Adversarially Robust and Privacy-Preserving Representation Learning via Information Theory

We thank the reviewer for the constructive comments!

Comment#1: How different networks and losses of each network are implemented.

Response: The neural network losses are defined in Section 4.3, and the detailed training procedure is in Algorithm 1 in Appendix.

Comment#2: Just like the adversarial private representation learning, the proposed method ARPRL does not have privacy guarantees.

Response: This is a misunderstanding! Theorem 5 shows the information-theoretic privacy guarantee.

Comment#3: mutual information upper and lower bounds are known to be quite loose; the final optimization seems to be quite disjoint from mutual information goals.

Response: We admit that the estimated mutual information bounds are loose. The fundamental reason lies in the challenges of accurately calculating the mutual information for high-dimensional random variables. We emphasize the state-of-the-art mutual information neural estimators (e.g., Cheng et al. 2020) also mention the gap, but they show the (loose) mutual information bounds do not affect the performance too much in practice.

Comment#4: information theoretic analysis is quite similar to [1] Azam et al. AISTATS 2022; The intuition about random guessing based on eqn 5 is quite similar to [2]

Response: We carefully read the paper [1], but do not see any information theoretical results. Could you please have a double check?

We put the advantage definition in Eqn 5 in the preliminary section and hence do not treat it as our contribution. We also point out that the advantage definition is widely used in the literature.

Comment#5: the proposed method can only work with one utility and one sensitive target

Response: In the paper, we only focus on a sensitive attribute and a primary task, which is most widely studied.. However, our method can be easily generalized to multiple sensitive attributes. For instance, when there is a set of $B$ private attributes $\{u_1, u_2, \cdots, u_B \}$ to be protected, our Goal 1 can be extended to $\min_f \sum_{b=1}^B I(z;u_b)$, while Goal 2 can be extended as $\max_f I(x;z|u_1, u_2, \cdots u_b)$.

Comment#6: closed-form solutions by [3] (CVPR workshop 2020) give very robust benchmarks to compare against

Response: The closed-form solution in [3] is obtained by assuming the representation learner to be linear to the input, i.e., $z = \theta x$, which limits the learning capability. In Our compared methods are more recent (e.g., Deepobfuscator (Li et al., 2021)), which shows state-of-the-art privacy protection performance.

Comment#7: The proposed method is also not compared against private learning algorithms if the representation learner is trained with adversarial examples.

Response: As suggested, we choose [2] as the private learner and augment adversarial examples with the PGD attack. We test [2] + adversarial examples on CelebA. By tuning the tradeoff hyperparameters, we obtain the best utility, privacy, and robustness tradeoff of [2] + adversarial examples as: (Robust Acc, Test Acc, Infer. Acc) = (0.73, 0.82, 0.62). In contrast, the best tradeoff of ARPRL in is (Robust Acc, Test Acc, Inference Acc) = (0.79, 0.85, 0.62). Still, our results show simply combining adversarial examples and privacy-preserving methods is not the best option.

We thank the reviewer for appreciating the theoretical contributions and constructive comments!

Comment#1: Why conditioning on u for formalizing Goal 2 and Goal 3, as Goal 1's objective already minimizes the I(z,u). Excluding u could make the representation not truly adversarially robust.

Response: Conditioning on $u$ for formulating Goal 2: The MI in Goal 1 is to reduce the correlation between the private $u$ and representation $z$. The purpose of conditioning on $u$ is to also remove the information that $x$ contains about the private $u$, not just only letting $z$ be uncorrelated to $u$ in an uncontrollable way. Hene, together with Goal 1, $z$ can maintain more information in $x$, as well as leaking less information in $u$. Without such a condition on $u$, the formulation is the same as the privacy tunnel (Makhdoumi, et al. [1]). Note that the compared DPFE (Osia et al., 2020b) indeed uses the idea as privacy tunnel [1] to learn privacy-preserving representations. Our results show DPFE performs worse than our ARPRL against privacy protection, which demonstrates that the conditioning on $u$ is necessary.

Conditioning on $u$ for formulating Goal 3: The purpose is to ensure that the learnt representation $z$ is robust to adversarial perturbation, under the constraint that the private $u$ cannot be leaked from $z$. Hence, this can produce a representation that is both robust and privacy-preserving.

Comment#2: Should Equation 14 (first line as an example) be I(x;z|u) = H(x|u) - H(x|z,u)?

Response: Yes, it is! Thanks for your correction!

Comment#3: "Comparing with task-known privacy-protection baselines", what is the $\alpha$ and $\beta$?

Response: $\alpha=0.1$ and $\beta=0$, as we only consider privacy protection (in order to fairly compare with the privacy-protection baselines). That is also why infer acc=0.71 is not shown in Table 1, where $\alpha=0.1$ and $\beta=0.45$.

Comment#4: Is the result of ARPRL Section 5.4 computed as the optimal result from different combinations of $\alpha$ and $\beta$? How sensitive is the result to different values of $\alpha$ and $\beta$?

Response: No, the results in Section 5.4 are irrelevant to the optimal results. They are obtained by directly training the neural networks with the corresponding $\alpha$ and $\beta$.

The experimental results in Table 1 show that $\alpha$ controls privacy, while $\beta$ controls robustness. Our findings were that, given a fixed $\alpha$ (or $\beta$), the results are relatively insensitive to a small range of $\beta$ (or $\alpha$).

Comment#5: Comparing with task-known adversarial robustness baselines, how does the proposed method include task labels during training.

Response: We emphasize that our ARPRL does NOT use task labels during training, since it is task-agnostic.

Comment#6: What is the definition of the best "utility, privacy, and robustness tradeoff"? Why is it just one set of results?

Response: Our theoretical results show that utility, privacy, and robustness have inherent tradeoffs. Empirically, a better tradeoff means a larger utility, smaller inference accuracy, and larger robust accuracy at the same time. Note that the tradeoffs can be reflected by tuning $\alpha$ and $\beta$ values (i.e., a larger/smaller $\alpha$ indicates a stronger/weaker attribute privacy protection and a larger/smaller $\beta$ indicates a stronger/weaker robustness against adversarial perturbations). We do not say (and cannot prove theoretically) the best tradeoff is obtained at one single set of $\alpha$ and $\beta$. What we can do in practice is to tune $\alpha$ and $\beta$ (See B.3 in Appendix) and observe the trend of the tradoff.

Comment#7: same learning rate 1e−3 in all neural networks? How sensitive the hyperparameters are.

Response: Yes, we use the same learning rate. We admit that it is difficult to tune the four neural networks simultaneously in practice to obtain the optimal performance. We also observed that the adversarial robustness network is sensitive to a large learning rate (e.g., when lr=0.01, the robustness performance could drop 10-15% among the four datasets). To ensure a stable training, we hence consider relatively small learning rates in all networks and set an equal value 1e−3 for simplicity. Our results also showed this value exhibits promising performance in terms of utility, adversarial robustness, and privacy protection.

Comment#8: Minors: change the section order, lr5 is not used.

Response: Thanks for pointing this out. Will fix them.