Revisiting Differentially Private ReLU Regression

We thank the Reviewer M8TJ for the thorough review and the insightful comments.

Response to the Weakness 1 and Question 1

We thank reviewer M8TJ for the constructive feedback and we will include these comments in the updated version, thanks! We acknowledge that our main improvement is highlighted in Table 1, with [1] as the baseline. While [4] also studies DP-GLM with non-convex loss, it is not directly comparable to our work. Specifically, Theorem 5 of [4] assumes $\lVert x_i \rVert_2 \leq 1$, while we consider $x$ has a sub-Gaussian tail, meaning $\lVert x_i \rVert_2 \leq O(\sqrt{d})$ with high probability. Moreover, [4] provides a bound of $\tilde{O}(\frac{\sqrt[4]{d}}{\sqrt{n\epsilon}})$ dependent on $\sqrt[4]{d}$, which we aim to mitigate in the overparameterized setting. For Theorem 6 in [4], it still needs to assume $\lVert x \rVert_\infty \leq 1$ while we consider more general distributions that could be unbounded. Moreover, it needs a very strong assumption that $\lVert w^* \rVert_1 \leq 1$ as it uses DP-Frank Wolfe.

Regarding the results on convex optimization in lines 98 and references [2, 3], we will revise our paper to clarify differences in assumptions, particularly regarding the bounded norm of input samples, ensuring clear distinctions between our work and the convex baseline.

Response to the Weakness 2 and Question 2

We appreciate the reviewer's attention to our motivation. Before analyzing DP-GLMtron, we noticed DP-SGD sometimes fails to converge and reaches suboptimal solutions (as seen in our experiments). Therefore, we try to visualize the training trajectories of DP-SGD and DP-GLMtron on a 2D noiseless ReLU regression with symmetric Bernoulli data (we put the figures in the PDF file, please check it). The visualization demonstrates that DP-SGD struggles to converge under large noise conditions and is more likely to settle at a saddle point rather than reach the optimal solution. As we mentioned in our paper section 4 (equation 3), the SGD and GLMtron follow the different update rules: $SGD: \mathbf{w}\_t=\mathbf{w}\_{t-1}-\eta \cdot (\operatorname{ReLU} (\mathbf{x}\_t^{\top} \mathbf{w}\_{t-1})-y\_t) \mathbf{x}\_t \cdot \mathbb{1}[\mathbf{x}\_t^{\top} \mathbf{w}\_{t-1}>0]$ $GLMtron: \mathbf{w}\_t=\mathbf{w}\_{t-1}-\eta \cdot (\operatorname{ReLU} (\mathbf{x}\_t^{\top} \mathbf{w}\_{t-1} )-y\_t ) \mathbf{x}\_t$ When $\\mathbf{x}\_t^{\top} \\mathbf{w}\_{t-1} \leq 0$, the SGD gradient is zero, and DP-SGD's direction is heavily influenced by noise, especially with a low privacy budget (see Figure 1a). Therefore, these observations motivated us to propose the DP-GLMtron and DP-TAGLMtron algorithms.

Response to the Weakness 3 and Question 3

We appreciate the reviewer's attention to our approach to addressing dimension independence. However, the reviewer may misunderstood our paper. Generally, our bounds depend on the trace of the covariance matrix $\mathbf{H}$ rather than $\\|x\\|_2\leq 1$. In line 222, we just aim to provide a simple example to illustrate how the bounds behave under the assumption $\\|\mathbf{x}\\|_2 \leq 1$. However, this does not imply that our bounds improve previous results with this setting. Our main contributions are:

1. We provided the first analysis beyond data assumptions that satisfy Gaussian-like distributions, which may overlook cases where the spectrum exhibits decay.

2. Our results offer nearly dimension-independent bounds without assuming $\\|\mathbf{x}\\|_2 \leq 1$. This indicates that as long as $k^*$ is $o(N)$ and the tail summation of eigenvalues is $o(1/N)$, it is possible to achieve diminishing bounds without being affected by the dimension $d$ in the over-parameterized regime.

Why do we focus on the covariance matrix $\mathbf{H}$? We provide some examples here. If $\mathbf{H} = \operatorname{diag}\\{1, 1, \ldots, 1\\}$, its trace satisfies $\operatorname{Tr}(\mathbf{H}) = \mathcal{O}(d)$. If $\mathbf{H} = \operatorname{diag}\\{1, 1/2, \ldots, 1/d\\}$, its trace satisfies $\operatorname{Tr}(\mathbf{H}) = \mathcal{O}(\log d)$. These examples illustrate that only the effective rank influences utility, which explains why we can mitigate the impact of dimension $d$ in some cases.

Additionally, $\\|\mathbf{w}_0-\mathbf{w}^*\\|_2$ (i.e., $\\|\mathbf{w}^*\\|_2$) to be bounded by a constant is a common assumption in the DP estimation even for the linear regression model such as [5,6,7].

Regarding the $\Gamma$ term, we provide analysis in Lemma D.3 for detailed discussion, where we establish that each $\gamma_t$ is effectively bounded by the $\mathbf{H}$ norm term $(\\|\\mathbf{w}\_*-\\mathbf{w}\_t\\|\_{\\mathbf{H}})$. This crucial detail ensures that our results remain controlled. Furthermore, by decomposing our analysis into the head and tail subspaces of $\mathbf{H}$, we can achieve bounded results analogous to those observed in non-private scenarios, as detailed in references [8,9,10,11].

Response to the Weakness 4 and Question 4

We understand your concern regarding our experimental setup. Below, we hope to address your concerns as follows:

1. Why do we have a synthetic dataset with spectrum decay in the main body? The simulation in our main body aims to validate the theoretical insights related to the role of eigenvalues in a high-dimensional setting, as we discussed in Section 4.

2. Typo of MNIST. Thanks for pointing out the typo, we will correct it in our revised version.

3. Why are results increasing with data size and approximately $\sim 24$? The observed increase in excess risk as data size grows, along with its approximation to 24, stems from the nature of our experimental setup. We are considering a ReLU regression model, as outlined in the Preliminary Section and Equation 1, without incorporating any neural network architecture.

Due to space limitations, we will include more explanations, experiment setup, and references in the comment section, please check it in the following.

We continue to provide more explanations here.

According to the updated rules of algorithms (see Equation 3) and further discussion in response to Weakness 2 and Question 2, this behavior illustrates that DP-SGD struggles to converge effectively in this context. As data size increases, the challenges with convergence lead to an increase in error, which highlights the limitations of DP-SGD in handling certain high-dimensional regression tasks.

Another potential reason for the error approximating ~24 is that our model is a regression model. Regression models output continuous values, but classification problems require discrete class labels. This can result in predictions that aren't directly usable for classification, which may contribute to the observed discrepancy in excess risk.

4. Experimental settings used for DP-SGD on MNIST data. Yes, we will provide the details of our experimental settings as follows:

A.Data Preparation

• Dataset: MNIST, loaded via tensorflow.keras.datasets.mnist.
• Data Preprocessing: Training and test data are reshaped and normalized to have values between 0 and 1.

B.Experimental Parameters

• Data Sizes: The experiment uses a range of data sizes from 50 to 5000, increasing in steps of 500.
• Feature Dimension: Derived from the reshaped MNIST data.
• Repeats: The experiment is repeated 5 times to ensure robustness.
• lr = $0.01$
• Privacy Parameters:
• Delta: $1 \times 10^{-3}$
• Epsilon: An array with values $[0.05,0.2,0.5]$
• Sigma: Calculated as $\sigma=\sqrt{2 \log (1.25 / \delta)} \times(1 / \epsilon)$

C. Experimental Model Updates and Evaluation Metric (Our gradient update follows the rule of Equation 3 with private noise.)

• Model update: (SGD update)

            if x_t @ thetasgd > 0:
                gradient = (relu(x_t @ thetasgd ) - y_t) * x_t.T + noise
            else:
                gradient = np.zeros((featuredim, 1)) + noise
            thetasgd = thetasgd - lr * gradient 
  

• Evaluation Metric: (Mean Square Loss)

            rwsgd = np.mean((relu(X @ thetasgd) - y) ** 2)
  

References

[1] - Shen, Hanpu, et al. "Differentially private non-convex learning for multi-layer neural networks." arXiv preprint arXiv:2310.08425 (2023).

[2] - Jain, Prateek, and Abhradeep Guha Thakurta. "(Near) dimension independent risk bounds for differentially private learning." International Conference on Machine Learning. PMLR, 2014.

[3] - Song, Shuang, et al. "Evading the curse of dimensionality in unconstrained private glms." International Conference on Artificial Intelligence and Statistics. PMLR, 2021.

[4] - Wang, Di, Changyou Chen, and Jinhui Xu. "Differentially private empirical risk minimization with non-convex loss functions." International Conference on Machine Learning. PMLR, 2019.

[5] Varshney, Prateek, Abhradeep Thakurta, and Prateek Jain. "(Nearly) Optimal Private Linear Regression via Adaptive Clipping." arXiv preprint arXiv:2207.04686 (2022).

[6] Cai, T. Tony, Yichen Wang, and Linjun Zhang. "The cost of privacy: Optimal rates of convergence for parameter estimation with differential privacy." The Annals of Statistics 49.5 (2021): 2825-2850.

[7] Bassily, Raef, et al. "Private stochastic convex optimization with optimal rates." Advances in neural information processing systems 32 (2019).

[8] Wu, Jingfeng, et al. "Last iterate risk bounds of sgd with decaying stepsize for overparameterized linear regression." International Conference on Machine Learning. PMLR, 2022.

[9] Zou, Difan, et al. "Benign overfitting of constant-stepsize sgd for linear regression." Conference on Learning Theory. PMLR, 2021.

[10] Bartlett, Peter L., et al. "Benign overfitting in linear regression." Proceedings of the National Academy of Sciences 117.48 (2020): 30063-30070.

[11] Wu, Jingfeng, et al. "Finite-sample analysis of learning high-dimensional single relu neuron." International Conference on Machine Learning. PMLR, 2023.

We thank Reviewer M8TJ for your reviewing efforts and feedback.

Response to the Cont.W2 and Q2

We appreciate the reviewer's concerns regarding our experiments. However, it is important to note that our paper primarily focuses on theoretical work. The experiments we conducted on Bernoulli data, which satisfy our assumptions for analysis, were designed to validate our theoretical insights into the role of eigenvalues in a high-dimensional setting.

Why do we focus on the ReLU regression model? Indeed, the ReLU regression model can be viewed as the same as a two-layer neural network model with a ReLU activation function and a single neuron in the hidden layer, as described in [1]. In particular, [1] considers the following formulation:

where $\mathbf{x} \in \mathbb{R}^d$ is the input, $\mathbf{w}_r \in \mathbb{R}^d$ is the weight vector of the first layer, $a_r \in \mathbb{R}$ is the output weight, and $\sigma(\cdot)$ is the ReLU activation function defined as $\sigma(z)=z$ if $z \geq 0$ and $\sigma(z)=0$ if $z<0$. Since they assume that $a_r$ is not trained and focus on the empirical risk minimization problem with quadratic loss, it is equivalent to ReLU regression when setting $m=1$.

Therefore, ReLU regression can be considered a basic simplified problem in neural network optimization [1,2,3]. As we replied to Reviewer 7Kd7, one potential way to extend our work to ReLU Neural Network is to consider the $m$ neurons. In this case, the gradient for optimization would become a summation of $m$ gradients, each akin to the one used in our current analysis. This extension represents an area for future work.

Regarding the lack of experiments, we hope to address your concerns in the following part.

Response to the Cont.W3 and Q3

We appreciate the reviewer's clarifications and acknowledge that we may have misunderstood your feedback earlier. Yes, our paper offers a novel perspective by demonstrating that dimensionality can be mitigated in specific cases, such as when the data covariance matrix exhibits eigenvalue decay. This aspect might have been overlooked in previous Differential Privacy (DP) studies due to their reliance on data assumptions that resemble Gaussian-like distributions.

However, it is important to note that even in non-private regression models, the mitigation of dimensionality $d$ is typically contingent upon assumptions about the spectrum, as discussed in [3-10]. Therefore, we do not view this as a weakness of our work.

Response to the Cont.W4 and Q4

To better address your concerns, we have included additional experimental results on three different regression tasks, including one table here. (Because the PDF file in the global rebuttal cannot be edited during the discussion period, we will incorporate figures into our revised paper.)

The table below presents the errors observed for the Gas Turbine, CA Housing, and Wine Quality datasets when using various Differential Privacy algorithms: DP-SGD, DP-GLMtron, DP-TAGLMtron, and DP-FTRL. These experiments were conducted using the ReLU regression model across three different privacy budgets, represented by epsilon values of 0.05, 0.2, and 0.5, with a learning rate of 0.01. The errors reported were taken from the results at the final epoch (50th epoch). It can be observed that DP-GLMtron and DP-TAGLMtron still consistently outperformed the DP-SGD and DP-FTRL across all datasets and privacy budgets, demonstrating their robustness and effectiveness. Additionally, the performance gap between DP-GLMtron, DP-TAGLMtron, and the other two algorithms indicates that DP-SGD and DP-FTRL may converge to suboptimal solutions.

Reference

[1] Frei, Spencer, Yuan Cao, and Quanquan Gu. "Agnostic learning of a single neuron with gradient descent." Advances in Neural Information Processing Systems 33 (2020): 5417-5428.

We thank the Reviewer JyY5 for the valuable review as well as the positive feedback!

Response to the Weakness 1

Thank you for your suggestion. We agree that adding a literature survey on privacy-utility tradeoffs would be beneficial. We will include more related work in the revised paper and hope to provide valuable context for readers.

Response to the Question 1

Yes. ReLU regression, as discussed in our paper, can be viewed as the same as a two-layer neural network model with a rectified linear unit (ReLU) activation function and a single neuron in the hidden layer, as described in [2]. In particular, [2] considers the following formulation:

where $\mathbf{x} \in \mathbb{R}^d$ is the input, $\mathbf{w}_r \in \mathbb{R}^d$ is the weight vector of the first layer, $a_r \in \mathbb{R}$ is the output weight, and $\sigma(\cdot)$ is the ReLU activation function defined as $\sigma(z) = z$ if $z \geq 0$ and $\sigma(z) = 0$ if $z < 0$. Since they assume that $a_r$ is not trained and focus on the empirical risk minimization problem with quadratic loss, it is equivalent to ReLU regression when setting $m = 1$. Therefore, ReLU regression can be considered a basic simplified problem in neural network optimization[1,2,3].

Response to the Question 2

Thank you for pointing out these relevant works. We will include references to these papers in our revised manuscript to provide a broader context for the privacy-utility tradeoff algorithms discussed in our study.

Response to the Question 3

Thank you for catching the typo on line 335. We will correct it ("simulation") in the revised paper.

[1] Wu, Jingfeng, et al. "Finite-sample analysis of learning high-dimensional single ReLU neuron." International Conference on Machine Learning. PMLR, 2023.

[2] Frei, Spencer, Yuan Cao, and Quanquan Gu. "Agnostic learning of a single neuron with gradient descent." Advances in Neural Information Processing Systems 33 (2020): 5417-5428.

[3] Diakonikolas, Ilias, et al. "Learning a single neuron with adversarial label noise via gradient descent." Conference on Learning Theory. PMLR, 2022.

We thank Reviewer 7Kd7 for the careful and detailed review as well as the constructive feedback.

Response to the Weakness 1

We kindly disagree with the reviewer's opinion. It is important to note that our work is theoretical, and our assumptions are standard in theoretical studies of ReLU regression or linear regression. As we mentioned in the paper, most assumptions are weaker than the sub-Gaussian data assumption. Even for linear regression models, certain assumptions are necessary to provide analysis on private estimation, such as [1,2,3].

Response to the Weakness 2

We understand the reviewer's concern about our experimental results and we hope to address this in the following answers (Question 4 part).

Response to the Question 1

Yes, the rate is provided in Theorem 5 of [4], which analyzes the performance of the DP-Projected Gradient Descent for ReLU regression :).

Response to the Question 2

Previous studies on differentially private (DP) statistical estimation have primarily focused on convex models, such as linear models or linear regression, with less attention given to non-convex models. ReLU regression is one of the most fundamental non-convex models in neural networks, which is why we chose to focus on it in our paper. More specifically, ReLU regression, as discussed in our paper, can be viewed as the same as a two-layer neural network model with a rectified linear unit (ReLU) activation function and a single neuron in the hidden layer, as described in [5]. Specifically, they consider:

where $\mathbf{w}_r \in \mathbb{R}^d$ is the weight vector of the first layer, $a_r \in \mathbb{R}$ is the output weight, and $\sigma(\cdot)$ is the ReLU activation function defined as $\sigma(z) = z$ if $z \geq 0$ and $\sigma(z) = 0$ if $z < 0$. Since they assume that $a_r$ is not trained and focus on the empirical risk minimization problem with quadratic loss, it is equivalent to ReLU regression when setting $m = 1$. Therefore, ReLU regression can be considered as a basic and simplified problem in neural network optimization[6,7,8].

Response to the Question 3

We are glad to see the reviewer notice this difference. The term $D_{eff}$ arises from the variance error term, which is related to model noise. Specifically, it takes the form of $\mathbf{x}^{\top} z$. In contrast, $D_{eff}^{priv}$ originates from the private error introduced by the private noise $\mathbf{g}$. Thus, when considering how the noise terms interact with the data points $\mathbf{x}$, we observe the following: 1) model noise leads to $\mathbf{H}$; 2) private noise results in $\mathbf{I}$. This is the main reason why $D_{eff}^{priv}$ lacks the component $\lambda_i$ compared to $D_{eff}$. We provide more details in the Appendix (Lemma D.4).

Response to the Question 4 and Weakness 2

This phenomenon for DP-SGD is actually our motivation for studying the private ReLU regression problem. As we mentioned in our paper section 4 (equation 3), the SGD and GLMtron follow the different update rules: $SGD: \mathbf{w}\_t=\mathbf{w}\_{t-1}-\eta \cdot (\operatorname{ReLU} (\mathbf{x}\_t^{\top} \mathbf{w}\_{t-1})-y\_t) \mathbf{x}\_t \cdot \mathbb{1}[\mathbf{x}\_t^{\top} \mathbf{w}\_{t-1}>0]$ $GLMtron: \mathbf{w}\_t=\mathbf{w}\_{t-1}-\eta \cdot (\operatorname{ReLU} (\mathbf{x}\_t^{\top} \mathbf{w}\_{t-1} )-y\_t ) \mathbf{x}\_t$ This indicates that if $\mathbf{x}\_t^{\top} \mathbf{w}\_{t-1} \leq 0$, the gradient for SGD becomes zero. Then, in DP-SGD, noise added on gradient can significantly influence the update direction, especially with a low privacy budget. Indeed, we visualized the training trajectories of DP-SGD and DP-GLMtron on a 2D noiseless ReLU regression (Please check the files in the global rebuttal). The visualization demonstrates that DP-SGD struggles to converge under large noise conditions and is more likely to settle at a saddle point rather than reach the optimal solution. This observation motivated us to propose the DP-GLMtron algorithm.

Response to the Question 5

Exactly, the DP-GLMtron can not provide the privacy guarantee when $\varepsilon$ is large, but here the performance refers to the utility/excess risk. A large $\varepsilon$ implies that less noise is added to the gradient, which means the gradient is less impacted by noise, improving performance. The primary difference between DP-GLMtron and DP-TAGLmtron lies in the method of noise accumulation. Therefore, when the noise is reduced, the performance gap between these two algorithms narrows.

Response to the Question 6

We kindly disagree with the reviewer's opinion. The utility bound depends not only on the privacy budget but also on the data size $n$ and the dimension $d$. It is not possible to separate these factors to independently demonstrate the efficiency of the algorithms. Thus, our results $O(\frac{1}{n^2\epsilon^2})$ is better than $O(\frac{1}{(n\epsilon)^\frac{2}{3}})$. Additionally, the rate in Table 1 for [1] is for DP-PGD rather than DP-SGD.

Response to the Question 7

The setting with two eigenvalue decay scenarios $i^{-2}$ and $i^{-3}$ satisfy our assumptions and we would like to validate our theoretical insights on the role of eigenvalues in a high-dimensional setting, as detailed in Corollary 4.3. As discussed previously, existing work in the DP community primarily relies on data assumptions satisfying Gaussian-like distributions, which reduces the data covariance matrix to an identity matrix scaled by variance. Such an assumption may cause the case to be overlooked when the spectrum exhibits decay. Therefore, our paper chooses one of the eigenvalue decay scenarios $i^{-2}$ and $i^{-3}$ in our stimulation to examine the effect of eigenvalue.

Due to space limitations, we will include references in the comment section, please check it in the following.

[1] Varshney, Prateek, Abhradeep Thakurta, and Prateek Jain. "(Nearly) Optimal Private Linear Regression via Adaptive Clipping." arXiv preprint arXiv:2207.04686 (2022).

[2] Cai, T. Tony, Yichen Wang, and Linjun Zhang. "The cost of privacy: Optimal rates of convergence for parameter estimation with differential privacy." The Annals of Statistics 49.5 (2021): 2825-2850.

[3] Bassily, Raef, et al. "Private stochastic convex optimization with optimal rates." Advances in neural information processing systems 32 (2019).

[4] Shen, Hanpu, et al. "Differentially private non-convex learning for multi-layer neural networks." arXiv preprint arXiv:2310.08425 (2023).

[5] Du, Simon S., et al. "Gradient descent provably optimizes over-parameterized neural networks." arXiv preprint arXiv:1810.02054 (2018).

[6] Wu, Jingfeng, et al. "Finite-sample analysis of learning high-dimensional single ReLU neuron." International Conference on Machine Learning. PMLR, 2023.

[7] Frei, Spencer, Yuan Cao, and Quanquan Gu. "Agnostic learning of a single neuron with gradient descent." Advances in Neural Information Processing Systems 33 (2020): 5417-5428.

[8] Diakonikolas, Ilias, et al. "Learning a single neuron with adversarial label noise via gradient descent." Conference on Learning Theory. PMLR, 2022.

We appreciate the Reviewer for the thoughtful feedback and hope the following responses address your concerns effectively!

Response to the Cont.Q2

Yes, we would like to further explore the relationship between our work and neural network optimization here. Theoretically, as we mentioned earlier(our response to Q2), ReLU regression can be viewed as the same as a two-layer neural network model with a single neuron. Therefore, to extend our work to NN optimization, one potential way is to consider the $m$ neurons. In this case, the gradient for optimization will become a summation of $m$ of our current gradient. Then, we can conduct an analysis analogous to that presented in this paper.

Empirically, our work offers a novel perspective on the over-parameterization problem, showing that the dimension $d$ can be avoided in certain cases, such as when the data covariance matrix exhibits eigenvalue decay. Additionally, our findings highlight that DP-SGD struggles with convergence and tends to settle at suboptimal points. It would be quite interesting to explore whether similar observations can be made with a two-layer neural network model.

Response to the Cont.Q6

To better address your question, we have included additional experimental results related to the performance of different algorithms under various privacy budgets. (We found that the PDF file in the global rebuttal cannot be edited during the discussion period. Therefore, we will incorporate these results into our revised paper.)

When the sample size is fixed, the utility in [1] can be understood as $1 /(N \epsilon)^{2 / 3}$, whereas our utility bound is $1 /(N \epsilon)^2$, which is an improvement over [1] according to the magnitude of $N$ and $\epsilon$.

In this additional experiment, we demonstrate the sensitivity of the privacy budget for each algorithm, and it is clear that DP-SGD faces the same issue. When $\epsilon$ is small, the tree mechanism in DP-FTRL allows it to add less noise compared to the naive Gradient Descent or GLMtron algorithm, resulting in similar performance between DP-FTRL and DP-GLMtron. Additionally, it is important to note that DP-FTRL should be compared with DP-TAGLMtron rather than DP-GLMtron, as both DP-FTRL and DP-TAGLMtron utilize the tree mechanism, whereas DP-GLMtron does not. Moreover, even though DP-FTRL converges at the end of the training, it can be observed that the excess risk for DP-FTRL is significantly larger than that of DP-TAGLMtron, indicating that it may converge to a suboptimal solution.

[1] Shen, Hanpu, et al. ”Differentially private non-convex learning for multi-layer neural networks.” arXiv preprint arXiv:2310.08425 (2023)

Thanks for the detailed clarification.

• Regarding Response to Question 2: so does your work lead to any suggestions on NN optimization? (no criticism if no)
• Regarding Response to Question 6: but if the sample size is fixed, varying $\epsilon$ would result in a larger variation in your method? Because $\epsilon^2$ term leads to a larger slope compared to $\epsilon^{2/3}$. Also, in the simulation, your methods performed evenly to DP-FTRL when $\epsilon$ is small, but while outperform it significantly for large $\epsilon$.

In general, it is not customary for authors to produce new results during the discussion phase. It might be best if you avoid presenting them, but rather mention their existence. If you absolutely must reply to the reviewer who specifically asks to see the results, I suggest you use an anonymous link. Again, I would caution against abusing this to present revisions of the work submitted.