search_ads_recsys / 39 · Privacy and compliance lesson 39 / 39

Privacy, compliance, and privacy computing - useful, lawful, and measurable

The book's privacy material is not just a list of techniques. This lesson linearizes how recommender systems can keep personalization useful while respecting data minimization, consent, localization, deletion, anonymization limits, federated learning, differential privacy, secure computation, and the privacy-effectiveness trade-off.

Book anchors
Based on 1.6.5 federated learning in recommendation, 18.2-18.7 federated recommendation and privacy protection, 21.1-21.7 data privacy, desensitization, differential privacy, compliance, privacy-effectiveness trade-offs, and privacy computing, plus 22.9.7 federated learning advantages and limitations.

1 · Start with the legal and product question

Privacy engineering does not start with encryption. It starts with purpose: what data is needed, why it is needed, whether the user knows, how long it is retained, where it is processed, and whether the same recommendation value can be achieved with less sensitive data.

QuestionRecommender-system interpretation
Purpose limitationUse watch history for personalization only if that purpose is declared and justified.
Data minimizationPrefer coarse region over precise location if coarse region is enough.
Consent and transparencyUsers should understand personalization and meaningful data uses.
RetentionRaw logs should expire or aggregate; old behavior should not live forever by default.
DeletionDeletion must affect raw logs, feature stores, embeddings, training exclusions, and backfills where required.
Cross-border transferData localization, contracts, transfer assessments, and audit trails may shape architecture.

The book repeatedly mentions GDPR, China's Data Security Law, and Personal Information Protection Law. The interview-level point is not to recite statutes; it is to show that compliance changes system boundaries.

2 · Map data sensitivity before choosing technology

DataRecommendation valuePrivacy riskSafer alternative
Watch historySequence modeling and interest profileSensitive interests and re-identificationShort retention, local summary, coarse topics, federated training
LocationLanguage, regional content, legal regionPrecise trackingCoarse region, user-declared locale
Device fingerprintFraud detection and cold startPersistent trackingRotating pseudonymous ID and strict anti-fraud purpose
Social graphCreator/friend recommendationsThird-party privacyExplicit consent, limited graph features
EmbeddingsCompact user/item representationMay encode sensitive behaviorAccess control, DP training, deletion/retraining policy

A user embedding is not automatically anonymous. If it is derived from identifiable behavior and linked over time, it can remain personal data in practice.

3 · Desensitization is not anonymity

The book separates desensitization, anonymization, k-anonymity, differential privacy, and privacy computing. Treat them as a ladder, not synonyms.

TechniqueWhat it doesLimitation
PseudonymizationReplaces direct identifiers with stable tokensStill linkable across events
HashingHides raw ID stringDictionary attacks and linkability remain
GeneralizationCoarsens age, time, or locationLoses utility and may still be unique in combination
k-anonymity / l-diversityPrevents small identifiable groupsWeak against auxiliary data in high-dimensional logs
Differential privacyBounds single-user contribution through noisePrivacy budget and accuracy trade-off
Behavior logs are high-dimensional
Removing names does not remove identity. Unique sequences of videos, timestamps, regions, devices, and interactions can re-identify users when joined with external information.

4 · Federated learning keeps raw data local

The book's federated-learning chapters repeat one core idea: data does not move; model updates move. In recommendation, clients or data holders train locally, then a coordinator aggregates encrypted or protected updates.

client / region / partner local data stays local local model trains on local behavior update is clipped / noised / encrypted │ ▼ secure aggregation service │ ▼ global or personalized model │ ▼ evaluated against utility and privacy metrics
BenefitRecommendation exampleCost
Privacy and complianceRaw watch logs stay on device or in regionHarder debugging and monitoring
Data-silo collaborationShort-video and e-commerce platforms learn shared signalsID alignment and feature heterogeneity
Cold-start transferNew app/region borrows global representationDomain mismatch
On-device personalizationLocal ranker adapts to recent behaviorDevice compute, battery, network constraints

Federated learning is not a complete privacy solution by itself. Updates can leak information through gradients, so the book pairs it with secure aggregation, differential privacy, encryption, and attack monitoring.

Federated typeData splitShort-video fit
Horizontal FLParticipants share feature schema but hold different usersCommon for cross-device or cross-region user behavior training
Vertical FLParticipants share users/items but hold different feature columnsUseful when one party has content features and another has behavior or commerce features
Federated transferDomains differ but share transferable representationsUseful for cold-start regions/apps when raw data cannot be pooled

5 · Handle Non-IID data and multi-objective ranking

Federated recommendation is harder than centralized training because users, regions, devices, and partners have different data distributions. The book names Non-IID as a central challenge.

ProblemStrategyReason
Regions behave differentlyPersonalized federated learning, local heads, FedProx-style constraintsGlobal average may erase local preference
Devices differ in computeClient sampling, asynchronous updates, model compressionMobile participation is unreliable
Objectives conflictFederated multi-task heads for CTR, completion, interactionWatch-time and interaction labels differ by segment
Gradient leakage riskClipping, noise, secure aggregation, attack testingUpdates may reveal behavior
Poisoned client updatesRobust aggregation, anomaly filters, trust scoring, known-good validationMalicious clients can degrade or bias the global model
Communication costQuantization, sparse updates, low-frequency uploadRecommendation models can be large

Robustness is part of privacy computing. A system that protects raw data but accepts poisoned gradients can still harm users. In interviews, name defenses such as update clipping, anomaly detection on client updates, robust aggregation, secure aggregation with auditability, and canary evaluation before model rollout.

6 · Differential privacy gives a measurable privacy knob

The book's DP sections emphasize the epsilon budget and the trade-off with model effect. DP adds noise so the presence or absence of one user's data has bounded impact on the output.

Where to use DPExampleTrade-off
AnalyticsNoised category CTR or aggregate watch-time reportingLess accurate small segments
Feature engineeringDP-protected group profilesLong-tail signal weakens
Model trainingDP-SGD with gradient clipping and noiseAUC/watch-time prediction may fall
Federated learningClient-side or server-side DP on updatesPrivacy budget management and convergence cost

Do not say "add DP" without saying what epsilon, what data, what threat, and what utility loss are acceptable. The book's framing is a privacy-effect Pareto problem, not a binary switch.

7 · Match privacy computing to the threat model

TechnologyProtects againstGood fitCost
Federated learningRaw data leaving device/region/partnerCross-device or cross-region trainingCommunication, Non-IID, debugging
Differential privacySingle-user contribution inferenceAnalytics, gradients, aggregatesNoise and utility loss
Secure aggregation / MPCServer or parties seeing individual updatesFederated updates, cross-party statisticsProtocol complexity and latency
Homomorphic encryptionComputation over encrypted valuesSmall high-value encrypted joins or scoresLarge compute overhead
TEEHost/operator access to plaintext during computeSensitive joins or controlled inferenceHardware trust and side-channel concerns
On-device inferenceSending raw behavior to serverFast local personalizationModel size and update management

The interview move is to pick the simplest technology that matches the actual risk. Encryption does not fix excessive collection. Federated learning does not fix unauthorized use. DP does not fix a missing deletion path.

8 · Evaluate privacy and utility together

The book repeatedly asks how to balance privacy protection and recommendation effect. Treat privacy changes as product and model changes with their own experiment plan.

  1. Define protected data. Watch history, location, social graph, device ID, embeddings, or gradients?
  2. Define threat model. Curious server, cross-party leakage, membership inference, re-identification, model inversion?
  3. Choose mechanism. Minimization, local summary, DP, FL, MPC, HE, TEE, or on-device inference.
  4. Measure utility. AUC/GAUC, NDCG, calibration, per-user watch time, retention, cold-start lift.
  5. Measure privacy. Epsilon, attack success rate, re-identification risk, access logs, deletion coverage.
  6. Ship with guardrails. Decide acceptable utility loss for risk reduction; monitor segments and long-tail impact.

Mini-scenario: replacing raw watch-history training with federated learning plus DP may reduce offline AUC by 1%, improve privacy-risk scores, increase communication cost, and affect new users more than mature users. The decision is not "privacy won" or "model lost"; it is a Pareto read across utility, privacy, cost, and segment fairness.

9 · Compliance changes data lifecycle

RequirementSystem implication
Minimum necessary principleFeature review asks whether a less granular feature can achieve similar lift.
User deletionDelete or exclude raw logs, feature rows, embeddings, training datasets, and future backfills where required.
Consent changesFeature generation and model serving must be consent-aware.
Data localizationRegional training, federated aggregation, or local serving may be required.
AuditabilityMaintain lineage from raw event to feature to model to decision.
Model memorizationTest membership inference, rare-pattern leakage, and sensitive-feature reconstruction.

10 · Local DP - protect the data before it leaves the device

Sections 6 and 7 use differential privacy on gradients and aggregates - that is central DP: a trusted server collects raw data and noises the answer. But the engineering question for a recommender is collection: the raw click belongs to the user and the server is exactly the party we may not want to trust. Local DP (LDP) moves the trust boundary to the client - the device perturbs each value before upload, so the raw signal never exists off-device. The mechanics of ε (sensitivity Δf, Laplace/Gaussian scale, composition) are derived in lesson 22; here we cover the collection-side mechanisms that 22 does not.

StageCentral DP (server-side)Local DP (client-side)
Who sees raw dataTrusted serverNobody - perturbed on device
Where noise is addedAggregate / gradientEach raw value before upload
Noise needed for same εLower (one query)Higher (per record), so debiasing matters
Recsys useCategory CTR reporting, DP-SGDBehavior collection, interest-tag upload

Randomized response - worked debiasing

For a categorical or boolean signal (did the user watch a health video? did they like?) the classic LDP primitive is randomized response: the device reports the truth with probability p and flips with probability 1 − p. A single report is plausibly deniable, but the aggregate is still estimable - you just have to undo the flip. The flip probability sets ε via p / (1 − p) = eε (binary case); see lesson 22 for the ε derivation.

Let the observed "yes" rate over n reports be and the true rate be π. Each report is "yes" either because it was truly yes and kept (πp) or truly no and flipped ((1 − π)(1 − p)):

ŷ = πp + (1 − π)(1 − p)  ⇒  π̂ = (ŷ + p − 1) / (2p − 1)

Worked example. Pick p = 0.75 (so ε = ln(0.75/0.25) ≈ 1.10). Suppose 30% of users truly watched a sensitive category, π = 0.30. The raw observed rate is biased toward 0.5:

ŷ = 0.30(0.75) + 0.70(0.25) = 0.225 + 0.175 = 0.400

Naively reading 40% would over-report by a third. Debiasing recovers the truth:

π̂ = (0.400 + 0.75 − 1) / (2(0.75) − 1) = 0.150 / 0.500 = 0.300  ✓
Cost of locality
Debiasing is unbiased but it inflates variance: rescaling the observed flipped rate by 1/(2p−1) rescales its variance by the square, so Var(π̂) ≈ ŷ(1−ŷ) / (n(2p−1)2). As p → 0.5 (more privacy) the denominator (2p−1)2 → 0 and you need quadratically more users to keep the estimate tight - the concrete face of the privacy-utility trade-off at the collection layer. This is why LDP is used on signals with millions of reports, not long-tail events.

Per-feature ε budgets

One global ε is the wrong knob: a static demographic and a 30-event click sequence are not equally sensitive, and they do not carry equal utility. Spend the budget per feature, by sensitivity:

FeatureεReasoning
Gender / age bucket0.1 (strong)Highly identifying, low marginal lift once coarse
Click / watch sequence1.5 (weaker)Core ranking signal; over-noising kills personalization
Coarse region0.5Sensitive but needed for locale routing

A useful refinement the book repeats: scale noise inversely to user activity - heavy users already emit many reports, so the same ε per report buys them a tighter aggregate; sparse users get more protection per event. The total spend is then tracked by a budget ledger (Section 12).

Exponential mechanism on Top-K recall

Randomized response and Laplace noise assume a numeric or boolean output. The recall layer instead emits a discrete selection - which K items to surface. The right primitive is the Exponential mechanism: sample item v with probability ∝ exp(ε · s(v) / 2Δs), where s(v) is a utility score. A practical scoring blend is

s(v) = η · CTR(v) + (1 − η) · noise,   η = 0.8

so high-CTR items still dominate the Top-K but the exact ranking is randomized enough that the list does not deterministically reveal the user's strongest interests. This also blunts the sequence-inference attack (reconstructing history by reverse-inferring from the recommendation list) - the same attack the book pairs with a max-entropy regularizer; see lesson 22 for the membership-inference family. Note the tension with transparency: a user-facing reason (lesson 21) that names the exact triggering video re-exposes the very history this mechanism is hiding, so explanation templates should cite coarse interest tags, not raw items.

On-device pre-aggregation

The cheapest privacy is to never upload the raw event at all. Before any DP noise, the device can summarize:

TechniqueWhat leaves the deviceWhy it helps
Top-K interest tags"pets, cooking, fitness" not the 400 video IDsCollapses a unique sequence into a coarse, shared vocabulary
Thousand-user bucketingA group ID; features updated per bucket, not per userAny upload is shared by ≈1000 users - k-anonymity by construction
Bloom-filter encodingA fixed-width bit array of the history setMembership is queryable; exact items are not recoverable

Pre-aggregation and LDP compose: bucket on device, then add randomized-response noise to the bucket-level counts. The trust boundary stays at the device, and the server only ever sees coarse, noised, debiasable statistics. This is also the collection layer that feeds federated training - the device noises and summarizes before any update is computed, so client-side DP and on-device pre-aggregation are the first line of defense even when raw gradients never leave.

Randomized-response debiaser
Set the flip probability (privacy) and the true rate, then read the biased observed rate and the debiased estimate. Watch the variance blow up as p → 0.5.
ε (binary)
1.10
observed ŷ (biased)
0.400
debiased π̂
0.300
std err (±)
0.001

11 · Desensitization that preserves utility - and how to prove it

Section 3 listed the desensitization ladder (pseudonymization → hashing → generalization → k-anonymity → DP) and warned that removing names does not remove identity. The missing engineering is the recsys-specific question: how do you mask IDs without destroying the structure the model relies on, and how do you prove the masked data is still usable?

Similarity-preserving masking and rare-ID handling

TechniqueMechanismWhy naive masking fails without it
LSH for IDsLocality-sensitive hashing maps similar users to nearby buckets, so the hash preserves the neighbor structureSHA-256 of a user ID is uniform - it destroys all similarity, so collaborative signal (similar users → similar recs) is lost
Rare-ID clusteringMerge singleton / long-tail item IDs into a parent class (e.g. plays < 100 → "other")A video watched by one user is a unique fingerprint; left alone it re-identifies that user even after the user ID is hashed
GAN synthesisTrain a generator on the real distribution, then share synthetic rows / face-removed thumbnails for external researchAny real row is linkable; synthetic rows keep the distribution but cut the link to a real person

The engineering line: hashing for anonymity and hashing for utility pull in opposite directions. A cryptographic hash maximizes unlinkability and minimizes usefulness; LSH deliberately keeps collisions among similar users so clustering survives - which means LSH alone is not anonymization (similar users still cluster, by design) and must be paired with DP or access control on the sensitive features.

Validate utility with a divergence check - worked

Desensitization is only safe to ship if the masked distribution still matches the original. The book's rule of thumb: compare pre/post distributions with KL or JS divergence and require statistical deviation < 5%. Worked example on a 3-category interest distribution before and after generalization:

CategoryP (original)Q (desensitized)
pets0.500.46
cooking0.300.32
fitness0.200.22

Jensen-Shannon is the symmetric, bounded choice. With M = (P + Q)/2 and JS = ½KL(P‖M) + ½KL(Q‖M), using log base 2 so JS ∈ [0, 1]:

M = (0.48, 0.31, 0.21) KL(P‖M) = 0.50·log₂(0.50/0.48) + 0.30·log₂(0.30/0.31) + 0.20·log₂(0.20/0.21) ≈ 0.00118 KL(Q‖M) ≈ 0.00118  ⇒  JS ≈ 0.00118,   √JS ≈ 0.0343 = 3.4%

The JS distance (3.6%) is under the 5% gate, so this generalization ships. Had we collapsed pets and cooking into one bucket, P and Q would diverge past the line and the check would block it - a concrete, automatable guardrail rather than "it looks fine." Pair the distribution check with an A/B read on AUC/GAUC, because a small global divergence can still hide a large long-tail hit.

12 · Put concrete numbers on the privacy-utility bill

"Add privacy" is not a plan until the cost is quantified. The recurring numbers from the book, assembled so a design review can price the trade-off (the ε mechanics behind these live in lesson 22):

MechanismUtility / cost hitEngineering consequence
DP-SGD trainingConvergence 20-40% slower; AUC down ~1-3% at ε ≤ 2 (DeepFM 3-5% in worse cases)Budget extra GPU-hours per training run; long-tail users lose the most
ε = 0.1 on a feature~2% AUC drop, recoverable to ~0.5% with feature compensation (context features)Strong per-feature privacy is shippable if you add back signal elsewhere
Crypto serving path (FL + HE/MPC)Latency 50ms → 200ms (4×)Reserve the encrypted path for high-value joins; keep GPU HE inference < 50ms target
Homomorphic encryption~1000× ciphertext blow-up, ~100× computeOffline feature engineering or small encrypted scores only - not the full ranker

The ε ledger - privacy is a spent budget, not a setting

ε is consumed every time a user's data touches a noised computation, and composition theorems add it up. So privacy is accounted like a budget that depletes: set a per-day cap and a per-month ceiling, and stop (or fall back to non-personalized serving) when the user's ledger is exhausted.

per-user privacy ledger ┌───────────────────────────────────────────────┐ │ ε_daily = 0.10 (cap per day) │ │ ε_total < 1.00 (ceiling per month) │ │ │ │ day 1: collection 0.04 + analytics 0.03 = 0.07 │ │ day 2: 0.05 → cumulative 0.12 ... │ │ advanced composition keeps Σ sub-linear │ │ month sum must stay < 1.00 → else throttle │ └───────────────────────────────────────────────┘

Advanced (or Renyi) composition is what makes this viable: naive composition would sum ε linearly and blow the monthly ceiling in days, whereas advanced (Rényi) composition grows the cumulative bound sub-linearly — asymptotically like √k for k queries, though the bound carries a √(2 ln 1/δ) constant so the real savings show up at the thousands-of-steps scale, not after a handful of reads — letting a real system run many noised reads under a fixed budget. The ledger is the operational artifact that turns "we use DP" into an auditable, enforceable claim.

Interview prompts you should be ready for

  1. "How do you personalize while collecting less data?" Minimize raw data, use coarse/local summaries, shorten retention, move training/inference on-device or federated when justified, and measure utility loss.
  2. "Is hashing user IDs enough?" No. Stable behavior logs remain linkable and re-identifiable; you still need purpose, access control, retention, aggregation, and stronger mechanisms where needed.
  3. "How would you use federated learning for recommendation?" Local training, clipped/noised/encrypted updates, secure aggregation, global/personalized model, Non-IID handling, communication compression, and A/B evaluation.
  4. "How do you choose between FL, DP, MPC, HE, and TEE?" Name the threat model first, then select the lowest-cost mechanism that protects against that threat while preserving utility.
  5. "How do you handle deletion requests?" Trace raw logs, online/offline features, embeddings, training snapshots, derived datasets, and future backfills; maintain auditability.
  6. "Local vs central DP - which would you use to collect click data, and what's the catch?" Local DP if the server is the untrusted party: perturb on device (randomized response) so raw data never leaves. The catch is variance - debiasing is unbiased but the estimator's variance scales like 1/(n(2p−1)²), so LDP only works on high-volume signals; sparse/long-tail events stay central or get pre-aggregated (Top-K tags, thousand-user buckets, Bloom filters) first.
  7. "You hashed every user ID with salted SHA-256 - is the data now both anonymous and still useful for collaborative filtering?" No, those goals conflict. A crypto hash destroys similarity, so neighbor-based signal is gone; LSH preserves it but is therefore not anonymization. And rare item IDs re-identify users even after the user ID is hashed, so you also cluster long-tail IDs. Prove utility survived with a KL/JS divergence < 5% check plus an A/B on AUC, not by eyeballing.
Takeaway
The book's privacy-computing material becomes one engineering principle: collect less, protect what remains, measure privacy and utility together, and make compliance part of the data/model lifecycle rather than a patch after the ranker is built.