Towards integration of Privacy Enhancing Technologies in Explainable Artificial Intelligence

TL;DR

This paper investigates integrating Privacy Enhancing Technologies into Explainable AI to defend against privacy attacks, evaluating their effectiveness and impact on system utility and explanation quality.

Contribution

It introduces and empirically evaluates three PETs methods for protecting privacy in feature-based XAI explanations, addressing a critical security gap.

Findings

PETs reduced privacy attack success by up to 49.47%

Different PETs have varying impacts on utility and performance

Strategies for effective PETs integration in XAI are proposed

Abstract

Explainable Artificial Intelligence (XAI) is a crucial pathway in mitigating the risk of non-transparency in the decision-making process of black-box Artificial Intelligence (AI) systems. However, despite the benefits, XAI methods are found to leak the privacy of individuals whose data is used in training or querying the models. Researchers have demonstrated privacy attacks that exploit explanations to infer sensitive personal information of individuals. Currently there is a lack of defenses against known privacy attacks targeting explanations when vulnerable XAI are used in production and machine learning as a service system. To address this gap, in this article, we explore Privacy Enhancing Technologies (PETs) as a defense mechanism against attribute inference on explanations provided by feature-based XAI methods. We empirically evaluate 3 types of PETs, namely synthetic training data, differentially private training and noise addition, on two categories of feature-based XAI. Our evaluation determines different responses from the mitigation methods and side-effects of PETs on other system properties such as utility and performance. In the best case, PETs integration in explanations reduced the risk of the attack by 49.47%, while maintaining model utility and explanation quality. Through our evaluation, we identify strategies for using PETs in XAI for maximizing benefits and minimizing the success of this privacy attack on sensitive personal information.