TL;DR
This paper introduces a novel accuracy-guided anonymization method for machine learning models that enhances privacy protection while maintaining high model utility, outperforming existing k-anonymity techniques and rivaling differential privacy in preventing inference attacks.
Contribution
It proposes a new anonymization approach that leverages model knowledge to preserve accuracy, offering a practical alternative to differential privacy with improved utility and attack resistance.
Findings
Outperforms state-of-the-art k-anonymity in utility, especially with high k and many quasi-identifiers.
Achieves comparable or better resistance to membership inference attacks than differential privacy.
Provides a practical, less complex method for privacy-preserving machine learning models.
Abstract
There is a known tension between the need to analyze personal data to drive business and privacy concerns. Many data protection regulations, including the EU General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA), set out strict restrictions and obligations on the collection and processing of personal data. Moreover, machine learning models themselves can be used to derive personal information, as demonstrated by recent membership and attribute inference attacks. Anonymized data, however, is exempt from the obligations set out in these regulations. It is therefore desirable to be able to create models that are anonymized, thus also exempting them from those obligations, in addition to providing better protection against attacks. Learning on anonymized data typically results in significant degradation in accuracy. In this work, we propose a method…
