Accepted for/Published in: Journal of Medical Internet Research
Date Submitted: Oct 19, 2022
Open Peer Review Period: Oct 19, 2022 - Dec 14, 2022
Date Accepted: Feb 19, 2023
Warning: This is an author submission that is not peer-reviewed or edited. Preprints - unless they show as "accepted" - should not be relied on to guide clinical practice or health-related behavior and should not be reported in news media as established information.
Exploring the Privacy-Utility Tradeoff in Differentially Private Federated Learning for Mobile Health: A Novel Approach using Simulated Privacy Attacks
ABSTRACT
Background:
While evidence supporting the feasibility of large-scale mHealth systems continues to grow, privacy protection continues to be an important implementation challenge. The potential scale of publicly available mHealth applications and the sensitive nature of the data involved will inevitably attract unwanted attention from adversarial actors seeking to compromise user privacy. Although privacy-preserving technologies such as Federated Learning and Differential Privacy offer strong theoretical guarantees, it is not clear how such technologies actually perform under real-world conditions.
Objective:
Using data from the University of Michigan Intern Health Study (IHS), we assess the privacy protection capabilities of Federated Learning and Differential Privacy against the associated tradeoffs in model accuracy and training time using simulation methods. Specifically, our objectives are to (1) construct a “target” mHealth system using the demographic and sensor data available in the IHS, (2) mount a simulated privacy attack that attempts to compromise IHS participant privacy, (3) measure the effectiveness of such an attack under various levels of privacy protection on the target mHealth system, and (4) measure the costs to algorithmic performance associated with the chosen levels of privacy protection.
Methods:
For (1), we perform simple data processing/imputation and construct a neural network classifier that attempts to predict participant daily mood EMA score from sensor data. For (2), we make certain assumptions about the attacker’s capabilities and construct an attack, based on techniques proposed in the literature, intended to uncover statistical properties of private participant data. For (3) and (4), we report a collection of conventional metrics to evaluate the success of the privacy attack and the performance of the original mHealth system under Federated Learning and various levels of Differential Privacy.
Results:
We find that Federated Learning alone does not provide adequate protection against the privacy attack proposed above, where the attacker’s success rate in identifying private data attributes is over 90% in the worst case. However, under the highest level of Differential Privacy tested in this paper, the attacker’s success rate falls to around 59.6% with only a 10 percentage point decrease in model R² and a 42% increase in model training time. Finally, we show that those participants in the IHS most likely to require strong privacy protection are also most at risk from this particular privacy attack and subsequently stand to benefit the most from these privacy-preserving technologies.
Conclusions:
Our results demonstrate both the necessity of proactive privacy protection research and the feasibility of current Federated Learning and Differential Privacy methods implemented in a real mHealth scenario. Our simulation methods for privacy protection measurement provide a novel framework for characterizing the privacy-utility tradeoff and serve as a potential foundation for future research.
Copyright
© The authors. All rights reserved. This is a privileged document currently under peer-review/community review (or an accepted/rejected manuscript). Authors have provided JMIR Publications with an exclusive license to publish this preprint on its website for review and ahead-of-print citation purposes only. While the final peer-reviewed paper may be licensed under a cc-by license on publication, at this stage authors and publisher expressly prohibit redistribution of this draft paper other than for review purposes.