Subtitles section Play video Print subtitles [MUSIC PLAYING] CATHERINE XU: Hi. I'm Kat from the TensorFlow team, and I'm here to talk to you about responsible AI with TensorFlow. I'll focus on fairness for the first half of the presentation, and then my colleague, Miguel, will end with privacy considerations. Today, I'm here to talk about three things. The first, an overview of ML fairness. Why is it important? Why should we care? And how does it affect an ML system exactly? Next, we'll walk through what I'll call throughout the presentation a fairness workflow. Surprisingly, this isn't too different from what you're already familiar with-- for example, a debugging or a model evaluation workflow. We'll see how fairness considerations can fit into each of the discrete steps. Finally, we'll introduce tools in the TensorFlow ecosystem, such as Fairness Indicators that can be used in the fairness workflow. Fairness Indicators is a suite of tools that enables easy evaluation of commonly used fairness metrics for classifiers. Fairness Indicators also integrates well with remediation libraries in order to mitigate bias found and a structure to help in your deployment decision with features such as model comparison. We must acknowledge that humans are at the center of technology design, in addition to being impacted by it, and humans have not always made product design decisions that are in line with the needs of everyone. Here's one example. Quick, Draw! was developed through the Google AI experiments program where people drew little pictures of shoes to train a model to recognize them. Most people drew shoes that look like the one on the top right, so as more people interacted with the game, the model stopped being able to recognize shoes like the shoe on the bottom. This is a social issue first, which is then amplified by fundamental properties of ML-- aggregation and using existing patterns to make decisions. Minor repercussions in a faulty shoe classification product, perhaps, but let's look at another example that can have more serious consequences. Perspective API was released in 2017 to protect voices in online conversations by detecting and scoring toxic speech. After its initial release, users experimented with the web interface found something interesting. The user tested two clearly non-toxic sentences that were essentially the same, but with the identity term changed from straight to gay. Only the sentence using gay was perceived by the system as likely to be toxic, with the classification score of 0.86. This behavior not only constitutes a representational harm. When used in practice, such as a content moderation system, this can lead to the systematic silencing of voices from certain groups. How did this happen? For most of you using TensorFlow, a typical machine learning workflow will look something like this. Human bias can enter into the system at any point in the ML pipeline, from data collection and handling to model training to deployment. In both of the cases mentioned above, bias primarily resulted from a lack of diverse training data-- in the first case, diverse shoe forms, and in the second case, examples of comments containing gay that were not toxic. However, the causes and effects of bias are rarely isolated. It is important to evaluate for bias at each step. You define the problem the machine learning system will solve. You collect your data and prepare it, oftentimes checking, analyzing, and validate it. You build your model and train it of the data you just prepared. And if you're applying ML to a real world use case, you'll deploy it. And finally, you'll iterate and improve your model, as we'll see throughout the next few slides. The first question is, how can we do this? The answer, as I mentioned before, isn't that different from a general model quality workflow. The next few slides will highlight the touch points where fairness considerations are especially important. Let's dive in. How do you define success in your model? Consider what your metrics and fairness-specific metrics are actually measuring and how they relate to areas of product risk and failure. Similarly, the data sets you choose to evaluate on should be carefully selected and representative of the target population of your model or product in order for the metrics to be meaningful. Even if your model is performing well at this stage, it's important to recognize that your work isn't done. Good overall performance may obstruct poor performance on certain groups of data. Going back to an earlier example, accuracy of classification for all shoes was high, but accuracy for women's shoes was unacceptably low. To address this, we'll go one level deeper. By slicing your data and evaluating performance for each slice, you will be able to get a better sense of whether your model is performing equitably for a diverse set of user characteristics. Based on your product use case and audience, what groups are most at risk? And how might these groups be represented in your data, in terms of both identity attributes and proxy attributes? Now you've evaluated your model. Are there slices that are performing significantly worse than overall or worse than other slices? How do we get intuition as to why these mistakes are happening? As we discussed, there are many possible sources of bias in a model, from the underlying training data to the model and even in the evaluation mechanism itself. Once the possible sources of bias have been identified, data and model remediation methods can be applied to mitigate the bias. Finally, we will make a deployment decision. How does this model compare to the current model. This is a highly iterative process. It's important to monitor changes as they are pushed to a production setting or to iterate on evaluating and remediating models that aren't meeting the deployment threshold. This may seem complicated, but there are a suite of tools in the TensorFlow ecosystem that make it easier to regularly evaluate and remediate for fairness concerns. Fairness Indicators is a tool available via TFX, TensorBoard, Colab, and standalone model-agnostic evaluation that helps automate various steps of the workflow. This is an image of what the UI looks like, as well as a code snippet detailing how it can be included in the configuration. Fairness Indicators offers a suite of commonly-used fairness metrics, such as false positive rate and false negative rate, that come out of the box for developers to use for model evaluation. In order to ensure responsible and informed use, the toolkit comes with six case studies that show how Fairness Indicators can be applied across use cases and problem domains and stages of the workflow. By offering visuals by slice of data, as well as confidence intervals, Fairness Indicators help you figure out which slices are underperforming with significance. Most importantly, Fairness Indicators works well with other tools in the TensorFlow ecosystem, leveraging their unique capabilities to create an end-to-end experience. Fairness Indicators data points can easily be loaded into the What If tool for a deeper analysis, allowing users to test counterfactual use cases and examine problematic data points in detail. This data can also be loaded into TensorFlow Data Validation to identify the effects of data distribution on model performance. This Dev Summit, we're launching new capabilities to expand the Fairness Indicators workflow with remediation, easier deployments, and more. We'll first focus on what we can do to improve once we've identified potential sources of bias in our model. As we've alluded to previously, technical approaches to remediation come in two different flavors-- data-based and model-based. Data-based remediation involves collecting data, generating data, re-weighting, and rebalancing in order to make sure your data set is more representative of the underlying distribution. However, it isn't always possible to get or to generate more data, and that's why we even investigated model-based approaches. One of these approaches is adversarial training, in which you penalize the extent to which a sensitive attribute can be predicted by the model, thus mitigating the notion that the sensitive attribute affects the outcome of the model. Another methodology is demographic-agnostic remediation, an early research method in which the demographic attributes don't need to be specified in advance. And finally, constraint-based optimization we will go into more detail in over the next few slides in a case study that we have released. Remediation, like evaluation, must be used with care. We aim to provide both the tools and the technical guidance to encourage teams to use this technology responsibly. CelebA is a large-scale face attributes data set with more than 200,000 celebrity images, each with 40 binary attribute annotations, such as is smiling, age, and headwear. I want to take a moment to recognize that binary attributes do not accurately reflect the full diversity of real attributes and is highly contingent on the annotations and annotators. In this case, we are using the data set to test a smile detection classifier and how it works for various age groups characterized as young and not young. I also recognize that this is not the possible full span of ages, but bear with me for this example. We trained an unconstrained-- and you'll find out what unconstrained means-- tf.keras.Sequential model and evaluated and visualized using Fairness Indicators. As you can see, not young has a significantly higher false positive rate. Well, what does this mean in practice? Imagine that you're at a birthday party and you're using this new smile detection camera that takes a photo whenever everyone in the photo frame is smiling. However, you notice that in every photo, your grandma isn't smiling because the camera falsely detected her smiles when they weren't actually there. This doesn't seem like a good product experience. Can we do something about this? TensorFlow constraint optimization is a technique released by the Glass Box research team here at Google. And here, we incorporate it into our case study. TF constraint optimization works by first defining the subsets of interest. For example, here, we look at the not young group, represented by groups_tensor less than 1. Next, we set the constraints on this group, such that the false positive rate of this group is less than or equal to 5%. And then we define the optimizer and train. As you can see here, the constrained sequential model performs much better. We ensured that we picked a constraint where the overall rate is equalized for the unconstrained and constrained model, such that we know that we're actually improving the model, as opposed to merely shifting the decision threshold. And this applies to accuracy, as well-- making sure that the accuracy and AUC has not gone down over time. But as you can see, the not young FPR has decreased by over 50%, which is a huge improvement. You can also see that the false positive rate for young has actually gone up, and that shows that there are often trade-offs in these decisions. If you want to find out more about this case study, please see the demos that we will post online to the TF site. Next, we finally we want to figure out how to compare our models across different decision thresholds so that we can help them in your deployment decision to make sure that you're launching the right model. Model Comparison is a feature that we launched such that you can compare models side by side. In this example, which is the same example that we used before, we're comparing the CNN and SVM model for the same smile detection example. Model comparison allows us to see that CNN outperforms SVM-- in this case, has a lower false positive rate-- across these different groups. And we can also do this comparison across multiple thresholds, as well. You can also see the tabular data and see that CNN outperforms SVM at all of these thresholds. In addition to remediation and Model Comparison, we also launched Jupyter notebook support, as well as a Fairness Lineage with ML Metadata Demo Colab, which traces the root cause of fairness disparities using stored run artifacts, helping us detect which parts of the workflow might have contributed to the fairness disparity. Fairness Indicators is still early and we're releasing it here today so we can work with you to understand how it works for your needs and how we can partner together to build a stronger suite of tools to support various questions and concerns. Learn more about Fairness Indicators here at our tensorflow.org landing page. Email us if you have any questions. And the Bitly link is actually our GitHub page and not our tf.org landing page, but check it out if you're interested in our code or case studies. This is just the beginning. There are a lot of unanswered questions. For example, we didn't quite address, where do I get relevant features from if I want to slice my data by those features? And how do I get them in a privacy-preserving way? I'm going to pass it on to Miguel to discuss privacy tooling in TensorFlow in more detail. Thank you. MIGUEL GUEVARA: Thank you, Cat. So today, I'm going to talk to you about machine learning and privacy. Before I start, let me give you some context. We are in the early days of machine learning and privacy. The field at the intersection of machine learning and privacy has existed for a couple of years, and companies across the world are deploying models to be used by regular users. Hundreds, if not thousands, of machine learning models are deployed to production every day. Yet, we have not ironed the prize issues out with these deployments. For this, we need you, and we've got your back in terms of in TensorFlow. Let's walk through some of those privacy concerns and ways in which you can mitigate them. First of all, as you all probably know, data is a key component of any machine learning model. Data is at the core of any aspect that's needed to train a machine learning model. However, I think one of the pertinent questions that we should ask ourselves is, what are the primary considerations that there are when we're building a machine learning system? We can start by looking at the very basics. We're generally collecting data from an end device. Let's say it's a cell phone. The first privacy question that comes up is, who can see the information in the device? As a second step, we need to send that information to the server. And there are two questions there. While the data is transiting to the server, who has access to the network? And third, who can see the information in the server once it's been collected? Is this only reserved for admins, or can regular [INAUDIBLE] also access that data? And then finally, when we deploy a model to the device, there's a question as to who can see the data that was used to train the model. In a nutshell, if I were to summarize these concerns, I think that I can summarize them with those black boxes. The first concern is, how can we minimize data exposure? The second one is, how can we make sure that we're only collecting what we actually need? The third one is, how do we make sure that the collection is only ephemeral for the purposes that we actually need? Fourth, when we're releasing it to the world, are we releasing it only in aggregate? And are the models that we're releasing memorizing or not? One of the biggest motivations for privacy is some ongoing research that some of my colleagues have done here at Google. A couple of years ago, they released this paper where they show how neural networks can have unintended memorization attacks. So for instance, let's imagine that we are training a learning model to predict a next word. Generally, we need text to train that machine learning model. But imagine that that data or that core piece of text has, or potentially has, sensitive information, such as social security numbers, credit card numbers, or others. What the paper describes is a method in which we can prove what's the propensity that the model will actually memorize some data? I really recommend you to read it, and I think that one of the interesting aspects is that we're still in the very early days of this field. The research that I showed you is very good for neural networks, but there are ongoing questions around classification models. We're currently exploring more attacks against machine learning models that can be more generalizable and used by developers like you, and we hope to update you on that soon. So how can you get started? What are the steps that you can take to do machine learning in a privacy preserving way? Well, one of the techniques that we use is differential privacy, and I'll walk you through what that means. You can look at the image there and imagine that that image is the collection of data that we've collected from a user. Now let's zoom into one specific corner, that blue square that you see down there. So assume that we're training on the individual data that I'm zooming in. If we trained without privacy, we'll train with that piece of data. However, we can be clever about the way that we train a model. And what we could do, for instance, is just let's flip each bit with a 25% probability. One of the biggest concerns that people have when doing this approach is that it naturally introduces some noise, and people have questions as to, what's the performance of the resulting model? Well, I think one of the interesting things from this image is that even after flipping 25% of the bits, the image is still there. And that's kind of the big idea around differential privacy, which is what powers TensorFlow Privacy. As I said, differential privacy is the notion of privacy that protects the presence or absence of a user in a data set, and it allows us to train models in a privacy-preserving way. We released, last year, TensorFlow Privacy, which you can check at our GitHub repository, github.com/tensorflow/privacy. However, I want to talk to you also about some trade-offs. Training with privacy might reduce the accuracy of the models and increase training time, sometimes exponentially. Furthermore, and I think more worryingly and tied to Cat's talk, if a model is already biased, differential privacy might make things even worse, as in even more biased. However, I do want to encourage you to try to use differential privacy because it's one of the few ways in which we have to do privacy in ML. The second one is our Federated learning. So a refresher, TensorFlow Federated is an approach to machine learning where a shared global model is trained across many participating clients that keep their training data locally. It allows you to train a model without ever collecting the raw data, therefore, reducing some privacy concerns. And of course, you can also check it out at our GitHub repository. This is kind of what I was thinking with or mentioning about TensorFlow Federated learning. The idea is that devices generate a lot of data all the time-- phones, IoT devices, et cetera. Traditional ML requires us to centralize all of that data in a server and then train the models. One of the really cool aspects about Federated learning is that each device runs locally only, and the outputs are aggregated to create improved models, allowing the orchestrator not to see any private user data. In terms of Federated, as a recap, allows you to train models without ever collecting the raw data. So if you remember the first slide that I showed, it really protects the data at the very edge. In terms of next steps, we would really want you to reach out to tf-privacy. We would love to partner with you to build responsible AI cases with privacy. As I said earlier, we're in this together. We are still learning. The research is ongoing. And we want to learn more from your use cases. I hope that from the paper that I showed you, you have the sense that keeping user data private is super important. But I think most importantly is that this is not trivial. The trade-offs in machine learning and privacy are real, and we need to work together to find what the right balance is. [MUSIC PLAYING]
B1 fairness model privacy data machine learning learning Responsible AI with TensorFlow (TF Dev Summit '20) 2 1 林宜悉 posted on 2020/04/04 More Share Save Report Video vocabulary