LEARNING PRIVATE REPRESENTATIONS WITH FOCAL ENTROPY

Abstract

How can we learn a representation with good predictive power while preserving user privacy? We present an adversarial representation learning method that sanitizes sensitive content from the representation. Specifically, we propose focal entropy, a variant of entropy embedded in an adversarial representation learning setting, to drive privacy sanitization. Focal entropy enforces maximum uncertainty, in terms of confusion, on the subset of privacy-related similar classes, separated from the dissimilar ones. As such, our proposed sanitization method yields deep sanitization of private features, yet is conceptually simple and empirically powerful. We showcase feasibility in terms of classification of facial attributes and identity on the CelebA dataset as well as on CIFAR-100. The results suggest that private components can be removed reliably.

1. INTRODUCTION

Lately, the topics of privacy and security have enjoyed increased interest in the machine learning community. This can largely be attributed to the success of big data in conjunction with deep learning and the urge to create and process ever-larger data sets for mining. However, with more and more machine learning services becoming part of our daily lives and making use of our data, special measures must be taken to protect privacy and decrease the risk of privacy creep Narayanan & Shmatikov (2006); Backstrom et al. (2007). Simultaneously, growing privacy concerns risk becoming a major deterrent to the widespread adoption of machine learning and the attainment of its concomitant benefits. Therefore, reliable and accurate privacy-preserving methodologies are needed, which is why the topic has lately enjoyed increased attention in the research community. Several efforts have been made in machine learning to develop algorithms that preserve user privacy while achieving reasonable predictive power.

Solutions proposed for privacy in the research community are versatile. A standard approach to address privacy issues in the client-server setup is to anonymize the clients' data. This is often achieved by directly obfuscating the private part(s) of the data and/or adding random noise to the raw data. Consequently, the noise level controls the trade-off between predictive quality and user privacy (e.g., data-level differential privacy, Dwork (2006)). These approaches associate a privacy budget with all operations on the dataset; however, complex training procedures run the risk of exhausting the budget before convergence. A recent solution to this problem is federated learning McMahan et al. (2016); Geyer et al. (2017), which allows collaboratively training a centralized model while keeping the training data decentralized. The idea behind this strategy is that clients transfer the parameters of the model being trained, in the form of gradient updates, to a server instead of the data itself. While such an approach is appealing for training a network on data hosted on different clients, transferring models between clients and server and averaging gradients across clients generates significant data transmission and extra computation, which considerably prolongs training.

Another widely adopted solution is to rely on an encoded data representation. Following this notion, instead of transferring the client's data, a feature representation is learned on the client's side and transferred to the server. Unfortunately, the learned features may still contain rich information that can breach user privacy Osia et al. (2017; 2018), and the extracted features can be exploited by an attacker to infer private attributes Salem et al. (2019). Yet another approach is homomorphic encryption Armknecht et al. (2015). Despite providing strong cryptographic guarantees in theory, it incurs considerable computational overhead, which still prevents its application to state-of-the-art deep learning architectures Srivastava et al. (2019).

In the common adversarial representation learning (ARL) formalization of privacy-preserving representation learning, a "predictor" seeks to extract the desired target attributes while an "adversary" seeks to reveal the private attributes. However, the solutions mentioned earlier can only meet their practical promises when the private attributes do not strongly correlate with the target attributes Roy & Boddeti (2019). In this paper, we deal with adversarial privacy-preserving representation learning in the setting where the sensitive and target attributes are, to a large extent, related to each other (e.g., 'Queen Elizabeth II' and 'wearing hat', or 'Mahatma Gandhi' and 'wearing eyeglasses'). The objective of this task is to learn a representation that contains all the information about the non-sensitive attributes while not encoding the sensitive ones. Such a representation can then be transmitted to the server; the goal is that no classifier of capacity equal to or higher than the adversarial proxy used during training can recover the private information from it. For that, we adopt an ARL procedure and propose to learn a representation which maximizes the likelihood of the target information (i.e., the attribute predictor) while increasing the uncertainty about the class each sample belongs to (i.e., the class adversary). With that, we tie the privacy notion to class-level information and sanitize the class-revealing information from the representation in a semantic-aware fashion. Specifically, we propose to learn the representation using the popular Variational Autoencoder (VAE) Kingma & Welling (2013), where the latent representation is additionally decomposed into two latent factors: target and residual. Whereas the target part encodes the information for the target task, the residual part identifies and collects the private part of the data. In order to sanitize the target representation, we leverage an ARL procedure.

There are two general strategies for ARL. The common solution for adversarial optimization is to maximize the loss of the adversary, i.e., to minimize the likelihood the adversary assigns to the true sensitive labels. However, this is practically sub-optimal from the perspective of preventing information leakage: if the optimization does not reach the equilibrium, the distribution associated with the minimum-likelihood solution is itself highly informative, since an output that confidently points away from the true label is far from uninformative (a sufficiently strong adversary can learn the mapping back to the true label from it). Another solution for adversarial optimization is to maximize the adversary's entropy by enforcing a uniform distribution over the sensitive labels Roy & Boddeti (2019); Sarhan et al. (2020). Such a solution provides no information to the adversary.
However, it has the risk of weakening the encoder, as it partially eliminates the adversary's role in the representation learning phase, and its guarantee is provably bound to the adversary's optimality. Fulfilling the necessary optimality conditions is impractical, hence we seek to relax optimality by leveraging a quasi-optimal objective. To this end, we propose to maximize a variant of entropy, focal entropy, for inter-class uncertainty maximization. Focal entropy forces the uncertainty to focus on a sparse set of similar classes and prevents the vast number of dissimilar classes from overwhelming the uncertainty. Maximizing focal entropy increases the uncertainty in a more organic, namely systematic and semantic-aware, fashion, and hence leads to a deeper privacy sanitization during the representation learning phase.

In summary, the main contributions of this paper are three-fold. First, we propose to learn privacy-preserving representations. Second, we introduce an ARL setting for this task by adding a novel entropy term to the VAE. Third, we demonstrate experimentally that our proposed method learns a semantically meaningful, privacy-preserving sanitized representation.

2. RELATED WORKS

The advantages of learning and transmitting representations instead of data have been investigated recently in many works; see Osia et al. (2017; 2018) and references therein. Nevertheless, such a representation has been shown to still contain some privacy-revealing information about clients. The recent success of adversarial learning in making representations fair Louizos et al. (2015), unbiased Madras et al. (2018), and controllably invariant to sensitive attributes Xie et al. (2017) has led to the increased adoption of Adversarial Representation Learning (ARL) to control the private information encapsulated within the representation Roy & Boddeti (2019); Sadeghi et al. (2019).

Much research has been conducted on protecting differential privacy Dwork et al. (2017); Dwork (2006); Ryoo et al. (2017); Abadi et al. (2016) at the data and parameter level, by anonymizing raw data directly or by incorporating a randomized mechanism into the learning process, respectively. Although successful, our method is fundamentally different from them, as we aim to learn a private representation instead of preserving privacy at the data or parameter level. While we do not consider their framework here, our method could employ differential privacy during the post-classifier training.
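The two adversary objectives contrasted in the introduction (minimizing the likelihood of the true sensitive label versus maximizing the adversary's entropy), worked through on a toy adversary output as an added example. This is not code from the paper. The subset-conditional entropy it computes is this example's own illustration of why uncertainty spread over many dissimilar classes can mask near-certainty among the few similar ones; it is not the paper's definition of focal entropy. The class count, the set of "similar" identities and the softmax vectors are all constructed.

```python
"""Toy comparison of adversary objectives for privacy sanitization (added example)."""
import math


def entropy(p):
    """Shannon entropy in nats of a probability vector (0 log 0 := 0)."""
    return -sum(x * math.log(x) for x in p if x > 0.0)


def leaked_info(p):
    """Information the adversary output still carries about the label,
    measured as the entropy gap to the uniform distribution, in nats.
    Zero means the output is uninformative; log K means fully determined."""
    return math.log(len(p)) - entropy(p)


def conditional_entropy(p, subset):
    """Entropy of p renormalised to the class indices in `subset`: how uncertain
    the adversary is *among* these classes once the others are ruled out.
    Assumed, illustrative measure; not the paper's focal entropy."""
    mass = sum(p[i] for i in subset)
    if mass == 0.0:
        return 0.0
    return entropy([p[i] / mass for i in subset])


def build_example(k=100, similar=(0, 1, 2, 3, 4), true_label=0):
    """Constructed adversary softmax outputs over k identity classes.
    Classes in `similar` are assumed to be the visually similar identities;
    every other class is dissimilar to the true one."""
    # (a) likelihood-minimising outcome: the encoder drove p[true] to ~0, but the
    #     adversary answers confidently on another class, so the output is far
    #     from uniform and an attacker can learn the mapping back to the label.
    peaked = [0.0] * k
    peaked[true_label] = 0.001
    peaked[7] = 0.999  # confident wrong answer on a dissimilar class
    # (b) the entropy-maximising ideal: uniform over all k classes.
    uniform = [1.0 / k] * k
    # (c) non-equilibrium outcome of entropy maximisation: mass is smeared over
    #     the 95 dissimilar classes, so total entropy is close to its maximum,
    #     yet within the similar set the true identity still dominates.
    smeared = [0.0] * k
    smeared[true_label] = 0.05
    for i in similar:
        if i != true_label:
            smeared[i] = 0.0001
    dissimilar = [i for i in range(k) if i not in similar]
    rest = 1.0 - sum(smeared)
    for i in dissimilar:
        smeared[i] = rest / len(dissimilar)
    return {"peaked": peaked, "uniform": uniform, "smeared": smeared}


def summarize(p, similar, true_label):
    """Global and similar-set-restricted leakage measures for one output."""
    mass = sum(p[i] for i in similar)
    return {
        "p_true": p[true_label],
        "entropy_frac": entropy(p) / math.log(len(p)),
        "leaked_nats": leaked_info(p),
        "cond_entropy_frac": conditional_entropy(p, similar) / math.log(len(similar)),
        "p_true_given_similar": p[true_label] / mass if mass else 0.0,
    }


if __name__ == "__main__":
    similar, y = (0, 1, 2, 3, 4), 0
    for name, p in build_example().items():
        s = summarize(p, similar, y)
        print(f"{name:8s} " + " ".join(f"{key}={val:.3f}" for key, val in s.items()))
```

Running the script prints, for each constructed adversary output, the probability of the true identity, the entropy as a fraction of its maximum log K, the entropy gap to uniform in nats, and the same two quantities restricted to the similar set. The likelihood-minimising output has near-zero entropy (maximally informative), the uniform output is uninformative by both measures, and the smeared output reaches about 98% of the maximum entropy yet assigns the true identity over 99% of the mass within the similar set. That last case is the leakage a plain entropy term can leave behind and that an objective concentrating the uncertainty on the similar classes is meant to penalise.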

