016. Safelog: Supporting web search and mining by differentiallyprivate query logs. In 2016 AAAI Fall Symposium Series.