=Paper=
{{Paper
|id=Vol-3215/paper_10
|storemode=property
|title=Privacy Safe Representation Learning via Frequency Filtering Encoder
|pdfUrl=https://ceur-ws.org/Vol-3215/10.pdf
|volume=Vol-3215
|authors=Jonghu Jeong,Minyong Cho,Philipp Benz,Jinwoo Hwang,Jeewook Kim,Seungkwan Lee,Tae-hoon Kim
|dblpUrl=https://dblp.org/rec/conf/ijcai/JeongCBHKLK22
}}
==Privacy Safe Representation Learning via Frequency Filtering Encoder==
Privacy Safe Representation Learning via Frequency Filtering Encoder
Jonghu Jeong, Minyong Cho, Philipp Benz, Jinwoo Hwang, Jeewook Kim, Seungkwan Lee and Tae-hoon Kim
Deeping Source Inc., 508, Eonju-ro, Gangnam-gu, Seoul, Republic of Korea
Abstract
Deep learning models are increasingly deployed in real-world applications. These models are often deployed on the server side and receive user data in an information-rich representation to solve a specific task, such as image classification. Since images can contain sensitive information which users might not be willing to share, privacy protection becomes increasingly important. Adversarial Representation Learning (ARL) is a common approach to train an encoder that runs on the client side and obfuscates an image. It is assumed that the obfuscated image can safely be transmitted and used for the task on the server without privacy concerns. However, in this work, we find that a trained reconstruction attacker can successfully recover the original image from the representations of existing ARL methods. To this end, we introduce a novel ARL method enhanced through low-pass filtering, which limits the amount of information that can be encoded in the frequency domain. Our experimental results reveal that our approach withstands reconstruction attacks while outperforming previous state-of-the-art methods regarding the privacy-utility trade-off. We further conduct a user study to qualitatively assess our defense against the reconstruction attack.

Keywords
privacy-preserving machine learning, adversarial representation learning, image frequency filtering
The IJCAI-ECAI-22 Workshop on Artificial Intelligence Safety (AISafety 2022), July 24-25, 2022, Vienna, Austria
jonghu.jeong@deepingsource.io (J. Jeong); minyong.cho@deepingsource.io (M. Cho); philipp.benz@deepingsource.io (P. Benz); jinwoo.hwang@deepingsource.io (J. Hwang); jeewook.kim@deepingsource.io (J. Kim); seungkwan.lee@deepingsource.io (S. Lee); pete.kim@deepingsource.io (T. Kim)
© Copyright 2022 for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
CEUR Workshop Proceedings (CEUR-WS.org), ISSN 1613-0073, http://ceur-ws.org

1. Introduction
In recent years, service providers such as Amazon Rekognition and Microsoft Cognitive Services have frequently deployed deep learning models in real-world applications. The models running on the providers' servers can receive and process user information in an information-rich representation to solve a specific task. For example, users send their face images from their smartphone (client) to the server and receive the processed results, such as a face identification. However, the raw images can also contain additional information which users do not consent to reveal or share, violating the users' privacy. An adversary could take over and abuse the images of the users. In one possible attack scenario, adversaries can train a new attacker model (e.g. a neural network) that retrieves private attributes, such as gender, emotional state, and race. Even the service provider could have malicious intent without the users' knowledge. Hence, an obfuscation method should be used to protect the users' privacy.

Figure 1: An overview of our proposed method. The proposed method trains an encoder that obfuscates an input image through a neural net and leverages a frequency filtering module to safely transmit a privacy-sensitive image from a client side to a server side. The frequency filtering module helps the encoder to remove private information effectively from the image while retaining its utility for a particular task of interest (utility task) on the server side. The encoder is trained with the conventional ARL scheme and then deployed to the client side. Even with the possibility of data leakage during data transmission, malicious attackers cannot abuse the obfuscated image for a privacy breach attack (privacy task), since the transmitted data contains information that is only useful for the utility task.

For privacy protection with deep learning models, several prior works exist, ranging from federated learning [1, 2], split learning [3, 4], differential privacy [5, 6, 7], and homomorphic encryption [8, 9, 10] to instance hiding mechanisms [11, 12, 13, 14], GAN-based obfuscation techniques [15, 16], and adversarial representation learning [17]. Among these works, however, adversarial representation learning (ARL) is the one suitable for a service provider that wants to serve users with an obfuscation method. For example, federated learning and instance hiding focus on model training with privacy-safe data, not on inference with obfuscated data [1, 11]. Furthermore, several existing methods suffer from privacy leakage [18, 19, 20], and the computational complexity of others is too large for them to be deployed in practice [8, 9, 10]. With ARL, the service provider can train an obfuscator model and deploy it to make data obfuscation possible on the user side [21, 22].
Most previous ARL methods solve the problem of privacy-safe transmission by optimizing 1) a utility task loss and 2) a proxy adversary task loss [23, 21, 24, 22]. They also introduce specific loss formulations, model architectures, and training schemes. The methods are evaluated quantitatively by their performance on both the utility and the adversary task. Note that there usually exists a trade-off between privacy and utility. We use a reconstruction attack to test the quality of the obfuscation. In a reconstruction attack, a new model is trained that takes the obfuscated representation as input and outputs the original image. As demonstrated in Figure 2, the original data of existing ARL methods can successfully be recovered from the obfuscated representation. This result suggests that the private information is still encoded in the obfuscated representations.

Figure 2: Results of the reconstruction attack with various methods on CelebA. For a successful defense, the reconstructed image should not reveal 1) the identity of the original image and 2) the privacy attribute (in this case, gender). Our method successfully defends against the reconstruction attack while all other approaches fail. Detailed results are further discussed in Section 5.

We present a novel ARL method that leverages frequency filtering with an extreme low-pass frequency filter (Figure 1). Filtering the representation in the frequency domain effectively limits the amount of information that can be encoded. Our experimental results show that our approach outperforms previous state-of-the-art methods regarding the privacy-utility trade-off. We also show that our proposed method withstands the reconstruction attack better than existing ARL methods, which we evaluate through visual metrics and a user study.

2. Related Work
Data-privacy in Computer Vision
For privacy-safe data transmission, several approaches have been proposed to tackle the problem of raw image sharing. Federated learning [1, 2] and split learning [3, 4] aim to train a machine learning model without directly sharing raw images, by sharing gradients or a processed representation instead. These methods usually focus on model training, and not on inference with obfuscated data. Homomorphic encryption [8, 9, 10] attempts to train models on encrypted data, such that the data can be shared in encrypted form and be processed without decryption. Currently, this method suffers from a considerably high computational cost. Instance hiding mechanisms [11, 12, 13, 14] introduce random pixel mixing and clipping algorithms to perturb images. The perturbed images are used only for training, and the original images are used for inference, which means that there are still potential threats of data breaches when inferring the target.

Adversarial Representation Learning (ARL)
Another line of work focuses on the training framework of ARL to address the utility-privacy trade-off of (a) mitigating privacy disclosure while (b) maintaining task utility. ARL methods have found their application in practical scenarios, such as information censoring [25], learning fair representations [26, 27], the mitigation of information leakage [23, 21, 24], collaborative inference [28, 29, 22], and GAN-based obfuscation techniques [15, 16]. Commonly, the ARL framework consists of three entities: 1) an obfuscator, which transforms input data to a private representation that retains utility, 2) a task model, performing the utility task on the data representation, and 3) a proxy adversary, attempting to extract sensitive attributes. Recent approaches [30, 31, 32, 24] represent each component as a deep neural network (DNN). MaxEnt [23] formulates the ARL problem as an adversarial non-zero-sum game and minimizes the amount of non-utility information, which they quantify through entropy. Adversarial representation learning with non-linear functions through a kernel representation, with theoretical guarantees, is introduced in [33]. While most of the previous methods represent the obfuscated output as an intermediate feature of a DNN, Bertran et al. [21] leverage domain-preserving transformations, i.e. images to images. The above-mentioned ARL methods mainly focus on designing special loss functions or model architectures. To the best of our knowledge, our method is the first ARL method that focuses on the effective encoding of a privacy-safe representation in the frequency domain.

There are three common attacks on privacy in machine learning. The first is the membership inference attack [34], which attempts to infer whether a data sample was used for training the machine learning model. This attack is more related to an attack on the server-side model than on the transmitted data. The second is the inversion attack [35], which attempts to infer raw data from a processed representation. This is the same attack scenario as the aforementioned reconstruction attack. The last is the information leakage attack [23], in which adversaries attempt to infer privacy-related information from the obfuscated representation. In this work the inversion attack and the information leakage attack are considered, as they are potential threats to transmitted privacy-sensitive images.

Frequency Perspective in Computer Vision
Prior works have explored the behavior of DNNs from a frequency perspective. Overall, there is solid evidence that both high-frequency and low-frequency features can be helpful for classification [36, 37]. It has been demonstrated that DNNs have an increased bias toward texture compared to the object's shape [38]. On the other hand, DNNs trained only on low-pass filtered images also generalize well and are capable of achieving high accuracies [36]. Yin et al. [36] show that adversarial training and Gaussian data augmentation shift DNNs towards utilizing low-frequency information in the input. Wang et al. [37] point out that convolutional neural networks (CNNs) mainly exploit high-frequency components. Similarly, Abello et al. [39] find that mid or high-level frequencies are disproportionately critical for CNNs. Ilyas et al. [40] also show similar findings: human-imperceptible features with high-frequency properties are sufficient for the model to exhibit high generalization capability.

In this work, we leverage the previous insight that information can be encoded in different frequency ranges of images. We propose encoding information in the low-frequency band of images to securely transfer them between different parties.

3. Problem Formulation
We consider an image dataset $x \sim \mathcal{X} \in \mathbb{R}^{H \times W \times 3}$, where $H$ and $W$ represent width and height, respectively, along with a number of various attributes $y \sim \mathcal{Y}$. Some of the attributes are private attributes $y_p \sim \mathcal{Y}_p$ and some are utility attributes $y_t \sim \mathcal{Y}_t$, such that $\mathcal{Y} = \mathcal{Y}_t \cup \mathcal{Y}_p$. Given a utility task model $f_t$, we search for an intermediate representation $\hat{x}$ from which $f_t$ can infer the utility attributes, but not the privacy attributes. This transformation can also be represented through a DNN $o$, termed obfuscator, resulting in $o(x) = \hat{x}$. Note that in prior works, the intermediate representation $\hat{x}$ was often represented as a feature map differing in shape from the original input images. However, similar to [21], we represent the obfuscated representation in the same shape as the original input image. This setting allows us to leverage existing image transformation techniques, such as transforming the representation into a 2D Fourier representation. Additionally, this form of intermediate representation allows us to analyze the representations visually.

Threat Model
Given the above problem formulation, an attacker can attempt to retrieve information about the private attributes from the intermediate representation. This can be realized either by directly inferring private information from the intermediate representation (information leakage attack) or through the reconstruction of the original input images from the intermediate representations (reconstruction attack). In the information leakage attack scenario an attacker is able to obtain data pairs consisting of the intermediate representation and the respective private attributes $\{\hat{x}, y_p\}$. In this scenario an attacker can attempt to train a model $f_a$ which leaks the private information from the representations, $f_a(\hat{x}) = y_p$. In the reconstruction attack, given pairs of the original image and the intermediate representation $\{x, \hat{x}\}$, the attacker attempts to obtain a model $f_r$ which retrieves the original image $x$ from the intermediate representation, $f_r(\hat{x}) = x$. In this work, we represent both attacker models $f_a$ and $f_r$ through DNNs, since they have proven to be powerful for image processing tasks.

4. Methodology
Fourier Transformation
The Fourier transform is a common tool to perform frequency analysis [41]. We consider the 2D discrete Fourier transformation $\mathcal{F}: \mathbb{R}^{W \times H} \to \mathbb{C}^{W \times H}$ and the inverse Fourier transformation $\mathcal{F}^{-1}$. After applying $\mathcal{F}$ to an image, low frequencies are located in the center of the Fourier image, while high frequencies are located toward the boundaries. For low-pass filtering, we set all frequency components outside of a central circle with radius $r$ in the frequency domain to zero and apply $\mathcal{F}^{-1}$ afterward. We normalize the radius to be in the range $[0, 1]$ by considering the center of the image as 0 and the corner as 1. We indicate low-pass filtering as $LP$.
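To make the filtering step concrete, the following is an added NumPy example (not code from the paper or its authors) that implements the $LP$ operation described above and, going beyond this section, the high-pass variant $HP$ used in the ablation of Section 6.1. It assumes the DC term sits at the center of an fftshift-ed spectrum, that a coefficient lying exactly on the circle is kept by $LP$ (the paper does not specify this), and uses 218×178 as a sample resolution (the CelebA aligned-crop size; the paper does not state the resolution it trains on).

```python
import numpy as np


def radial_mask(h, w, r, mode="low"):
    """Boolean mask over an fftshift-ed h x w spectrum.

    mode="low"  keeps the coefficients inside the central circle (the paper's LP),
    mode="high" keeps the coefficients outside it (the HP variant of Section 6.1).
    The radius r is normalised as in the paper: 0 at the spectrum center, 1 at
    its corner.  A coefficient exactly on the circle is kept by LP and dropped
    by HP (an assumption; the paper does not say).
    """
    if mode not in ("low", "high"):
        raise ValueError("mode must be 'low' or 'high'")
    cy, cx = h // 2, w // 2                 # position of the DC term after fftshift
    yy, xx = np.mgrid[0:h, 0:w]
    dist = np.hypot(yy - cy, xx - cx)       # distance of every coefficient from DC
    corner = np.hypot(cy, cx)               # center -> (0, 0) corner, the farthest point
    inside = dist <= r * corner
    return inside if mode == "low" else ~inside


def frequency_filter(img, r, mode="low"):
    """Apply F, zero the masked-out coefficients, apply F^-1, per channel.

    img: float array of shape (H, W) or (H, W, C) with values in [0, 1].
    Returns an array of the same shape, i.e. an image-shaped representation
    as in Section 3.
    """
    x = np.asarray(img, dtype=np.float64)
    squeeze = x.ndim == 2
    if squeeze:
        x = x[:, :, None]
    h, w, c = x.shape
    mask = radial_mask(h, w, r, mode)
    out = np.empty_like(x)
    for ch in range(c):
        spec = np.fft.fftshift(np.fft.fft2(x[:, :, ch]))
        spec[~mask] = 0.0
        # A real input has a conjugate-symmetric spectrum and the mask is
        # symmetric about the center, so the inverse is real up to rounding.
        out[:, :, ch] = np.fft.ifft2(np.fft.ifftshift(spec)).real
    return out[:, :, 0] if squeeze else out


def kept_coefficients(h, w, r, mode="low"):
    """Number of DFT coefficients per channel that survive the filter."""
    return int(radial_mask(h, w, r, mode).sum())


if __name__ == "__main__":
    # Constructed input: random noise at the assumed CelebA size, r = 0.01 as in
    # the paper's CelebA/FairFace setting.
    h, w = 218, 178
    n = kept_coefficients(h, w, 0.01)
    print(f"LP r=0.01 on {h}x{w}: {n} of {h * w} coefficients kept per channel")
    img = np.random.default_rng(0).random((h, w, 3))
    blob = frequency_filter(img, 0.01)
    print("pixel std of the filtered image:", round(float(blob.std()), 4))
    print("HP r=0.99 on 32x32 keeps", kept_coefficients(32, 32, 0.99, "high"), "coefficient(s)")
```

With $r = 0.01$ on a 218×178 image the filter keeps 5 of 38,804 coefficients per channel (the DC term and its four nearest neighbours), which is the sense in which the encoder's bandwidth is restricted; with $r = 0.99$ the high-pass filter on a 32×32 spectrum keeps only the single Nyquist corner coefficient.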
Frequency Obfuscation
We depict our proposed methodology in Figure 1. Given an input image, the objective is to obfuscate the image to achieve the best privacy-utility trade-off. Our obfuscator module consists of an encoder architecture followed by frequency filtering. We choose the commonly used U-Net [42] architecture as our encoder and pass the original image through it. Formally, we express this as $e(x)$, where $e$ indicates the encoder. The subsequent frequency filtering is realized via a low-pass filter, $LP(e(x))$. This procedure completes the generation of the intermediate representation through the obfuscator, $\hat{x} = o(x) = LP(e(x))$. During obfuscator training, we leverage a task model and a proxy adversary. The objective of the task model is to predict the utility attribute from the intermediate representation. The respective task loss is calculated as $l_t = \mathbb{E}[\mathcal{L}_t(f_t(o(x)), y_t)]$, where $\mathcal{L}_t$ indicates the task loss function, which is the cross-entropy function in our setup. The objective of the proxy adversary model is to leak the privacy attribute from the intermediate representation. The proxy adversary loss is calculated as $l_p = \mathbb{E}[\mathcal{L}_p(f_a(o(x)), y_p)]$, where $\mathcal{L}_p$ indicates the privacy loss function, which is also the cross-entropy function. The obfuscator loss is $l_o = l_t - l_p$.

Similar to the scenario introduced in DISCO [22], a practical application scenario of our proposed approach is one in which the obfuscator module is present on a trusted client device, which sends the intermediate feature representations to a server. Since an adversary can intercept the communication between client and server, or the server itself can be malicious, we consider the server side an untrusted entity.

Evaluation Protocol
In the following, we outline our evaluation protocol. We follow the general ARL evaluation protocol [22, 23]. Given an image classification dataset, we specify certain classes as the utility and privacy tasks, respectively. Based on the chosen tasks, we obtain an obfuscator and a utility task model by following our proposed method. Note that this includes training proxy adversaries. After training, we evaluate the models on the utility task and report the accuracy as utility. Then we freeze the weights of the obfuscator, train an adversary model to predict the privacy attributes, and report its accuracy as privacy. To assess the privacy-utility trade-off, we measure their difference (Δ). Additionally, we report the performance bounds. Theoretically, the utility (higher is better) is upper bounded by 100%. In practice, however, we consider the upper bound to be the utility performance of a ResNet18 [43] model trained on the original images. For privacy (lower is better), we consider the lower bound to be the random guess for the privacy attribute.

We also perform a reconstruction attack on the obfuscated images to recover the corresponding original images. We evaluate the reconstruction attacks quantitatively and qualitatively by calculating similarity scores between the original and reconstructed images and by conducting a user study on the reconstructed images.

5. Experiments
5.1. Setup
Datasets
We conduct experiments on CelebA [44], FairFace [45], and CIFAR10 [46]. Following the utility and privacy task setting from DISCO [22], we set "Smiling" as the utility attribute and "Male" as the privacy attribute for CelebA, and "Gender" as the utility attribute and "Race" as the privacy attribute for FairFace. For CIFAR10, the utility task is defined as classifying living objects (e.g. "bird", "cat", etc.) versus non-living objects (e.g. "airplane", "automobile", etc.), and the privacy task as classifying the separate 10 classes.

Implementation details
The encoder is a lightweight variant of U-Net [42], with 4× fewer intermediate feature channels than the original version. We use an extreme low-pass filter with radius $r = 0.01$ for CelebA and FairFace, and $r = 0.05$ for CIFAR10. We apply a center-circled filter, which can adjust the level of obfuscation by changing its radius (bandwidth). Section 6.2 discusses the effect of the radius. We normalize the radius by the length from the filter's center to the corner so that the value lies in the range $[0, 1]$. For both the utility and privacy task models, we use ResNet-18 [43], and use the same dataset for training both models. We use the Adam [47] optimizer for all 3 models with a learning rate of $10^{-4}$ for the U-Net and $10^{-3}$ for the ResNet-18 models. We evaluate the top-1 accuracy for both the utility and the privacy task. We used the lightweight U-Net as the reconstructor for the reconstruction attack. The reconstructor adversary is trained with the MSE loss between the original and the reconstructed images. The reconstructed images are evaluated using MSE, $L_1$, SSIM [48], MS-SSIM [49], PSNR [50], and LPIPS [51]. MSE, $L_1$, and PSNR compare the images pixel-wise, while SSIM and MS-SSIM compare structural similarity (e.g., brightness, contrast) between the images. LPIPS uses a pre-trained neural network's feature maps for comparison. These metrics are commonly used for comparing the similarity between images [22, 24, 52] and we consider them
as a proxy of human vision.

Compared Methods
We compare our method with various baselines. As a simple baseline obfuscator, we add Gaussian noise sampled from $\mathcal{N}(0, \sigma^2)$ to the input image while keeping the pixels within the image range $[0, 1]$. We indicate this method with Noise. We use $\sigma^2 = 4$ for CelebA and FairFace and $\sigma^2 = 0.64$ for CIFAR10, which obfuscate the images sufficiently. To investigate the sole effect of the low-pass filtering, we apply only the low-pass filter to the raw images. We name this baseline LP. As a complement, we also compare the U-Net without the low-pass filtering module as an obfuscator. We call it U-Net. This setup is similar to DeepObfuscator [24], which uses an encoder, a task model, and a proxy adversary. However, since DeepObfuscator has not open-sourced its code, we used our U-Net encoder as the method to compare. Finally, we compare our method to the state-of-the-art ARL method DISCO [22], which selectively removes features via channel pruning in the latent space.

Table 1
Evaluation of the privacy-utility trade-off. The upper/lower arrow indicates that for each value higher/lower is better. Our method shows the biggest gap between privacy and utility accuracy on all the datasets. Note that the privacy accuracy is based on a newly trained adversary model, which is trained against the fully trained and frozen obfuscation model.

                 FairFace                    CelebA                      CIFAR10
Method           Privacy↓  Utility↑  Δ↑      Privacy↓  Utility↑  Δ↑      Privacy↓  Utility↑  Δ↑
Perf. Bounds     19.03     90.16     71.13   57.43     93.32     35.89   10.00     98.79     78.79
Noise            42.61     74.33     31.72   91.71     85.38     -6.33   54.37     87.77     33.40
LP               31.93     64.77     32.84   76.52     63.69    -12.83   47.05     85.76     38.71
U-Net            51.52     86.40     34.88   87.21     93.12      5.91   85.05     95.45     10.40
DISCO            19.00     81.50     62.50   61.20     91.00     29.80   22.30     91.98     69.68
Ours             23.63     89.67     66.04   61.60     93.27     31.67   22.58     92.95     70.37

5.2. Results
Table 1 shows a comparison between the privacy and utility accuracy of each obfuscation method. Our method resulted in the highest gap between utility and privacy accuracy on all datasets. For the methods without an encoder (i.e. Noise and LP), the accuracy of both the utility and the privacy task decreases compared to training with the original images, since these methods obfuscate images without any prior knowledge of the tasks. These methods cannot selectively restrict information for high utility and low privacy leakage. U-Net showed high utility accuracy but failed to defend against the privacy attack, although it is trained with a proxy adversary. We conjecture that simply taking the guidance of the proxy model loss is not enough for the encoder to learn to restrict information. Our method is a combination of LP and U-Net, and learns to encode a representation into the restricted bandwidth, which is limited by the frequency filtering module. This limited bandwidth helps the encoder to learn how to extract utility information effectively and to remove privacy attributes in order to fully leverage the limited bandwidth. While the same data is used to train both the utility and the adversary models, which is a generous and unrealistic condition for an attacker, we found that the adversary model performed poorly. DISCO shows the lowest privacy accuracy on all the datasets. However, its utility accuracy is lower than that of our method, so its utility-privacy gap is smaller than ours.

Table 2
Similarity scores between the original images and the reconstructed ones on CelebA. The upper/lower arrow indicates that for each value higher/lower is better, respectively. Our approach shows the best dissimilarity on all the metrics.

Method   MSE↑      L1↑     SSIM↓    MS-SSIM↓  PSNR↓   LPIPS↑
Noise    584.88    16.97   0.6017   0.7776    20.46   0.3714
LP       1889.15   32.10   0.4632   0.5390    15.37   0.5537
U-Net    390.34    13.81   0.7505   0.8839    22.22   0.1809
DISCO    567.17    15.94   0.5765   0.7611    20.60   0.4351
Ours     3689.50   48.08   0.4240   0.4728    12.47   0.6145

In terms of visual quality, our obfuscated representations appear as simple globs of color, making them unrecognizable to human observers (Figure 1). The obfuscated representations from the other methods also appear obfuscated to the human eye. However, applying our best-effort reconstruction attack, it is possible to reconstruct the original image or infer the privacy attribute (i.e. gender) from the reconstructed images (Figure 2). The reconstructed images from our method successfully defend against identity reconstruction and privacy attribute leakage, with the reconstructed images all being relatively similar to each other. The quantitative results of the reconstruc-
tion attack in Table 2 further confirm this, since all scores achieve the best results in terms of dissimilarity for our approach. We note that an adversary model trained on the reconstructed images to infer the privacy attributes performs worse than a model trained directly on the obfuscated images, since the reconstructed images are derived from the obfuscated images.

5.3. User Study
We present a user study to show our method's robustness against the reconstruction attack on CelebA. Since the privacy task for this dataset is gender classification, the reconstructed image's gender should not be correctly classified by a human observer if the obfuscation is successful. To conduct the experiment, we randomly sampled 30 images (15 male and 15 female) for which ResNet18 classifies the gender correctly. By doing so, we balanced each class and addressed the ambiguity of the labels to prevent unfair results. Then, we obfuscated the images using each of the techniques and reconstructed them with their respective attacker models from Section 5.1. Examples of reconstructed images are shown in Figure 2. We presented 180 reconstructed images to a group of people and asked them to identify whether the person in the reconstructed image is male, female, or cannot be judged. We provided the last option to let the users skip the examples that are hard to judge. The test subjects were randomly selected and consist of 30 people who live in Seoul, South Korea, and are in their 20s and 30s.

As shown in Figure 3, people correctly identify the gender for the original images and for the images reconstructed from the methods Noise, U-Net, and DISCO. More than 90% of the answers were correct for these three methods. LP showed a relatively low correct ratio (56.9%) and a high "cannot judge" ratio (6.19%). Our method showed the best result for both, the lowest correct ratio of 45.83% and the highest "cannot judge" ratio of 7.02%. We consider a 50% ratio for each of the "correct" and "wrong" answers as a random guess, since the labels of the test dataset are balanced. Additionally, we note that "cannot judge" can be considered a random guess, since without this option the users would have made a random choice. The results indicate that our approach successfully protects against reconstruction attacks in terms of human vision. The results also align with the quantitative results (Table 2). In terms of obfuscation, our method shows the best results, followed by LP. This reconfirms the usefulness of our architecture design, the combination of the encoder and the frequency filtering module.

Figure 3: Result of the user study on reconstructed images of CelebA. We asked the participants to classify gender (male/female) on 180 images such as those in Figure 2. The participants correctly distinguished the gender of the original images and of the images reconstructed from the three methods (Noise, U-Net, and DISCO) with more than 90% accuracy. Our method and LP effectively confused the participants with gender-neutral faces (45.83% and 56.9% correct-answer ratio, respectively), while ours is slightly better than LP in terms of obfuscation. We also plot the ideal case of the user study to show our method's near-perfect superiority against the reconstruction attack.

6. Ablation Study
6.1. High-pass filter
Previously, we presented the effect of the low-pass frequency filtering module on ARL. The module appropriately limits the amount of encoded information in the obfuscated image. It retains the information in a low-frequency range. Using a high-pass filter, we can leverage the same intuition by limiting the information to be encoded to the high-frequency bandwidth. However, in the following, we will present results indicating that the low-pass filter is the superior method to use.

We conduct the same experiment from Section 5.2 on FairFace with a high-pass filtering module for 5 radii (0.80, 0.85, 0.90, 0.95, 0.99). Contrary to the low-pass filtering, the filter removes the frequencies inside the filter radius, which makes a radius of 0.99 the most extreme high-pass filter. We call this method HP.

Table 3
The privacy-utility gap of the high-pass filtering module on FairFace. Our low-pass filtering module shows the best privacy-utility gap compared to the high-pass filter with the various filter radii.

Method        Privacy↓  Utility↑  Δ↑
HP (r=0.80)   26.19     89.03     62.84
HP (r=0.85)   26.28     89.13     62.85
HP (r=0.90)   28.94     88.00     59.06
HP (r=0.95)   24.96     88.12     63.16
HP (r=0.99)   19.03     52.88     33.85
LP (r=0.01)   23.63     89.67     66.04

The respective results are presented in Table 3. As the filtering gets more extreme, the utility accuracy decreases
together with the privacy accuracy. The table also shows that our approach with a low-pass filter from Table 1 outperforms all results of the high-pass filter regarding the privacy-utility gap. The best privacy-utility gap with the high-pass filter is 63.16% with a radius of 0.95, which is 2.88%p lower than for the approach with low-pass filtering. It has been demonstrated that DNNs can learn from low-pass filtered images more efficiently than from high-pass filtered ones [36]. Especially with the extreme high-pass filter (r=0.99), the model did not learn either the utility or the privacy task.

Furthermore, from a practical point of view, we need to reduce the size of the obfuscated image to reduce the cost of transmission or storage. The most commonly used JPEG compression algorithm relies on filtering out high frequencies. If we used a high-pass filter ARL method, the information encoded in the high-frequency range would be lost. To this end, encoding information into the low-frequency range is more suitable than the opposite for further utilizing the conventional compression algorithms.

6.2. The effect of filter radius
One of the key points of our proposed method is the frequency filtering module. The module has only one parameter to consider, the filter's radius. To gain insight into choosing the parameter, we conducted experiments with various radii. The same experiment from Section 5 on FairFace is done with 5 radii (0.01, 0.015, 0.02, 0.025, 0.03). The radius of 0.01 is the most extreme low-pass filter.

Figure 4 (left) shows a trend of consistent utility accuracy and increasing privacy accuracy. The utility accuracies are around 89% with a small variance. The privacy accuracies show an increasing tendency from 23.64% to 30.45% as the radius increases. This leads the privacy-utility gap to decrease (Figure 4, right).

Figure 4: (Left) Privacy and utility accuracy under each radius of the low-pass filter. The experiments are conducted on FairFace. (Right) Privacy-utility trade-off. Delta represents the performance gap between utility and privacy.

The increased privacy accuracy aligns with our intuition of limiting information in the obfuscated representa-
a privacy attack easily. Note that the utility accuracy did not decrease even with the harshest filter. We speculate that the extremely low-pass filtered representation is enough for these specific utility tasks. Figure 4 and Table 3 confirm that the radius is a crucial factor for privacy and utility accuracy. Thus the radius is a hyperparameter that should be tuned based on the privacy-utility gap.

7. Conclusion
This work proposes a novel ARL method based on frequency filtering, which is robust to privacy leakage attacks while maintaining task utility. Our experiments suggest that the combination of a neural-net encoder and a low-pass filter improves ARL training on both quantitative and qualitative metrics. The method outperforms the other compared methods on the quantitative measures of the privacy-utility trade-off and the reconstruction attack (Section 5). Our user study suggests that the proposed method effectively defends against reconstruction attacks (Section 5.3). The ablation experiments justified the use of a low-pass filter and also showed that the filter radius adjusts the privacy-utility trade-off (Section 6).

For future work we consider the optimization of the client-side model to reduce the computational burden by using a lightweight architecture such as MobileNetV3 [53]. Furthermore, an adaptive selection of the frequency-filtering hyperparameter might increase the utility accuracy and decrease the privacy accuracy.

References
[1] J. Konečný, H. B. McMahan, F. X. Yu, P. Richtárik, A. T. Suresh, D. Bacon, Federated learning: Strategies for improving communication efficiency, arXiv preprint arXiv:1610.05492 (2016).
[2] P. Kairouz, H. B. McMahan, B. Avent, A. Bellet, M. Bennis, A. N. Bhagoji, K. Bonawitz, Z. Charles, G. Cormode, R. Cummings, et al., Advances and open problems in federated learning, Foundations and Trends® in Machine Learning (2021).
[3] O. Gupta, R. Raskar, Distributed learning of deep neural network over multiple agents, Journal of Network and Computer Applications (2018).
[4] P. Vepakomma, O. Gupta, T. Swedish, R. Raskar, Split learning for health: Distributed deep learning without sharing raw patient data, arXiv preprint arXiv:1812.00564 (2018).
[5] C. Dwork, Differential privacy: A survey of results, in: International Conference on Theory and Applications of Models of Computation, 2008.
[6] Z. Ji, Z. C. Lipton, C. Elkan, Differential privacy
tion. The wider radius allows the representation to have
and machine learning: a survey and review, arXiv
more information, leading the adversary to exploit it for
preprint arXiv:1412.7584 (2014).
[7] M. Abadi, A. Chu, I. Goodfellow, H. B. McMahan, I. Mironov, K. Talwar, L. Zhang, Deep learning with differential privacy, in: ACM SIGSAC Conference on Computer and Communications Security, 2016.
[8] E. Hesamifard, H. Takabi, M. Ghasemi, CryptoDL: Deep neural networks over encrypted data, arXiv preprint arXiv:1711.05189 (2017).
[9] C. Juvekar, V. Vaikuntanathan, A. Chandrakasan, GAZELLE: A low latency framework for secure neural network inference, in: USENIX Security Symposium, 2018.
[10] K. Nandakumar, N. Ratha, S. Pankanti, S. Halevi, Towards deep neural network training on encrypted data, in: Conference on Computer Vision and Pattern Recognition Workshops (CVPR-W), 2019.
[11] Y. Fu, H. Wang, K. Xu, H. Mi, Y. Wang, Mixup based privacy preserving mixed collaboration learning, in: International Conference on Service-Oriented System Engineering (SOSE), 2019.
[12] Y. Huang, Z. Song, K. Li, S. Arora, InstaHide: Instance-hiding schemes for private distributed learning, in: International Conference on Machine Learning (ICML), 2020.
[13] M. Shin, C. Hwang, J. Kim, J. Park, M. Bennis, S.-L. Kim, XOR mixup: Privacy-preserving data augmentation for one-shot federated learning, arXiv preprint arXiv:2006.05148 (2020).
[14] E. Borgnia, J. Geiping, V. Cherepanova, L. Fowl, A. Gupta, A. Ghiasi, F. Huang, M. Goldblum, T. Goldstein, DP-InstaHide: Provably defusing poisoning and backdoor attacks with differentially private data augmentations, arXiv preprint arXiv:2103.02079 (2021).
[15] T.-h. Kim, D. Kang, K. Pulli, J. Choi, Training with the invisibles: Obfuscating images to share safely for learning visual recognition models, arXiv preprint arXiv:1901.00098 (2019).
[16] C. Xu, J. Ren, D. Zhang, Y. Zhang, Z. Qin, K. Ren, GANobfuscator: Mitigating information leakage under GAN via differential privacy, Transactions on Information Forensics and Security (2019).
[17] J. Donahue, K. Simonyan, Large scale adversarial representation learning, Advances in Neural Information Processing Systems 32 (2019).
[18] L. Lyu, H. Yu, Q. Yang, Threats to federated learning: A survey, arXiv preprint arXiv:2003.02133 (2020).
[19] D. Pasquini, G. Ateniese, M. Bernaschi, Unleashing the tiger: Inference attacks on split learning, in: ACM SIGSAC Conference on Computer and Communications Security, 2021.
[20] O. Li, J. Sun, X. Yang, W. Gao, H. Zhang, J. Xie, V. Smith, C. Wang, Label leakage and protection in two-party split learning, arXiv preprint arXiv:2102.08504 (2021).
[21] M. Bertran, N. Martinez, A. Papadaki, Q. Qiu, M. Rodrigues, G. Reeves, G. Sapiro, Adversarially learned representations for information obfuscation and inference, in: International Conference on Machine Learning (ICML), 2019.
[22] A. Singh, A. Chopra, E. Garza, E. Zhang, P. Vepakomma, V. Sharma, R. Raskar, DISCO: Dynamic and invariant sensitive channel obfuscation for deep neural networks, in: Conference on Computer Vision and Pattern Recognition (CVPR), 2021.
[23] P. C. Roy, V. N. Boddeti, Mitigating information leakage in image representations: A maximum entropy approach, in: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2019, pp. 2586–2594.
[24] A. Li, J. Guo, H. Yang, F. D. Salim, Y. Chen, DeepObfuscator: Obfuscating intermediate representations with privacy-preserving adversarial learning on smartphones, in: International Conference on Internet-of-Things Design and Implementation, 2021.
[25] H. Edwards, A. Storkey, Censoring representations with an adversary, in: International Conference on Learning Representations (ICLR), 2016.
[26] C. Louizos, K. Swersky, Y. Li, M. Welling, R. Zemel, The variational fair autoencoder (2016).
[27] D. Madras, E. Creager, T. Pitassi, R. Zemel, Learning adversarially fair and transferable representations, in: International Conference on Machine Learning (ICML), 2018.
[28] P. Vepakomma, A. Singh, O. Gupta, R. Raskar, NoPeek: Information leakage reduction to share activations in distributed deep learning, in: 2020 International Conference on Data Mining Workshops (ICDMW), 2020.
[29] S. A. Osia, A. S. Shamsabadi, S. Sajadmanesh, A. Taheri, K. Katevas, H. R. Rabiee, N. D. Lane, H. Haddadi, A hybrid deep learning architecture for privacy-preserving mobile analytics, IEEE Internet of Things Journal (2020).
[30] F. Pittaluga, S. Koppal, A. Chakrabarti, Learning privacy preserving encodings through adversarial training, in: Winter Conference on Applications of Computer Vision (WACV), 2019.
[31] S. Liu, J. Du, A. Shrivastava, L. Zhong, Privacy adversarial network: representation learning for mobile data privacy, Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies (2019).
[32] Z. Wu, Z. Wang, Z. Wang, H. Jin, Towards privacy-preserving visual recognition via adversarial training: A pilot study, in: European Conference on Computer Vision (ECCV), 2018.
[33] B. Sadeghi, R. Yu, V. Boddeti, On the global optima of kernelized adversarial representation learning, in: International Conference on Computer Vision (ICCV), 2019.
[34] R. Shokri, M. Stronati, C. Song, V. Shmatikov, Membership inference attacks against machine learning models, in: Symposium on Security and Privacy (SP), 2017.
[35] M. Fredrikson, S. Jha, T. Ristenpart, Model inversion attacks that exploit confidence information and basic countermeasures, in: ACM SIGSAC Conference on Computer and Communications Security, 2015.
[36] D. Yin, R. G. Lopes, J. Shlens, E. D. Cubuk, J. Gilmer, A Fourier perspective on model robustness in computer vision, in: Advances in Neural Information Processing Systems (NeurIPS), 2019.
[37] H. Wang, X. Wu, Z. Huang, E. P. Xing, High-frequency component helps explain the generalization of convolutional neural networks, in: Conference on Computer Vision and Pattern Recognition (CVPR), 2020.
[38] R. Geirhos, P. Rubisch, C. Michaelis, M. Bethge, F. A. Wichmann, W. Brendel, ImageNet-trained CNNs are biased towards texture; increasing shape bias improves accuracy and robustness, in: International Conference on Learning Representations (ICLR), 2019.
[39] A. A. Abello, R. Hirata, Z. Wang, Dissecting the high-frequency bias in convolutional neural networks, in: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2021, pp. 863–871.
[40] A. Ilyas, S. Santurkar, D. Tsipras, L. Engstrom, B. Tran, A. Madry, Adversarial examples are not bugs, they are features, Advances in Neural Information Processing Systems (NeurIPS) (2019).
[41] J. S. Lim, Two-dimensional signal and image processing, Englewood Cliffs (1990).
[42] O. Ronneberger, P. Fischer, T. Brox, U-Net: Convolutional networks for biomedical image segmentation, in: International Conference on Medical Image Computing and Computer-Assisted Intervention, 2015.
[43] K. He, X. Zhang, S. Ren, J. Sun, Deep residual learning for image recognition, in: Conference on Computer Vision and Pattern Recognition (CVPR), 2016.
[44] Z. Liu, P. Luo, X. Wang, X. Tang, Deep learning face attributes in the wild, in: International Conference on Computer Vision (ICCV), 2015.
[45] K. Karkkainen, J. Joo, FairFace: Face attribute dataset for balanced race, gender, and age for bias measurement and mitigation, in: Winter Conference on Applications of Computer Vision (WACV), 2021.
[46] A. Krizhevsky, Learning multiple layers of features from tiny images, Technical Report, 2009.
[47] D. P. Kingma, J. Ba, Adam: A method for stochastic optimization, arXiv preprint arXiv:1412.6980 (2014).
[48] Z. Wang, A. Bovik, H. Sheikh, E. Simoncelli, Image quality assessment: from error visibility to structural similarity, Transactions on Image Processing (2004).
[49] Z. Wang, E. P. Simoncelli, A. C. Bovik, Multiscale structural similarity for image quality assessment, in: The Thirty-Seventh Asilomar Conference on Signals, Systems & Computers, volume 2, IEEE, 2003, pp. 1398–1402.
[50] A. Horé, D. Ziou, Image quality metrics: PSNR vs. SSIM, in: International Conference on Pattern Recognition, 2010.
[51] R. Zhang, P. Isola, A. A. Efros, E. Shechtman, O. Wang, The unreasonable effectiveness of deep features as a perceptual metric, in: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, 2018, pp. 586–595.
[52] T. Karras, S. Laine, M. Aittala, J. Hellsten, J. Lehtinen, T. Aila, Analyzing and improving the image quality of StyleGAN, in: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), 2020.
[53] A. Howard, M. Sandler, G. Chu, L.-C. Chen, B. Chen, M. Tan, W. Wang, Y. Zhu, R. Pang, V. Vasudevan, et al., Searching for MobileNetV3, in: Proceedings of the IEEE/CVF International Conference on Computer Vision, 2019.
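The radius parameter of the frequency filtering module (Section 6.2) and the compression argument of Section 6.1 can be made concrete with a small frequency-domain model. The following is an added example, not the authors' code: it builds a centred 2-D spectrum of a constructed sample image, applies a circular low-pass or high-pass mask with a normalised radius (normalising by the half-diagonal is an assumption, so these radii are not numerically comparable to the paper's), and measures how much spectral energy each radius keeps and how much of a low-pass versus a high-pass encoding survives a JPEG-like cut of the high frequencies.

```python
import cmath
import math

# Constructed 32x32 sample (not from the paper): smooth ramp plus a checkerboard.
N = 32
SAMPLE = [[(x + y) / (2 * N) + 0.25 * ((x + y) % 2) for x in range(N)] for y in range(N)]

def dft1(seq):
    """Naive 1-D DFT with precomputed twiddle factors."""
    n = len(seq)
    tw = [cmath.exp(-2j * math.pi * k / n) for k in range(n)]
    return [sum(seq[x] * tw[(k * x) % n] for x in range(n)) for k in range(n)]

def dft2(img):
    """Separable 2-D DFT, shifted so DC sits at index n//2 (as fftshift does)."""
    n, c = len(img), len(img) // 2
    rows = [dft1(row) for row in img]                                   # along x
    cols = [dft1([rows[y][kx] for y in range(n)]) for kx in range(n)]  # along y
    return [[cols[(v - c) % n][(u - c) % n] for v in range(n)] for u in range(n)]

def radial_mask(n, r, lowpass=True):
    """Circular mask on the centred spectrum. Distance from DC is normalised by the
    half-diagonal (an assumption, not the paper's stated scaling); low-pass passes
    distance <= r, high-pass passes distance > r."""
    c, max_d = n // 2, math.hypot(n // 2, n // 2)
    return [[1.0 if (math.hypot(u - c, v - c) / max_d <= r) == lowpass else 0.0
             for v in range(n)] for u in range(n)]

def apply_mask(spec, mask):
    return [[s * m for s, m in zip(srow, mrow)] for srow, mrow in zip(spec, mask)]

def energy(spec):
    return sum(abs(s) ** 2 for row in spec for s in row)

def retained_energy(spec, r, lowpass=True):
    return energy(apply_mask(spec, radial_mask(len(spec), r, lowpass))) / energy(spec)

def survives_compression(spec, r, lowpass, keep_r):
    """Fraction of the filtered representation's energy left after a JPEG-like
    step that discards every frequency beyond normalised radius keep_r."""
    encoded = apply_mask(spec, radial_mask(len(spec), r, lowpass))
    kept = apply_mask(encoded, radial_mask(len(spec), keep_r, True))
    return energy(kept) / energy(encoded)

SPEC = dft2(SAMPLE)
if __name__ == "__main__":
    for r in (0.01, 0.03, 0.1, 0.3, 1.0):
        print(f"low-pass r={r}: energy kept {retained_energy(SPEC, r):.4f}")
    print("low-pass r=0.3 then compression:", survives_compression(SPEC, 0.3, True, 0.5))
    print("high-pass r=0.7 then compression:", survives_compression(SPEC, 0.7, False, 0.5))
```

Run stand-alone, the sweep shows retained energy growing monotonically with the radius, while the compression check shows the low-pass encoding passing through untouched and the high-pass encoding being wiped out entirely.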