PrivNet: Safeguarding Private Attributes in Transfer Learning for Recommendation

Transfer learning in recommendation Cantador et al. (2015) is an effective technique to alleviate the data sparsity issue in one domain by exploiting the knowledge from other domains. Typical methods apply matrix factorization Singh and Gordon (2008); Pan et al. (2010); Yang et al. (2017b) and representation learning Zhang et al. (2016); Man et al. (2017); Yang et al. (2017a); Gao et al. (2019a); Ma et al. (2019a) on each domain and share the user (item) factors, or learn a cluster level rating pattern Li et al. (2009); Yuan et al. (2019). Transfer learning is to improve the target performance by exploiting knowledge from auxiliary domains Pan and Yang (2009); Elkahky et al. (2015); Zhang and Yang (2017); Chen et al. (2019); Gao et al. (2019b). One transfer strategy (two-stage) is to initialize a target network with transferred representations from a pre-trained source network Oquab et al. (2014); Yosinski et al. (2014). Another transfer strategy (end-to-end) is to transfer knowledge in a mutual way such that the source and target networks benefit from each other during the training, with examples including the cross-stitch networks Misra et al. (2016) and collaborative cross networks Hu et al. (2018). These transfer learning methods have access to the input or representations from source domain. Therefore, it raises a concern on privacy leaks and provides an attack possibility during knowledge transfer.

Existing privacy-preserving techniques mainly belong to three research threads. One thread adds noise (e.g., differential privacy Dwork et al. (2006)) to the released data or the output of recommender systems McSherry and Mironov (2009); Jia and Gong (2018); Meng et al. (2018); Wang et al. (2018b); Wang and Zhou (2020). One thread perturbs user profiles such as adding (or deleting/changing) dummy items to the user history so that it hides the user’s actual ratings Polat and Du (2003); Weinsberg et al. (2012). Adding noise and perturbing ratings may still suffer from privacy inference attacks when the attacker can successfully distinguish the true profiles from the noisy/perturbed ones. Furthermore, they may degrade performance since data is corrupted. Another thread uses adversary loss Resheff et al. (2019); Beigi et al. (2020) to formulate the privacy attacker and the recommender system as an adversarial learning problem. However, they face the data sparsity issues. A recent work Ravfogel et al. (2020) trains linear classifiers to predict a protected attribute and then remove it by projecting the representation on its null-space. Some other work uses encryption and federated learning so as to protect the personal data without affecting performance Nikolaenko et al. (2013); Chen et al. (2018); Wang et al. (2019). They suffer from efficiency and scalability due to high cost of computation and communication.

In this section, we introduce a novel transfer-learning recommender which has three parts, a source network for the source domain, a target network for the target domain, and a knowledge transfer unit between the two domains.

Target network The input is a pair of (user, item) and the output is their matching degree. The user is represented by their $w$-sized historical items $[i_{1},...,i_{w}]$. First, an item embedding matrix $\bm{A}_{T}$ projects the discrete item indices to the $d$-dimensional continuous representations: $\bm{x}_{i}$ and $\bm{x}_{i_{*}}$ where $*\in[1,2,...,w]$. Second, the user representation $\bm{x}_{u}$ is computed by the user encoder module based on an attention mechanism by querying their historical items with the predicted item: $\bm{x}_{u}=\sum\nolimits_{i_{*}}\alpha_{i_{*}}\bm{x}_{i_{*}},$ where $\alpha_{i_{*}}=\bm{x}_{i}^{T}\bm{x}_{i_{*}}$ (normalized: $\sum\alpha_{i_{*}}=1$). Third, a multilayer perceptron (MLP) $f_{T}$ parameterized by $\phi_{T}$ is used to compute target preference score (the notation $[\cdot,\cdot]$ denotes concatenation):

where $\theta_{T}=\{\bm{A}_{T},\phi_{T}\}$ is the model parameter.

Source network Similar to the three-step computing process in the target network, we compute the source preference score by: $\hat{r}_{uj}=P(r_{uj}|u,j;\theta_{S})=f_{S}([\bm{x}_{u},\bm{x}_{j}])$ where $\theta_{S}=\{\bm{A}_{S},\phi_{S}\}$ is the model parameter with item embedding matrix $\bm{A}_{S}$ and multilayer perceptron $\phi_{S}$.

Transfer unit The transfer unit implements the knowledge transfer from the source to the target domain. Since typical neural networks have more than one layer, say $L$, the representations are transferred in a multilayer way. Let $\bm{x}_{u|\#}^{\ell}$ where $\#\in\{S,T\}$ be user $u$’s source/target representation in the $\ell$-th layer ($\ell=1,2,...,L-1$) where $\bm{x}_{u|S}^{1}=[\bm{x}_{u},\bm{x}_{j}]$ and $\bm{x}_{u|T}^{1}=[\bm{x}_{u},\bm{x}_{i}]$. The transferred representation is computed by projecting the source representation to the space of target representations with a translation matrix $\bm{H}^{\ell}$:

With the knowledge from the source domain, the target network learns a linear combination of the two input activations from both networks and then feeds these combinations as input to the successive layer’s filter. In detail, the $(\ell+1)$-th layer’s input of the target network is computed by: $\bm{W}_{T}^{\ell}\bm{x}_{u|T}^{\ell}+\bm{x}_{u|trans}^{\ell}$ where $\bm{W}_{T}^{\ell}$ is the connection weight matrix in the $\ell$-th layer of the target network. The total transferred knowledge is concatenated by all layers’s representations:

Objective The recommender minimizes the negative logarithm likelihood:

where $\theta=\{\theta_{T},\theta_{S},\{\bm{H}^{\ell}\}_{\ell=1}^{L-1}\}$, $D_{T}$ and $D_{S}$ are target and source training examples, respectively. We introduce how to generate them in Section 4.4.

The recommender can fulfil the Problem 1 (see Section 3) if there is no attacker existing. A challenge for the recommender is that it does not know the attacker models in advance. To address this challenge, we add an attacker component during the training to simulate the attacks for the test. By integrating a simulated attacker into the recommender, it can deal with the unseen attacks in the future. In this section, we introduce an attacker to infer the user private information from the transferred knowledge. In the next Section 4.3, we will introduce an adversarial recommender by exploiting the simulated attacker to regularize the recommendation process in order to fool the adversary so that it can protect the privacy of unseen users in the future.

The attacker model predicts the private user attribute from their source representation sent to the target domain:

where $\hat{y}_{u,p}$ is the predicted value of user $u$’s $p$-th private attribute and $p=1,...,n$. $f_{p}$ is the prediction model parameterized by $\theta_{p}$. Note that, an attacker can use any prediction model and here we use an MLP due to its nonlinearity and generality.

For all $n$ private user attributes, the attacker model minimizes the multitask loss:

where $\Theta=\{\theta_{p}\}_{p=1}^{n}$ and $D_{p}$ is training examples for the $p$-th attribute. We introduce how to generate them in Section 4.4.

So far, we have introduced a recommender to exploit the knowledge from a source domain and a privacy attacker to infer user private information from the transferred knowledge. To fulfill the Problem 1 in Section 3, we need to achieve two goals: improving the target recommendation and protecting the source privacy. In this section, we propose a novel model (PrivNet) by exploiting the attacker component to regularize the recommender.

Since we have two rival objectives (i.e., target quality and source privacy), we adopt the adversarial learning technique Goodfellow et al. (2014) to learn a privacy-aware transfer model. The generator is a privacy attacker which tries to accurately infer the user privacy, while the discriminator is an recommender which learns user preferences and deceives the adversary. The recommender of PrivNet minimizes:

where the hyperparameter $\lambda$ controls the influence from the attacker component. PrivNet seeks to improve the recommendation quality (the first term on the right-hand side) and fools the adversary by maximizing the loss of the adversary (the second term,). The adversary has no control over the transferred knowledge, i.e., $\bm{x}_{u|trans}$. Losses of the two components are interdependent but they optimize their own parameters. PrivNet is a general framework since both the recommender and the attacker can be easily replaced by their variants. PrivNet reduces to privacy-agnostic transfer model when $\lambda=0$.

We generate $D_{T}$ and $D_{S}$ as follows and take the target domain as an example since the procedure is the same for the source domain. Suppose we have a whole item interaction history for some user $u$, say $[i_{1},i_{2},...,i_{l}]$. Then we generate the positive training examples by sliding over the sequence of the history: $D_{T}^{+}=\{([i_{w}]_{w=1}^{c-1},i_{c}):c=2,...,l\}$. We adopt the random negative sampling technique Pan et al. (2008) to generate the corresponding negative training examples $D_{T}^{-}=\{([i_{w}]_{w=1}^{c-1},i_{c}^{\prime}):i_{c}^{\prime}\notin[i_{1},i_{2},...,i_{l}]\}$. As the same with Weinsberg et al. (2012); Beigi et al. (2020), we assume that some users $\mathcal{U}^{pub}\subset\mathcal{U}$ share their private attributes with the public profile. Then we have the labelled privacy data $D_{priv}=\{D_{p}\}_{p=1}^{n}$ where $D_{p}=\{(u,y_{u,p}):u\in\mathcal{U}^{pub}\}$.

The training process of PrivNet is illustrated in Algorithm 1. Lines 1-3 are to optimize the privacy part related parameter, i.e., $\Theta$ in $\mathcal{L}(\Theta)$. On line 1, it creates a mini-batch size examples from data $D_{priv}$. Each example contains a user and their corresponding private attributes $(u,\{y_{u,p}\}_{p=1}^{n})$. On line 2, it feeds users and their historical items in the source domain to the source network so as to generate transferred knowledge $\bm{x}_{u|trans}$. On line 3, the transferred knowledge and their corresponding private attributes $(\bm{x}_{u|trans},\{y_{u,p}\}_{p=1}^{n})$ are used to train the privacy attacker component by descending its stochastic gradient using the mini-batch examples: $\nabla_{\Theta}\mathcal{L}(\Theta).$ Line 4 is to optimize the recommender part related parameter, i.e., $\theta$ by descending its stochastic gradient with adversary loss using mini-batch examples:$\nabla_{\theta}\tilde{\mathcal{L}}(\theta).$

The parameter complexity of PrivNet is the addition of its recommender component and the privacy component. The embedding matrices of the recommender dominate the number of parameters as they vary with the input. As a result, the parameter complexity of PrivNet is $\mathcal{O}(d\cdot(n_{S}+n_{T}))$ where $d$ is the embedding dimension, and $n_{S}$ and $n_{T}$ are the number of items in the source and target domains respectively.

The learning complexity of PrivNet divides into two parts: the forward prediction and backward parameter update. The forward prediction of PrivNet is the addition of its recommender component and two times of the privacy component since the recommender component needs the loss from the privacy component. The complexity of backward parameter update is the addition of its recommender component and the privacy component since they optimize their own parameters.

We evaluate on the following real-world datasets.

Foursquare (FS) It is a public available data on user-venue checkins Yang et al. (2019a). The source and target domains are divided by the checkin’s time, i.e., dealing with the covariate shift issues where the distribution of the input variables change between the old data and the newly collected one. The private user attribute is Gender.

MovieLens (ML) It is a public available data on user-movie ratings Harper and Konstan (2016). We reserve those ratings over three stars as positive feedbacks. The source and target domains are divided by the movie’s release year, i.e., transferring from old movies to the new ones. The private user attributes are Gender and Age. Following Beigi et al. (2020), we categorize Age into three groups: over-45, under-35, and between 35 and 45.

The statistics are summarized in Table 1 and we can see that all of the datasets have more than 99% sparsity. It is expected that the transfer learning technique is helpful to alleviate the data sparsity issues in these real-world recommendation services.

We compare PrivNet with various kinds of baselines as summarized in Table 3.

The following methods are privacy-agnostic. BPRMF: Bayesian personalized ranking Rendle et al. (2009) is a latent factors approach which learns user and item factors via matrix factorization. MLP: Multilayer perceptron He et al. (2017) is a neural CF approach which learns the user-item interaction function using neural networks. CSN: The cross-stitch network Misra et al. (2016) is a deep transfer learning model which couples the two basic networks via a linear combination of activation maps using a translation scalar. CoNet: Collaborative cross network Hu et al. (2018) is a deep transfer learning method for cross-domain recommendation which learns linear combination of activation maps using a translation matrix.

The following methods are privacy-aware. BlurMe: This method Weinsberg et al. (2012) perturbs a user’s profile by adding dummy items to their history. It is a representative of the perturbation-based technique to recommend items while protect private attributes. LDP: Local differential privacy Bassily and Smith (2015) modifies user-item ratings by adding noise to them based on the differential privacy. It is a representative of the noise-based technique to recommend items while protect private attributes. Note, the original LDP and BlurMe are single-domain models which are also used as comparing baselines in Beigi et al. (2020). To be fair and to investigate the influence of privacy-preserving strategies, we replace the adversary strategy of PrivNet with the strategy of LDP (adding noise) and BlurMe (perturbing ratings), and keep the other components the same.

The results of different methods on recommendation are summarized in Table 4. A higher value indicates better recommendation performance.

Comparing with the privacy-agnostic methods (BPRMF, MLP, CSN, and CoNet), PrivNet is superior than them with a large margin on the MovieLens dataset. This shows that PrivNet is effective in recommendation while it protects the source private attributes. Since these four methods represent a wide range of typical recommendation methods (matrix factorization, neural CF, transfer learning), we can see that the architecture of PrivNet is a reasonable design for recommender systems.

Comparing with the privacy-aware methods (LDP and BlurMe), we can see that LDP significantly degrades recommendation performance with a reduction about six to ten percentage points on the Foursquare dataset. This shows that LDP suffers from the noisy source information since it harms the usefulness of the transferred knowledge to the target task. For BlurMe, we can see that BlurMe still degrades recommendation performance on the Foursquare dataset, for example with relative 4.0% performance reduction in terms of MRR. This shows that BlurMe suffers from the perturbed source information since it harms the usefulness of the transferred knowledge to the target task.

Among the privacy-aware methods, PrivNet achieves the best recommendation performance in terms of all HR, NDCG, and MRR on the Foursquare dataset, and the best in terms of HR on the MovieLens dataset. It shows that PrivNet is better for improving the usefulness of the transferred knowledge by comparing with LDP and BlurMe.

In summary, PrivNet is effective in transferring the knowledge, showing that the adversary strategy of PrivNet achieves state-of-the-art performance by comparing with the strategies of adding noise (LDP) and perturbing ratings (BlurMe).

The results of different methods on privacy inference are summarized in Table 5 (Note, there are no results for the four privacy-agnostic methods). A lower value indicates better privacy protection.

Comparing PrivNet and BlurMe, we can see that the perturbation method by adding dummy items still suffers from privacy inference attacks in terms of Precision and Recall on the Foursquare dataset, and in terms of F1 on the MovieLens dataset. The reason may be that the attacker can effectively distinguish the true profiles from the dummy items. That is, it can accurately learn from the true profiles while ignore the dummy items. Comparing PrivNet and LDP, we can see that adding noise to ratings still suffers from privacy inference attacks in terms of Recall on the Foursquare dataset, and in terms of all three metrics on the MovieLens dataset. It implies that the occurrence of a rating, regardless of its numeric value (true or noisy), leaks the user privacy. That is, the binary event of excluding or including an item in a user’s profile is a signal for user privacy inference nearly as strong as numerical ratings. In particular, there are 50 movies rated by Female only (e.g., Country Life (1994)) while 350 by Male only (e.g., Time Masters (1982)). Adding noise to these ratings may not influence the inference of Gender for these users very much.

PrivNet achieves nearly half the best results on privacy protection in terms of three evaluation metrics on the two datasets. It has significantly lower F1 scores in comparison to all baselines on the MovieLens dataset. It is effective to hide private information during the knowledge transfer. By simulating the attacks during the training, PrivNet is prepared against the malicious attacks for unseen users in the future. In summary, PrivNet is an effective source privacy-aware transfer model such that it makes the malicious attackers more difficult to infer the source user privacy during the knowledge transfer, compared with the strategies of adding noise (LDP) and perturbing ratings (BlurMe).

In this section, we analyse the model ablation, impact of privacy inference component, and impact of public users who share their profiles.

One advantage of PrivNet is that it can explain which item in a user’s history matters the most for a candidate item by using the attention weights. Table 7 shows an example of interactions between a user’s historical movies (No. 0$\sim$9) and the candidate movie (No. 10). We can see that the latest movie matters a lot since the user interests may remain the same during a short period. The oldest movie, however, also has some impact on the candidate movie, reflecting that the user interests may mix with a long-term characteristic. PrivNet can capture these subtle short-/long-term user interests. Furthermore, the movie (No. 7) belonging to the same genre as the candidate movie matters the most. PrivNet can also capture this high-level category relationship.