MaSS: Multi-attribute Selective Suppression for Utility-preserving Data Transformation from an Information-theoretic Perspective

Q. The authors need provide more detailed explanations and justifications for their proposed techniques...

A. InfoNCE contrastive learning loss (Oord et al., 2018) is a classical contrastive learning loss, which learns useful representations of data by making the representations of positive samples (similar or related samples) closer while pushing the representations of negative samples further apart from the anchor. The sampling strategy in our framework is as follows. Suppose we have ${K+1}$ samples $\\{ x _i \\} _{i=1}^{K+1}$ in a mini-batch. We first pass them through the feature extractor $P _\eta(F|X)$ and data transformation module to sample a batch of $\\{ f _i \\} _{i=1}^{K+1}$ and $\\{ x' _i \\} _{i=1}^{K+1}$ respectively. Then suppose we choose the $j$-th feature $f _j$ as the anchor. Then the corresponding $x' _j$ would be designated as a positive sample, and all other $x' _{i \neq j}$ are designated as negative samples. After sampling, we calculate the contrastive learning loss as Equation 14 in our paper. For training stability, in our implementation each of the $K+1$ features in a batch are used as an anchor once and then averaged. An analogous strategy was used when anchors are chosen from $x'$.

InfoNCE Contrastive learning is suitable in our design because it is a proper approximation to $I(F;X')$ (and $I(X;X')$), so that it can be used to maximize $I(F;X')$ thus protect unannotated useful attributes in the transformed data. Contrastive learning loss may help with preserving annotated useful attributes as well. But the annotated useful attributes preserving module is taking the primary responsibility, by ensuring the predictability of useful attributes from the transformed data.

Besides, contrastive learning loss also succeeds in that it does not assume the distribution of $X, X'$. It can be universally applied to images, language, sensor signals, etc, with few adjustments. Another important merit of contrastive learning is its advanced empirical performance. We conducted an ablation experiment where we replaced the contrastive learning loss with MSE reconstruction loss (denoted as MaSS-MSE). The results are shown in Table 2 and Table 3. MaSS-NF means MaSS trained without unannotated useful attributes preservation. We can observe that the NAG of digit is significantly lower without unannotated attribute preservation. We can also observe that MaSS achieves higher NAG on digit than MaSS-MSE, as well as lower NAG on other sensitive attributes, which demonstrates the strong empirical performance of contrastive learning loss compared to MSE reconstruction loss.

Table 2: Comparison of the classification accuracy and NAG between MaSS and ablations on AudioMNIST. We suppress gender, accent, age, ID, while preserve digit as if an unannotated attribute.

Table 3: Comparison of the classification accuracy and NAG between MaSS and ablations on MotionSense. We suppress gender, ID, while preserve activity as if unannotated useful attribute.

Reference:

• Aaron van den Oord, Yazhe Li, and Oriol Vinyals. Representation learning with contrastive predictive coding. arXiv preprint arXiv:1807.03748, 2018.

W1. The dataset lacks a detailed description...

A1. We thank the reviewer for pointing out this problem. The detailed descriptions of datasets, including size, classes, split, preprocessing, and other basic information, are included in Appendix B of the revised manuscript.

W2. All six methods of experimental comparison rely on adversarially training a sensitive attribute inference model and lack the ability to compare state-of-the-art dp-based methods...

A2. We thank the reviewer for pointing out this related work. However, as stated in Section 2 of our original manuscript, our method aims at providing Information-theoretic Privacy, instead of defending against Membership Inference Attacks as Differential Privacy (DP) does. These are two distinct privacy notions in the literature (Hsu et al., 2021). Thus our method is not comparable with DP-based works. Specifically, Differential Privacy for deep learning generally focuses on creating a randomized optimization mechanism, so that the distributions of learned model parameters are similar for adjacent subsets of the original dataset [Abadi et al. (2016), Zhang et al., (2018), Sun et al., (2020)]. For Information-theoretic Privacy, on the other hand, the goal is to learn a data transformation, so that the information of sensitive attributes contained in the transformed data can be constrained.

References:

• Hsiang Hsu, Natalia Martinez, Martin Bertran, Guillermo Sapiro, and Flavio P Calmon. A survey on statistical, information, and estimation—theoretic views on privacy. IEEE BITS the Information Theory Magazine, 1(1):45–56, 2021
• Abadi, Martin, et al. "Deep learning with differential privacy." Proceedings of the 2016 ACM SIGSAC conference on computer and communications security. 2016.
• Zhang, Xinyang, Shouling Ji, and Ting Wang. "Differentially private releasing via deep generative model (technical report)." arXiv preprint arXiv:1801.01594 (2018).
• Sun, Mingxuan, Qing Wang, and Zicheng Liu. "Human action image generation with differential privacy." 2020 IEEE International Conference on Multimedia and Expo (ICME). IEEE, 2020.

W3. Lack of comparison with a state-of-the-art method...

A3. We thank the reviewer for pointing out this related work. STPrivacy (Li et al., 2023) proposed an insightful framework for privacy-preserving action recognition (PPAR) for 3D video data, which combined sparsification (removing privacy-leaking action-irrelevant tubelets from ViT input) and anonymization (removing privacy information adversarially by maximizing CE loss). STPrivacy was specially tailored for video data and ViT model, overcoming the dynamic utility loss and privacy leakage of previous frame-based PPAR methods. However, this specialization also hindered its generalizability to other domains, which made it inapplicable to our settings. However, as a remedy, we compared our method with two baseline methods mentioned in the STPrivacy paper, namely PPDAR (Wu et al., 2020) (named VITA in the STPrivacy paper) and SPAct (Dave et al., 2022). The results of PPDAR is shown in Table 1, 2, 4, 5, 7 in our paper. The results of SPAct is shown in the Table 1 below. We can observe that MaSS achieves slightly lower NAG on digit compared to SPAct, but significantly lower NAG on all sensitive attributes (up to 5%), which shows that our method can achieve a better trade-off between suppression and preservation. However, please note that SPAct did not consider preserving unannotated useful attributes.

Table 1: Comparison of the classification accuracy and NAG between MaSS and SPAct on AudioMNIST. We suppress gender, accent, age, id, while preserve digit as annotated useful attribute.

References:

• Li, Ming, et al. "STPrivacy: Spatio-Temporal Tubelet Sparsification and Anonymization for Privacy-preserving Action Recognition." arXiv preprint arXiv:2301.03046 (2023).

• Wu, Zhenyu, et al. "Privacy-preserving deep action recognition: An adversarial learning framework and a new dataset." IEEE Transactions on Pattern Analysis and Machine Intelligence 44.4 (2020): 2126-2139.

• Dave, Ishan Rajendrakumar, Chen Chen, and Mubarak Shah. "Spact: Self-supervised privacy preservation for action recognition." Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. 2022.

Q1. The paper introduces an interesting concept in Theorem 3.1, highlighting the importance of mutual information constraints 'm' and 'n' in the context of privacy and utility trade-offs...

A1. We conducted experiments to show the effect of varying constraint, in which we took gender, accent, age and ID as sensitive attributes and digit as an annotated useful attribute on the AudioMNIST dataset. We fixed $m=0$ for gender, accent and age and $n=2.3$ for digit (its maximal value). Then we varied $m$ for ID from $0$ to $1.46$ (its maximal value). The results are shown in Table 1. We can observe that as $m$ increases, the constraint is gradually loosened, which results in the gradually increasing accuracy and NAG for ID.

Table 1: Varying the suppression constraint $m$ on AudioMNIST. We suppress gender, accent, age, ID, while preserve digit as if an annotated useful attribute.

Q2. The theoretical argument presented in Theorem 3.2 may raise some questions...

A2. Theorem 3.2 provided an operational upper bound for the learning objective $I(X';F)$, namely $I(X';F) \leq H(X|S _i) + m _i$. The detailed proof can be found in Appendix A.2. The value of the upper bound ($H(X|S _i) + m _i$) is independent from the parameters of our model, which means that the unannotated useful attributes preservation module can at most preserve $H(X|S _i) + m _i$ nats (Naperian bits) of information of $F$ in $X'$.

Besides, $H(X|S _i) + m _i$ is indeed dependent on the dataset and the task. For an extreme example, in a dataset where $X$ is fully decided by $S _i$ ($H(X|S _i)=0$) and $m _i$ is set to 0, then we can have $I(X';F) \leq 0$, which means we can not preserve any information of $F$ in $X'$. On the other hand, if $X$ is conditionally independent from $S _i$ ($H(X|S _i)=H(X)$), we can have $I(X';F) \leq H(X) + m _i$, which is already guaranteed by Data Processing Inequity $I(X';F) \leq I(X'; X) \leq H(X)$. Therefore in this case, Theorem 3.2 no longer casts any additional constraint on $I(X';F)$.

Q3. Clarification is needed on how the positive and negative samples for the InfoNCE loss are determined...

A3. The sampling strategy in our framework is as follows: Suppose we have ${K+1}$ samples $\\{ x _i \\} _{i=1}^{K+1}$ in a mini-batch. We first pass them through the feature extractor $P _\eta(F|X)$ and data transformation module to sample a batch of $\\{ f _i \\} _{i=1}^{K+1}$ and $\\{ x' _i \\} _{i=1}^{K+1}$ respectively. Then suppose we choose the $j$-th feature $f _j$ as the anchor. Then the corresponding $x' _j$ would be designated as the positive sample, and all other $x' _{i \neq j}$ are designated as negative samples. For training stability, in our implementation each of $K+1$ features in a batch are used as an anchor once and then averaged. An analogous strategy was used when anchors are chosen from $x'$.

Q1. For the sensitive attribute suppression, the objective is to minimize the the expectation of the entropy between P(Si|x) and P_phi(Si|X’)...

A1. The relationship between our sensitive attributes suppression and adversarial learning is as follows:

First, our sensitive attributes suppression can be viewed as one type of adversarial learning. When we use linear relaxation and $I(X'; S _i) \geq m _i$, it can be derived from Equation 6 and Equation 8 that our sensitive attributes inference model $\phi _i$ is trained adversarially with the data transformation module by solving a min-max optimization as:

$\max _\theta \min _{\phi _i} \mathbb{E} _{P(X)P _\theta(X'|X)} [H(P(S _i|X),P _{\phi _i}(S _i|X'))],$

where $\phi _i$ is trained to narrow the gap between $P(S _i|X)$ and $P _{\phi _i}(S _i|X')$, while $\theta$ is trained to widen the gap between $P(S _i|X)$ and $P _{\phi _i}(S _i|X')$.

However, the objective of our min-max optimization is different from other adversarial learning methods. In adversarial training for adversarial robustness, the objective is the cross entropy between prediction and groun truth (Bai et al., 2021). In classical GAN (Goodfellow et al., 2014), the objective is the cross entropy loss of differentiating real and fake samples; in WGAN (Arjovski et al., 2017), the objective is the estimated Wasserstein distance between real and fake data distributions.

References:

• Bai, Tao, et al. "Recent advances in adversarial training for adversarial robustness." arXiv preprint arXiv:2102.01356 (2021).
• Goodfellow, Ian, et al. "Generative adversarial nets." Advances in neural information processing systems 27 (2014).
• Arjovsky, Martin, Soumith Chintala, and Léon Bottou. "Wasserstein generative adversarial networks." International conference on machine learning. PMLR, 2017.

Q2. For unannotated useful attribute, depending on the definition of the problem, the setting will be different from the other method...

A2. We thank the reviewer for pointing out this problem. We have revised the discussion in our revised manuscript to establish a fair and clear view on all baselines. For example, we changed the original term "overlook" to "do not consider".

Q3. Still, for those methods that are sharing exactly the same setting, e.g., GAP and MSDA, from technical frame design, what is the difference?..

A3. We thank the reviewer for the suggestion. The key difference of technical design between our method and GAP, MSDA is that, both GAP and MSDA utilize a heuristic MSE reconstruction loss for preserving unannotated useful attributes, which has inferior empirical performance, and can not be readily generalized to other datasets (e.g. language, etc.). On the other hand, the contrastive learning loss used in our method does not assume the distribution of $X, X'$, and therefore can be universally applied to images, language, sensor signals, etc, with few adjustments to yield good performance.

References:

• Huang, Chong, et al. "Generative adversarial privacy." arXiv preprint arXiv:1807.05306 (2018).

• Malekzadeh, Mohammad, et al. "Mobile sensor data anonymization." Proceedings of the international conference on internet of things design and implementation. 2019.

Q2. The paper proposes learning a data transformation instead of a representation but the codomain of the transformation is another seemingly incidental factor given that interpretability does not appear to be a major concern...

A2. This paper is targeted at learning a data transformation instead of a compact representation for the following reasons:

First, transformed data can deliver better reusability for the community. For example, users can utilize the transformed data for training generative models. For another case, users can develop their own possibly more generalizable feature extractors on the transformed data. Data reusability is crucial for the proliferation of Machine Learning community.

Second, transformed data can be readily used by pre-trained off-the-shelf models, whereas compact representations can only be used by models specially trained for them. To empirically support this claim, we ran an experiment of facial landmark detection on both the original and the transformed Adience datasets based on torchlm (https://github.com/DefTruth/torchlm), with the PIPNet (Jin et al., 2021) with ResNet18 backbone. This model generates 98 landmarks for each facial image. We then took the landmarks detected from the original images as the ground truth and evaluated the landmarks detected from the transformed images, using normalized mean error (NME) (Jin et al., 2021) as the quantitative metric. The results are shown in Table 3. We can observe that the NME between the transformed Adience and the original Adience is comparable to the NME between the original WLFW dataset (Wu et al., 2018) and the ground truth label, which suggests that the transformed dataset can be accurately exploited by a pre-trained model.

Table 3: The NME(%) of PIPNet between transformed Adience and original Adience, in comparison to the NME(%) of PIPNet between original WLFW dataset and ground truth label. The comparable performance showed that transformed Adience dataset can be accurately exploited by pre-trained PIPNet. On the contrary, compact representations would not be compatible with the pre-trained PIPNet.

References:

• Haibo Jin, Shengcai Liao, and Ling Shao. 2021. Pixel-in-Pixel Net: Towards Efficient Facial Landmark Detection in the Wild. Int. J. Comput. Vision 129, 12 (Dec 2021), 3174–3194. https://doi.org/10.1007/s11263-021-01521-4
• Wayne Wu, Chen Qian, Shuo Yang, Quan Wang, Yici Cai, Qiang Zhou. 2018 CVPR. Look at Boundary: A Boundary-Aware Face Alignment Algorithm

Q3. The mathematical formalism is confusing and, at times, unrigorous...

A3. We thank the reviewer for pointing out these problems. We adjusted the notations in our revised paper. Specifically, we use uppercase (e.g. $X,F$) for random variables and lowercase (e.g. $x,f$) for their realizations. We also changed the original function name $f$ to $\mathcal{F}$ to correct the notation collision.

Q4. While their meaning, as analogues of $X _p$ and $X _n$, respectively, can be easily inferred...

A4. We thank the reviewer for pointing out these problems. We included the definitions of $f _p$ and $f _n$ in the revised paper.

Q5. Why compute cross-entropy terms w.r.t. the estimates of $P(U _j|X)$ and $P(S _i|X)$ as opposed to simply using the (degenerate ground-truth distribution (the annotations) used in the fitting of those estimates?...

A5. We would like to point out that we did already use this degenerate distribution to compute cross entropy in our original manuscript, as stated in Section 3, Section 4.2 and Section 4.3. We updated the description in the revision for improved clarity.

Q1. The paper is limited in terms of novelty...

A1. Our key novelty lies in our proposal of utility preservation, especially for the unannotated attributes from an information theoretic perspective, as opposed to purely heuristic-driven methods.

Although similar ideas of preserving generic features and maximizing $I(X;X')$ can be found in the literature, these existing approaches have noticeable limitation in that they only preserve generic features by minimizing a heuristic reconstruction loss, which is limited in that, 1) it is oftentimes not general enough to be applied in different datasets as they might require different ways to measure the reconstruction loss, for example, MSE for image and Cross-entropy for language; and 2) its performance is not supported by information theoretic analysis.

For example, Madras et al. (2018) and Edwards et al. (2015) based their fair representation learning methods on an MSE reconstruction loss. Although they provided insightful and sound analyses on the fairness of the learned representation, they did not embed their reconstruction loss into a theoretical framework. In addition, Huang et al. (2019) and Malekzadeh et al. (2019) targeted similar tasks as ours, but resorted to a heuristic MSE reconstruction loss. On the contrary, in our work we proposed to approach the preservation of the generic features from an information theoretic point of view, and accordingly derived a contrastive learning-based framework.

Contrastive learning plays a vital role in our design because InfoNCE contrastive learning loss is not only a proper "reconstruction loss", but also a proper approximation to $I(F;X')$ (and $I(X;X')$), which is consistent with our problem definition. Besides, contrastive learning loss does not assume the distribution of $X, X'$. It can be universally applied to images, language, sensor signals, etc, with few adjustments. Another important merit of contrastive learning is its advanced empirical performance. We conducted an ablation experiment where we replaced the contrastive learning loss with MSE reconstruction loss (denoted as MaSS-MSE). The results are shown in Table 1 and Table 2. MaSS-NF means MaSS trained without unannotated useful attributes preservation. We can observe that the NAG (normalized accuracy gain) of digit is significantly lower without unannotated attribute preservation. We can also observe that MaSS achieved higher NAG on digit than MaSS-MSE, as well as lower NAG on other sensitive attributes, which demonstrate the strong empirical performance of contrastive learning loss compared to MSE reconstruction loss.

Table 1: Comparison of the classification accuracy and NAG between MaSS and ablations on AudioMNIST. We suppress gender, accent, age, ID, while preserve digit as if an unannotated attribute.

Table 2: Comparison of the classification accuracy and NAG between MaSS and ablations on MotionSense. We suppress gender, ID, while preserve activity as if unannotated useful attribute.

References:

• Madras, David, et al. "Learning adversarially fair and transferable representations." International Conference on Machine Learning. PMLR, 2018.
• Edwards, Harrison, and Amos Storkey. "Censoring representations with an adversary." arXiv preprint arXiv:1511.05897 (2015).
• Huang, Chong, et al. "Generative adversarial privacy." arXiv preprint arXiv:1807.05306 (2018).
• Malekzadeh, Mohammad, et al. "Mobile sensor data anonymization." Proceedings of the international conference on internet of things design and implementation. 2019.

Q6. The quality of the writing, in terms of clarity and structure, could generally do with improvement.

A6. We thank the reviewer for the suggestion. We have updated our manuscript to improve its clarity and structure.

Q7. Lack of ablation studies, such as those investigating the influence of the loss prefactor.

A7. Apart from the ablation we provided in Table 1 and 2 examining the unannotated attributes preservation module, we also conducted experiments to show the effect of varying the constraint on sensitive attributes suppression ($m$). We took gender, accent, age and ID as sensitive attributes and digit as an annotated useful attribute on the AudioMNIST dataset. We fixed $m=0$ for gender, accent and age and $n=2.3$ for digit (its maximal value). Then we varied $m$ for ID from $0$ to $1.46$ (its maximal value). The results are shown in Table 4. We can observe that as $m$ increases, the constraint is gradually loosened, which results in the gradually increasing accuracy and NAG for ID.

Table 4: Varying the suppression constraint $m$ on AudioMNIST. We suppress gender, accent, age, ID, while preserve digit as if an annotated useful attribute.

Q8. No discussion of the practical challenges entailed by adversarial infomin (vide Song and Shmatikov, 2021, for instance).

A8. We thank the reviewer for pointing out this related work. For both de-censoring and re-purposing mentioned in Song et al. (2020), they require the access to the trained black box feature extractor (or, equivalently, the data transformation module in our case). However, the objective of our work is to release the transformed data in order to unleash its utility without the risk of leaking its sensitive attributes, whereas the transformation module itself will not be released.

Reference:

• Song, Congzheng, and Vitaly Shmatikov. "Overlearning reveals sensitive attributes." arXiv preprint arXiv:1905.11742 (2019).