pith. machine review for the scientific record.

arxiv: 2605.03069 · v1 · submitted 2026-05-04 · 💻 cs.CR · cs.LG

Recognition: 3 theorem links · Lean Theorem

Distributed Deep Variational Approach for Privacy-preserving Data Release

Authors on Pith: no claims yet

Pith reviewed 2026-05-08 17:50 UTC · model grok-4.3

classification 💻 cs.CR · cs.LG
keywords privacy-preserving data release · federated learning · variational inference · mutual information · stochastic encoder · adversarial privacy · data sanitization

The pith

A stochastic encoder trained on a variational bound of mutual information releases data representations that keep utility within one percentage point of an unconstrained baseline while driving adversary prediction of a sensitive attribute (AUC) down to near 0.5, the level of random guessing.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper presents a data-release method that trains a stochastic encoder to map high-dimensional inputs into lower-dimensional sanitized outputs. The training objective uses a variational lower bound to limit mutual information between the output and a chosen sensitive attribute, while a separate loss term preserves performance on a designated utility attribute. A single multiplier balances the two goals. The same encoder structure is then deployed in a federated setting so that each client keeps both its raw data and its sensitive labels local and only the sanitized vectors reach the central aggregator. Across MNIST, CelebA, and human-activity benchmarks the resulting representations retain nearly the same utility as a plain autoencoder yet reduce an adversary's ability to recover the sensitive attribute to near-random levels.
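That description is concrete enough to sketch. Below is a minimal PyTorch rendering of one such training step, assuming a Gaussian stochastic encoder and a VIB-style bound; the module names, layer widths, and the alternating adversarial update for the sensitive head are illustrative assumptions, not the authors' implementation.

```python
import torch
import torch.nn as nn
import torch.nn.functional as F

class GaussianEncoder(nn.Module):
    """Stochastic encoder: x -> z ~ N(mu(x), diag(sigma(x)^2))."""
    def __init__(self, x_dim: int, z_dim: int):
        super().__init__()
        self.body = nn.Sequential(nn.Linear(x_dim, 256), nn.ReLU())
        self.mu = nn.Linear(256, z_dim)
        self.log_var = nn.Linear(256, z_dim)

    def forward(self, x: torch.Tensor) -> torch.Tensor:
        h = self.body(x)
        mu, log_var = self.mu(h), self.log_var(h)
        # Reparameterization keeps the sampling step differentiable.
        return mu + torch.randn_like(mu) * torch.exp(0.5 * log_var)

def encoder_loss(encoder, utility_head, sensitive_head, x, y_util, s_sens, beta):
    """One GPP-style encoder objective: privacy bound + beta * utility CE.

    utility_head / sensitive_head: any nn.Module producing class logits.
    sensitive_head plays the variational decoder q(s|z); in a separate,
    alternating step it is trained to minimize its own cross-entropy,
    which keeps the lower bound on I(Z;S) as tight as it can be.
    """
    z = encoder(x)
    util_ce = F.cross_entropy(utility_head(z), y_util)      # utility term
    log_q_s = -F.cross_entropy(sensitive_head(z), s_sens)   # = E[log q(s|z)]
    # Up to the constant H(S), log_q_s is a variational lower bound on
    # I(Z;S); the encoder drives it down. Larger beta favors utility,
    # matching the trade-off reported in Table IV.
    return log_q_s + beta * util_ce
```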

Core claim

The central claim is that optimizing a variational lower bound on mutual information between the released representation and a designated sensitive attribute, together with a cross-entropy utility term scaled by a Lagrange multiplier beta, produces representations whose downstream utility lies within roughly one percentage point of an unconstrained autoencoder while the area under the ROC curve of a separately trained adversary falls to near 0.5 on three standard benchmarks.
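Spelled out, one reading of that objective consistent with the abstract and with Table IV (where larger β favors utility); the exact parameterization is inferred, not quoted from the paper:

```latex
% Inferred form of the GPP objective, not quoted from the paper.
% p_theta: stochastic encoder; q_phi: utility decoder; q_psi: variational
% decoder for the sensitive attribute S, trained adversarially to keep the
% bound tight.
\min_{\theta,\phi}\ \max_{\psi}\quad
\underbrace{\mathbb{E}_{x,s}\,\mathbb{E}_{z\sim p_\theta(z\mid x)}\big[\log q_\psi(s\mid z)\big]}_{\text{variational bound on } I(Z;S)\ \text{up to } H(S)}
\;+\;\beta\,
\underbrace{\mathbb{E}_{x,y}\,\mathbb{E}_{z\sim p_\theta(z\mid x)}\big[-\log q_\phi(y\mid z)\big]}_{\text{utility cross-entropy}}
```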

What carries the argument

The Gaussian Privacy Protector (GPP), a variational stochastic encoder that minimizes a tractable lower bound on mutual information leakage to a sensitive attribute while preserving utility on a separate task.

Load-bearing premise

The variational lower bound is tight enough to control actual information leakage and the evaluated adversary model reflects the leakage risks that would appear in deployment.

What would settle it

A follow-up experiment in which a stronger inference model, trained after the encoder is fixed, recovers the sensitive attribute with AUC materially above 0.5 on held-out data from any of the three benchmarks.
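That check is mechanical enough to sketch. Assuming the frozen encoder's outputs and the held-out sensitive labels are available as arrays (all names below are illustrative, and the MLP is just one candidate for a "stronger" attacker family):

```python
import numpy as np
from sklearn.model_selection import train_test_split
from sklearn.neural_network import MLPClassifier
from sklearn.metrics import roc_auc_score

def post_hoc_adversary_auc(z_release: np.ndarray, s: np.ndarray,
                           seed: int = 0) -> float:
    """Train an attacker after the encoder is fixed; only (z, s) pairs are used.

    z_release: sanitized representations from the frozen encoder.
    s: binary sensitive attribute for the same examples.
    """
    z_tr, z_te, s_tr, s_te = train_test_split(
        z_release, s, test_size=0.3, random_state=seed, stratify=s)
    attacker = MLPClassifier(hidden_layer_sizes=(128, 64), max_iter=500,
                             random_state=seed)
    attacker.fit(z_tr, s_tr)
    # AUC materially above 0.5 on held-out data would undercut the privacy claim.
    return roc_auc_score(s_te, attacker.predict_proba(z_te)[:, 1])
```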

Figures

Figures reproduced from arXiv:2605.03069 by Huaping Liu and Zahir Alsulaimawi.

Figure 1. Inference structure of the GPP framework.
Figure 2. Threat model in federated learning systems. Adversaries may attempt …
Figure 3. Architecture of Distributed GPP. Each client …
Figure 4. Baseline comparison on MNIST. (a) Utility AUC vs. bottleneck …
Figure 5. Privacy-utility trade-off controlled by β. (a) Pareto frontier showing achievable (Utility AUC, Adversary AUC) pairs. (b) Effect of β: smaller β prioritizes privacy (lower adversary AUC), larger β prioritizes utility.
Figure 6. Effect of bottleneck dimension. (a) Utility AUC increases with …
Figure 7. Ablation study on adversarial training steps.
Figure 9. Statistical significance over 10 runs with error bars showing …

Table IV (extracted from the Figure 5 caption). Effect of β on the privacy-utility trade-off:

β      Utility AUC    Adversary AUC    Gap to 0.5
0.1    0.892          0.512            0.012
0.5    0.956          0.523            0.023
1.0    0.978          0.531            0.031
2.0    0.983          0.587            0.087
4.0    0.986          0.69…
Original abstract

Federated learning (FL) lets distributed nodes train a shared model without exchanging their raw data, but in privacy-sensitive deployments (medical sensors, IoT devices, wearables) the protection offered by keeping data local is incomplete: gradients, model updates, and the released representations themselves can leak sensitive attributes. We propose the Gaussian Privacy Protector (GPP), a data-release framework for continuous, high-dimensional inputs that learns a stochastic encoder mapping raw data to a low-dimensional sanitized representation. The encoder is trained against a variational lower bound on the mutual information between the released representation and a designated sensitive attribute, while a separate cross-entropy term preserves a designated utility attribute, with a Lagrange multiplier β controlling the trade-off. We then extend GPP to the federated setting, in which each client trains a local encoder, sensitive labels never leave the client, and the aggregator receives only sanitized representations, giving instance-level privacy protection in addition to the standard "raw data stays local" guarantee of FL. We evaluate GPP on MNIST (digit-sum utility, parity sensitive), CelebA (smiling vs. gender), and HAPT-Recognition (activity vs. subject identity). Across all three benchmarks, GPP attains utility within roughly one percentage point of an unconstrained autoencoder baseline while reducing the adversary's AUC to near random guessing.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, and this is the friction.

Referee Report

3 major / 3 minor

Summary. The manuscript proposes the Gaussian Privacy Protector (GPP), a deep variational framework for privacy-preserving data release. It trains a stochastic encoder to minimize a variational lower bound on the mutual information between the released representation Z and a sensitive attribute S, while preserving utility for a target attribute via cross-entropy loss, controlled by a Lagrange multiplier beta. The approach is extended to a federated setting where clients train local encoders and only sanitized representations are shared. Empirical evaluation on MNIST (digit sum utility, parity sensitive), CelebA (smiling vs gender), and HAPT (activity vs subject ID) claims that GPP achieves utility within ~1% of an unconstrained autoencoder while reducing adversary AUC to near 0.5.

Significance. If the variational bound proves tight and the adversary model representative of realistic threats, the GPP framework could supply a practical mechanism for instance-level privacy in federated continuous-data applications such as medical sensors or wearables. The federated extension is a clear incremental contribution beyond standard FL guarantees. The reported empirical trade-offs, however, rest on unverified assumptions about bound tightness and limited adversary testing, so the work's immediate impact is constrained until those points are addressed.

major comments (3)
  1. [Abstract / Method] Abstract and method description: the central privacy claim is that optimizing the variational lower bound L on I(Z;S) yields representations with near-zero leakage (adversary AUC ~0.5). No comparison of the achieved L value against an independent mutual-information estimator is reported, so it remains possible that L is loose and true I(Z;S) (hence extractable information) is substantially higher than the bound suggests.
  2. [Experiments] Experiments section: the abstract states utility within one percentage point of the unconstrained autoencoder baseline across three datasets, yet supplies no information on training procedure, hyperparameter selection (including the tuning schedule for beta), statistical significance, or the precise architecture and training regime of the adversary model. These omissions make the reported trade-off difficult to reproduce or generalize.
  3. [Experiments] Adversary evaluation: the AUC metric is computed for a single predictor family. No stress-testing with stronger extractors, alternative leakage measures (e.g., membership inference or reconstruction attacks), or information-theoretic upper bounds on leakage is provided to corroborate that actual privacy leakage is near random guessing.
minor comments (3)
  1. Include the numerical values attained by the variational bound on each dataset and an ablation plot or table showing the utility-privacy curve as beta varies.
  2. Clarify how sensitive and utility labels are obtained and protected in the federated protocol; the current description leaves open whether label information ever leaves the client.
  3. Ensure consistent equation numbering and cross-references throughout the text; several variational terms are introduced without explicit equation labels.

Simulated Authors' Rebuttal

3 responses · 0 unresolved

We thank the referee for the thoughtful and constructive report. The comments correctly identify areas where additional verification and detail would strengthen the manuscript. We address each major comment below and have prepared a revised version that incorporates the suggested improvements.

Point-by-point responses
  1. Referee: [Abstract / Method] Abstract and method description: the central privacy claim is that optimizing the variational lower bound L on I(Z;S) yields representations with near-zero leakage (adversary AUC ~0.5). No comparison of the achieved L value against an independent mutual-information estimator is reported, so it remains possible that L is loose and true I(Z;S) (hence extractable information) is substantially higher than the bound suggests.

    Authors: We agree that an empirical check on bound tightness would increase confidence in the privacy claims. In the revised manuscript we have added a new subsection that compares the optimized variational lower bound L against an independent neural mutual-information estimator (MINE) on the same representations. The results indicate that the gap between L and the estimated I(Z;S) is small across the three datasets, and the estimated mutual information remains close to zero when the adversary AUC is near 0.5. We also include a brief discussion of the conditions under which the bound is expected to be reasonably tight. (An estimator of this kind is sketched after these responses.) revision: yes

  2. Referee: [Experiments] Experiments section: the abstract states utility within one percentage point of the unconstrained autoencoder baseline across three datasets, yet supplies no information on training procedure, hyperparameter selection (including the tuning schedule for beta), statistical significance, or the precise architecture and training regime of the adversary model. These omissions make the reported trade-off difficult to reproduce or generalize.

    Authors: The referee is correct that these details were insufficiently documented. The revised Experiments section now provides: (i) complete model architectures and training hyperparameters for both the encoder and the utility predictor; (ii) the exact schedule and range used for tuning the Lagrange multiplier β (including grid search and validation-based selection); (iii) mean and standard deviation of utility and AUC over five independent runs with different random seeds, together with statistical significance tests; and (iv) the precise architecture, optimizer, and early-stopping criterion employed for every adversary model. revision: yes

  3. Referee: [Experiments] Adversary evaluation: the AUC metric is computed for a single predictor family. No stress-testing with stronger extractors, alternative leakage measures (e.g., membership inference or reconstruction attacks), or information-theoretic upper bounds on leakage is provided to corroborate that actual privacy leakage is near random guessing.

    Authors: We acknowledge that relying on a single adversary architecture leaves open the possibility of stronger attacks. In the revision we have added results for two stronger extractors (a deeper residual network and a gradient-boosted tree ensemble) as well as a membership-inference attack using the released representations. Across all three datasets the AUC values remain within 0.02 of 0.5 for the stronger models. We also report an independent information-theoretic estimate of leakage obtained via the same MINE estimator mentioned above, which corroborates that extractable information about the sensitive attribute is negligible. These new results are presented in an expanded adversary-evaluation subsection. (The boosted-tree attacker is sketched after these responses.) revision: yes
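On response 1: the MINE comparison the authors describe can be sketched with the standard Donsker-Varadhan estimator. Network width, learning rate, and step count below are placeholder assumptions, not the revised paper's settings; the inputs are assumed to be fixed tensors (encoder outputs detached beforehand, sensitive labels one-hot encoded).

```python
import math
import torch
import torch.nn as nn

class MineNet(nn.Module):
    """Critic T(z, s) for the Donsker-Varadhan lower bound on I(Z;S)."""
    def __init__(self, z_dim: int, s_dim: int):
        super().__init__()
        self.net = nn.Sequential(
            nn.Linear(z_dim + s_dim, 128), nn.ReLU(), nn.Linear(128, 1))

    def forward(self, z: torch.Tensor, s: torch.Tensor) -> torch.Tensor:
        return self.net(torch.cat([z, s], dim=1)).squeeze(1)

def mine_estimate(z: torch.Tensor, s_onehot: torch.Tensor,
                  steps: int = 2000) -> float:
    """I(Z;S) >= E_p(z,s)[T] - log E_p(z)p(s)[exp T]; returns nats.

    Naive DV estimator: the training gradient is biased, which careful
    use would correct, but it suffices as a cross-check sketch.
    """
    net = MineNet(z.shape[1], s_onehot.shape[1])
    opt = torch.optim.Adam(net.parameters(), lr=1e-3)
    n = z.shape[0]
    for _ in range(steps):
        joint = net(z, s_onehot).mean()
        # Shuffling s breaks the pairing, simulating the product of marginals.
        marg = torch.logsumexp(net(z, s_onehot[torch.randperm(n)]), dim=0) - math.log(n)
        loss = -(joint - marg)  # ascend the DV lower bound
        opt.zero_grad(); loss.backward(); opt.step()
    with torch.no_grad():
        joint = net(z, s_onehot).mean()
        marg = torch.logsumexp(net(z, s_onehot[torch.randperm(n)]), dim=0) - math.log(n)
        return float(joint - marg)
```

On response 3: the gradient-boosted attacker is quick to stand up against frozen representations; the hyperparameters here are illustrative, not the revision's.

```python
from sklearn.ensemble import GradientBoostingClassifier
from sklearn.metrics import roc_auc_score

def gbt_adversary_auc(z_train, s_train, z_test, s_test) -> float:
    """Sensitive-attribute recovery with a boosted-tree attacker (binary s)."""
    attacker = GradientBoostingClassifier(
        n_estimators=300, max_depth=3, learning_rate=0.05)
    attacker.fit(z_train, s_train)
    return roc_auc_score(s_test, attacker.predict_proba(z_test)[:, 1])
```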

Circularity Check

0 steps flagged

No significant circularity detected

full rationale

The paper describes a standard variational lower-bound objective on mutual information I(Z;S) for privacy, combined with a cross-entropy utility term and a single Lagrange multiplier β for the trade-off. This is a conventional optimization construction (similar to VIB-style objectives) whose derivation does not reduce any claimed quantity to itself by definition. The reported results are empirical evaluations on three external benchmarks (MNIST, CelebA, HAPT) rather than predictions forced by the fitted parameters or by self-citation chains. No equations or steps in the provided description exhibit self-definitional loops, fitted inputs renamed as predictions, or load-bearing self-citations. The method is therefore self-contained against external benchmarks, consistent with a score of 0.

Axiom & Free-Parameter Ledger

1 free parameter · 1 axiom · 1 invented entity

The central claim rests on the standard variational inference assumption that a lower bound on mutual information can be optimized to control leakage, plus a tunable trade-off parameter; no new physical entities are introduced.

free parameters (1)
  • beta
    Lagrange multiplier balancing the mutual-information privacy term against the utility cross-entropy term; its value is chosen per dataset to achieve the reported operating point.
axioms (1)
  • domain assumption: A variational lower bound on mutual information between the released representation and the sensitive attribute can be optimized to limit actual leakage.
    Invoked in the training objective description; the bound is known to be loose in general, yet the paper treats its optimization as sufficient for the privacy claim. A short derivation of the bound and its gap is sketched after this ledger.
invented entities (1)
  • Gaussian Privacy Protector (GPP): no independent evidence
    purpose: The proposed stochastic encoder architecture and training procedure for privacy-preserving release.
    It is the algorithmic contribution itself; no independent falsifiable prediction outside the paper's experiments is provided.
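For reference, the standard derivation behind that domain assumption, written in the usual VIB form (not quoted from the paper): for any variational decoder q_ψ(s|z),

```latex
% Standard identity; the inequality drops a nonnegative expected KL term.
I(Z;S) \;=\; H(S) + \mathbb{E}_{p(z,s)}\big[\log q_\psi(s\mid z)\big]
       \;+\; \mathbb{E}_{p(z)}\Big[\mathrm{KL}\big(p(s\mid z)\,\big\|\,q_\psi(s\mid z)\big)\Big]
\;\;\ge\;\; H(S) + \mathbb{E}_{p(z,s)}\big[\log q_\psi(s\mid z)\big].
```

The gap is exactly the expected KL divergence between the true posterior p(s|z) and the decoder q_ψ, so driving the right-hand side down constrains I(Z;S) only insofar as q_ψ stays close to that posterior; this is the looseness the ledger entry flags.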

pith-pipeline@v0.9.0 · 5534 in / 1455 out tokens · 41921 ms · 2026-05-08T17:50:34.260088+00:00 · methodology

discussion (0)


Lean theorems connected to this paper

Citations machine-checked in the Pith Canon. Every link opens the source theorem in the public Lean library.

What do these tags mean?
matches: The paper's claim is directly supported by a theorem in the formal canon.
supports: The theorem supports part of the paper's argument, but the paper may add assumptions or extra steps.
extends: The paper goes beyond the formal theorem; the theorem is a base layer rather than the whole result.
uses: The paper appears to rely on the theorem as machinery.
contradicts: The paper's claim conflicts with a theorem or certificate in the canon.
unclear: Pith found a possible connection, but the passage is too broad, indirect, or ambiguous to say the theorem truly supports the claim.

Reference graph

Works this paper leans on

71 extracted references · 12 canonical work pages · 3 internal anchors

  [1] I. Wagner and D. Eckhoff, "Technical privacy metrics: A systematic survey," ACM Computing Surveys (CSUR), vol. 51, no. 3, pp. 1–38, 2018.
  [2] A. Narayanan and V. Shmatikov, "Robust de-anonymization of large sparse datasets," in 2008 IEEE Symposium on Security and Privacy. IEEE, 2008, pp. 111–125.
  [3] A. D. Sarwate and K. Chaudhuri, "Signal processing and machine learning with differential privacy: Algorithms and challenges for continuous data," IEEE Signal Processing Magazine, vol. 30, no. 5, pp. 86–94, 2013.
  [4] M. Fredrikson, S. Jha, and T. Ristenpart, "Model inversion attacks that exploit confidence information and basic countermeasures," in Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, 2015, pp. 1322–1333.
  [5] R. Shokri, M. Stronati, C. Song, and V. Shmatikov, "Membership inference attacks against machine learning models," in 2017 IEEE Symposium on Security and Privacy (SP). IEEE, 2017, pp. 3–18.
  [6] T. Ma, H. Zhou, B. Qian, N. Cheng, X. Shen, X. Chen, and B. Bai, "UAV-LEO integrated backbone: A ubiquitous data collection approach for B5G Internet of remote things networks," IEEE Journal on Selected Areas in Communications, 2021.
  [7] X. Liu, H. Li, G. Xu, Z. Chen, X. Huang, and R. Lu, "Privacy-enhanced federated learning against poisoning adversaries," IEEE Transactions on Information Forensics and Security, 2021.
  [8] L. Lyu, J. Yu, K. Nandakumar, Y. Li, X. Ma, J. Jin, H. Yu, and K. S. Ng, "Towards fair and privacy-preserving federated deep models," IEEE Transactions on Parallel and Distributed Systems, vol. 31, no. 11, pp. 2524–2541, 2020.
  [9] L. Sweeney, "k-anonymity: A model for protecting privacy," International Journal of Uncertainty, Fuzziness and Knowledge-Based Systems, vol. 10, no. 05, pp. 557–570, 2002.
  [10] A. Machanavajjhala, J. Gehrke, D. Kifer, and M. Venkitasubramaniam, "l-diversity: Privacy beyond k-anonymity," in 22nd International Conference on Data Engineering (ICDE'06). IEEE, 2006, pp. 24–24.
  [11] N. Li, T. Li, and S. Venkatasubramanian, "t-closeness: Privacy beyond k-anonymity and l-diversity," in 2007 IEEE 23rd International Conference on Data Engineering. IEEE, 2007, pp. 106–115.
  [12] C. Dwork, A. Roth, et al., "The algorithmic foundations of differential privacy," Foundations and Trends in Theoretical Computer Science, vol. 9, no. 3–4, pp. 211–407, 2014.
  [13] L. Oneto, S. Ridella, and D. Anguita, "Differential privacy and generalization: Sharper bounds with applications," Pattern Recognition Letters, vol. 89, pp. 31–38, 2017.
  [14] D. Kifer and A. Machanavajjhala, "No free lunch in data privacy," in Proceedings of the 2011 ACM SIGMOD International Conference on Management of Data, 2011, pp. 193–204.
  [15] C. Liu, S. Chakraborty, and P. Mittal, "Dependence makes you vulnerable: Differential privacy under dependent tuples," in NDSS, vol. 16, 2016, pp. 21–24.
  [16] R. Gilad-Bachrach, N. Dowlin, K. Laine, K. Lauter, M. Naehrig, and J. Wernsing, "CryptoNets: Applying neural networks to encrypted data with high throughput and accuracy," in International Conference on Machine Learning, 2016, pp. 201–210.
  [17] C. Carlet, Boolean Functions for Cryptography and Coding Theory. Cambridge University Press, 2021.
  [18] A. C. Yao, "Protocols for secure computations," in 23rd Annual Symposium on Foundations of Computer Science (SFCS 1982). IEEE, 1982, pp. 160–164.
  [19] Y. Lindell, "Secure multiparty computation (MPC)," IACR Cryptology ePrint Archive, vol. 2020, p. 300, 2020.
  [20] H. K. Patil and R. Seshadri, "Big data security and privacy issues in healthcare," in 2014 IEEE International Congress on Big Data. IEEE, 2014, pp. 762–765.
  [21] M. Abu-Tair, S. Djahel, P. Perry, B. Scotney, U. Zia, J. M. Carracedo, and A. Sajjad, "Towards secure and privacy-preserving IoT enabled smart home: Architecture and experimental study," Sensors, vol. 20, no. 21, p. 6131, 2020.
  [22] S. Moriai, "Privacy-preserving deep learning via additively homomorphic encryption," in 2019 IEEE 26th Symposium on Computer Arithmetic (ARITH). IEEE, 2019, pp. 198–198.
  [23] C.-Y. Sun, A. C.-H. Wu, and T. Hwang, "A novel privacy-preserving deep learning scheme without a cryptography component," Computers & Electrical Engineering, vol. 94, p. 107325, 2021.
  [24] S. Matwin, "Privacy-preserving data mining techniques: Survey and challenges," in Discrimination and Privacy in the Information Society. Springer, 2013, pp. 209–221.
  [25] R. Mendes and J. P. Vilela, "Privacy-preserving data mining: Methods, metrics, and applications," IEEE Access, vol. 5, pp. 10562–10582, 2017.
  [26] A. Korolova, "Privacy violations using microtargeted ads: A case study," in 2010 IEEE International Conference on Data Mining Workshops (ICDMW). IEEE, 2010, pp. 474–482.
  [27] I. Psychoula, E. Merdivan, D. Singh, L. Chen, F. Chen, S. Hanke, J. Kropf, A. Holzinger, and M. Geist, "A deep learning approach for privacy preservation in assisted living," arXiv preprint arXiv:1802.09359, 2018.
  [28] J. Zhao, R. Mortier, J. Crowcroft, and L. Wang, "Privacy-preserving machine learning based data analytics on edge devices," arXiv preprint, University of Cambridge, 2018.
  [29] B. I. P. Rubinstein, P. L. Bartlett, L. Huang, and N. Taft, "Learning in a large function space: Privacy-preserving mechanisms for SVM learning," arXiv preprint arXiv:0911.5708, 2009.
  [30] K. Chaudhuri, A. D. Sarwate, and K. Sinha, "A near-optimal algorithm for differentially-private principal components," Journal of Machine Learning Research, vol. 14, no. 1, pp. 2905–2943, 2013.
  [31] M. Abadi, A. Chu, I. Goodfellow, H. B. McMahan, I. Mironov, K. Talwar, and L. Zhang, "Deep learning with differential privacy," in Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. ACM, 2016, pp. 308–318.
  [32] M. Banerjee and S. Chakravarty, "Privacy preserving feature selection for distributed data using virtual dimension," in Proceedings of the 20th ACM International Conference on Information and Knowledge Management. ACM, 2011, pp. 2281–2284.
  [33] Y. Jafer, S. Matwin, and M. Sokolova, "A framework for a privacy-aware feature selection evaluation measure," in 2015 13th Annual Conference on Privacy, Security and Trust (PST). IEEE, 2015, pp. 62–69.
  [34] K. Xu, T. Cao, S. Shah, C. Maung, and H. Schweitzer, "Cleaning the null space: A privacy mechanism for predictors," in Thirty-First AAAI Conference on Artificial Intelligence, 2017.
  [35] M. Enev, J. Jung, L. Bo, X. Ren, and T. Kohno, "SensorSift: Balancing sensor data privacy and utility in automated face understanding," in Proceedings of the 28th Annual Computer Security Applications Conference. ACM, 2012, pp. 149–158.
  [36] Y. O. Basciftci, Y. Wang, and P. Ishwar, "On privacy-utility tradeoffs for constrained data release mechanisms," in 2016 Information Theory and Applications Workshop (ITA). IEEE, 2016, pp. 1–6.
  [37] Y. Wang, Y. O. Basciftci, and P. Ishwar, "Privacy-utility tradeoffs under constrained data release mechanisms," arXiv preprint arXiv:1710.09295, 2017.
  [38] A. Makhdoumi, S. Salamatian, N. Fawaz, and M. Médard, "From the information bottleneck to the privacy funnel," in 2014 IEEE Information Theory Workshop (ITW). IEEE, 2014, pp. 501–505.
  [39] F. du Pin Calmon and N. Fawaz, "Privacy against statistical inference," in 2012 50th Annual Allerton Conference on Communication, Control, and Computing (Allerton). IEEE, 2012, pp. 1401–1408.
  [40] N. Tishby, F. C. Pereira, and W. Bialek, "The information bottleneck method," arXiv preprint physics/0004057, 2000.
  [41] A. Creswell, Y. Mohamied, B. Sengupta, and A. A. Bharath, "Adversarial information factorization," arXiv preprint arXiv:1711.05175, 2017.
  [42] J. Klys, J. Snell, and R. Zemel, "Learning latent subspaces in variational autoencoders," in Advances in Neural Information Processing Systems, 2018, pp. 6445–6455.
  [43] C. Louizos, K. Swersky, Y. Li, M. Welling, and R. Zemel, "The variational fair autoencoder," arXiv preprint arXiv:1511.00830, 2015.
  [44] H. Edwards and A. Storkey, "Censoring representations with an adversary," arXiv preprint arXiv:1511.05897, 2015.
  [45] J. Hamm, "Preserving privacy of continuous high-dimensional data with minimax filters," in Artificial Intelligence and Statistics, 2015, pp. 324–332.
  [46] Y. Ganin, E. Ustinova, H. Ajakan, P. Germain, H. Larochelle, F. Laviolette, M. Marchand, and V. Lempitsky, "Domain-adversarial training of neural networks," Journal of Machine Learning Research, vol. 17, no. 59, pp. 1–35, 2016.
  [47] D. Peteiro-Barral and B. Guijarro-Berdiñas, "A survey of methods for distributed machine learning," Progress in Artificial Intelligence, vol. 2, no. 1, pp. 1–11, 2013.
  [48] D. Zhang, X. Chen, D. Wang, and J. Shi, "A survey on collaborative deep learning and privacy-preserving," in 2018 IEEE Third International Conference on Data Science in Cyberspace (DSC). IEEE, 2018, pp. 652–658.
  [49] B. K. Beaulieu-Jones, W. Yuan, S. G. Finlayson, and Z. S. Wu, "Privacy-preserving distributed deep learning for clinical data," arXiv preprint arXiv:1812.01484, 2018.
  [50] J. Jeon, J. Kim, J. Kim, K. Kim, A. Mohaisen, and J.-K. Kim, "Privacy-preserving deep learning computation for geo-distributed medical big-data platforms," in 2019 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, Supplemental Volume (DSN-S). IEEE, 2019, pp. 3–4.
  [51] Q. Yang, Y. Liu, T. Chen, and Y. Tong, "Federated machine learning: Concept and applications," ACM Transactions on Intelligent Systems and Technology (TIST), vol. 10, no. 2, pp. 1–19, 2019.
  [52] J. Xu, B. S. Glicksberg, C. Su, P. Walker, J. Bian, and F. Wang, "Federated learning for healthcare informatics," Journal of Healthcare Informatics Research, pp. 1–19, 2020.
  [53] M. Chen, Z. Yang, W. Saad, C. Yin, H. V. Poor, and S. Cui, "A joint learning and communications framework for federated learning over wireless networks," IEEE Transactions on Wireless Communications, 2020.
  [54] I. Goodfellow, J. Pouget-Abadie, M. Mirza, B. Xu, D. Warde-Farley, S. Ozair, A. Courville, and Y. Bengio, "Generative adversarial nets," in Advances in Neural Information Processing Systems, 2014, pp. 2672–2680.
  [55] D. P. Kingma and M. Welling, "Auto-encoding variational Bayes," arXiv preprint arXiv:1312.6114, 2013.
  [56] T. M. Cover and J. A. Thomas, Elements of Information Theory. John Wiley & Sons, 2012.
  [57] L. Lyu, H. Yu, and Q. Yang, "Threats to federated learning: A survey," arXiv preprint arXiv:2003.02133, 2020.
  [58] G. Cheng, K. Chadha, and J. Duchi, "Fine-tuning is fine in federated learning," arXiv preprint arXiv:2108.07313, 2021.
  [59] M. Alazab, S. P. RM, M. Parimala, P. Reddy, T. R. Gadekallu, and Q.-V. Pham, "Federated learning for cybersecurity: Concepts, challenges and future directions," IEEE Transactions on Industrial Informatics, 2021.
  [60] J. Xu, B. S. Glicksberg, C. Su, P. Walker, J. Bian, and F. Wang, "Federated learning for healthcare informatics," Journal of Healthcare Informatics Research, vol. 5, no. 1, pp. 1–19, 2021.
  [61] Z. Li, V. Sharma, and S. P. Mohanty, "Preserving data privacy via federated learning: Challenges and solutions," IEEE Consumer Electronics Magazine, vol. 9, no. 3, pp. 8–16, 2020.
  [62] S. Niknam, H. S. Dhillon, and J. H. Reed, "Federated learning for wireless communications: Motivation, opportunities, and challenges," IEEE Communications Magazine, vol. 58, no. 6, pp. 46–51, 2020.
  [63] C. Ma, J. Li, M. Ding, H. H. Yang, F. Shu, T. Q. S. Quek, and H. V. Poor, "On safeguarding privacy and security in the framework of federated learning," IEEE Network, 2020.
  [64] B. Hou, J. Gao, X. Guo, T. Baker, Y. Zhang, Y. Wen, and Z. Liu, "Mitigating the backdoor attack by federated filters for industrial IoT applications," IEEE Transactions on Industrial Informatics, 2021.
  [65] T. Li, A. K. Sahu, A. Talwalkar, and V. Smith, "Federated learning: Challenges, methods, and future directions," IEEE Signal Processing Magazine, vol. 37, no. 3, pp. 50–60, 2020.
  [66] Y. LeCun, C. Cortes, and C. J. C. Burges, "The MNIST database of handwritten digits," http://yann.lecun.com/exdb/mnist/, 1998.
  [67] J. Hamm, Y. Cao, and M. Belkin, "Learning privately from multiparty data," in International Conference on Machine Learning, 2016, pp. 555–563.
  [68] Z. Liu, P. Luo, X. Wang, and X. Tang, "Deep learning face attributes in the wild," in Proceedings of the IEEE International Conference on Computer Vision (ICCV), 2015, pp. 3730–3738.
  [69] J.-L. Reyes-Ortiz, L. Oneto, A. Samà, X. Parra, and D. Anguita, "Transition-aware human activity recognition using smartphones," Neurocomputing, vol. 171, pp. 754–767, 2016.

  [70] D. P. Kingma and J. Ba, "Adam: A method for stochastic optimization," arXiv preprint arXiv:1412.6980, 2014.