Dec 27, 2022	I am honored to have been nominated by SFU to attend the 10th Heidelberg Laureate Forum in Germany. There is only one nomination from the entire university. Students meet the recipients of the most prestigious awards in mathematics and computer science.
Dec 26, 2022	Paper "TEM: High Utility Metric Differential Privacy on Text" was accepted to SDM 2023.
Aug 04, 2022	I have presented my Thesis Proposal.
Feb 03, 2022	I have been awarded a student scholarship for AAAI-22.
Dec 07, 2021	I will be serving as a PC member for the research track of KDD 2022.
Dec 01, 2021	Paper "Incorporating Item Frequency for Differentially Private Set Union" was accepted to AAAI 2022.
Oct 11, 2021	Paper "Differentially Private Ensemble Classifiers for Data Streams" was accepted to WSDM 2022.
Aug 19, 2021	I will be serving as a PC member for the Fifteenth International Conference on Web Search and Data Mining (WSDM 2022).
Jul 12, 2021	Paper "Training Differentially Private Neural Networks With Lottery Tickets" was accepted to ESORICS 2021.
Jul 08, 2021	Paper "TEM: High Utility Metric Differential Privacy on Text" was accepted to the ICML 2021 Workshop on Theory and Practice of Differential Privacy.
Jul 01, 2021	Paper "BRR: Preserving Privacy of Text Data Efficiently on Device" was accepted to the ICML 2021 Workshop on Machine Learning for Data.
Nov 30, 2020	I will be serving as a PC member for the research track of KDD 2021.
Nov 24, 2020	I am giving a talk about differential privacy for the graduate data mining class at Simon Fraser University (SFU).
Sep 21, 2020	Our paper "BRR: Preserving Privacy of Text Data Efficiently on Device" received a best paper award at the Shareable NLP Technologies workshop at Amazon's internal ML conference (AMLC 2020)!
May 14, 2020	Paper "Differentially Private Top-k Selection via Stability on Unknown Domain" was accepted to UAI 2020!
Feb 17, 2020	I will be joining Amazon during this Summer as an Applied Scientist Intern!
Dec 11, 2019	I presented my current work on differentially private GANs at the BC AI Student Showcase 2019.
Nov 24, 2019	I have been selected as student volunteer for NeurIPS 2019.
Oct 01, 2019	Poster on differentially private lottery ticket accepted to Workshop on Machine Learning with Guarantees at NeurIPS 2019!

Please see complete list of publications here.

TEM: High Utility Metric Differential Privacy on Text Ricardo Silva Carvalho, Theodore Vasiloudis, Oluwaseyi Feyisetan, Ke Wang --- Work done during an internship at Amazon SIAM International Conference on Data Mining (SDM 2023) Workshop on Theory and Practice of Differential Privacy (TPDP 2021) at ICML 2021 Paper Poster Amazon Science
Incorporating Item Frequency for Differentially Private Set Union Ricardo Silva Carvalho, Ke Wang, Lovedeep Gondara AAAI Conference on Artificial Intelligence (AAAI 2022) Paper Poster Code
Differentially Private Ensemble Classifiers for Data Streams Lovedeep Gondara, Ke Wang, Ricardo Silva Carvalho ACM International WSDM Conference (WSDM 2022) Paper Code
BRR: Preserving Privacy of Text Data Efficiently on Device Ricardo Silva Carvalho, Theodore Vasiloudis, Oluwaseyi Feyisetan --- Work done during an internship at Amazon Workshop on Machine Learning for Data (ML4Data 2021) at ICML 2021 Workshop on Shareable NLP Technologies at Amazon's Machine Learning Conference (AMLC 2020) - best paper award Paper Poster Amazon Science
Differentially Private Top-k Selection via Stability on Unknown Domain Ricardo Silva Carvalho, Ke Wang, Lovedeep Gondara, Chunyan Miao Conference on Uncertainty in Artificial Intelligence (UAI 2020) Paper Supplementary File Video Code
Training Differentially Private Neural Networks With Lottery Tickets Lovedeep Gondara, Ricardo Silva Carvalho, Ke Wang European Symposium on Research in Computer Security (ESORICS 2021) Workshop on Machine Learning with Guarantees at NeurIPS 2019 Paper Extended Abstract
Privacy-Preserving Publication of Sensitive Data using Differentially Private GANs Ricardo Silva Carvalho BC AI Student Showcase 2019 Paper Poster Code

Project Reviewer	Udacity	Reviewer of 7 projects on the Data Analyst and Data Scientist nanodegrees, involving hypothesis testing with digital advertising, querying databases, exploratory analysis, and machine learning.
Technical Writer	Medium.com \| Towards Data Science	Writer of technical content related to data science. The most popular post has almost 40,000 views.
Open Source Contributor	Privacy libraries	Contributor to PipelineDP by Google and OpenMined.
Conference Reviewer (PC Member)	Multiple AI/ML/DM conferences	Reviewer or PC member for AI/ML/DM conferences, such as KDD 2022, AISTATS 2022, WSDM 2022, ICDM 2021, KDD 2021, WSDM 2021, IEEE BigData 2020, KDD 2020, ICDM 2020, ICDE 2020.
Teaching Assistant	Data Mining at SFU	Only Teaching Assistant (TA) for the Data Mining course at Simon Fraser University (SFU) with more than 80 undergraduate students enrolled.

Ricardo Silva Carvalho

Differentially Private SQL Queries

Page last updated: December 2022.

To answer SQL queries to a database while satisfying Differential Privacy (DP), my research focused on the ubiquitous problem of performing GROUP BY queries - more specifically the privacy aspects of releasing the partitions of such aggregate queries.

[PAPER]: The work described below was published at AAAI 2022 and can be found here. Poster available here.
[CODE]: The complete code and datasets used in the experiments are also available here.
[CITATION]: To cite this work, please click here to get the corresponding BibTex.

Motivation: GROUP BY queries and partitions

Consider the following table tbl_patients with sensitive data about patients, and suppose you want to perform the following SQL query:

tbl_patients

Query:

SELECT diagnosis, COUNT(user_id) as nr_users
FROM tbl_patients
GROUP BY diagnosis

The query above will group the results by "diagnosis", which are our partitions, and then count the number of "user_id" per partition.

If we use standard DP mechanisms to answer this query, we would basically add noise to the total counts of each partition/diagnosis, and release e.g. the following result on the right:

(without differentiating noise added and total count, here shown just for illustration)

What is the problem with releasing this result on the right?

In tbl_patients the user with id "003" is the only one that has "diabetes". Therefore, just by outputting the partition "diabetes" using a standard DP mechanism, it becomes easy to differentiate tbl_patients from a neighboring table without the user with id "003", since the partition "diabetes" would not appear in the result without this user.
For this reason, the algorithm use above would violate differential privacy, as intuitively we should not be able to differentiate the results of neighboring datasets/tables.

Result:

How do we solve this problem?

If you have domain knowledge (i.e. you know which partitions exist without looking at the data) you can pass the list of possible partitions and the DP mechanism would release only the result for these partitions (adding noise to them even if their total count is zero).
More generally, another option is to use a DP mechanism just to find the possible partitions and then pass these partitions to a noise-adding mechanism such as the one seen above, to release the noisy result only for such partitions.

In the literature, this approach is referenced as differentially private "partition selection" or "set union".

Defining DP Set Union (DPSU)

Consider we have a dataset/table $D$ with data of users.
Moreover, consider each user $i$ has a set of items $W_{i}$ (in the example above, "item" = "diagnosis").

In DPSU, our goal is to output as many items as possible as the existing items in the dataset/table from the users, while satisfying DP.
In other words, we want to use a DP mechanism on $D$ to output a subset $S \subseteq \cup_{i} W_{i}$ such that the size of $S$ is as large as possible.

How DPSU mechanisms work

Previous work related to DPSU [1, 2] designed mechanisms with two phases:

Phase 1 builds a histogram on $\cup_{i} W_{i}$ by iterating over the users and getting their contributions in terms of items.

To provide DP, the contribution of every single user needs to be bounded in terms of number of items and weights.
Thus, STEP 1 samples items from $W_{i}$ into $\overset{―}{W_{i}}$ to limit user contribution to at most $Δ_{0}$ items.
In STEP 2 a total weight budget of $1$ is distributed among the items in $\overset{―}{W_{i}}$ , and the histogram is updated for each item in $\overset{―}{W_{i}}$ .

After Phase 1, which runs the two steps above for all existing users, a histogram $H$ is built.
Phase 2 takes as input the histogram $H$ constructed in the previous phase.

STEP 3 adds noise to the total weights of each item in the histogram.
Finally, in STEP 4, only items with a noisy weight above the threshold $ρ$ will be outputted.

Our Contributions to DPSU

Our work introduced the following improvements over previous DPSU mechanisms:

Introducing item frequency
- All previous works treat $W_{i}$ as a set of distinct items, ignoring items' frequencies for the user $i$ when available.
- For example, for our patient/diagnosis scenario above (where "item" = "diagnosis"), a patient could have the same diagnosis multiple times (e.g. a cancer that reappears), but previous works represent each user by a set of distinct items.
- Our first contribution is introducing an item frequency array $C_{i}$ associated with the items in $W_{i}$ .
- The goal is to use $C_{i}$ to output more items in the set union while meeting DP.
Eliminating sampling
- All previous works implement STEP 1 in the image above using uniform sampling.
- Uniform sampling tends to waste the weight budget on updating items that occur among many users, as such items do not require many updates to reach the threshold $ρ$ .
- We introduce a mechanism that eliminates the need for sampling in STEP 1.
- By eliminating sampling, each user $i$ moves on to STEP 2 with all items $W_{i}$ .
- This means that, unlike previous work, we do not need to set the $Δ_{0}$ parameter, which would cost additional privacy budget to choose privately.
- To the best of our knowledge, this is the first work that eliminates the sampling step.
DP greedy update:
- [3] shows that some well thought greedy update for STEP 2 does not satisfy DP.
- We propose a novel update algorithm for STEP 2 that follows a greedy approach guided by the item frequency $C_{i}$ for each user $i$ .
- However, our greedy update provably satisfies DP and enables a smaller threshold $ρ$ compared to [3].
- The reduced threshold increases the probability of outputting more items.
Knowledge transfer:
- Looking at the data of each individual user $i$ to get the frequency array $C_{i}$ may not reflect the global frequency distribution for all users.
- On the other hand, getting $C_{i}$ by aggregating all users’ sensitive data would not satisfy DP.
- To address this issue, we propose a variant of our mechanism with knowledge transfer that uses the frequency of items in the histogram built from a public dataset.

In experiments, compared to the previous state-of-the-art in DPSU, our mechanisms had utility improvements of up to 25%.

Ricardo Silva Carvalho

Differentially Private Top-k Selection

Page last updated: December 2022.

In this topic, my research focuses on making DP top-k selection viable and easy-to-use as part of scalable systems.

[PAPERS]: Part of the work described below (the framework) is under review, and can be shared upon request. Another part (restricted domain) was published at UAI 2020 and can be found here.
[CODE]: The complete code and datasets used in the UAI paper are also available here.
[CITATION]: To cite the work published at UAI 2020, please click here to get the corresponding BibTex.

Defining DP top-k selection

Consider a dataset from users, where each user has a set of binary elements, where a value of 1 indicates the presence of the element. Moreover, we can define a "score" for every element, which denotes its importance in the dataset, as the sum of the values of the element for all the users.

Below we an example of such dataset:

Elements can be for example:

Symptoms: a value of 1 indicates the existence of the symptom for that user/patient.
Products: a value of 1 indicates that the user purchased the product.
Pages: a value of 1 indicates that the user visited the page.
Photos: a value of 1 indicates that the user liked the photo

The histogram we see above on the right is then showing the score of the elements (i.e. sum of each column).

So a top-k selection is interested in the most valuable elements, i.e. the elements with the highest scores.
For example, a top-3 selection in the example above (without considering privacy) would return $[F, C, G]$ .
Moreover, taking privacy into account, we want to select the top-k such that the result is not giving away the presence of elements of any specific user.

There are a few options for DP selection mechanisms, with the Exponential Mechanism (EM) [1] being one of the most used.

Using EM, we select some element $i$ from a dataset $D$ with probability: $Pr [E M (D) = i] \propto \exp (\frac{ε \cdot f (i, D)}{2 \cdot Δ f})$
So in practice we have a random selection with a probability of selection for every element in the full domain of elements (i.e. all known/existing elements - the image above shows the full domain of the example).
Moreover, the random selection is biased towards elements with high score (which is want we want), and we also have DP guaranteed (going into details of EM is out of scope now).
To select k elements, we simply use EM iteratively, renormalizing probabilities and removing elements selected at every iteration.

Motivation: Efficiency of DP top-k selection

Now consider a dataset with 1 million elements to select the top-10. How do we do this with DP?

As mentioned above we can apply EM 10 times

This means normalizing probabilities of 1 million elements 10 times, and then also running a random selection 10 times.
It easy to see that this iterative process is not practical for real-world systems, especially when the selection is part of a larger and more complex analysis pipeline.

There is an equivalent approach in the literature [2] that is more efficient:

It adds Gumbel noise once to all 1 million scores, then sorts the noisy score and returns the 10 elements with highest noisy scores.
However, even this one-shot approach can still be time consuming for large datasets.
In fact, we saw that, without considering the time to access the database, (i.e. only counting the time for the private top-k selection) this approach takes around 0.5 seconds to do a DP top-10 selection on a dataset with one million elements.

How can we improve the computational efficiency of DP top-k selection?

To address computational efficency within DP top-k selection, [2] proposed selecting elements from a restricted domain, which we explain below.

Restricted domain

Restricted domain top-k mechanisms select k elements by choosing from the elements that have the top- $\bar{k}$ scores, for a chosen $\bar{k} \geq k$ . The image on the right illustrates this setting.

This means only processing $\bar{k}$ elements, instead of the full domain (as it was with EM).
This improves computational efficiency dramatically.
In fact, our experiments showed DP top-k selection on restricted domain up to 200 times faster than traditional DP selection.

What is the problem with DP top-k selection on Restricted domain?

DP mechanisms working on restricted domain still need to provide DP guarantees for the full domain of all elements.

That's because the restricted domain itself (i.e. the top- $\bar{k}$ elements) is sensitive.
Therefore, simply enforcing DP on the restricted domain is not sufficient to guarantee privacy.
Moreover, proving DP on the full domain when accessing only the restricted domain is a really complex task.

In this context, the current approach is to start with a traditional DP top-k mechanism, and modify it such that it maintains the DP guarantee on the full domain while only selecting from the restricted domain.

The problem with this approach is that you have to go through a complex DP analysis for every DP top-k mechanism you want to use on restricted domain.
This limits the applicability of restricted domain mechanisms, especially because new improved top-k mechanisms are being proposed every year.
Therefore, a highly practical setting (restricted domain selection) becomes of limited use in practice.

How can we solve this problem?

In our work detailed below, we propose a "framework" that takes a novel mechanism-agnostic approach to create restricted domain mechanisms.

We develop an easy-to-use framework to allow any DP top-k mechanism to be used on restricted domain.
Our framework guarantees DP for the full domain by default, therefore it does not need any additional DP proof.

Our framework to make DP top-k selection practical

Our "framework" for differentially private top-k selection aims to be highly practical.

It takes as a black-box any given DP top- $k$ mechanism and automatically "converts" it into a restricted domain mechanism.
The framework provides a unified proof of privacy "for free", which is already valid by default for any given mechanism.
This property greatly simplifies adoption in practice, as it eliminates the need for any privacy analysis to work on restricted domain.

The framework can be built on top of any regular database system without internal modification, leveraging existing optimized data infrastructure. See the image below.

When a user requests DP top- $k$ queries.
Our framework first queries the database system.
The database returns the true top- $\bar{k}$ elements.

Then the framework applies, as a blackbox, any traditional DP top- $k$ selection mechanism to the top- $\bar{k}$ together with additional private computation.

Finally it returns at most $k$ elements while guaranteeing DP by default for the full domain.

The novelty is that our framework can be used to easily create new restricted domain mechanisms from any traditional DP top- $k$ mechanism, while guaranteeing DP for the full domain by default and without needing any additional DP proof.
Therefore, our approach eliminates the hassle involved in the DP analysis of individual mechanisms.
This means that every time a new traditional DP selection mechanism is proposed in the literature, e.g. [3, 4], we can already directly leverage it on restricted domain by using our framework.

Aside from being practical, our framework also have better utility (formally proven) compared to previous restricted domain mechanisms [2].

Moreover, our experiments confirm the improved utility on multiple datasets and settings.
Some settings show our framework returning three times more elements than previous restricted domain mechanisms [2].

In summary, our framework has FOUR main advantages that make it highly practical:

It adapts traditional DP top-k mechanisms to restricted domain automatically, without needing any DP proof.
By selecting from a restricted domain, it is computationally efficient (e.g. 200 times faster than one-shot full domain approaches).
Has better utility compared to previous restricted domain mechanisms (e.g. returning three times more elements than previous mechanisms).
Can be directly used on top of any database system, without needing to modify such system.

Ricardo Silva Carvalho

Differentially Private Text

Page last updated: December 2022.

In Natural Language Processing (NLP), my research focuses on improving the utility of DP text generation algorithms.

[PAPERS]: Part of the work described below was published at ML4Data/ICML 2021 and is available here. Another part will be published at SDM 2023 and a preview can be found here.
[CODE]: Code will be released soon.
[CITATION]: To cite the work published at ML4Data/ICML 2021, please use this BibTex, and for the work to be published at SDM 2023, please use this BibTex.

Defining Text Privatization

Consider we have a dataset of users, where each user has a set of words.

In this setting, we consider potential privacy problems with one sensitive word per user.
The idea is to replace each sensitve word by a new word that cannot be easily linked back to the original word, thus improving privacy.
Additionally, we want to keep the context of the sentence.

Below we an example of such dataset:

Thus, in this setting, we are protecting users at the individual word level.

Our main goal is to take an input word and perturb it to obtain an output word that would be indistinguishable from the input word.

i.e. an adversary that sees the output word would not be able to tell the input word with high probability, which in turn protects the user's identity.

But we also intentionally want to maintain the original context that can be observed by the aggregation of words from each user.

i.e. we are still interested in the Context for, e.g., Intent Classification, in a downstream NLP task.

Note that we could also privatize all words in a sentence, while still keeping the context, with similar results.

It is no surprise that disclosing just a single word is enough to impact a user's privacy, as it may represent a password, disease diagnosis or political preference. So this is a really important problem to address.

How Text Privatization works

For text privatization, standard DP approaches do not work well in the context above.

For standard DP to work, we would have to ensure that a word can be replaced by any other word in the vocabulary
This would potentially ruin the utility of any DP algorithm by adding an excessive amount of noise.

To deal with this issue, previous research [1] has proposed two modifications:

Privatize words in the continuous embedding space.
Use a generalization of DP for metric spaces called metric differential privacy (mDP) [2]

See below an example of word embeddings where each user's data is a word with their home city.

For each word, we perform a lookup in the embedding space (in this case 2-dimensional) and the word embedding is the returned vector numerically representing each word.

Using mDP, previous methods [1] generally work with three main steps as we see in the image below.

First, they retrieve the embedding vector of the input word that needs to be privatized.
In the second step, the vector is perturbed by, for example, adding random noise.
Finally, as a noisy vector is unlikely to exactly represent a valid word, the output is the word that is closest to the noisy vector (obtained via nearest neighbor search in the representation space).

What are the problems with the privatization approach above?

That approach considers the representation space as non-sensitive (i.e. public), as it does not account for privacy loss in the nearest neighbor search (STEP 3).
Moreover, each existing mechanism assumes one specific distance metric (e.g. Euclidean in [1]) is being used when proving DP.
Also, the approach would not be viable to privatize text on-device, due to large storage and computational requirements.
Finally, the noise added to a vector does not take into account the density of the region that the vector lies in, which tends to reduce utility.

For example, if a word is on a highly dense area in the embedding space, the noise added could be small, as the word already has some indistinguishability.
However, the current mechanisms do not adapt the noise depending on the area of the word embedding vector being privatized.

How do we solve the problems above?

In our work shown below, instead of seeing text privatization as a vector perturbation problem, we pose the task as a selection problem.
Additionally, we use binary embeddings and optimized nearest-neighbors search, to make our approach possible to be used on-device.

These two modifications will solve all the problems described above, as we detail next.

Our contributions to text privatization

Our approach to text privatization is completely different from previous work: we pose the problem as a selection task.

Instead of perturbing an input embedding vector, our method selects an output from a set of possible candidates
For the candidates, the words closer to the input word in the metric space will have higher probability of being selected.
Moreover, our work adapts the probabilities of words being selected to the regions of a given input word, basically adjusting the randomness for better utility.

We illustrate and detail this last property now:

See the following image as an example:

Example of embedding space

Let the image on the left be a two-dimensional embedding space, with a few vectors represented as dots.
In previous work, the perturbation method was the same for all vectors, including both the red and the green embedding vectors.
On the other hand, our approach adds less randomness/noise to high density areas (red vector) and also adds more randomness/noise to low density areas (green vector).
This dynamic noise behavior, adapted to the density, intuitively makes sense:

The high density areas (red vector) already have vectors that are somewhat indistinguishable, so less randomness is required.
In other words, if you add small noise to the red vector, it is already hard to know which of the vectors in that area was the actual input.
However, if you add small noise to the green vector (low density area), then it is still easy to identify it as the input - so more noise is required here to make the output indistinguishable.

This more-efficient randomness adaptation approach led to 42% better utility than previous work [1].

Moreover, as usual on selection problems, we do not release the scores, just the selected element.

Therefore, unlike previous work, the embedding space can be sensitive, as they are used to define the scores.
Moreover, the mechanisms do not depend on the distance metric used to define the scores.

This means we can use any distance metric, and the mDP guarantee will still hold.

As mentioned above we also use binary embeddings to represent the words.

We use recent research [3] that converts real-valued embedding vectors into binary representations, explicitly aiming at keeping the semantic meaning while transforming representations.

They show binary embeddings losing only approximately 2% in semantics, but with the upside of reducing the embeddings' size by 97%.
They use an autoencoder model, where an encoder binarizes the real-valued word vector and a decoder reconstructs such input vector - so the binarized vector is the latent representation of the autoencoder.

Another advantage is that binary data leverages hardware-level optimizations for nearest neighbors search.
Additionally, we can implement randomization with efficient operations such as XOR.
These properties allow privatization on-device, as showed in our experiments:

The required disk space for the embeddings decreased 98% compared to previous work [1].
Execution time decreased by 68% compared to previous work.

Therefore, our approach has the following THREE main practical advantages:

It allows text privatization on-device (fast execution time and small storage requirement)
Improved utility with density-aware randomness
More flexibility of use in practice: allows the use of sensitive embeddings and any distance metric.

Under construction! - Come back soon..