Privacy Preserving Generative Feature Transformation

Thank you for acknowledging the importance of our motivation, the validity of our approach, the clarity of our figures, and the solid techniques and diverse experiments presented in our work.

---

W1.1: Why Maximizing the Mutual Information Lower Bound Rather Than Itself

Maximizing the lower bound of mutual information is a standard approach in machine learning and information theory [1-3]. Directly computing mutual information (MI) is often computationally intractable or statistically challenging, particularly in high-dimensional or continuous settings. By leveraging a lower bound, we achieve a tractable and effective optimization strategy while maintaining theoretical rigor.

---

W1.2 & Q2: Explaining Step (c) of Equation 3

Thank you for pointing out the typo. Our textual description is correct, but the equation had a typo. We have revised the formula as follows:

$$\begin{aligned} \mathbb{I}(F_{i}; y) & \overset{(a)}{=} H(F_{i}) - H(F_{i}|y) \overset{(b)}{\geq} -H(F_{i}|y) \overset{(c)}{=} \sum p(F_{i}, y) \log{(p(F_{i}|y))} \\ & \overset{(d)}{\geq} \log{(p(F_{i}|y))} \overset{(e)}{=} \log{(\phi(\mathcal{D}(F_{i})))} \overset{(f)}{\geq} \log{(\phi(\mathcal{D}(F_{i})))} - \log{(\phi(\mathcal{D}(F_{i-1})))}, \end{aligned}$$

---

W2: Explaining Why Experimental Comparisons Are Fair

Our optimization is based on constrained optimization. When comparing our method with baseline methods, we optimize both our methods and baselines to achieve the best predictive accuracy for a downstream task (e.g., heart attack risk prediction). Then, we report the privacy protection effectiveness of our method and baselines under the maximum downstream task predictive accuracy. Therefore, our comparisons are fair.

---

Q1: Why Not Using Differential Privacy as an Evaluation Criterion

Differential privacy (DP) typically requires introducing randomness (e.g., noise injection, perturbation) into the transformation process to ensure that even minor changes to the input do not significantly alter the output distribution.

Our and other baseline feature transformation processes do not rely on noise injection, making them incompatible with direct evaluation via a DP budget $\epsilon$.

Instead, we use Attribute Inference Attacks [4-6] to empirically assess privacy leakage. Specifically:

• Non-sensitive features from the transformed dataset are used to predict sensitive features.
• The model’s prediction performance on the test set serves as a measure of privacy leakage.

---

Q3: What Exactly is $v$? How $\Psi_{pe}$ is Trained

The variable $v$ represents the accuracy of a downstream model on a test set, used to evaluate the performance of a given feature space.

During knowledge collection, $v$ is recorded for each feature space. In training, $\Psi_{pe}$, a simple MLP, predicts the downstream performance $\hat{v}$ using the latent space representation.

The loss for optimizing $\Psi_{pe}$ is the MSE between the true performance $v$ and the predicted performance $\hat{v}$.

---

Q4: In Line 128: "Minimization" Should Be Changed to "Maximization"

Thank you for pointing out the typo. We have corrected the text to change "minimization" to "maximization" as intended.

---

References

[1] Barber, David, and Felix Agakov. "The im algorithm: a variational approach to information maximization." Advances in neural information processing systems 16.320 (2004): 201.
[2] Oord, Aaron van den, Yazhe Li, and Oriol Vinyals. "Representation learning with contrastive predictive coding." arXiv preprint arXiv:1807.03748 (2018).
[3] Tschannen, Michael, et al. "On mutual information maximization for representation learning." arXiv preprint arXiv:1907.13625 (2019).
[4] Fredrikson, Matt, Somesh Jha, and Thomas Ristenpart. "Model inversion attacks that exploit confidence information and basic countermeasures." Proceedings of the 22nd ACM SIGSAC conference on computer and communications security. 2015.
[5] Yeom, Samuel, et al. "Privacy risk in machine learning: Analyzing the connection to overfitting." 2018 IEEE 31st computer security foundations symposium (CSF). IEEE, 2018.
[6] Zhao, Benjamin Zi Hao, et al. "On the (in) feasibility of attribute inference attacks on machine learning models." 2021 IEEE European Symposium on Security and Privacy (EuroS&P). IEEE, 2021.

Thank you for acknowledging that the idea is valuable, the explanations are clear, the details are sufficient, and the experiments are comprehensive.

W1: Adding Background of Reinforcement Learning & Q1: DQN Structure

The task of Section 3.2.1 is to collect training data of transformed feature sets (e.g., transformed patient table data), corresponding predictive performance (e.g., RMSE of heart attack risk regression), and corresponding privacy exposure risk (e.g., HSIC between gender/race and non-sensitive features).

Training data collection can be manually collected by students/volunteers. However, since the possibilities of combinations of feature transformation are large, instead of manual collection, we use reinforcement learning agents to explore various transformed feature sets and test corresponding predictive performance and privacy exposure risk for us. This is why we call RL a training data collector.

DQN is one of the most famous value learning-based RL methods for discrete actions. We use the widely used classic DQN structure by using a simple vanilla neural network as the state-action value estimation function. The role of DQN is to explore and collect training data to learn privacy-aware feature transformation.

As stated in the paper, we employ a standard DQN structure without additional modifications. This simplicity ensures the interpretability and reproducibility of our approach.

---

W2: Place the Related Work Section Earlier in the Paper

In our offline revised version, we have moved RELATED WORK to Section 2.

---

Q2: The X-Axis Representation in Figure 5

Figure 5 shows the correlation between HSIC scores and Sensitivity (how accurately we can use a model to infer sensitive features with a model on a transformed feature set) over a series of transformed feature sets explored by reinforcement learning agents.

Thus, the X-axis represents the index of a series of transformed feature sets explored by RL, for instance:

• Transformed feature set #1
• Transformed feature set #2
• Transformed feature set #3
  ...

---

Q3: Identification and Evaluation of Sensitive Features

1. In our experiments, for instance, sensitive features are gender and race.

2. We didn’t identify which features are sensitive. Since we know the names (e.g., gender and race) of features, we directly predefine gender and race as sensitive features.

3. Since we predefined which features are sensitive, we didn’t need to detect sensitive features.

4. Our focused task is to evaluate how our transformed feature set can improve prediction accuracy while avoiding sensitive features from being inferred, instead of identifying or detecting sensitive features.

Thank you for acknowledging the importance of our problem and the extensiveness of our experiments.

W1 & Q1 & Q2: How to Ensure Privacy and Address Worst-Case Privacy Leakage

• Measurement:
  We employed the information bottleneck, a theoretically proven principle, to ensure that in a dataset, label information is preserved while private information is filtered out.

• Objective Functions and Constrained Optimization:
  Our objective function maximizes downstream task predictive accuracy while minimizing privacy exposure risk. We solve this as a constrained optimization problem, providing a clear and tangible approach to identify a feasible optimal solution.

• Experiments:
  We developed comprehensive experiments to examine various aspects (performance, privacy protection, cost, rationality, etc.) of our method. Our framework demonstrates strong empirical performance in mitigating privacy risks across diverse datasets.

---

W2: Definition of SF in Evaluating Indicators

We have defined “SF” in Section 4.1.2. SF is a loss measure for inferring sensitive features:

• For classification tasks, SF is $1 - \text{F1 score}$.
• For regression tasks, SF is Relative Absolute Error (RAE).

Thus, when SF is large, the downstream model fails to infer sensitive attributes, meaning less privacy is exposed.

DT is an accuracy measure for predicting downstream tasks. The larger the DT value, the better the performance of our solution.

To evaluate both the performance of inferring sensitive features and predicting downstream tasks, we use the Avg metric, which considers the trade-offs between utility (DT) and privacy protection (SF).

---

Q1: Doubts About the Role of $\Psi_{pr}$

Thanks for pointing out the typo. We have fixed Eq(9) as follows:

$$\begin{aligned} & \hat{E_p} = E_p + \eta \frac{\partial \Psi_{pe}}{\partial E_p} \\ & \text{s.t.} \quad \Psi_{pr}(\hat{E_p}; s) \leq \Psi_{pr}(\hat{E_p}^{\text{min}}; s), \end{aligned}$$

This correction ensures that the representation aligns with the intended objective.

Thank you for acknowledging the interesting formulation and the reasonable objective function design.

W1.1: Clarity of Problem Formulation

Our AI task is privacy-aware feature transformation. Our task is to transform a given feature set into a new feature set, such that:

1. we can use the transformed feature set to improve predictive accuracy;
2. we cannot use the transformed feature set to infer sensitive features.

---

W1.2: Experiments in Appendix E Should Be Moved to the Main Text

Thanks for highlighting the importance of Appendix E. Due to space limits, the experimental motivation example is moved to Appendix E.

---

W2: Figure 7 that downstream task performance w/o sensitive features is close to the now w sensitive features

This experiment (Line 916-950) is to demonstrate the strengths of privacy-aware feature transformation formulation:

1. our formulation (i.e., using transformed data) can not just leverage sensitive features to improve predictive accuracy, but also protect sensitive features from being inferred.
2. Whereas, there are two weaknesses of direct sensitive feature deletion:
   1. although deleted, sensitive features can be inferred by non-sensitive features;
   2. direct sensitive features deletion can degrade the predictive power of a feature set.

---

W3: Problem Statement Clarification and Real Application Scenario

With a data mining academic background, our problem statement is clear for the following reasons:

1. Feature transformation is to transform a given feature set to a new feature set.
2. The original feature set refers to the given, old features of a table before transformation.
3. The new feature set refers to the transformed, new features of the table after transformation.
4. $A_{pe}$ is the model that predicts a downstream task (e.g., yes-no binary classification of heart disease).
5. $A_{pr}$ is the model that infers sensitive features using non-sensitive features.

Considering heart attack risk regression, given the tabular data of patients with the sensitive features such as race and gender, the privacy-aware feature transformation is to transform the feature set of this tabular data into a new feature set, so that:

1. we maximize regression accuracy of heart attack risks;
2. we minimize the risk of using transformed features to infer race and gender.