EMNLP acceptance rate: 754/3359 = 22.4% (long: 24.6%, short: 16.7%) Findings of EMNLP: 520/3359 = 15.5% ============================================================================ EMNLP 2020 Reviews for Submission #3368 ============================================================================ Title: PrivNet: Safeguarding Private Attributes in Transfer Learning for Recommendation Authors: Guangneng Hu and Qiang Yang ============================================================================ META-REVIEW ============================================================================ Comments: The paper presents a concern about privacy issues when applying transfer learning for recommender systems. It addresses a timely topic and introduces a reasonable solution. Please address reviewers' comments in the revision if appropriate. ============================================================================ REVIEWER #1 ============================================================================ What is this paper about, what contributions does it make, and what are the main strengths and weaknesses? --------------------------------------------------------------------------- The paper describes an approach for transfer learning of a recommendation system that preserves the privacy of source attributes. They introduce the notion of adversarial game simulating attacks on the model during the training process. The primary purpose of that is to protect the privacy of unseen users' privacy. The strengths of the paper are: 1. They propose a method that achieves a good balance between the privacy and utility of the transfer approach. 2. The use of an attacker model during training is novel. The attacker model predicts the source attributes from the source instance representation which is very interesting. The key idea is to achieve a robust representation that is difficult to break. 3. As per the claims of the author, their approach is better than the approaches for differential privacy that can cause degradation in performance. The author show that PrivNet shows best recommendation performance in most cases while achieving good privacy production. The weakness of the paper are: 1. Limited set of experiments. The authors have just evaluate on two primary tasks. The results do not appear to be conclusive towards the PrivNet approach in comparion to LDP and BlurMe. 2. The private attribute needs to be specified which is not practical in many use cases. --------------------------------------------------------------------------- Reasons to accept --------------------------------------------------------------------------- A very well-written paper that presents an approach for making a model transfer more robust to privacy attacks. --------------------------------------------------------------------------- Reasons to reject --------------------------------------------------------------------------- The method performs good in most cases. However, it is not clear if that technique works best for a broader set of problems. --------------------------------------------------------------------------- --------------------------------------------------------------------------- Reviewer's Scores --------------------------------------------------------------------------- Reproducibility: 4 Overall Recommendation: 3.5 ============================================================================ REVIEWER #2 ============================================================================ What is this paper about, what contributions does it make, and what are the main strengths and weaknesses? --------------------------------------------------------------------------- This paper proposes a transfer learning recommendation task with a privacy issue. Specifically, one can leverage the knowledge from the source domain to help the recommendation system in the target domain, while some attributes in the source domain are private, and they should be protected. To help improve the recommendation in the target domain as well as protect the private information in the source domain, the authors propose PrivNet, which simulates an attacker in the transfer learning trained by public users' profile. The experiments on Foursquare (FS) and MovieLens (ML) show that their model can achieve similar performance to the methods without privacy protection, as well as outperforming the other methods with privacy protection. Strength: - An interesting, novel and practical problem - Reasonable model - Clear writting Weakness: - The experiments design does not perfectly match the motivation - Some experimental results are a little bit rough --------------------------------------------------------------------------- Reasons to accept --------------------------------------------------------------------------- An interesting, novel, and practical problem, with a reasonable model as a baseline. --------------------------------------------------------------------------- Reasons to reject --------------------------------------------------------------------------- Experiments setting and some minor issues in the experiments --------------------------------------------------------------------------- --------------------------------------------------------------------------- Reviewer's Scores --------------------------------------------------------------------------- Reproducibility: 4 Overall Recommendation: 3.5 Questions for the Author(s) --------------------------------------------------------------------------- 1. The privacy issue in transfer settings is very interesting. Is there any previous work considering this issue? If so, what's the difference? 2. About the settings of experiments, I have some concerns: the motivation of this work is transferring knowledge from the source domain S to the target domain T without leaking the privacy. To my understanding, the ideal experiment setting would be: - S and T have some common things so that we can do transfer learning - T has private information that should be protected, while one cannot infer that information from S. In the experiments, the source and target domain are from the same dataset separated by time. The private information (Age, Gender) is included in both S and T, and actually their distribution (or the information about users they include) is quite similar. Your model may not benefit from this, but it has some potential risk, like: - The source model passes partial information (without private information) to the target mode, and the whole information can be reconstructed on the target side. - Your model is pretty easy to beat those without knowledge transfer 3. The experiments are a little bit rough to me. Here are some questions with respect to the experiments: - The privacy prediction is a kind of multi-class classification. What kind of F1 score do you use? The P / R / F score in Table 4 seems a little bit wired. - What is the ratio of U^{pub} in Figure 3(a) and what is the \lambda in Figure 3(b)? (Also Table 5 last row). I tried to match these two figures and find \lambda is about 0.05. If I do not make a mistake, since your default \lambda=1, what is the reason to do analyze the results in Figure 3(b), Table 5 when \lambda = 0.05? - From Figure 3(a) \lambda=0.25 seems to be a better choice. What is the reason to use \lambda=1? - Still in Figure 3, as \lambda getting large (e.g. +\inf), the F1 score should be closer to the minimum. This minimum should be a min-max function that min_{transferKnowledge) max_{attacker} attack(transferKnowledge), and it should be the F1 score for random guess. The random guess F1 score for Age and Gender should be 0.33, 0.5, respectively, but your results do not have a tendency to converge at these points. What is the reason? Also, I'm pretty interested in whether you have some analysis or results about: - The performance curve about \lambda. In the experiments, there are only result for privacy F1 about \lambda. - On the top of my head, one possible baseline to compare with is some representation disentanglement work. They disentangle the representation based on GAN or mutual information. Your model is like a GAN-based disentanglement part (attacker + source) and a transfer learning part, with joint training. It would be interesting to see the comparison. --------------------------------------------------------------------------- ============================================================================ REVIEWER #3 ============================================================================ What is this paper about, what contributions does it make, and what are the main strengths and weaknesses? --------------------------------------------------------------------------- This paper proposes PrivNet, a neural network architecture capable of leveraging the benefits of transfer learning while protecting user privacy. More specifically, this is achieved through an adversarial loss, reducing the amount of privacy sensitive information stored in the knowledge transfer process between the source and target domain. Experimental results on two datasets demonstrate the effectiveness of the proposed methods over a number of baselines. Strengths: This paper is well motivated and clearly written and presented. I find it easy to follow. Weaknesses: I am not sure if the topic of this paper is highly relevant to NLP. It is perhaps better to submit it to a different conference (I may have missed something and may be wrong here). I am also a little concerned about the novelty of the proposed methods. It seems similar methods have been proposed in the NLP domain, for example: Adversarial Multi-task Learning for Text Classification. In Proc. ACL 2017 (while focusing on multi-task learning, this paper proposes a similar adversarial setting, should be included in Sec 2). --------------------------------------------------------------------------- Reasons to accept --------------------------------------------------------------------------- Well motivated and clearly written. Easy to follow. --------------------------------------------------------------------------- Reasons to reject --------------------------------------------------------------------------- Perhaps not the best fit for EMNLP. Slight lack of novelty. --------------------------------------------------------------------------- --------------------------------------------------------------------------- Reviewer's Scores --------------------------------------------------------------------------- Reproducibility: 5 Overall Recommendation: 2.5 Questions for the Author(s) --------------------------------------------------------------------------- 1. I am not sure if I see much difference in Figure 1. My understanding is that with PrivNet training, it would be more difficult to tell the difference between gender groups? I am afraid I do not think there is much difference between the blue and red groups. Could you please elaborate more on this? 2. Line 290, I do not see any activation functions applied to the target domain, is that correct? 3. This is perhaps out of scope but can the same adversarial loss be applied to some of the baselines? I am curious to see how they compare against PrivNet. --------------------------------------------------------------------------- Typos, Grammar, Style, and Presentation Improvements --------------------------------------------------------------------------- 1. Please make sure that colors are differentiable when printed in black & white. 2. Please keep the reference format consistent: initial vs full first name of authors. ---------------------------------------------------------------------------