
Lov&Data

4/2024: Articles
17/12/2024

Data Vaccination: Balancing Data Security and Utility

By Changkyu Choi. He received his PhD in machine learning from UiT The Arctic University of Norway in 2023 and is currently a postdoctoral researcher at Visual Intelligence (VI), a Norwegian Centre for Research-Based Innovation. His research interests focus on robust representation learning in latent spaces, with a particular emphasis on shared representations across diverse data modalities, such as image-language and natural image-marine acoustics. Based at the VI Oslo Hub at the University of Oslo, he actively collaborates with the VI Tromsø Hub at UiT, where he contributes to ongoing research projects and teaches advanced topics in machine learning and

Marius Aasan. A PhD researcher in the Digital Signal Processing and Image Analysis group at the Institute of Informatics at the University of Oslo, as well as a researcher in the Visual Intelligence consortium. His research investigates geometric priors and hierarchical learning on natural images and seismic data, and probabilistic modelling of hierarchical structures in signals. His work involves explainability and interpretability in artificial intelligence systems, representation learning, and theoretical machine learning.

The recent decision by the newly elected President of the United States to designate an anti-vaccine theorist as the prospective Secretary of the Department of Health and Human Services prompts reflection on the implications for public health and immunization in society as a whole. Vaccines act as a critical safeguard against pathogens in an increasingly globalized world, where the degree of separation between individuals is much lower than in previous times, increasing the likelihood of interactions between humans and other species across the globe.

The notion of safety through vaccination provides an interesting analogy for data security and privacy in the information era. Digital interactions between online users have become a major source of large-scale data-gathering efforts, and collecting and processing vast amounts of data has become central to business operations. The momentum of data acquisition and curation has only increased with the rise of artificial intelligence (AI) systems, which can automate the curation of enormous quantities of data. As a result, privacy is facing growing threats from malicious attacks and unauthorized use.

Illustration: Colourbox.com

Foundation models

A recent trend in AI is the increased use of foundation models for data processing pipelines. At their core, these foundation models are trained to learn relationships and associations from raw data through a form of semantic data compression. Documents, images, and signals are compressed into a latent vector representation space. While this compressed representation abstracts away the original input dimensions, it remains fundamentally rooted in the structure and semantics of the input data.


Today, large-scale training is often conducted using contrastive learning: raw data is processed so that similar data points are mapped closer together in the representation space, while dissimilar data points are mapped further apart. This learning paradigm is commonly categorized as self-supervised learning, distinguishing it from traditional frameworks where supervision provides explicit guidance for learning.

In a supervised learning setup, human annotations are required to define a specific class or target variable that the model aims to predict for each individual data point. By exposing the model to a sufficient number of annotated examples during training, it learns to associate input data with the corresponding annotations. In contrast, the self-supervised learning paradigm circumvents the need for costly and labor-intensive human annotations by leveraging intrinsic structures or relationships within the data itself. This approach has emerged as a pivotal innovation, facilitating the development of more general and scalable foundation models.
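The contrastive objective described above, as an added pure-Python example that is not code from the article or from its authors: the InfoNCE loss for a single anchor, computed over a handful of constructed toy embeddings. The loss is near zero when the anchor's positive view sits close to it in the representation space and large when the positive is far away while a negative is close, which is exactly the pressure that pulls similar points together and pushes dissimilar ones apart. All vectors and the temperature are assumptions of the example.

```python
# Added example (not from the article): a minimal InfoNCE contrastive loss
# in pure Python. The embeddings below are constructed by hand for illustration.
import math


def l2_normalize(v):
    n = math.sqrt(sum(x * x for x in v)) or 1.0
    return [x / n for x in v]


def cosine(a, b):
    a, b = l2_normalize(a), l2_normalize(b)
    return sum(x * y for x, y in zip(a, b))


def info_nce(anchor, positive, negatives, temperature=0.1):
    """InfoNCE loss for one anchor: -log softmax over [positive] + negatives.

    The loss is small when the positive scores far above every negative,
    i.e. when the anchor is close to its own other view and far from the rest.
    """
    logits = [cosine(anchor, positive) / temperature]
    logits += [cosine(anchor, n) / temperature for n in negatives]
    m = max(logits)                                   # log-sum-exp, numerically stable
    log_sum = m + math.log(sum(math.exp(l - m) for l in logits))
    return log_sum - logits[0]


# Constructed toy embeddings: two "views" of the same item (anchor/positive)
# and three unrelated items (negatives).
ANCHOR = [1.0, 0.2, 0.0]
GOOD_POSITIVE = [0.9, 0.3, 0.1]      # close to the anchor -> low loss
BAD_POSITIVE = [-0.8, 0.1, 0.5]      # far from the anchor -> high loss
NEGATIVES = [[0.0, 1.0, 0.0], [0.0, 0.0, 1.0], [-1.0, 0.0, 0.0]]


def compare():
    """Return (loss with an aligned positive, loss with a misaligned positive)."""
    return (info_nce(ANCHOR, GOOD_POSITIVE, NEGATIVES),
            info_nce(ANCHOR, BAD_POSITIVE, NEGATIVES))


if __name__ == "__main__":
    good, bad = compare()
    print(f"loss with aligned positive:    {good:.4f}")
    print(f"loss with misaligned positive: {bad:.4f}")
```

In a real pipeline the positives are produced by augmenting the same raw sample twice (two crops of one image, an image and its caption), and the loss is summed over a whole batch so every other sample in the batch serves as a negative; the gradient of this loss is what moves the encoder.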

The dilemma

Foundation models enable fast and high-quality information retrieval through vector databases, which offer remarkably efficient storage and retrieval of data. While this form of information retrieval provides significant societal benefits, it also raises critical concerns, particularly regarding data security. A single vector, or a collection of vectors, can potentially be exploited to infer sensitive details such as an individual’s location, health status, personal relationships, or economic information.

This pressing challenge lies at the forefront of current AI research: is it possible to obfuscate sensitive data embedded within representation vectors while preserving their utility for legitimate applications? Extending the analogy, can we vaccinate representation vectors against privacy risks while minimizing the loss of their representational power and functionality?

Information theory and compression

To achieve an optimal balance between ensuring security and preserving utility, it is crucial to mathematically formulate these two contrasting concepts, enabling the AI model to learn the optimal representations. Within the field of information theory, this challenge is addressed through a mathematically rigorous framework known as the information bottleneck.

This framework can be understood as a process of funneling raw data through a bottleneck to distill its most essential semantic information into a compressed representation space. When processing high-dimensional raw data, models employ this approach to retain only the information most relevant for downstream tasks. Typically, the system is divided into two components: an encoder, which compresses the raw data into a succinct representation, and a decoder, which retrieves the necessary information for downstream tasks. The term “bottleneck” highlights the constrained dimensionality of the encoded data, defining the representation space where these effective vector representations reside.
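As an added worked statement of the bottleneck just described (this is the standard formulation due to Tishby, Pereira and Bialek, not a formula taken from the article): let $X$ be the raw input, $Z$ the compressed representation produced by the encoder $p(z \mid x)$, and $Y$ the downstream target, so that $Y \to X \to Z$ forms a Markov chain. The encoder is chosen to solve

$$
\min_{p(z \mid x)} \; I(X;Z) \;-\; \beta\, I(Z;Y), \qquad \beta > 0,
$$

where $I(\cdot\,;\cdot)$ denotes mutual information. The first term is the bottleneck proper: it penalises every bit of $X$ that survives in $Z$. The second term rewards the bits that predict $Y$; by the data-processing inequality $I(Z;Y) \le I(X;Y)$, so the representation can never know more about the task than the raw data did. The multiplier $\beta$ sets the exchange rate between the two: as $\beta \to 0$ everything is compressed away, as $\beta \to \infty$ the representation keeps all task-relevant structure. Read against this article's dilemma, driving $I(X;Z)$ down is the security objective and holding $I(Z;Y)$ up is the utility objective, which is why the framework fits the vaccination setting.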

Adversarial attacks

One particularly fruitful area of AI research has focused on developing methods to both create and defend against adversarial attacks: small, deliberately crafted perturbations that cause a model to misclassify its input. The art of designing such attacks lies in finding the minimal perturbation of the input that remains imperceptible to a human observer while reliably deceiving the model. Understanding how these attacks work has in turn driven defences, such as training on adversarial examples, that make models more robust, paving the way for more secure and accurate AI systems in everyday practical applications.
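To make the "minimal perturbation" point concrete, here is an added example that is not from the article or its authors: the fast gradient sign method (FGSM) applied to a hand-built logistic-regression classifier in pure Python. The weights `W`, bias `B` and input `X_CLEAN` are constructed for illustration. Because the model is linear, the smallest L-infinity perturbation that reaches the decision boundary has a closed form, so the example can show that a step just below that size leaves the prediction unchanged while a step just above it flips the class.

```python
# Added example (not from the article): the fast gradient sign method (FGSM)
# against a hand-built logistic-regression classifier, in pure Python.
# The weights and the input below are constructed for illustration.
import math

# Constructed model: logit = W . x + B, class 1 if sigmoid(logit) > 0.5
W = [1.5, -2.0, 0.8, 0.3, -1.1]
B = 0.05


def logit(x):
    return sum(wi * xi for wi, xi in zip(W, x)) + B


def predict(x):
    return 1 if logit(x) > 0 else 0


def grad_loss_wrt_input(x, y):
    """Gradient of the cross-entropy loss with respect to the input, for label y.

    For logistic regression this is (sigmoid(logit) - y) * W.
    """
    p = 1.0 / (1.0 + math.exp(-logit(x)))
    return [(p - y) * wi for wi in W]


def fgsm(x, y, eps):
    """One FGSM step: move every coordinate by eps in the direction that
    increases the loss for the true label y. The L_inf norm of the change is eps."""
    g = grad_loss_wrt_input(x, y)
    return [xi + eps * (1 if gi > 0 else -1 if gi < 0 else 0)
            for xi, gi in zip(x, g)]


def min_flip_eps(x):
    """For a linear model the smallest L_inf perturbation that reaches the
    decision boundary is |logit(x)| / ||W||_1 (Hoelder's inequality)."""
    return abs(logit(x)) / sum(abs(wi) for wi in W)


def linf(a, b):
    return max(abs(ai - bi) for ai, bi in zip(a, b))


# Constructed input that the model classifies as class 1 (logit = 1.47).
X_CLEAN = [0.9, 0.1, 0.4, 0.2, 0.1]


def attack(eps):
    """Return (clean prediction, adversarial prediction, L_inf distance moved)."""
    y = predict(X_CLEAN)
    x_adv = fgsm(X_CLEAN, y, eps)
    return y, predict(x_adv), linf(X_CLEAN, x_adv)


if __name__ == "__main__":
    print("smallest flipping eps:", round(min_flip_eps(X_CLEAN), 4))
    for eps in (0.25, 0.26, 0.5):
        print(eps, attack(eps))
```

For a deep network the input gradient comes from backpropagation and the step is usually iterated (projected gradient descent) because a single step is no longer exact; the linear case above is the one where one FGSM step with `eps` just above `min_flip_eps` is provably sufficient. The same closed form also tells a defender how far from the boundary a sample must sit to survive an L-infinity budget of a given size.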

By turning the principles underlying adversarial attacks to a constructive purpose, the problem can be reposed as a way to mitigate privacy concerns in vectors extracted from foundation models. Our research focuses on the discovery of representational vaccines, where a representation vector is vaccinated by adding a carefully crafted vaccine vector. Within this framework, the highest level of security is achieved when the data becomes completely unidentifiable, for instance by replacing it with strong, unstructured, noise-like representations. However, this inherently destroys utility, as the resulting vectors lose all representational power. Conversely, the highest utility is achieved when the vaccine vector is weak, but this compromises security, as insufficient protection leaves the data vulnerable to unauthorized use.

The challenge of designing data vaccines parallels the task of creating adversarial attacks but operates in a different domain. While attacks manipulate raw data, vaccines act within the latent representation space. Our research applies the trade-off between utility and security to establish principles that enable models to learn representations that optimally balance these competing objectives. Leveraging the information bottleneck framework, we systematically process representations to eliminate information outside the scope of the model's intended use, thereby aligning security and utility in a structured and principled manner.

VACCINE

Our proposed method—appropriately named VACCINE (Visually Alike, Covertly Contaminated, Information-theoretic Neural Embeddings)—is designed to mitigate risks associated with the unauthorized exploitation of data in AI systems. Specifically, our approach focuses on learning secure representations that cannot be utilized for unauthorized tasks. These representations are designed such that, even if exposed, they cannot be easily repurposed for illegitimate or unauthorized uses. Importantly, these learned representations retain the functional utility of the data, ensuring its continued applicability for legitimate purposes. Consequently, achieving an optimal balance between ensuring security and preserving utility is a critical challenge that ultimately determines the success of data vaccinations.

The development of representational data vaccines is grounded in the information bottleneck framework. Within this framework, our proposed VACCINE learns the vaccine representation to ensure that vaccinated data retains sufficient information for task-specific functionality in authorized systems. Conversely, for unauthorized systems that attempt to exploit the underlying data structure, the vaccine representation is tailored to obscure exploitable information while preserving only the minimal structural information of the original data within the vaccinated data space.

This is achieved by learning a representation that minimizes the mutual information between the vaccinated data and the original data for security, under the condition that functional utility is preserved. We conducted experiments on image reconstruction tasks to evaluate functionality. The reconstructions of both the vaccinated data and the original data appear visually alike; however, their structural information differs significantly. For instance, the closest data sample to a given instance in the original data may no longer be the closest in the vaccinated data.
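As an added toy experiment (not the VACCINE method itself, which the article does not give in code): a pure-Python script that makes the two quantities above measurable on constructed embeddings. Utility is the accuracy of an authorised linear decoder that only needs the projection of a vector onto a fixed direction `U`; security is approximated by a re-identification attack in which an adversary holding the original vectors links each vaccinated vector to its nearest original, the nearest-neighbour change the paragraph describes. Two vaccines are compared: unstructured noise added to every coordinate (the strong-noise end of the trade-off) and a bottleneck-style vaccine that leaves the task component alone and replaces only the task-irrelevant remainder. The embeddings, the direction `U`, the attacker and the strengths are all assumptions of the example.

```python
# Added example (not the article's VACCINE method): a toy latent-space
# "vaccine" in pure Python that makes the security/utility trade-off
# measurable. Embeddings, the task direction and the attacker are all
# constructed here for illustration.
import math
import random

D, N = 8, 50                            # embedding dimension, number of records
U = [1.0] + [0.0] * (D - 1)             # the authorised task only needs z . U


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def make_embeddings(seed=7):
    rng = random.Random(seed)
    return [[rng.gauss(0.0, 1.0) for _ in range(D)] for _ in range(N)]


def task_labels(zs):
    """Ground truth for the authorised task: sign of the projection on U."""
    return [1 if dot(z, U) > 0 else 0 for z in zs]


def vaccinate_isotropic(zs, strength, seed=11):
    """Naive vaccine: add unstructured noise to every coordinate (hurts the task too)."""
    rng = random.Random(seed)
    return [[zi + strength * rng.gauss(0.0, 1.0) for zi in z] for z in zs]


def vaccinate_structured(zs, strength, seed=11):
    """Bottleneck-style vaccine: keep the task component z . U untouched and
    blend the task-irrelevant remainder towards noise. strength in [0, 1]."""
    rng = random.Random(seed)
    out = []
    for z in zs:
        a = dot(z, U)
        rest = [zi - a * ui for zi, ui in zip(z, U)]            # part orthogonal to U
        noise = [rng.gauss(0.0, 1.0) for _ in range(D)]
        noise = [ni - dot(noise, U) * ui for ni, ui in zip(noise, U)]
        out.append([a * ui + (1 - strength) * ri + strength * ni
                    for ui, ri, ni in zip(U, rest, noise)])
    return out


def task_accuracy(vaccinated, labels):
    """Utility: does the authorised linear decoder still get the label right?"""
    pred = task_labels(vaccinated)
    return sum(p == y for p, y in zip(pred, labels)) / len(labels)


def reidentification_rate(vaccinated, originals):
    """Security proxy: an attacker holding the original table links each
    vaccinated vector to its nearest original. How often is that its source?"""
    hits = 0
    for i, v in enumerate(vaccinated):
        j = min(range(len(originals)), key=lambda k: math.dist(v, originals[k]))
        hits += (j == i)
    return hits / len(vaccinated)


def evaluate(strength_iso=3.0, strength_struct=1.0):
    """Return {name: (task accuracy, re-identification rate)} for each variant."""
    zs = make_embeddings()
    y = task_labels(zs)
    iso = vaccinate_isotropic(zs, strength_iso)
    struct = vaccinate_structured(zs, strength_struct)
    return {
        "original": (task_accuracy(zs, y), reidentification_rate(zs, zs)),
        "isotropic": (task_accuracy(iso, y), reidentification_rate(iso, zs)),
        "structured": (task_accuracy(struct, y), reidentification_rate(struct, zs)),
    }


if __name__ == "__main__":
    for name, (acc, leak) in evaluate().items():
        print(f"{name:10s} task accuracy={acc:.2f}  re-identified={leak:.2f}")
```

The structured variant keeps task accuracy at 100% while the nearest original is no longer the source for most records, which is the behaviour the paragraph describes; the isotropic variant buys a similar loss of linkability at the price of the task, since the noise also lands on the coordinate the decoder needs. Mutual information itself is not estimated here; the nearest-neighbour hit rate stands in as a cheap empirical proxy for how much of the original remains recoverable, and a real evaluation would pair it with a trained inversion or membership attack.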


Implications for legal practice and regulation

Our research focuses on improving the alignment of technological innovation with regulatory compliance, while retaining the practical utility of AI models for the benefit of society as a whole. Work on representational vaccines offers a promising approach to embedding secure representations within data processing pipelines, providing a proactive solution to the unauthorized exploitation of sensitive data.

The principles and techniques described in our research aim to align data-driven AI systems with evolving legal standards and regulatory requirements. By safeguarding sensitive information at a fundamental representational level, methods like VACCINE offer jurists and policymakers valuable tools to translate legal mandates surrounding data minimization, privacy, and compliance into practical technical measures.

Nevertheless, the adoption of these technologies raises important questions about legal accountability, ownership of modified data, and the ethical boundaries of data obfuscation. As foundational AI models are integrated into critical infrastructure, the responsibility for ensuring secure and ethical AI systems will increasingly intersect with privacy laws in complex and unforeseen ways. For legal practitioners, understanding the trade-offs between security and utility in modern large-scale data acquisition and curation is becoming ever more essential. A detailed knowledge of how these pipelines are constructed can help inform future discussions on liability, compliance, and the creation of legal frameworks that accommodate the evolving landscape of AI technologies.

Changkyu Choi
Marius Aasan