Covers research frontiers in privacy-preserving computation and provides practical strategies for training machine learning & AI models over sensitive data based on the lessons learned from Swoop's work with leading pharmaceutical and automotive companies. Example code in Apache Spark.

1. High-accuracy ML & AI
over sensitive data
Simeon Simeonov, Swoop
@simeons / sim at swoop dot com

3. omni-channel marketing for your ideal population
supported by privacy-preserving ML/AI
e.g., we improve health outcomes by increasing the
diagnosis rate of rare diseases through doctor/patient education

4. Swoop & IPM.ai data for 300+M people
• Anonymized patient data
• Online activity
• Imprecise location data
• Demographics, psychographics, purchase behavior, …
Privacy by design: HIPAA-compliant prAIvacy™ platform.
Trusted by the largest pharma companies. GDPR compliant.

5. Privacy-preserving computation frontiers
• Stochastic
– Differential privacy
• Encryption-based
– Fully homomorphic encryption
• Protocol-based
– Secure multi-party computation (SMC)

6. When privacy-preserving algorithms are immature,
sanitize the data the algorithms are trained on

7. Privacy concerns stem from identifiability
• Direct (via personally-identifiable information)
• Indirect (via quasi-identifiers)
Sim Simeonov; Male; July 7, 1977
One Swoop Way, Cambridge, MA 02140

9. Addressing identifiability in a single dataset
• Direct
– Generate secure pseudonymous identifiers
– Often uses clean room to process PII
• Indirect
– Sanitize quasi-identifiers to desired anonymity trade-offs
– Control data enhancement to maintain anonymity
anonymity == indistinguishability

10. Sanitizing quasi-identifiers
• Deterministic
– Generalize or suppress quasi-identifiers
– k-anonymity + derivatives
• any given record maps onto at least k-1 other records
• Stochastic
– Add noise to data
– (k, ℇ)-anonymity
• Domain-specific

11. Addressing identifiability across datasets
• Centralized approach
– Join all data + sanitize the whole
– Big increase in dimensionality
• Federated approach
– Keep data separate + sanitize operations across data
– Smallest possible increase in dimensionality

12. We show that when the data contains a large number of attributes which may be
considered quasi-identifiers, it becomes difficult to anonymize the data without an
unacceptably high amount of information loss. ... we are faced with ... either
completely suppressing most of the data or losing the desired level of anonymity.
On k-Anonymity and the Curse of Dimensionality
2005 Aggarwal, C. @ IBM T. J. Watson Research Center
Centralized sanitization hurts ML/AI accuracy

13. We find that for privacy budgets effective at preventing attacks,
patients would be exposed to increased risk of stroke,
bleeding events, and mortality.
Privacy in Pharmacogenetics: An End-to-End Case Study of Personalized Warfarin Dosing
2014 Fredrikson, M. et. al. @ UW Madison and Marshfield Clinic Research Foundation
Centralized sanitization increases risk

14. Normalized Certainty Penalty (NCP)
0%
5%
10%
15%
20%
25%
30%
35%
40%
2 3 4 5 6 7 8 9 10
k age gender & age
k-anonymizing Titanic passenger survivability

15. Federated sanitization: Swoop’s prAIvacy™
• Secure, isolated data pools
• Automated sanitization
• Min dimensionality growth
• Deterministic + stochastic
• Optimal + often lossless
Model condition X
score on other data

16. Putting it all to practice (using Spark)
• Pre-process data
• Generate secure pseudonymous identifiers
• Sanitize quasi-identifiers

17. dirty quasi-identifiers increase distinguishability:
clean data before sanitization
to prevent increased sanitization loss

18. no anonymization framework for unstructured data:
suppress or structure

19. Word embedding for text anonymization
• Text ➞ high-dimensionality vector
– Capture semantics
“Texas” + “Milwaukee” – “Wisconsin” ≃ “Dallas”
– ML/AI-friendly representation
– word2vec, doc2vec, GloVe, …
• Anonymizing embeddings
– Train secret embeddings model
– Add noise to vectors

20. Secure pseudonymous ID generation
Sim|Simeonov|M|1977-07-07|02140
8daed4fa67a07d7a5 … 6f574021
gPGIoVw … wnNpij1LveZRtKeWU=
Sim Simeonov; Male; July 7, 1977
One Swoop Way, Cambridge, MA 02140
// consistent serialization
// secure destructive hashing (SHA-xxx)
// master encryption (AES-xxx)
Vw50jZjh6BCWUzSVu … mfUFtyGZ3q // partner A encryption
6ykWEv7A2lisz8KUi … VT2ZddaOeML // partner B encryption
Sim Simeonov; M; 1977-07-07
One Swoop Way, Suite 305, Cambridge, MA 02140
...

21. Multiple IDs for dirty data
Sim|Simeonov|M|1977-07-07|02140 // full entry when data is clean
S|S551|M|1977-07-07|02140 // fuzzify names to handle limited entry & typos
Sim|Simeonov|M|1977-07|02140 // also may reduce dob/geo accuracy
tune fuzzification to use cases & desired FP/FN rates

22. Build pseudonymous IDs with Spark
(and sanitize PII-based quasi-identifiers)

23. We need a few user-defined functions
• Strong secure hash function with very few collisions
– sha256(data) computes SHA-256
• Strong symmetric key encryption
– aes_encrypt(data, secret) in Hive but not ported to Spark
– aes__encrypt(data, secret) is a UDF to avoid name conflict
• Demo sugar to build secrets from pass phrases
– secret(pass_phrase)

24. Let’s create some PII
case class PII(firstName: String, lastName: String,
gender: String, dob: String, zip: String)
val sim = PII("Sim", "Simeonov", "M", "1977-07-07", "02140")
val ids = spark.createDataset(Seq(sim))

25. Consistent serialization
val p = lit("|") // just a pipe symbol to save us typing
lazy val idRules = Seq(
// Rule 1: Use all PII
concat(upper('firstName), p, upper('lastName), p, 'gender, p, 'dob, p, 'zip),
// Rule 2: Use only first initial of first name and soundex of last name
concat(upper('firstName.substr(1, 1)), p, soundex(upper('lastName)), p,
'gender, p, 'dob, p, 'zip)
)

26. Hash & encrypt
// The pseudonymous ID columns built from the rules
lazy val psids = {
val masterPassword = "Master Password" // master password to encrypt IDs with
// Serialize -> Hash -> Encrypt
idRules.zipWithIndex.map { case (serialization, idx) =>
aes__encrypt(sha256(serialization), secret(lit(masterPassword)))
.as(s"psid${idx + 1}")
}
}

27. PII-based quasi-identifiers
// Generalization of quasi-identifying columns
lazy val quasiIdCols: Seq[Column] = Seq(
'gender,
'dob.substr(1, 4).cast(IntegerType).as("yob"), // only year of birth
'zip.substr(1, 3).cast(IntegerType).as("zip3") // only first 3 digits of zip
)

28. Generate master IDs
// Master pseudonymous IDs
lazy val masterIds = ids.select(quasiIdCols ++ psids: _*)

29. Generate per partner IDs
val partnerPasswords = Map("A" -> "A Password", "B" -> "B Password")
val partnerIds = spark.createDataset(partnerPasswords.toSeq)
.toDF("partner_name", "pwd").withColumn("pwd", secret('pwd))
.crossJoin(masterIds)
.transform { df =>
psids.indices.foldLeft(df) { case (current, idx) =>
val colName = s"psid${idx + 1}"
current.withColumn(colName, base64(aes__encrypt(col(colName), 'pwd)))
}
}
.drop("pwd")

30. The end result

31. Sanitizing quasi-identifiers in Spark
• Optimal k-anonymity is an NP-hard problem
– Mondrian algorithm: greedy O(nlogn) approximation
• https://github.com/eubr-bigsea/k-anonymity-mondrian
• Active research
– Locale-sensitive hashing (LSH) improvements
– Risk-based approaches (e.g., LBS algorithm)

32. Interested in challenging data engineering, ML & AI on petabytes of data?
I’d love to hear from you. @simeons / sim at swoop dot com
https://databricks.com/session/great-models-with-great-privacy-optimizing-ml-ai-under-gdpr
https://databricks.com/session/the-smart-data-warehouse-goal-based-data-production
https://swoop-inc.github.io/spark-records/
Privacy matters. Thank you for caring.