Thursday, March 14th, 2019

9:00 am - 9:10 am
Speaker: Lalitha Sankar (Arizona State University)

9:10 am - 10:10 am
Speaker: Aaron Wagner (Cornell University)

How much information is "leaked" in a side channel? Despite decades of work on these channels, including the development of many sophisticated mitigation mechanisms for specific side channels, the fundamental question of how to measure the key quantity of interest---leakage---has received surprisingly little attention. Many metrics have been used in the literature, but these metrics either lack a cogent operational justification or mislabel systems that are obviously insecure as secure.

We propose a new metric called "maximal leakage," defined as the logarithm of the multiplicative increase, upon observing the public data, of the probability of correctly guessing a randomized function of the private information, maximized over all such randomized functions.
We provide an operational justification for this definition, show how it can be computed in practice, and discuss how it relates to existing metrics, including mutual information, local differential privacy, and a certain under-appreciated metric in the computer science literature. We also present some structural results for optimal mechanisms under this metric. Among other findings, we show that mutual information underestimates leakage while local differential privacy overestimates it.

This is joint work with Ibrahim Issa, Sudeep Kamath, Ben Wu, and Ed Suh.

10:25 am - 11:25 am
Speaker: Lalitha Sankar (Arizona State University)

In many data-sharing or learning applications, ensuring unnecessary inference or inappropriate use of sensitive data is essential while simultaneously guaranteeing usefulness of the data. It is now well accepted that randomizing mechanisms are needed to ensure privacy or fairness. In this talk, we will discuss a recently introduced class of leakage measures that allow quantifying the information a learning adversary can infer from a post-randomized dataset. In particular, we will focus on maximal alpha leakage as a new class of adversarially motivated tunable leakage measures that is based on guessing an arbitrary function of a dataset conditioned on the released dataset. The choice of alpha determines the specific adversarial action ranging from refining a belief for alpha = 1 to guessing the best posterior for alpha = ∞. Relationship of this measure to mutual information, maximal leakage, maximal information, Renyi DP, and local DP will be discussed, in particular from the viewpoint of adversarial actions. The tutorial-style talk will also include discussion of adversarial knowledge of side information as well as the consequences of using this measure to design privacy mechanisms.

This is joint work with Jiachun Liao, Oliver Kosut, and Flavio Calmon.

1:30 pm - 2:15 pm
Speaker: Flavio du Pin Calmon (Harvard University)

We present a short overview of a few information-theoretic methods for understanding and ensuring fairness in machine learning algorithms. First, we discuss how perturbation of measure approaches (e.g., influence functions) can be used to interpret and correct for bias in a given machine learning model. We then overview how tools from rate-distortion theory may be useful for designing data pre-processing mechanisms for ensuring fairness. Finally, we conclude with future research directions that may be of interest to both data scientists and information theorists.

2:30 pm - 3:15 pm
Speaker: Peter Kairouz (Google AI)

We present Generative Adversarial Privacy and Fairness (GAPF), a data-driven framework for learning private and fair representations of large-scale datasets. GAPF leverages recent advances in generative adversarial networks (GANs) to allow a data holder to learn "universal" data representations that decouple a set of sensitive attributes from the rest of the dataset. Under GAPF, finding the optimal privacy/fairness mechanism is formulated as a constrained minimax game between a private/fair encoder and an adversary. We show that for appropriately chosen adversarial loss functions, GAPF provides privacy guarantees against information-theoretic adversaries and enforces demographic parity. We also evaluate the performance of GAPF on the GENKI and CelebA face datasets and the Human Activity Recognition (HAR) dataset.

Based on joint work with Chong Huang (ASU), Xiao Chen and Ram Rajagopal (Stanford), and Lalitha Sankar (ASU).

Friday, March 15th, 2019

9:00 am - 9:40 am
Speaker: Kamalika Chaudhuri (UCSD)

The vast majority of computer science literature in privacy can be broadly divided into two categories -- inferential, where we are trying to bound the inferences an adversary can make based on auxiliary information, and differential, where the idea is to ensure that participation of an entity or an individual does not change the outcome significantly.

In this talk, I will present two new case-studies, one in each framework. The first looks at a form of inferential privacy that allows more fine-grained control in a local setting than the individual level. The second looks at privacy against adversaries who have bounded learning capacity, and has ties to the theory of generative adversarial networks.

9:40 am - 10:20 am
Speaker: Flavio du Pin Calmon (Harvard University)

In this talk, we overview recent efforts in understanding privacy-utility trade-offs (PUTs) from an information-theoretic perspective. Under certain metrics for privacy and utility (e.g., mutual information and other $f$-divergences), PUTs can be understood as specific instantiations of a broader class of formulations called "bottleneck problems," which include the information bottleneck and the privacy funnel. These formulations are closely related to data processing inequalities, and reveal interesting facets of the trade-offs that emerge when designing privacy-assuring mechanisms.

10:35 am - 11:05 am
Speaker: Peter Kairouz (Google AI)

We consider a setting where a designer would like to assess the efficacy of a privacy/fairness scheme by evaluating its performance against a finite-capacity adversary interested in learning a sensitive attribute from released data. Here, a finite-capacity adversary is a learning agent with limited statistical knowledge (finite number of data samples) and limited expressiveness capabilities limited to those expressed by a neural network. We provide probabilistic bounds on the discrepancy between the risk performance of such a finite capacity adversary relative to an infinite capacity adversary for the squared and log-losses, where an infinite-capacity adversary is one with full statistical knowledge and expressiveness capabilities. Our bounds quantify both the generalization error resulting from limited samples and the function approximation limits resulting from finite expressiveness. We illustrate our results for both scalar and multi-dimensional Gaussian mixture models.

Based on joint work with Mario Diaz (ASU/CIMAT), Chong Huang (ASU), and Lalitha Sankar (ASU).

1:00 pm - 2:00 pm

1:30 pm - 2:00 pm
Speaker: Aaron Wagner (Cornell University)

How much information is "leaked" in a side channel? Despite decades of work on these channels, including the development of many sophisticated mitigation mechanisms for specific side channels, the fundamental question of how to measure the key quantity of interest---leakage---has received surprisingly little attention. Many metrics have been used in the literature, but these metrics either lack a cogent operational justification or mislabel systems that are obviously insecure as secure.

We propose a new metric called "maximal leakage," defined as the logarithm of the multiplicative increase, upon observing the public data, of the probability of correctly guessing a randomized function of the private information, maximized over all such randomized functions.
We provide an operational justification for this definition, show how it can be computed in practice, and discuss how it relates to existing metrics, including mutual information, local differential privacy, and a certain under-appreciated metric in the computer science literature. We also present some structural results for optimal mechanisms under this metric. Among other findings, we show that mutual information underestimates leakage while local differential privacy overestimates it.

This is joint work with Ibrahim Issa, Sudeep Kamath, Ben Wu, and Ed Suh.

2:00 pm - 2:35 pm
Speaker: Lalitha Sankar (Arizona State University)

Building upon my previous talk on information leakage measures and their value in providing privacy guarantees against learning adversaries, in this talk, I will discuss the robustness of privacy guarantees that can be made via alpha leakage measures when designing mechanisms from a finite number of samples. The talk will also highlight recent work by researchers in the information theory community on noise adding mechanisms. Finally, we will focus on the significance of the adversarial model in understanding both mechanism design and the guarantees provided.

Mechanism design is based on joint work with Hao Wang, Mario Diaz, and Flavio Calmon. Additive noise mechanisms describes the work of Prakash Narayan and Arvind Nageswaran. Adversarial models and loss functions is based on work with Tyler Sypherd, Mario Diaz, and Peter Kairouz.