TLDR: RecPS is a new method that quantifies privacy risks in recommender systems at both the individual interaction and user levels. It uses a powerful new Membership Inference Attack (MIA) called RecLiRA to estimate these risks. This allows users to understand which of their data is most sensitive and helps system owners selectively remove high-risk interactions, preserving more system performance compared to traditional full-user data removal, while still enhancing privacy.
Recommender systems, which suggest products, movies, or music you might like, have become a fundamental part of our online lives. From Amazon to Netflix, these systems analyze your past interactions – like what you’ve clicked, rated, or reviewed – to predict your future preferences. While incredibly convenient, their success hinges on collecting vast amounts of highly sensitive personal data, leading to significant privacy concerns.
Historically, privacy protection in these systems has been a challenge. Early attempts focused on anonymizing data, but these often fell short. More recently, approaches like Federated RecSys allow data to stay local, but they don’t protect the learned model itself from privacy breaches. Differentially private machine learning offers strong privacy guarantees, but it often comes at a cost: a noticeable reduction in the quality of recommendations due to added noise.
In practice, many recommender system developers still rely on basic protections like controlled access, where only authorized individuals can view sensitive data. However, this isn’t foolproof, as insider threats, system vulnerabilities, and sophisticated attacks can still expose private information. A major gap exists: users don’t have a clear way to know which of their interactions are more sensitive than others, making it difficult for them to make informed decisions about data sharing.
Introducing RecPS: Quantifying Privacy Risk
To address this critical need, researchers have developed RecPS, a novel method designed to quantify privacy risks within recommender systems. RecPS provides a privacy score for individual user-item interactions (like a specific movie rating) and extends this to an overall score for an entire user’s profile. This allows both users and system owners to understand the potential privacy exposure of their data.
The core of RecPS is based on a sophisticated type of privacy attack called a Membership Inference Attack (MIA). An MIA tries to determine if a specific piece of data was used to train a machine learning model. If an attacker can confidently identify that your interaction was part of the training data, it reveals sensitive information about your preferences and actions.
RecLiRA: The Engine Behind RecPS
A key component of RecPS is a newly developed interaction-level MIA method called RecLiRA. While other MIA methods exist for recommender systems, they often operate at the user level or have limited effectiveness at the granular interaction level. RecLiRA, adapted from a powerful attack method called Likelihood Ratio Attack (LiRA), is specifically designed to work with common recommender models like Neural Collaborative Filtering (NCF) and LightGCN, which predict the probability of a user interacting with an item.
RecLiRA works by analyzing the model’s output confidence for a given interaction. Intuitively, a model is much more confident about data it was trained on (an “IN” sample) compared to data it hasn’t seen (an “OUT” sample). RecLiRA leverages this difference to estimate the likelihood of an interaction being part of the training data. The privacy score itself is derived from the ratio of True Positive Rate (TPR) to False Positive Rate (FPR) of this attack, which has a theoretical link to the concept of differential privacy.
Also Read:
- FedFlex: A New Approach to Diverse and Private Netflix Recommendations
- Optimizing LLM Privacy with Dynamic Reinforcement Learning
Real-World Impact and Benefits
The researchers conducted extensive experiments using well-known datasets like MovieLens-1M and Amazon Digital Music. Their findings demonstrate that RecLiRA significantly outperforms existing interaction-level MIA methods, ensuring that the privacy scores generated by RecPS are of high quality and accurately reflect the risk. For instance, RecLiRA achieved AUC values above 0.9 for all dataset/model combinations, indicating its strong performance.
One of the most significant applications of RecPS is in guiding data removal and “unlearning” processes. Privacy regulations like GDPR and CCPA grant users the right to request their data be removed. Current unlearning methods often remove all data associated with a user, which can severely degrade the recommender system’s performance and lead to “cold-start” issues for those users (where the system has no data to make recommendations). RecPS offers a more nuanced approach.
By identifying the most sensitive interactions, RecPS allows for selective removal. This means that instead of deleting all of a user’s data, only the highest-risk interactions can be removed, preserving more of the system’s overall utility while still meeting privacy demands. Experiments showed that partially removing sensitive interactions based on RecPS scores resulted in significantly less performance degradation compared to removing all of a user’s data. Furthermore, score-guided removal was far more effective at reducing privacy risk than random removal.
The research also touched upon the “privacy onion effect,” where removing some data can subtly change the privacy risk of remaining data. While this effect exists, RecPS helps manage it, showing that interaction-level removal can mitigate these shifts more effectively.
In conclusion, RecPS represents a crucial step forward in enabling privacy-aware development and deployment of recommender systems. By providing a quantitative measure of privacy risk at both interaction and user levels, it empowers users to make informed decisions about their data and equips system owners with a tool to balance privacy protection with model utility. You can read the full research paper here: RecPS: Privacy Risk Scoring for Recommender Systems.
