

Abstract

Cloud-based machine learning inference is an emerging paradigm where users share their data with a service provider. Due to increased concerns over data privacy, recent works have proposed using Adversarial Representation Learning (ARL) to learn a privacy-preserving encoding of sensitive user data before it is shared with an untrusted service provider. Traditionally, the privacy of these encodings is evaluated empirically, as they lack formal guarantees. In this work, we develop a new framework that provides formal privacy guarantees for an arbitrarily trained neural network by linking its local Lipschitz constant with its local sensitivity. To utilize local sensitivity for guaranteeing privacy, we extend the Propose-Test-Release (PTR) framework to make it tractable for neural-network-based queries. We verify the efficacy of our framework experimentally on real-world datasets and elucidate the role of ARL in improving the privacy-utility tradeoff.

1. INTRODUCTION

The ethical and regulatory concerns around data privacy have become increasingly important with the adoption of machine learning (ML) across various sectors such as health, finance, and mobility. Although training ML models privately has seen tremendous progress (Abadi et al. (2016); Papernot et al. (2016); Du et al. (2021); Jordon et al. (2018)) in the last few years, protecting privacy during the inference phase remains a challenge as these models get deployed by cloud-based service providers. Cryptographic techniques (Ohrimenko et al. (2016); Knott et al. (2021); Mishra et al. (2020); Juvekar et al. (2018)) address this challenge by performing computation over encrypted data. However, to combat the high computational cost of encryption techniques, alternative works have used ARL to suppress task-irrelevant information from data. While ARL-based techniques have shown promising empirical results, they lack formal privacy guarantees over obfuscated representations due to their use of Deep Neural Networks (DNNs) for achieving privacy. For the first time, we show how to give formal privacy guarantees for inference queries over arbitrarily trained (including ARL) DNNs. The key aspect of any ARL algorithm is an obfuscator which is trained to encode a user's private data such that an attacker cannot recover the original data from its encoding. Achieving formal privacy guarantees for an obfuscator has remained elusive due to the non-convexity of the training objective of DNNs. In this work, we take a post hoc approach to guaranteeing privacy, where the privacy of data is evaluated after the obfuscator is learned. Because the obfuscator is trained for non-invertibility, we hypothesize that the obfuscator network should act as a contractive mapping and hence increase the stability of the function in its local neighborhood, i.e., reduce sensitivity. Therefore, we measure the stability of an adversarially learned obfuscator neural network using Lipschitz constants, and link it with privacy properties. To exactly compute the local Lipschitz constant of a non-linear (ReLU) DNN, we use LipMIP (Jordan & Dimakis (2020)), a mixed-integer programming based technique, and re-formulate the ARL pipeline to ensure the computational feasibility of calculating the Lipschitz constant.

To draw a connection between the local Lipschitz constant and reconstruction privacy, we introduce a privacy definition that is a specific instantiation of the general dχ-privacy framework by Chatzikokolakis et al. (2013). Instead of evaluating the global Lipschitz constant of DNNs, we evaluate the Lipschitz constant only in the local neighborhood of the user's sensitive data. We extend the Propose-Test-Release (PTR) (Dwork & Lei (2009)) framework to formalize our local-neighborhood-based measurement of the Lipschitz constant.
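As an added illustration of the argument above (this is not code from the paper, and the weights, radius and epsilon are made-up values): a toy ReLU obfuscator, a sound upper bound on its local Lipschitz constant over an l_inf neighborhood of the user's input obtained by enumerating the activation patterns reachable in that neighborhood (standing in for the exact LipMIP solve), and the Laplace noise scale that turns the bound into a metric-privacy guarantee for inputs inside the neighborhood. The PTR test step is not modelled.

```python
import itertools
import numpy as np

# Constructed toy obfuscator f(x) = w2 . relu(W1 x + b1): two inputs, three ReLUs, one output.
# The weights are made up for this illustration; a real ARL obfuscator would be trained.
W1 = np.array([[1.0, -2.0], [0.5, 1.5], [-1.0, 0.5]])
b1 = np.array([0.1, -0.2, 0.05])
w2 = np.array([0.8, -0.4, 0.3])

def obfuscator(x):
    x = np.asarray(x, dtype=float)
    return float(w2 @ np.maximum(W1 @ x + b1, 0.0))

def local_lipschitz_bound(x, radius):
    """Upper bound L on the local Lipschitz constant of f over the l_inf ball of the given
    radius around x, in the sense |f(x) - f(x')| <= L * ||x - x'||_inf for x' in the ball.
    Interval arithmetic on the pre-activations decides which ReLUs can change state inside
    the ball; each reachable activation pattern is a linear piece whose gradient's l_1 norm
    is its Lipschitz constant, so L is the maximum over those pieces. The enumeration may
    include patterns the ball never realizes, which only loosens the bound (never unsafe);
    an exact mixed-integer solve such as LipMIP removes that slack."""
    x = np.asarray(x, dtype=float)
    center = W1 @ x + b1
    halfwidth = np.abs(W1).sum(axis=1) * radius        # max |W1 d| over ||d||_inf <= radius
    lo, hi = center - halfwidth, center + halfwidth
    fixed_on = lo > 0.0                                 # ReLUs that stay active in the ball
    ambiguous = (lo <= 0.0) & (hi >= 0.0)               # ReLUs that may flip in the ball
    best = 0.0
    for flips in itertools.product([0.0, 1.0], repeat=int(ambiguous.sum())):
        mask = fixed_on.astype(float)
        mask[ambiguous] = flips
        grad = (w2 * mask) @ W1                         # gradient of f on this linear piece
        best = max(best, float(np.abs(grad).sum()))     # l_1 (dual of l_inf) norm
    return best

def laplace_scale(x, radius, epsilon):
    """Noise scale for a metric-privacy guarantee restricted to the ball: with additive
    Laplace(0, L/epsilon) noise, the densities of the released value at x and at any x'
    in the ball differ by a factor of at most exp(epsilon * ||x - x'||_inf)."""
    return local_lipschitz_bound(x, radius) / epsilon

def private_release(x, radius, epsilon, rng=None):
    """Release f(x) with noise calibrated to the local, rather than global, sensitivity."""
    if rng is None:
        rng = np.random.default_rng(0)
    return obfuscator(x) + rng.laplace(0.0, laplace_scale(x, radius, epsilon))
```

Shrinking the radius can only shrink the bound, so calibrating noise to the user's local neighborhood adds less noise than a global Lipschitz constant would; a very large radius reproduces the global bound.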

