Abstract: Growing Machine Learning (ML) services require extensive collections of user data, which may inadvertently include people's private information irrelevant to the services. Various methods have been proposed to protect private attributes by removing them from the data while maintaining the utility of the data for downstream tasks. Nevertheless, as we theoretically and empirically show in the paper, these methods exhibit severe vulnerability because of a common weakness rooted in their adversarial-training-based strategies. To overcome this limitation, we propose a novel approach, PASS, designed to stochastically substitute the original sample with another one according to certain probabilities, which is trained with a novel loss function soundly derived from an information-theoretic objective defined for utility-preserving private attribute protection. The comprehensive evaluation of PASS on various datasets of different modalities, including facial images, human activity sensory signals, and voice recording datasets, substantiates PASS's effectiveness and generalizability.
Lay Summary: Modern AI systems often require users to share personal data—such as facial images, voice recordings, or sensor readings—to function effectively. However, this data can unintentionally contain sensitive personal details, like gender or identity, which can be extracted and misused by malicious attackers.
To address this risk, many advanced techniques have been developed to “hide” sensitive information from the data while preserving the useful parts needed for AI tasks—for example, modifying an image to make it “gender-neutral” while keeping the facial expression and age unchanged.
Unfortunately, in this paper, we discovered that these existing methods share a common flaw: they rely on a strategy called “adversarial training,” which makes them notably vulnerable to slightly more powerful attackers.
To overcome this, we introduce a new method called PASS. Instead of trying to “hide” sensitive information, PASS replaces each data point—such as a facial image—with another similar example in a carefully designed, probabilistic way.
We show that PASS is backed by strong theoretical foundations and makes it significantly harder for attackers to extract private information. This research moves us a step closer to safer AI systems that respect personal privacy.
Primary Area: Social Aspects->Privacy
Keywords: Privacy Protection, Utility Preservation, Information Theory
Submission Number: 13173