Minimax Filter: Learning to Preserve Privacy from Inference Attacks
Jihun Hamm

TL;DR
This paper introduces a minimax filter mechanism that enhances privacy preservation for high-dimensional data against inference attacks, outperforming traditional noisy mechanisms in utility and privacy tradeoffs.
Contribution
It proposes a novel filter-based privacy mechanism formulated as a min-diff-max optimization, with theoretical analysis and a practical algorithm, extending to combine with differential privacy.
Findings
Achieves comparable or better task accuracy than existing methods.
Significantly reduces inference accuracy of sensitive attributes.
Demonstrates effectiveness on facial, speech, and activity data.
Abstract
Preserving privacy of continuous and/or high-dimensional data such as images, videos and audios, can be challenging with syntactic anonymization methods which are designed for discrete attributes. Differential privacy, which provides a more formal definition of privacy, has shown more success in sanitizing continuous data. However, both syntactic and differential privacy are susceptible to inference attacks, i.e., an adversary can accurately infer sensitive attributes from sanitized data. The paper proposes a novel filter-based mechanism which preserves privacy of continuous and high-dimensional attributes against inference attacks. Finding the optimal utility-privacy tradeoff is formulated as a min-diff-max optimization problem. The paper provides an ERM-like analysis of the generalization error and also a practical algorithm to perform the optimization. In addition, the paper proposes…
Taxonomy
Topics: Privacy-Preserving Technologies in Data · Adversarial Robustness in Machine Learning · Cryptography and Data Security
