Privacy Preserving AI (Andrew Trask) | MIT Deep Learning Series

In this MIT Deep Learning Series talk, Andrew Trask walks through the toolkit of privacy-preserving AI from a data scientist's point of view: remote execution, private search, differential privacy, and secure multi-party computation. He shows how these techniques combine so researchers can train models on sensitive data (like medical records) without ever seeing it. In the second half he zooms out to the societal implications, sketching four big use-case categories: open data for science, single-use accountability systems, end-to-end encrypted services, and better recommendation systems. He argues the theory exists and what remains is adoption, engineering, and infrastructure.

• Trask points out almost everyone trains classifiers on MNIST/CIFAR while virtually no one works on dementia, diabetes, or Alzheimer's because private data is so hard to access.
  00:03:35
• He warns that simple data anonymization 'by and large does not work' and is very dangerous to rely on.
  00:19:29
• The Netflix Prize anonymized dataset was de-anonymized by UT Austin researchers who scraped IMDB and matched users.
  00:20:01
• Trask says he knows of companies whose business model is buying anonymized datasets, de-anonymizing them, and selling intelligence to insurance companies.
  00:21:38
• He argues individuals, not hospitals or data scientists, should ultimately set their own personal epsilon (privacy) budgets.
  00:26:49
• Secure multi-party computation lets multiple parties share ownership of a number and compute on it while it stays encrypted.
  00:30:34
• He describes 'structured transparency': combining MPC for input privacy and differential privacy for output privacy to enable end-to-end encrypted services.
  00:57:30
• The 2020 US Census will protect its data using differential privacy, some of the leading real-world deployment of the technique.
  01:04:15

• Randomized response (a coin-flip survey technique) gives respondents plausible deniability while still recovering the true population mean.
  00:14:19
• Adding noise for plausible deniability is the 'secret weapon' of differential privacy.
  00:16:22
• Local differential privacy adds noise before data is sent; global adds noise to query outputs but requires trusting the database owner.
  00:17:26
• In secure MPC, neither shareholder can tell the encrypted number from their own share alone; decryption requires all shareholders to agree.
  00:29:31
• State-of-the-art encrypted deep learning runs about a 13x slowdown versus plaintext.
  00:33:09
• The next-word prediction on your phone keyboard is trained on-device using federated learning, pioneered by Google.
  00:37:20
• Federated learning alone is not secure; a model can memorize and later spit out training data unless combined with differential privacy.
  00:39:26
• A sniffing dog at the airport is a great privacy-preserving system: it reveals only one bit of information without searching the whole bag.
  00:51:01
• The PyTorch team sponsored $250,000 in open-source grants to fund work on the PySyft library.
  01:05:17
• Trask argues recommendation systems' biggest flaw is optimizing for engagement rather than holistic goals like good sleep or meaningful friendships.
  01:12:00

Books, products and media the guest or host genuinely endorsed here — with the buy link.

Affiliate link — we may earn a commission at no extra cost to you.