PASS: Private Attributes Protection with Stochastic Data Substitution

Q1. The paper overlooks memory requirements for storing substitute datasets and embeddings, particularly problematic for high-dimensional data applications.

A1. Thanks for your question! Importantly, the substitution dataset itself does not need to be loaded into memory during inference. Instead, we only need to load the corresponding embeddings into memory to calculate the substitution probability $P_\theta(X'|X)$. which greatly reduces memory usage.

Furthermore, as demonstrated in the ablation study on substitution dataset size (Appendix F.1, Table 10), PASS maintains consistently strong performance across a wide range of substitution dataset sizes. This flexibility allows users to adapt the size of the substitution dataset based on their available storage and memory. For instance, if a user has limited secondary storage to store the substitution dataset, or limited memory to load its embeddings, then they can opt to use a smaller substitution dataset without substantial loss in performance.

In addition, users can further control memory usage by adjusting the dimension of the embeddings. Users with limited memory can reduce the embedding dimension to fit their resource constraints.

These characteristics allow PASS to be adapted to different hardware settings without compromising its core functionality.

Q2. Critical visualizations comparing original and substituted samples are missing, which would better demonstrate the method's effectiveness.

A2. Thanks for the insightful suggestion! We will visualize the original and the substituted samples in our revised paper to help readers understand PASS's behavior and showcase PASS's effectiveness.

Q3. The substitute dataset construction relies on random sampling without justification or exploration of more optimal selection strategies.

A3. Thanks for the thoughtful question! To better understand how the choice of substitution dataset affects PASS’s performance, we conducted a new ablation study on the AudioMNIST dataset. In this study, we constructed multiple substitution datasets with varying attribute distributions:

1. For the sensitive attribute "gender", we varied its distribution from "90% Male / 10% Female" to "10% Male / 90% Female".

2. For the useful attribute "digit", we varied its distribution from uniform distribution "10% 0-9" to a highly skewed distribution "50% 0 / 5.6% 1-9".

The results, shown in Table A below, demonstrate that PASS consistently maintains high performance across all these different substitution dataset configurations, even under highly imbalanced conditions. This ablation study provides empirical evidence that the specific selection of the substitution dataset has a limited impact on PASS's overall performance. Consequently, it may justify that a simple random sampling strategy is sufficient to construct an effective substitution dataset and achieve strong PASS performance.

That said, we agree that there may still be room to further enhance PASS's effectiveness with more advanced substitution dataset selection strategies. We plan to explore this direction in our future work.

Table A. Ablation study on the distribution of substitution dataset. The other settings are the same as Table 2. Results are averaged over 3 random seeds (STD is omitted to save space).

Q1: "...apply the "unfinetuned" classifier metric to other datasets..."

A1: Thanks for the suggestion! We applied the "NAG-unfinetuned" metric to the useful attributes in the AudioMNIST and CelebA datasets for consistency. The results are shown in Tables A and B, respectively. For unfinetuned classifiers, PASS still offers the best balance between privacy protection and utility preservation. This is due to our loss function, which encourages replacing each sample with others sharing the same useful attributes. That said, we acknowledge that fine-tuning downstream classifiers can further improve performance, and we plan to explicitly explore adapting PASS to better suit unfinetuned classifiers in future work.

Table A. Comparison with baselines, using "NAG-unfinetuned" metric on useful attributes. The settings are the same as Table 2. NAG on the private attribute "gender" is also presented for reference. Results are averaged over 3 random seeds (STD is omitted to save space).

Table B. Comparison with baselines, using "NAG-unfinetuned" metric on useful attributes. The settings are the same as Table 5. NAG on the private attribute "Male" is also presented for reference. Results are averaged over 3 random seeds (STD is omitted to save space).

Q2. "...guidance on selecting optimal hyperparameters ($\lambda$, $\mu$)..."

A2. To guide the selection of $\lambda$ and $\mu$, we conducted the following ablation studies. For $\lambda$, the results in Table C below show that PASS consistently achieves near-0 NAG on private attribute and stable overall performance across a wide range of values. Thus, we recommend the users to simply fix $\lambda=N/M$ without extensive tuning, where $N$ and $M$ are numbers of useful and private attributes, respectively. This choice is used throughout this paper. For $\mu$, results in Appendix F.1 Table 9 show that increasing $\mu$ enhances general feature preservation but may slightly reduce useful attribute preservation. Importantly, privacy protection remains strong across all $\mu$. Therefore, we suggest that $\mu$ can be flexibly adjusted based on the relative importance of general features in users' specific tasks, without compromising privacy protection.

Table C. Ablation study on $\lambda$. The other settings are the same as Table 2. Results are averaged over 3 random seeds (STD is omitted to save space).

Q3. "...direct benchmarks against modern DP methods (e.g., DP-SGD)..."

A3. We compared PASS with four additional DP-based baselines: Laplace Mechanism (Additive Noise) [1], DPPix [2], Snow [3], and DP-Image [4]. Due to space limitations, the results are presented in Table A in our response to Reviewer RCzr above. These methods show limited effectiveness on the Private Attribute Protection task because they are designed to prevent inference of membership from obfuscated samples, which is not fully aligned with our objective of preventing inference of specific private attributes from obfuscated samples while preserving the utility.

In contrast, DP-SGD [5] aims to protect against membership inference from a model’s trained parameters, which is orthogonal to our goal—PASS focuses on preventing private attributes inference from obfuscated samples. Therefore, DP-SGD is not directly comparable to PASS, but could potentially be combined with PASS to provide more comprehensive privacy protection.

References [1-4] are shown in our response A3 to Reviewer RCzr due to space limitations.

[5]: Abadi, Martin, et al. "Deep learning with differential privacy." Proceedings of the 2016 ACM SIGSAC conference on computer and communications security. 2016.

Q4. "Discussing potential limitations... particularly in high-dimensional or highly imbalanced data..."

A4. Thanks for the suggestion! While we have demonstrated PASS's effectiveness on moderately high-dimensional data (e.g., 3×160×160 images in CelebA) and imbalanced datasets (e.g., 80% Male / 20% Female for "gender" in AudioMNIST), we acknowledge that handling even higher-dimensional or more imbalanced data may demand PASS to learn more representative features per sample, posing intrivial challenges to PASS's robustness and scalability.

Q1: "The experiments consider only a single private attribute per dataset, despite multiple useful attributes being present. Evaluating the method with multiple private attributes would strengthen the analysis."

A1: Thanks for your question. This paper included experiments with multiple private attributes to demonstrate PASS’s scalability.

• In Table 3, we experimented with up to 4 private attributes: "gender", "accent", "age", and "ID", on the AudioMNIST dataset.
• In Tables 4 and 13, we experimented with 2 private attributes: "gender" and "ID", on the MotionSense dataset.
• In Table 16, we experimented with up to 5 private attributes: "Male", "Smiling", "Young", "Attractive", and "Mouth_Slightly_Open", on the CelebA dataset.

Across all settings, PASS consistently delivered a strong performance, highlighting its ability to scale to varying numbers and combinations of private attributes. Please see Sections 5.2, 5.3, Appendices F.2 and F.3 for details.

Q2: "The NAG metric lacks a clear explanation. More details are needed on its computation, particularly how Acc_guessing is derived."

A2: Thanks for pointing this out. We will include a more detailed explanation of NAG below as an extension to Section 5.1. NAG, proposed by Chen et al. [1], is a metric for evaluating Private Attribute Protection methods. For private attribute $S_i$, the NAG is defined as

$$NAG(S_i) = \max\left(0,\frac{Acc(S_i) - Acc_\text{guessing}(S_i)}{Acc_\text{no-suppr.}(S_i) - Acc_\text{guessing}(S_i)}\right),$$

where

• $Acc(S_i)$ is the accuracy of a classifier trained to classify $S_i$ from the substituted sample $X'$.
• $Acc_\text{guessing}(S_i)$ is the accuracy of a majority classifier (a classifier that always predicts the most frequent class regardless of the input, i.e., a poor classifier that can only "guess"), which in most cases represents the lower bound performance of $Acc(S_i)$.
• $Acc_\text{no-suppr.}(S_i)$ is the classification accuracy of a classifier trained to classify $S_i$ from the original data $X$, which in most cases represents the upper bound performance of $Acc(S_i)$.

By normalizing $Acc(S_i)$ between the lower bound ($Acc_\text{guessing}(S_i)$) and the upper bound ($Acc_\text{no-suppr.}(S_i)$), we ensure that NAG is on a consistent scale across all attributes, regardless of whether an attribute is balanced or imbalanced, or whether it is easy or difficult to predict. As a result, NAG provides a fair and reliable measure of how well each private attribute is suppressed or preserved. This makes it a suitable and consistent metric for comparing the effectiveness of different Private Attribute Protection methods. We will include this detailed description of NAG in our revised paper.

[1]: Chen, Yizhuo, et al. "MaSS: multi-attribute selective suppression for utility-preserving data transformation from an information-theoretic perspective." Proceedings of the 41st International Conference on Machine Learning. 2024.

Q3: "What happens when we use other attributes like age is used as private?"

A3: Thanks for your question. This paper included experiments using "age" as a private attribute on the AudioMNIST dataset, as shown in Section 5.2, Table 3. Similarly, we experimented with "Young" as a private attribute on the CelebA dataset, detailed in Appendix F.2, Table 16. In both cases, PASS demonstrated a robust ability to suppress the private attribute "age" or "Young", while effectively preserving other useful attributes.

Throughout the paper, we have evaluated PASS on a wide range of private attributes, including "gender", "accent", "age", "ID", "Male", "Smiling", "Young", "Attractive", and "Mouth_Slightly_Open". Across all these scenarios, PASS consistently achieved strong performance, reinforcing its broad applicability and versatility in handling diverse Private Attribute Protection tasks.

Q1: "Embedding function $g(x')$."

A1: Thanks for pointing it out! Our embedding function $g(x')$ is implemented as an embedding layer with trainable parameters (e.g., like the embedding layer in language models). We will update it as $g_\psi(x')$ to indicate its associated parameters clearly.

Q2: "Sample replacement vs. NN training."

A2: We do not need to perform "sample replacement" during training. Because our novel loss function (Equation 3) can be calculated with solely the substitution probability $P_\theta(X'|X)$, represented as a matrix for each batch, reducing training computation costs.

Q3: "The paper should also compare with other general defenses, such as DP..."

A3: Theoretically, as shown in Appendix B, PASS can be viewed as a Local DP method—specifically, a generalized form of Randomized Response with desirable DP properties.

Experimentally, as suggested by the Reviewer, we further compared PASS with 4 additional DP-based baselines: Laplace Mechanism (Additive Noise) [1], DPPix [2], Snow [3], and DP-Image [4]. As shown in Table A below, these DP methods exhibit limited performance in the Private Attribute Protection task, because they focus on preventing the inference of membership from obfuscated samples, which is not fully aligned with our objective of preventing inference of specific private attributes while preserving utility.

Table A. Comparison with DP-based baselines. The other settings are the same as Table 5. Results are averaged over 3 random seeds (STD is omitted to save space).

[1]: Dwork et al. "Calibrating noise to sensitivity in private data analysis." Theory of Cryptography: Third Theory of Cryptography Conference, TCC. 2006.

[2]: Fan, Liyue. "Image pixelization with differential privacy." IFIP Annual Conference on Data and Applications Security and Privacy. 2018.

[3]: John et al. "Let it snow: Adding pixel noise to protect the user’s identity." ACM Symposium on Eye Tracking Research and Applications. 2020.

[4]: Xue et al. "Dp-image: Differential privacy for image data in feature space." arXiv preprint. 2021.

Q4: "...include comprehensive evaluations on key impacting factors. For example, the distribution and quantity of a substitution dataset..."

A4: Thanks for the suggestion! Below, we demonstrate PASS's strong stability across varying quantities and distributions of substitution datasets. First, an ablation study on substitution dataset quantity (Appendix F.1, Table 10) shows that PASS maintains high performance across a wide range of substitution dataset sizes (1024 to 24,000). Second, we conducted a new ablation study on the distribution of the substitution dataset on AudioMNIST, where we varied the distribution of:

1. the sensitive attribute "gender", from "90% Male / 10% Female" to "10% Male / 90% Female".
2. the useful attribute "digit" from "10% 0-9" to "50% 0 / 5.6% 1-9".

As shown in Table B, PASS achieved consistently high performance, even on highly skewed distributions.

Table B. Ablation study on the distribution of substitution dataset. The other settings are the same as Table 2. Results are averaged over 3 random seeds (STD is omitted to save space).

Q5: "...the method may be difficult to scale on features..."

A5: All baseline state-of-the-art Private Attribute Protection methods in this paper require retraining when private attributes change. In comparison, PASS has a lower training cost than them, as its loss can be computed without actual sample replacement (please see A2 and the last paragraph of Section 4.1 for more details).

Furthermore, PASS is designed with scalability in mind, as it supports any number of private and useful attributes without substantially increasing computational cost.

In addition, although some DP-based methods do not require retraining, their focus on general membership protection unavoidably limits their effectiveness on the Private Attributes Protection task, as shown in A3 above.