Rethinking Privacy in Machine Learning Pipelines from an Information Flow Control Perspective
Modern machine learning systems use models trained on ever-growing corpora. Typically, metadata such as ownership, access control, or licensing information is ignored during training. Instead, to mitigate privacy risks, we rely on generic techniques such as dataset sanitization and differentially pr...
Gespeichert in:
Hauptverfasser: | , , , , , , , , |
---|---|
Format: | Artikel |
Sprache: | eng |
Schlagworte: | |
Online-Zugang: | Volltext bestellen |
Tags: |
Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
|
Zusammenfassung: | Modern machine learning systems use models trained on ever-growing corpora.
Typically, metadata such as ownership, access control, or licensing information
is ignored during training. Instead, to mitigate privacy risks, we rely on
generic techniques such as dataset sanitization and differentially private
model training, with inherent privacy/utility trade-offs that hurt model
performance. Moreover, these techniques have limitations in scenarios where
sensitive information is shared across multiple participants and fine-grained
access control is required. By ignoring metadata, we therefore miss an
opportunity to better address security, privacy, and confidentiality
challenges. In this paper, we take an information flow control perspective to
describe machine learning systems, which allows us to leverage metadata such as
access control policies and define clear-cut privacy and confidentiality
guarantees with interpretable information flows. Under this perspective, we
contrast two different approaches to achieve user-level non-interference: 1)
fine-tuning per-user models, and 2) retrieval augmented models that access
user-specific datasets at inference time. We compare these two approaches to a
trivially non-interfering zero-shot baseline using a public model and to a
baseline that fine-tunes this model on the whole corpus. We evaluate trained
models on two datasets of scientific articles and demonstrate that retrieval
augmented architectures deliver the best utility, scalability, and flexibility
while satisfying strict non-interference guarantees. |
---|---|
DOI: | 10.48550/arxiv.2311.15792 |