Bailey Kacsmar is a PhD candidate within the School of Computer Science on the University of Waterloo and an incoming faculty member on the University of Alberta. Her research interests are in the event of user-conscious privacy-enhancing technologies, through the parallel study of technical approaches for personal computation alongside the corresponding user perceptions, concerns, and comprehension of those technologies. Her work goals at identifying the potential and the restrictions for privacy in machine learning applications.

Your research interests are in the event of user-conscious privacy-enhancing technologies, why is privacy in AI so essential?

Privacy in AI is so essential, largely because AI in our world doesn’t exist without data. Data, while a useful abstraction, is ultimately something that describes people and their behaviours. We’re rarely working with data about tree populations and water levels; so, anytime we’re working with something that may affect real people we must be cognizant of that and understand how our system can do good, or harm. This is especially true for AI where many systems profit from massive quantities of information or hope to make use of highly sensitive data (comparable to health data) to attempt to develop latest understandings of our world.

What are some ways that you simply’ve seen that machine learning has betrayed the privacy of users?

Betrayed is a robust word. Nonetheless, anytime a system uses details about people without their consent, without informing them, and without considering potential harms it runs the danger of betraying individual’s or societal privacy norms. Essentially, this leads to betrayal by a thousand tiny cuts. Such practices might be training a model on users email inboxes, training on users text messages, or on health data; all without informing the topics of the information.

Could you define what differential privacy is, and what your views on it are?  

Differential privacy is a definition or technique that has risen to prominence when it comes to use for achieving technical privacy. Technical definitions of privacy, generally speaking, include two key facets; what’s being protected, and from who. Inside technical privacy, privacy guarantees are protections which can be achieved given a series of assumptions are met. These assumptions could also be concerning the potential adversaries, system complexities, or statistics. It’s an incredibly useful technique that has a wide selection of applications. Nonetheless, what is vital to be mindful is that differential privacy isn’t equivalent with privacy.

Privacy isn’t limited to at least one definition or concept, and it is necessary to concentrate on notions beyond that. For example, contextual integrity which is a conceptual notion of privacy that accounts for things like how different applications or different organizations change the privacy perceptions of a person with respect to a situation. There are also legal notions of privacy comparable to those encompassed by Canada’s PIPEDA, Europe’s GDPR, and California’s consumer protection act (CCPA). All of that is to say that we cannot treat technical systems as if they exist in a vacuum free from other privacy aspects, even when differential privacy is being employed.

One other privacy enhancing sort of machine learning is federated learning, how would you define what that is, and what are your views on it?

Federated learning is a way of performing machine learning when the model is to be trained on a set of datasets which can be distributed across several owners or locations. It isn’t intrinsically a privacy enhancing sort of machine learning. A privacy enhancing sort of machine learning must formally define what’s being protected, who’s being protected against, and the conditions that have to be met for these protections to carry. For instance, when we expect of a straightforward differentially private computation, it guarantees that somebody viewing the output won’t find a way to find out whether a certain data point was contributed or not.

Further, differential privacy doesn’t make this guarantee if, as an example, there’s correlation amongst the information points. Federated learning doesn’t have this feature; it simply trains a model on a set of information without requiring the holders of that data to directly provide their datasets to one another or a 3rd party. While that appears like a privacy feature, what is required is a proper guarantee that one cannot learn the protected information given the intermediaries and outputs that the untrusted parties will observe. This formality is very essential within the federated setting where the untrusted parties include everyone providing data to coach the collective model.

What are a few of the current limitations of those approaches?

Current limitations could best be described as the character of the privacy-utility trade-off. Even when you do every little thing else, communicate the privacy implications to those effected, evaluated the system for what you are attempting to do, etc, it still comes right down to achieving perfect privacy means we do not make the system, achieving perfect utility will generally not have any privacy protections, so the query is how can we determine what’s the “ideal” trade-off. How can we find the proper tipping point and construct towards it such that we still achieve the specified functionality while providing the needed privacy protections.

You currently aim to develop user conscious privacy technology through the parallel study of technical solutions for personal computation. Could you go into some details on what a few of these solutions are?

What I mean by these solutions is that we will, loosely speaking, develop any variety of technical privacy systems. Nonetheless, when doing so it is necessary to find out whether the privacy guarantees are reaching those effected. This will mean developing a system after checking out what sorts of protections the population values. This will mean updating a system after checking out how people actually use a system given their real-life threat and risk considerations. A technical solution might be an accurate system that satisfies the definition I discussed earlier. A user-conscious solution would design its system based on inputs from users and others effected within the intended application domain.

You’re currently searching for interested graduate students to begin in September 2024, why do you think that students ought to be inquisitive about AI privacy?

I feel students ought to be interested since it is something that can only grow in its pervasiveness inside our society. To have some idea of how quickly these systems look no further than the recent Chat-GPT amplification through news articles, social media, and debates of its implications. We exist in a society where the gathering and use of information is so embedded in our day-to-day life that we’re almost always providing details about ourselves to varied firms and organizations. These firms wish to use the information, in some cases to enhance their services, in others for profit. At this point, it seems unrealistic to think these corporate data usage practices will change. Nonetheless, the existence of privacy preserving systems that protect users while still allowing certain evaluation’ desired by firms will help balance the risk-rewards trade-off that has develop into such an implicit a part of our society.