On the Alignment between Fairness and Accuracy: from the Perspective of Adversarial Robustness

We thank the reviewer for the detailed comments.

[Theoretical Contribution and Insights]

Our discussion is not focused on designing novel attack schemes, as this has been extensively covered in the existing literature. Instead, our goal is to identify efficient defense strategies against fairness attacks, which has not been adequately addressed in existing work.

Our results contradict existing studies that suggest a trade-off between fairness and adversarial robustness. For example, [1] observes that in linear classifiers, a fairer model can be more vulnerable to accuracy attacks compared to a baseline model. Similarly, [2] empirically finds that reliance on sensitive information (i.e., exacerbating group-wise disparities) can enhance adversarial robustness. These observations suggest that adversarial training alone may be sufficient to improve fairness robustness. However, our analysis indicates that when designing defense strategies against fairness attacks, both static fairness and adversarial robustness shall be taken into account. This conclusion is supported by both our theoretical insights and empirical results under fairness attacks.

[Applicability of Theoretical Results]

As discussed in Section 5 of the main paper, the two assumptions we adopt align with those used in existing work and are introduced to facilitate our analysis. Although they may lead to slightly looser bounds, our analysis in Appendix I and the visualization results below validate the effectiveness of our theoretical framework in quantifying the alignment between fairness robustness and accuracy robustness. While the theoretical bounds differ from real-world values, they exhibit similar trends and preserve the relative ordering, where smaller upper-bounds correspond to smaller real-world values.

[Formulation of the DP Attack]

Since DP is defined by the difference in positive prediction rates, maximizing DP under a given perturbation level is most efficiently achieved by increasing one group's rate while decreasing the other's. In contrast, increasing the positive prediction rates for both groups does not align with the objective of maximizing disparity.

[Visualization of Theoretical Bounds]

Thank you for the suggestion. We show DP and EOd, as well as their theoretical bounds under varying levels of fairness attacks on CelebA dataset in the following link:

https://drive.google.com/file/d/1nR1o4IHUOxFAhNc0AvLac2e9L1ehFYvD/view?usp=sharing

We 'll include full results in the revised paper.

[Setting of Adversarial Attacks]

We refer to Sec. A of the appendix for the detailed setup.

[Misalignment between Experimental Results and Analysis]

We apologize for the confusion. The labels for "baseline" and "adversarial training (fairness)" in Fig. 3 are swapped. Specifically, "baseline" should be labeled as "adversarial training (fairness)," and "adversarial training (fairness)" should be labeled as "baseline." We 'll correct the mislabeling in the revised paper.

[Performance Differences in Figure 2 and 4]

The performance differences between the baseline, vanilla adversarial training and our method validate our analysis in Theorem 5.5 of the main paper. Our analysis demonstrates that to achieve smaller changes in group-wise disparities under a fairness attack, it is essential to consider both static fairness and accuracy robustness; focusing on only one does not guarantee low fairness violations. In contrast, our method jointly addresses both aspects, resulting in lower fairness violations compared with other methods.

[Generalization to Other Metrics]

Our formulation can be generalized to alternative fairness notions as it aims to maximize disparities in predictions between groups. The two metrics we focus on have been shown to be conflicting under varying base rates [3], but by maximizing DP, we also maximize EOd. We show results of two alternative metrics, predictive equality (PE) [3] and positive class balance (PCB) [4] on CelebA dataset under the perturbation level $\epsilon=0.15$ in the following link:

https://drive.google.com/file/d/1CS41yfL4YwBwYakPQVQVtxDqoLX-e4xn/view?usp=sharing

The DP attack effectively maximizes PE and PCB on the baseline, while our method maintains lower values for both metrics, validating the generalizability of our formulation and our defense framework.

[1] Tran, Cuong, et al. "Fairness increases adversarial vulnerability." arXiv preprint arXiv:2211.11835 (2022).

[2] Moayeri, Mazda, Kiarash Banihashem, and Soheil Feizi. "Explicit tradeoffs between adversarial and natural distributional robustness." Advances in Neural Information Processing Systems 35 (2022): 38761-38774.

[3] Chouldechova, Alexandra. "Fair prediction with disparate impact: A study of bias in recidivism prediction instruments." Big data 5.2 (2017): 153-163.

[4] Kleinberg, Jon, Sendhil Mullainathan, and Manish Raghavan. "Inherent trade-offs in the fair determination of risk scores." arXiv preprint arXiv:1609.05807 (2016).

We thank the reviewer for the detailed comments.

[W1: Extension to Non-Binary Classification]

Our method can be readily extended to multi-class scenarios by simply replacing $L_{\text{CE}}$ and the fairness constraint $L$ with their respective multi-class formulations. We show results in the following table on Drug dataset [1] to validate the extension, where the perturbation level is chosen as $0.1$:

Our method (last three rows) achieves remarkably better performance under the fairness attack, validating the extensibility to non-binary tasks.

[W2: Theoretical Analysis]

We may clarify that our analysis is not limited to fully successful attacks. Under a successful DP attack, we have $f(x) < 0.5$ for samples in the disadvantaged group $\mathbb{S}\_{.0}$, and $f(x) \geq 0.5$ for samples in the advantaged group $\mathbb{S}\_{.1}$. Consequently, we have

$

\text{EOd} = &\left|\frac{\sum_{x \in \mathbb{S}_{10}} \mathbb{1}[f(x) \geq 0.5]}{|\mathbb{S}_{10}|} - \sum_{x \in \mathbb{S}_{11}} \frac{\mathbb{1}[f(x) \geq 0.5]}{|\mathbb{S}_{11}|}\right| \ &+ \left|\sum_{x \in \mathbb{S}_{00}} \frac{\mathbb{1}[f(x) < 0.5]}{|\mathbb{S}_{00}|} - \sum_{x \in \mathbb{S}_{01}} \frac{\mathbb{1}[f(x) < 0.5]}{|\mathbb{S}_{01}|}\right| \ & =2,

$

which indicates that a successful DP attack implies a successful EOd attack. However, the converse does not hold true, as discussed in the counterexample of Appendix D. Furthermore, our analysis in Sec. 5 of the main paper on the alignment between fairness robustness and accuracy robustness does not rely on additional assumptions about the attacks. The discussion on fully successful attacks is included solely to illustrate this relationship.

[W3: Fairness Metrics]

We are sorry for the confusion. The results we reported are calculated based on 0-1 fairness metrics, rather than the relaxed version. We 'll clarify the choice in the revised paper.

[W4: Optimization of Algorithm 2]

The relaxed fairness constraint is optimized over each mini-batch. Since the mini-batches are randomly constructed from the training data, as long as the batch size is not excessively small, $L_{\text{DI}}$ can be reliably estimated and optimized using only mini-batches.

[R1: Algorithm Presentation]

Thank you for the suggestion. We 'll include the details of the fairness interventions in Algorithm 1 and 3 in the revised paper. The preprocessing method [2] reweighs each training sample to balance the class distributions within each sensitive group, while the post-processing method by [3] adjusts the decision threshold for each group based on approximated logit distributions.

[R2: Projection Operator]

Our formulation primarily follows the conventional formalism [4]. We 'll include more explanations in the revised paper to avoid confusion.

[R3&4: Notations]

We are sorry for the confusion. $L\_{\text{DI}}$ should be $L\_{\text{DP}}$. Since $\delta^{\text{fair}}\_{\text{sub,a}}$ is defined as the change in $L\_{\text{CE}}$ before and after the fairness attack, we slightly abuse the notation here, as we focus on the DP attack as the fairness attack.

[R5: Assumption 5.2]

By "bound of a distribution" we refer to the supremum of function values of a distribution, i.e.,

$$\max_{x} p(x),$$

where $p$ is the probability density function (PDF) of the distribution.

[R6: Clarification of Theroem 5.3]

As discussed in Sec. 5 (line 272-274) of the main paper, the fairness robustness of $x_{\text{FN},0}$ naturally aligns with the accuracy robustness of $x_{\text{FN},0}$ since the fairness attacks and accuracy attacks are identical regarding $x_{\text{FN},0}$. Consequently, $x_{\text{FN},0}$ is naturallly bounded under adversarial training. Therefore, our discussion in Theroem 5.3 focuses on $x_{\text{FN},1}$, where the fairness attack diverges from the accuracy attack.

[1] Fehrman, E., Egan, V., & Mirkes, E. (2015). Drug Consumption (Quantified) [Dataset]. UCI Machine Learning Repository. https://doi.org/10.24432/C5TC7S.

[2] Yu, Zhe, Joymallya Chakraborty, and Tim Menzies. "FairBalance: How to Achieve Equalized Odds With Data Pre-processing." IEEE Transactions on Software Engineering (2024).

[3] Jang, Taeuk, Pengyi Shi, and Xiaoqian Wang. "Group-aware threshold adaptation for fair classification." Proceedings of the AAAI Conference on Artificial Intelligence. Vol. 36. No. 6. 2022.

[4] Madry, Aleksander, et al. "Towards deep learning models resistant to adversarial attacks." arXiv preprint arXiv:1706.06083 (2017).

We thank the reviewer for the detailed comments. We will carefully refine the writing and include tables of notations in the revised paper to enhance readability. We include a short list of notations in the following table:

[W1: Clarification of Adversarial Perturbation]

Regarding the fairness attack, while the adversarial objective is formulated at the group level, the perturbations are applied to individual input samples rather than directly modifying sensitive attributes. Similar to how labels guide perturbation directions in the accuracy attack, sensitive attributes are used solely to determine the perturbation directions in the fairness attack. Specifically, the fairness attack shifts samples from the advantaged group toward the subspace of positive predictions, while pushing samples from the disadvantaged group toward the subspace of negative predictions.

We thank the reviewer for the detailed comments.

[W1: Clarification of Threat Model]

In our threat model, we assume that the adversarial has full access to the parameters of the target model. The adversarial manipulation is performed at the input level, subject to a maximum perturbation level $\epsilon$. The fairness attacks aim to maximize group-wise disparities on the testing data, quantified by metrics including Demographic Parity (DP) and Equalized Odds (EOd), while the accuracy attacks are designed to maximize the classification error on the testing data. We 'll include the description in the revised paper.

[W2: Computational Trade-Off]

We include the training time of our proposed framework relative to vanilla adversarial training in the following table, where the fairness intervention is chosen as in-processing [1]:

Our method leads to relatively small increase in the training time compared with vanilla adversarial training, and therefore leads to a reasonable computational trade-off.

[W3: Practical Applicability]

As shown in Eq. 6, our method does not require additional assumptions about the model architecture, fairness interventions, or adversarial training techniques. Consequently, it can be seamlessly integrated into the training process of fair models by simply replacing clean samples with adversarial ones.

[1] Wang, Jialu, Xin Eric Wang, and Yang Liu. "Understanding instance-level impact of fairness constraints." International Conference on Machine Learning. PMLR, 2022.