IEEE SYMPOSIUM ON SECURITY AND PRIVACY
FPO
Enhancing Selectivity in Big Data
Mathias Lecuyer, Riley Spahn, and Roxana Geambasu | Columbia University Tzu-Kuo Huang | Uber Advanced Technologies Group Siddhartha Sen | Microsoft Research
Today’s companies collect immense amounts of personal data, exposing it to external hackers and privacy-transgressing employees. This study shows that only a fraction of the data is needed to approach state-of-the-art accuracy. We propose selective data systems designed to pinpoint the data that is valuable for a company’s workloads.
riven by the immense perceived potential of “big and evolving workload, from data that is collected for D data,” Internet companies, advertisers, and gov- potential future needs. The former, calledin-use data, ernments are accumulating vast quantities of personal should be minimized in size, timespan, and sensitivity. data: clicks, locations, social interactions, and more. The latter, calledunused data, should be set aside and While data offers unique opportunities to improve tapped only in exceptional circumstances (see Figure 1). personal and business effectiveness, its aggressive col- The separation should permit day-to-day evolutions of lection and long-term archival pose significant risks for an organization’s workload, by accessing just the in-use organizations. Hacking and exploiting sensitive corpo- data and without the need to tap into the unused data. rate and governmental information have become com- A system that achieves these goals without damaging monplace. Privacy-transgressing employees have been functional properties, such as scalability, performance, discovered snooping into data stores to spy on friends and accuracy, is called a selective data system. and family. Although organizations strive to restrict access to particularly sensitive data (such as passwords, Selective Data Systems SSNs, emails, banking data), properly managing access Selective data systems can be used to improve data pro- controls for diverse and potentially sensitive informa- tection (see Figure 1). The ability to distinguish data tion is an open problem. needed now or in the likely future, from data collected We hypothesize that not all data that is collected “just in case,” can help organizations restrict the lat- and archived by today’s organizations is—or may ever ter’s exposure to attacks. For example, one could ship be—actually needed to satisfy their workloads. We ask unused data to a tightly controlled store, whose read whether it is possible to architect data-driven systems, accesses are carefully audited and mediated. Intuitively, such as machine learning–based targeting and person- data that is accessed day-to-day is less amenable to alization systems, to permit a clean separation between certain kinds of protection (such as auditing or data that is truly needed by an organization’s current case-by-case access control decisions) than data
2 January/February 2018 Copublished by the IEEE Computer and Reliability Societies 1540-7993/17/$33.00 © 2018 IEEE accessed only for exceptional situations (such as launch- ing a new application). Protect as possible, Turning selective data systems into a reality requires In-use minimize in size, achieving two conflicting goals: (1) minimizing the data time, sensitivity in-use data while (2) avoiding the need to access the unused data to meet both current and evolving work- Protect load needs. This tension is traditional in operating sys- Unused vigorously, tems, where many algorithms (for instance, caching) data avoid rely on processes having a working set of limited size that access captures their data needs for a period of time. However, the context of modern, data-driven ecosystems brings new challenges that likely make traditional working set Figure 1. Selectivity concept. algorithms ineffective. For example, many of today’s big data applications involve machine learning (ML) work- loads that are periodically retrained to incorporate new data, by accessing all of the data. How can we determine fall within the important class of supervised classifica- a minimal training set, the “working set” for emerging tion tasks. Historical raw data, which may be needed for ML workloads? And how can we ensure this training set workloads not supported by count featurization, such is sufficient even when workloads evolve? as unsupervised learning or regression tasks, is kept in an encrypted store whose decryption requires special Approach Highlights access. We observe that for ML workloads, significant research Our evaluation with two representative workloads— is devoted to limiting the amount of data required for targeted advertising on the Criteo dataset and movie training. The reasons are many but typically do not recommendation on the MovieLens dataset—reveals involve data protection. Rather, they include increas- that: (1) historical counts let ML models approach ing performance, dealing with sparsity, and limiting state-of-the-art accuracy by training on under 1 percent labeling effort. Techniques such as dimensionality of the data, (2) protecting historical counts with differ- reduction, feature hashing,1 vector quantization,2 and ential privacy has only 2 percent impact on accuracy, count featurization3 are routinely applied in practice to and (3) Pyramid works well for an important class of reduce data dimensionality so models can be trained on ML algorithms—supervised classification tasks—and manageable training sets. Active learning4 reduces the can support workload evolution within that class. amount of labeled data needed for training when label- ing requires manual effort. Can such mechanisms also Example Use Case be used to limit exposure of the data being collected? MediaCo, a media conglomerate, collects observations How can an organization that already uses these meth- of user behavior from its hundreds of affiliate news ods architect a selective data system around them? What and entertainment sites. Observations include the arti- kinds of protection guarantees can this system provide? cles users read and share, the ads they click, and so on. As a first step to answering these questions, we present MediaCo integrates all of this data into one repository Pyramid,5 a selective data system built around a specific and uses it to optimize many processes, such as article training set minimization method called count featuriza- recommendation and ad targeting. Because the data is tion.3 (Pyramid was first introduced at the 2017 IEEE needed by all of its engineering teams, MediaCo wants Symposium on Security and Privacy.) Count featuriza- to provide them with wide access to the repository, but it tion is a widely used technique for reducing training worries about the risks of doing so given recent external sets by feeding ML algorithms with a small subset of the hacking and insider attacks affecting other companies. collected data combined (or featurized) with historical MediaCo decides to use Pyramid to limit the expo- aggregates from much larger amounts of data. Pyramid sure of historical observations in anticipation of an builds upon count featurization to: keep a small, roll- attack. For MediaCo’s main workloads—targeting and ing window of accessible in-use data (the hot window); personalization—the company already uses count fea- summarize the history with privacy-preserving aggre- turization to address sparsity challenges; hence, Pyra- gates (called counts); and train application models using mid is directly applicable. It configures Pyramid by hot window data featurized with counts. The counts keeping its hot window of raw observations and its are infused with differentially private noise6 to protect noise-infused historical counts in the widely accessible individual observations that are no longer in the hot repository, allowing all engineers to train their mod- window. Counts can support a variety of models that els, tune them, and explore new algorithms. Pyramid www.computer.org/security 3 IEEE SYMPOSIUM ON SECURITY AND PRIVACY
Stop T TAttack-ΔHot Attack T attack
Time
Unrestricted access (can be compromised) Historical counts store Hot data store
Restricted access (assume not compromisable) Historical raw data store
Data exposure Unexposed Exposed Unexposed to attack
Figure 2. Threat model.
absorbs current and evolving workload needs as long as from the count tables but individual records will be the algorithms draw on the same user data to predict the protected with differential privacy. Pyramid forces same outcome (for instance, whether a user will click on models to be retrained when observations are removed an ad). In addition, MediaCo stores all raw observations from the hot raw data store to avoid past information in an encrypted store whose read accesses are disabled leaking through the models. We assume that no out-of- by default. Access to this store is granted temporarily bound copies of the hot data exist. and on a case-by-case basis to engineers who demon- strate the need for statistics beyond those that Pyramid Selectivity Requirements maintains. With this configuration, MediaCo minimizes Four requirements define selective data systems: data access (and hence exposure) to a needs basis. ■■ R1: Reduce in-use, exposed data. The hot data window Threat Model is exposed to attackers; hence, Pyramid must limit its Figure 2 illustrates Pyramid’s threat model and guaran- size and timespan subject to application-level func- tees. Pyramid ensures that a one-time compromise will tional requirements, such as the accuracy of models not allow an adversary to access past data. Attacks are trained with it. assumed to have a well-defined start time,T attack, when ■■ R2: Protect unused data from in-use data structures. the adversary gains access to the machines charged with Any state reflecting past, unused data and retained by stop running Pyramid, and a well-defined end time,T attack , Pyramid for prolonged periods of time (such as count when administrators discover and stop the intrusion. tables) must be protected with strong, differential Adversaries are assumed to not have had access to the privacy guarantees. system before Tattack, nor to have performed any action ■■ R3: Limit impact on accuracy and performance. Pyra- in anticipation of their attack (for example, monitor- mid must preserve the functional properties of appli- ing external predictions, the hot window, or the mod- cations, such as model accuracy. This requirement is stop els’ state), nor to have continued access afterT attack. The at odds with the preceding two, hence Pyramid must attacker aims to exfiltrate individual observations of find a balance between functionality and protection. user activities (for instance, to know if a user clicked ■■ R4: Allow workload evolution. The in-use data must on a specific ad). Historical raw data is assumed to be support as many current and evolving workload needs protected through independent means and not com- as possible to limit access to, and therefore exposure promised in this attack. Pyramid aims to limit the hot of, the historical raw data. data and protect the historical counts, both of which are accessible to the attacker. After compromising Pyramid’s internal state, the The Pyramid Architecture attacker gains access to data in three representations: Pyramid combines and augments two known methods— the hot data store containing raw observations, the his- count featurization from ML and differential privacy torical counts, and the trained models. The raw observa- from cryptography—to meet the preceding selectiv- tions are not protected in any way. The historical counts ity requirements for a specific class of workloads: clas- consist of differentially private count tables of the recent sification tasks such as targeting and personalization. past. The attacker learns some aggregate information Figure 3 shows Pyramid’s architecture. Pyramid is a
4 IEEE Security & Privacy January/February 2018 data management component to be deployed along- side a model management system. It acts as an inter- → Model manager face between the model manager and the organization’s Predict(x) datasets. Pyramid controls what data is exposed to the Model Model Model Future l models and the format of this data. 1 2 3 model Pyramid maintains two data structures—the hot raw data store and the historical count tables—and → → Count-featurized Featurize(x) x’ getTrainSet() hot data Retrain() leverages two functional building blocks: count fea- → (
by exactly one observation (that is, D2 adds or removes (a) Example count table, one per feature/combo, time window one observation), and S the range of all possible count userId clicks nonclk urlHash clicks nonclk tables that can result from a randomized query Q() that builds a count table from a window of observations. 0x1111 50 950 0x7777 15,000 85,000 The count table queryQ () is -differentially private if (b) Count featurization ≤× 6 adId clicks nonclk PQ[(DS12)]eP[(QD)]S . Adding or remov- of x => x’: ing an observation in D does not significantly change x : <0x1111,0x7777,0xAAAA, ...> 1 0xAAAA 20,000 180,000 x’ : <0.05, 0.15, 0.1, ...> the probability distribution of possible count tables. is the query’s privacy budget. Figure 4. Count featurization example: (a) count tables constructed by Pyramid In Pyramid, we apply DP as shown in Figure 5. We to count-featurize observations and (b) a sample count-featurized observation. split time into windows and maintain count tables sepa- rately for each window of time. Upon rolling over the hot window, we seal the window’s count tables and cre- ate new count tables for the new hot window. To cre- In more detail, an observation’s feature vector x ate a count table, we initialize each cell in that table might consist of user features (for instance, ID, gen- with a random draw from a Laplace distribution.6 As der, age, preferences) and contextual information (for observations arrive in the hot window, the count tables instance, the URL of the article or the ad shown to are updated by incrementing the appropriate cells. To the user). The labell might indicate whether the user count-featurize a feature xi, we sum the correspond- clicked on the article or ad. ing entries in the feature’s count tables across the past Once an observation stream of the preceding type is time windows, excluding the under-construction count registered with Pyramid, the system creates a number of tables for the current hot window. The sum constitutes a count tables. Each count table is stored as a count sketch noisy version of xi’s count over the data retention period data structure (described shortly). For example, the and is used to compute the conditional probabilities. userId table encodes the user’s propensity to click on ads With this mechanism, Pyramid ensures that past by maintaining for each user the total number of clicks observations, which have been phased out of the in-use, and nonclicks on any ad shown. hot window, are protected from the count tables. To To count-featurize a feature vector xx= 12,,xx..., d , protect past observations from the trained models, Pyramid first replaces each of its features with the condi- Pyramid additionally forces retraining of all application tional probabilities computed from the count tables, for models when rolling over the hot window. example, xP= (|clickx12),Pc(|lick xP),..., (|clickxd ) , clicks Count-Median Sketch (R3: Limit Impact Pc(|lick x )= where i clicks+nonclicks from the row on Accuracy and Performance) matching the value of xi in the table corresponding to Although CF and DP are known mechanisms, their xi. Pyramid also appends to x the conditional probabil- integration raises substantial accuracy challenges, which ities for any feature combinations it maintains. we have addressed by designing a number of mecha- Figure 4b shows an example of feature vector x and nisms (selectivity requirement R3). As an example, we its count-featurized version x. Suppose a boosted-tree find that DP interacts poorly with count-min sketches, model is trained on a count-featurized dataset ( xl, which are routinely used in CF implementations to pairs). It might find that for users with a click propen- keep the count table storage overhead practical. For a sity over 0.04, the chances of a click are high for ads categorical variable of cardinality K and a label of cardi- whose clickability exceeds 0.05 placed on websites with nality L, the count table is of size O(LK), an impractical ad-clickability over 0.1. Then, for the example feature prospect if one were to store the exact table. Count-min vector in Figure 4, the model would predict a “click” sketches store approximate counts in sublinear space label. by using a 2D array with an independent hash function for each row. Adding an entry to the sketch involves Differential Privacy (R2: Protect Unused using the hash function associated with each row to Data from In-Use Structures) map the value to a column in the row and increment- DP comprises a family of techniques that randomize ing that cell; reading an entry from the sketch involves function outputs to protect function inputs. We use taking the minimum of those cells. Without noise, tak- DP to protect unused, past observations from exposure ing the minimum reduces the chance of overcounting through count tables and other in-use data structures from collisions and results in tight error bounds for the (selectivity requirement R2). Let D1 be the database of counts. With Laplacian noise, which is centered around past observations, D2 be a database that differs fromD 1 zero, taking the minimum across multiple draws of the
6 IEEE Security & Privacy January/February 2018 →x Count → featurization x’
Hot raw data Σ (
In-progress DP count tables
Present Time Hot window
Figure 5. Windowed DP count tables.
Laplacian introduces substantial negative bias in the data, but it is lost through CF unless we explicitly main- counts, breaking the sketch’s error bounds. tain a count table for the (userId, adId) group. Our solution is to instead use count-median sketches Our goal in count table selection is to identify feature to store count tables compactly.7 These differ from the groups that provide more information about the label count-min sketches in two ways: (1) each row i has a than individual features. For each feature xi, we find second hash function si that maps the key to a random all other features xj such that xi and xj together exhibit 1 2 sign si (key) { 1, 1}, with each cell updated with higher mutual information (MI)—a general measure of si (key) hi (key), and (2) the estimate is the median dependence between two random variables—with the of all counts multiplied by its sign. Without noise, label than xi alone. From these groups, we select a con- count-median sketches offer worse error bounds than figurable number with the highest MIs. To find promis- count-min sketches for typical distributions. With ing groups of larger sizes, we apply this process greedily, Laplacian noise, the signed update of the count-median trying out new features with existing groups. For each sketch means the expected impact of collisions is zero, selected group, Pyramid creates and maintains a count because they have an equal chance of being negative or table. This exploration of promising groups operates positive. This removes the bias and improves the qual- periodically on the hot window. Count table selection ity of the count estimator. Our evaluation shows that must be performed differentially privately to ensure that for small , it is worth trading the count-min sketch’s the groups selected for a particular hot window do not better guarantees for reduced noise impact with the leak information about that window in the future. count-median sketch. Evaluation Count Table Selection (R4: Allow We evaluate how Pyramid meets the four selectivity Workload Evolution) requirements. We use two public datasets: (1) Criteo, Two aspects of Pyramid’s design enable workload which consists of 45M points of ad-click data that was evolution without tapping into the historical raw part of a Kaggle competition and (2) MovieLens,8 data store (selectivity requirement R4). First, CF is a which consists of 22M ratings in the range 0–5 on model-independent preprocessing step, allowing Pyra- 34K movies from 240K users. As baselines, we use a mid to support small model changes, such as hyperpa- feed-forward neural network for Criteo and collabora- rameter tuning or learning algorithm changes, without tive filtering for MovieLens, both trained using Vowpal accessing the historical raw data store. Second, Pyramid Wabbit on 80/20 percent train/test splits. We highlight includes an automatic process of count table selection four results: that inspects the data to identify feature groups worth counting together. This is important because CF does ■■ R1: CF reduces in-use data by two orders of magni- not capture relationships between features. For exam- tude while incurring less than 3 percent loss in accuracy. ple, a userId and adId together may be more predictive Figure 6a shows that for MovieLens, the CF than either of the individual features. That information boosted-tree algorithms perform within 4 per- could be inferred by a learning algorithm from the raw cent of the collaborative filtering baseline with only www.computer.org/security 7 IEEE SYMPOSIUM ON SECURITY AND PRIVACY
neural network when trained on 0.4 percent of the Log. reg. - raw Gbt - counts training set. CF fulfills its mission of reducing training Log. reg. - counts B: svd raw set exposure and provides a good basis for selectivity. Gbt - raw However, Pyramid must also protect past data using 1.35 DP which may have a negative impact on accuracy. 1.30 ■■ R2: DP provides meaningful protection of unused data 1.25 for up to 2 percent additional loss in accuracy. Figure 6c 1.20 shows the Criteo models’ accuracy when count tables 1.15 are protected with DP using various privacy bud- 1.10 gets. A lower value of corresponds to higher levels
Normalized logistic loss logistic Normalized 1.05 of noise and increased protection. All of the Criteo 1.00 models perform within 5 percent of the baseline 0.95 when using 5 0.2 as a privacy budget, which is con- 0.0001 0.001 0.01 0.1 1 sidered in the DP literature to give high-quality pro- (a) Fraction of training set (log scale) tection. MovieLens is less resilient to noise but still Log. reg. - raw Gbt - counts performs within 5 percent of the baseline when the Log. reg. - counts B: nn - raw privacy budget is at 5 1, a value still considered to Gbt - raw nn - counts offer meaningful protection. Thus, in both cases, Pyr- amid provides meaningful protection through data 1.35 reduction with CF and past-data protection with DP. 1.30 These results are obtained with the complete Pyramid 1.25 implementation, which includes several mechanisms 1.20 that augment CF and DP to address substantial accu- 1.15 racy challenges.5 We next show the importance of 1.10 one mechanism, the count-median sketch.
Normalized logistic loss logistic Normalized 1.05 ■■ R3: Count-median sketch helps mitigate the negative 1.00 impact on accuracy. The count-median sketch resolves 0.95 0.0001 0.001 0.01 0.1 1 a tension arising when applying DP to standard imple- (b) Fraction of training set (log scale) mentations of CF, which rely on count-min sketches to compactly store count tables for high-dimensional Log. reg. ε = 1 nn ε = 1 features. Count-min sketches exhibit a strong down- Log. reg. ε = 0.2 nn ε = 0.2 ward bias when initialized with DP noise because they Log. reg. ε = 0.1 nn ε = 0.1 1.25 take the minimum, whereas count-median sketches take the (unbiased) median. For our workloads 1.20 (MovieLens and Criteo), count-median sketches 1.15 bring us 0.5 percentage points closer to the baseline losses than count-min sketches when training with 1.10 0.8 percent of the data and DP parameters 5 1. By 1.05 contrast, without noise, count-min sketches perform
Normalized logistic loss logistic Normalized 1.00 better than count-median sketches, particularly for MovieLens, where the loss difference is about 2 per- 0.95 centage points. This result provides a broader lesson 0.0001 0.001 0.01 0.1 1 for anyone aiming to protect a sketch with DP: one (c) Fraction of training set (log scale) should choose an unbiased sketch implementation Figure 6. Normalized performance for raw and count algorithms: (a) MovieLens even if it is suboptimal in no-noise scenarios. algorithms, (b) Criteo algorithms, and (c) Criteo protection (performance at ■■ R4: Supported workloads and evolution. Our choice different levels of protection). B indicates baseline: neural network for Criteo, of CF as the core building block to address the collaborative filtering for MovieLens. first selectivity requirement—minimizing in-use data—exhibits both benefits and limitations. As a model-independent featurization layer, CF allows 0.8 percent of the training set. This is on par with the some common model changes without accessing raw logistic regression model. Figure 6b shows simi- historical raw data. Developers can fine-tune model lar results with the Criteo dataset. The CF neural net- hyperparameters, try different learning algorithms work performs within 3 percent of the baseline raw on the count-featurized data, change their learning
8 IEEE Security & Privacy January/February 2018 framework (for example, TensorFlow versus Vowpal Pyramid applies differential privacy6 to its count Wabbit), and add/remove features that are already tables to protect individual observations. However, counted to/from their models. Indeed, our evalua- selectivity differs from the standard threat model used tion applied various algorithms and hyperparameters by systems that enforce differential privacy:12–14 these using the same count tables. Augmented with count systems guarantee privacy of released results, but table selection, CF can additionally allow developers assume that there is a trusted party to mediate access to incorporate more complex count features into their to the entire raw dataset. Pan privacy15 has a similar models. For example, for MovieLens, the boosted-tree threat model to ours, allowing a one-time compromise algorithm using Pyramid selected feature groups gets of the system, but to our knowledge no such system has within 3 percent of the baseline loss, compared to been implemented or evaluated in practice. A major within 4 percent without the groups, training on the difference between Pyramid and all of this work is the same 0.8 percent of the raw data. exposure of raw data through the hot window. This brief exposure is what enables ML models to be trained with However, CF restricts the workloads we can sup- state-of-the-art performance. port. CF is designed for supervised classification tasks, which are commonly used in industry for targeting and personalization. The preceding evaluations exercised oday’s indiscriminate data collection and archi- such tasks. Regression and unsupervised classification T val practices are risky and unsustainable. It is time tasks, also popular in industry, are not easily modeled for a more selective approach to big data collection and with CF. In regression, the predicted label is continu- protection. Our vision involves architecting data sys- ous, while CF requires a discrete label to count its occur- tems to allow a clean separation of data needed by cur- rences with various feature values. Regression tasks can rent and evolving workloads, from data collected and be handled by binning the label value, but the outcome archived for possible future needs. The former should is poor. For example, we performed a regression for be minimized; the latter should be set aside, protected MovieLens that predicted a continuous 0–5 movie rat- vigorously, and only tapped under exceptional circum- ing. Using as baseline a linear regression running on the stances. This article has formulated the requirements for full raw data, count models get at best within 16 per- selective data systems and presented Pyramid, an initial cent of the baseline loss using linear regression and selective data system that combines and augments two within 13 percent using gradient boosted-tree regres- known methods—count featurization and differential sion. Our vision for supporting a wider range of work- privacy—to meet these requirements for supervised loads is to incorporate into Pyramid other training set classification workloads. Experiments with Pyramid minimization and modeling mechanisms that support show that data can be trimmed by two orders of magni- complementary workloads. The key challenge will be to tude without disrupting performance. preserve Pyramid’s protection semantics and selectivity requirements. References 1. Q. Shi et al., “Hash Kernels for Structured Data,” The Related Work Journal of Machine Learning Research, vol. 10, 2009, pp. Multiple data minimization methods exist in ML and 2615–2637. non-ML literature. Some are sketches, which com- 2. A. Gersho and R.M. Gray, Vector Quantization and Sig- pute compact representations of the data that sup- nal Compression, vol. 159, Springer Science & Business port queries of summary statistics;9 streaming/online Media, 2012. algorithms10 process data using bounded memory, 3. A. Srivastava, A.C. Konig, and M. Bilenko, “Time Adap- retaining only the information relevant to the problem tive Sketches (Ada-Sketches) for Summarizing Data at hand; hash featurization1 condenses high-cardinality Streams,” ACM SIGMOD Conference, 2016. categorical variables; autoencoders attempt to learn a 4. B. Settles, “Active Learning,”Synthesis Lectures on Artificial compressed identity function for deep learning work- Intelligence and Machine Learning, vol. 6, no. 1, 2012, pp. loads;11 and active learning4 reduces the amount of 1–114. labeled data needed for training. These methods have 5. M. Lecuyer et al., “Pyramid: Enhancing Selectivity in Big been shown to improve performance, robustness, or Data Protection with Count Featurization,” Proc. IEEE labeling cost, but have never been used for protection. Symposium on Security and Privacy (SP), 2017. This article gives a blueprint for how to retrofit one 6. C. Dwork et al., “Calibrating Noise to Sensitivity in Pri- training set minimization method—CF—for protec- vate Data Analysis,” Proceedings of the Third Conference on tion. Applying this blueprint to other methods is a fruit- Theory of Cryptography (TCC 06), Springer-Verlag, 2006, ful avenue for constructing selective data systems. pp. 265–284. www.computer.org/security 9 IEEE SYMPOSIUM ON SECURITY AND PRIVACY
7. M. Charikar, K. Chen, and M. Farach-Colton, “Finding of Columbia’s Data Sciences Institute. She joined Frequent Items in Data Streams,” Proceedings of the 29th Columbia in fall 2011 after finishing her PhD at the International Colloquium on Automata, Languages and University of Washington. For her work in cloud and Programming (ICALP 02), Springer-Verlag, 2002, pp. mobile data privacy, she received an Alfred P. Sloan 693–703. Faculty Fellowship, a Microsoft Research Faculty 8. F.M. Harper and J.A. Konstan, “The MovieLens Datasets: Fellowship, an NSF CAREER award, a “Brilliant 10” History and Context,” ACM Trans. Interact. Intell. Syst., Popular Science nomination, an Early Career Award vol. 5, no. 4, 2015, pp. 19:1–19:19. in Cybersecurity from the University of Washing- 9. G. Cormode and S. Muthukrishnan, “An Improved Data ton Center for Academic Excellence, the Honorable Stream Summary: The Count-Min Sketch and Its Appli- Mention for the 2013 inaugural Dennis M. Ritchie cations,” Journal of Algorithms, vol. 55, no. 1, 2005, pp. Doctoral Dissertation Award, a William Chan Dis- 58–75. sertation Award, two best paper awards at top systems 10. S. Shalev-Shwartz, “Online Learning and Online Convex conferences, and the first Google PhD Fellowship in Optimization,” Foundations and Trends in Machine Learn- cloud computing. ing, vol. 4, no. 2, 2011, pp. 107–194. 11. I. Goodfellow, Y. Bengio, and A. Courville, Deep Learning, Tzu-Kuo (TK) Huang is a senior engineer at Uber Cambridge, Massachusetts: The MIT Press, 2016. Advanced Technologies Group working on self-driving 12. F.D. McSherry, “Privacy Integrated Queries: An Exten- technology. He has worked on various topics in sible Platform for Privacy-Preserving Data Analysis,” machine learning, including active learning, dynamic Proceedings of the 2009 ACM SIGMOD International Con- model learning, and ranking. He completed his PhD ference on Management of Data (SIGMOD 09), 2009, pp. in machine learning at Carnegie Mellon University, 19–30. followed by post-doc research at Microsoft Research, 13. I. Roy et al., “Airavat: Security and Privacy for MapRe- New York City. duce,” NSDI, vol. 10, 2010, pp. 297–312. 14. F. McSherry and I. Mironov, “Differentially Private Rec- Siddhartha Sen is a researcher at Microsoft Research ommender Systems: Building Privacy into the Netflix in New York City. He creates distributed systems Prize Contenders,” Proceedings of the 15th ACM SIGKDD that use novel data structures and algorithms to International Conference Knowledge Discovery and Data deliver unprecedented functionality or performance. Mining, ACM, 2009, pp. 627–636. Recently, he has generalized this approach by using 15. C. Dwork et al., “Pan-Private Streaming Algorithms,” ICS, contextual machine learning to optimize various deci- 2010, pp. 66–80. sions in Microsoft’s cloud infrastructure. Sen received his BS degrees in computer science and mathematics Mathias Lecuyer is a PhD candidate at Columbia Uni- and his MEng degree in computer science from MIT. versity. Before joining Columbia’s PhD program, From 2004–2007 he worked as a developer at Micro- he received a BS and an MS from Ecole Polytech- soft and built a network load balancer for Windows nique in France. In his research, Lecuyer builds tools Server. He returned to academia and completed his and designs mechanisms that leverage statistics and PhD from Princeton University in 2013. Sen received machine learning to: increase the current web’s trans- the first Google Fellowship in Fault-Tolerant Comput- parency by revealing how personal data is being used, ing in 2009, the best student paper award at PODC and enable a more rigorous and selective approach to 2012, and the best paper award at ASPLOS 2017. big data collection, access, and protection, to reap its benefits without imposing undue risks.
Riley Spahn is a PhD candidate in computer science at Columbia University. He is interested in building sys- tems and tools that enable machine learning work- loads to be run more securely and privately. Spahn received his MS in computer science from Columbia University and his BS in software engineering from Auburn University. He received the 2015 Google PhD Fellowship in privacy. Read your subscriptions through the myCS publications portal at Roxana Geambasu is an associate professor of com- http://mycs.computer.org puter science at Columbia University and a member
10 IEEE Security & Privacy January/February 2018