CS 442: Trustworthy Machine Learning

Lecture 1: Overview and Introduction

Han Zhao
01/21/2025
 Brief Bio
• Name: Han Zhao
• Current position: Assistant Professor @ CS
• Research Interests: Machine Learning
- Domain adaptation / generalization
- Multitask learning / Multi-objective Optimization
- Algorithmic fairness
- Probabilistic circuits (e.g., arithmetic circuits, sum-product
networks)

Adaptation

Target images without labels

Source images with labels 2

Logistics
• Course website: https://canvas.illinois.edu/courses/54775

3
Logistics
• Discussion forum:
• Piazza, UIUC, CS 442, signup code: s25-cs442
• Registration link: https://piazza.com/illinois/spring2025/cs442

4
Logistics
• Homework submission: Gradescope
• Link: https://www.gradescope.com/courses/957044
• Entry code: 4JN4GR

5
Logistics
My O ce Hour:
• Tue 3:30pm - 4:30pm (right after the class)
• Email: [email protected]
• My o ce: 3320 Siebel Center

6
ffi
ffi
 Logistics
Teaching Assistant: Weixin Chen
• Email: [email protected]
• O ce Hour: F 4pm - 5pm
• Location: Lounge in front of 3102 Siebel Center

7
ffi
Course Topics
What is trustworthy ML and why should we care?
Accuracy on the training distribution is not enough!

8
Course Topics
What is trustworthy ML and why should we care?
Accuracy on the training distribution is not enough!
Aiming to build ML systems that are:
- Fair
- Generalizable
- Interpretable / Explainable
- Robust
- Privacy-preserving

9
 Course Topics

Five parts:
- Basic Machine Learning
- Algorithmic Fairness
- Robustness
- Privacy
- Generalization under distribution shift
10
Course Topics
A brief introduction to supervised learning models
- Linear models:
- Classi cation: logistic regression
- Regression: linear / ridge regression
- Nonlinear models:
- Feed-forward neural networks
- Convolutional neural networks

11
fi
 Course Topics
Algorithmic Fairness
- De nitions of group and individual fairness
- Tensions between di erent fairness de nitions
- Tradeo s between fairness and accuracy
- Classi cation
- Regression
- Methods to achieve fairness in supervised learning
- Learning fair representations

12
fi
fi
ff
ff
fi
Course Topics
Generalization
- Domain generalization
- distribution shift, domain adaptation /generalization
- distributional robust optimization

13
Course Topics
Robustness
- Adversarial robustness
- adversarial examples, empirical defense techniques
- certi ed robustness

14
fi
 Course Topics
Privacy-Preserving
- Di erential Privacy
- De nition
- Laplacian mechanism / Gaussian mechanism
- Membership inference attacks
- Inferential Privacy
- Information obfuscation, information bottleneck, privacy funnel
- Attribute inference attacks

15
ff
fi
Course Overview
Mostly focus on the theory and algorithms of these topics.

Prerequisites:

- Probability and statistics

- Linear algebra
- Mathematical analysis
- Comfortable with programming in Python (Numpy, TensorFlow,
PyTorch, etc)

Note: course will be self-contained so no prior background on ML is OK

16
Course Overview
Lecture-based course:
- 4 Homework (Homework 0 does not count towards nal grade)
- Section TMG: one nal project (due May 7th)
- One nal exam

17
fi
fi
fi
Course Overview
(TMG) Project
- Must be nished individually
- Either a literature review or original review on a topic related to this
course
- Three components:
- Proposal (due Feb. 15th, 20%): 2 pages, brie y describing the
type and goal of this project.
- Oral/Poster Presentation (date TBD, 40%): in-person
presentation
- Final report (due May 7th, 40%): ~8 pages
Format: pdf in NeurIPS LaTeX template (https://neurips.cc/Conferences/2021/PaperInformation/
StyleFiles)
Note: The score for the course project will be normalized towards 30% of your nal grade

18
fi
fl
fi
Course Overview
Homework today:
- Sign up for Piazza, Gradescope and Canvas
- Take a look of the course syllabus on Canvas
- Homework 0

Questions?

19
Introduction
The success of large-scaled supervised learning in
computer vision:

ImageNet: ~1M images, ~1K classes [Deng et al. 09]

20
Introduction
The success of large-scaled supervised learning in
natural language understanding:

35 45

Machine Translation, ~3M parallel sentences [Cho et al. 2014; Devlin et al. 2014]

21
Introduction
But is it enough?
Models could be accurate at the cost of a minority group

22
Introduction
A real-world example: recidivism prediction

COMPAS (Northpointe):
Recidivism risk assessment
tool used in a county in
Florida

Figure credit: ProPublica, Larson et al., 2016

23
 Introduction
A real-world example: recidivism prediction
COMPAS (high level):
0 1
prior arrests
B prior sentences C
B C
B age C
B C
B drug history C

=
<latexit sha1_base64="DtnBsMFJKt0GW8M0Mud6iLS7M5Q=">AAAETnicfZPNbhMxEMfdboEQvlo4clkRVeIUJQWpXCJVLZXCrQ1NWymJKq93NrHij63tbbKx9gm4wntx5UW4IfCmQUkcwUgrjeb3nxl71hOljGrTaPzY2g52Hjx8VHlcffL02fMXu3svL7XMFIEukUyq6whrYFRA11DD4DpVgHnE4Coan5T86g6UplJcmDyFAcdDQRNKsHGh89bNbq1Rb8wt3HSaC6eGFnZ2sxcc9mNJMg7CEIa17jUbqRlYrAwlDIpqP9OQYjLGQ+g5V2AOemDnJy3CfReJw0Qq9wkTzqOrGRZzrXMeOSXHZqR9Vgb/xcyIF36s7KKLcG5rzImNlEyvZ5R1N8O9zCQfBpaKNDMgyP0tkoyFRoblTMOYKiCG5c7BRFE3iJCMsMLEuMlX90O/RYpnsqiuteB4DEpK7iaFBQHmDiBgQiTnWMS2T0Vc2H6ZG0X2U+HRCdDhyPwVJHbiC6bTJZz6MM+XMPfhbLaEs42+k//01KlYUIKZ/byJjQJYUVz4inZ7hbZ9Ckq5B2X7d1hBqimTwhPEbnlWCnz0C8SQwG1ZgJQv2T1E0fJb3DpNYVsrEk9xOk2Xv+XU79DpLGGnKNyqNf3F2nQuD+rNd/WD8/e1o+PF0lXQa/QGvUVNdIiOUBudoS4iCNAX9BV9C74HP4Nfwe976fbWIucVWrOdyh/3CoRU</latexit>
B
B
B
B
race

Beducation historyC
C
C
C
Bage at first arrestC
C
COMPAS
B C
Defendant @ vocation history A
gender
<latexit sha1_base64="/Nqzz8mjoLYeKQvmI2jBWmr3N8A=">AAAFNnicfZPNbhMxEMc3bYASvlI4crGoKnGqklKpXCpVQKVwQCqlX1I2irze2cSK197a3iabZd+LV+HCDfXKIzCbBrJxKD6N5/efGdszDhLBjW21vtfW1uv37j/YeNh49PjJ02fNzefnRqWawRlTQunLgBoQXMKZ5VbAZaKBxoGAi2D0vuQX16ANV/LUZgn0YjqQPOKMWnT1mzd+AAMu8ySmVvNJ0fAtTGyeaK40oVqDsaYgvr/kNyAtSAZVQgdQ2YU6HZAhHl/prOLWlMFyDKGWRFwbOy9WoRCmt6f8R6JrdScagAxBF6Tho/H3Xv3mVmunNVtk1WjPjS1vvo77m+v7fqhYGuNdmaDGdNutxPZyqi1nAvChUgMJZSO8RBdNSWMwvXzWkYJsoyckEb5VpKQlM281IqexMVkcoBIPODQuK513MTuMC9dXVsFuzNYSQ7FVSpjliDLvqrub2uhtL+cyScv23t4iSgWxipSzQ0KugVmRoUGZ5vgQhA0pNtXihDW2iVsioVNVNJZKxHQEWqkYX4riBAk8gIQxU3FMsVs+l2GR+2VsEOQfC4eOgQ+G9o8gyseuYDJZwIkLs2wBMxdOpws4Xak7/k9Nk8g5ZVTkX1ax1QAVxamr6HQqtONS0BoHKvevqYbEcKGkIwjxB1QSfHAThBDBVZmAlZOMgygP3BJXqCnyg4rEURxNkkVbjtwKJycLeFKUX63tfqxV43x3p/1mZ/fz3tbhu/mn2/Beeq+8117b2/cOvY537J15rPapZmpfa0X9W/1H/Wf95la6VpvHvPCWVv3XbyzL3oI=</latexit>

Risk score: C(x) 2 (0, 1)

<latexit sha1_base64="4eCQUFiUYhOt+viYVwC517oAuz4=">AAAEWnicfZPfa9swEMfVJtvadD/abW97MQuFFEawu0H3UijrCtlblzVtIQlFls+JiH44ktzEMf479rr9WYP9MZPTjCQK24HhuM/37uSTLkwY1cb3f21tV6qPHj/Z2a3tPX32/MX+wctrLVNFoEMkk+o2xBoYFdAx1DC4TRRgHjK4CUfnJb+5B6WpFFcmS6DP8UDQmBJsbKh/3pge9aho+O+84Ohuv+43/bl5m06wcOpoYZd3B5WTXiRJykEYwrDW3cBPTD/HylDCoKj1Ug0JJiM8gK51Beag+/n81IV3aCORF0tlP2G8eXQ1I8dc64yHVsmxGWqXlcF/MTPkhRsru+jCm9sas2IjJdPrGWXdzXA3NfHHfk5FkhoQ5OEv4pR5RnrlfL2IKiCGZdbBRFE7CI8MscLE2FuoHXpuiwTPZFFba8HxCJSU3E4KCwLMHkDAhEjOsYhye11RkffK3DDMvxQOnQAdDM1fQZxPXMF0uoRTF2bZEmYunM2WcLbRd/KfnjoRC0owy79tYqMAVhRXrqLVWqEtl4JS9kHlvXusINGUSeEIIrtIKwU+uwUiiGFcFiDlS7YPUZy6LcZWU+SnKxJHcTFNltdy4XZot5ewXRR21QJ3sTad6+Nm8L55/PVD/ezTYul20Bv0FjVQgE7QGWqhS9RBBI3Rd/QD/az8rm5Xd6t7D9LtrUXOK7Rm1dd/ADsRhM8=</latexit>

- Risk score ~ likelihood of defendant to recidivate

- Inputs have (noisy) true label: 0 (not recidivate) / 1 (will recidivate)
- The risk score + thresholding: 0 (low risk) / 1 (high risk)
24
 Introduction
ProPublica criticism:

- Black defendants more likely than white to be incorrectly labeled “high risk”
- White defendants more likely than black to be incorrectly labeled “low risk”

Bias: Disparate FPR/FNR across groups!

Source: ProPublica, Larson et al., 2016 25

Introduction
Northpointes’ defense:
Defendants labeled as “high risk” equally likely to recidivate,
regardless of race

COMPAS Risk score: C(x) 2 (0, 1)

<latexit sha1_base64="4eCQUFiUYhOt+viYVwC517oAuz4=">AAAEWnicfZPfa9swEMfVJtvadD/abW97MQuFFEawu0H3UijrCtlblzVtIQlFls+JiH44ktzEMf479rr9WYP9MZPTjCQK24HhuM/37uSTLkwY1cb3f21tV6qPHj/Z2a3tPX32/MX+wctrLVNFoEMkk+o2xBoYFdAx1DC4TRRgHjK4CUfnJb+5B6WpFFcmS6DP8UDQmBJsbKh/3pge9aho+O+84Ohuv+43/bl5m06wcOpoYZd3B5WTXiRJykEYwrDW3cBPTD/HylDCoKj1Ug0JJiM8gK51Beag+/n81IV3aCORF0tlP2G8eXQ1I8dc64yHVsmxGWqXlcF/MTPkhRsru+jCm9sas2IjJdPrGWXdzXA3NfHHfk5FkhoQ5OEv4pR5RnrlfL2IKiCGZdbBRFE7CI8MscLE2FuoHXpuiwTPZFFba8HxCJSU3E4KCwLMHkDAhEjOsYhye11RkffK3DDMvxQOnQAdDM1fQZxPXMF0uoRTF2bZEmYunM2WcLbRd/KfnjoRC0owy79tYqMAVhRXrqLVWqEtl4JS9kHlvXusINGUSeEIIrtIKwU+uwUiiGFcFiDlS7YPUZy6LcZWU+SnKxJHcTFNltdy4XZot5ewXRR21QJ3sTad6+Nm8L55/PVD/ezTYul20Bv0FjVQgE7QGWqhS9RBBI3Rd/QD/az8rm5Xd6t7D9LtrUXOK7Rm1dd/ADsRhM8=</latexit>

Defendant

- The COMPAS tool C(x) is statistically calibrated by group

<latexit sha1_base64="YasfLgl4fpon2gv9pSXcwJ2rkEY=">AAAEUXicfZPNbhMxEMfdJEBJ+WjhyGVFVKlcoqRFKpdKFaVSuJXQtJWSqPJ6Z7NW/LG1vU021r4CV3gvTjwKN7xpUBJHMNJKo/n9Z8ae9YQpo9q0Wr+2KtXao8dPtp/Wd549f/Fyd+/VlZaZItAjkkl1E2INjAroGWoY3KQKMA8ZXIfjs5Jf34PSVIpLk6cw5HgkaEwJNmXo7GD67na30Wq25hZsOu2F00ALu7jdqx4PIkkyDsIQhrXut1upGVqsDCUMivog05BiMsYj6DtXYA56aOeHLYJ9F4mCWCr3CRPMo6sZFnOtcx46Jccm0T4rg/9iJuGFHyu76CKY2xpzYiMl0+sZZd3NcD8z8YehpSLNDAjycIs4Y4GRQTnWIKIKiGG5czBR1A0iIAlWmBg3/Pp+4LdI8UwW9bUWHI9BScndpLAgwNwBBEyI5ByLyA6oiAo7KHPD0H4uPDoBOkrMX0FsJ75gOl3CqQ/zfAlzH85mSzjb6Dv5T0+digUlmNmvm9gogBXFpa/odFZox6eglHtQdnCPFaSaMik8QeT2Z6XAJ79ABDHclQVI+ZLdQxQnfos7pynsyYrEU5xP0+VvOfc7dLtL2C0Kt2ptf7E2navDZvuoefjlfeP042LpttEb9BYdoDY6Rqeogy5QDxGUoG/oO/pR/Vn9XUO1yoO0srXIeY3WrLbzB1U3g0M=</latexit>

26
 Introduction
Northpointes’ defense:
Defendants labeled as “high risk” equally likely to recidivate,
regardless of race

COMPAS Risk score: C(x) 2 (0, 1) <latexit sha1_base64="4eCQUFiUYhOt+viYVwC517oAuz4=">AAAEWnicfZPfa9swEMfVJtvadD/abW97MQuFFEawu0H3UijrCtlblzVtIQlFls+JiH44ktzEMf479rr9WYP9MZPTjCQK24HhuM/37uSTLkwY1cb3f21tV6qPHj/Z2a3tPX32/MX+wctrLVNFoEMkk+o2xBoYFdAx1DC4TRRgHjK4CUfnJb+5B6WpFFcmS6DP8UDQmBJsbKh/3pge9aho+O+84Ohuv+43/bl5m06wcOpoYZd3B5WTXiRJykEYwrDW3cBPTD/HylDCoKj1Ug0JJiM8gK51Beag+/n81IV3aCORF0tlP2G8eXQ1I8dc64yHVsmxGWqXlcF/MTPkhRsru+jCm9sas2IjJdPrGWXdzXA3NfHHfk5FkhoQ5OEv4pR5RnrlfL2IKiCGZdbBRFE7CI8MscLE2FuoHXpuiwTPZFFba8HxCJSU3E4KCwLMHkDAhEjOsYhye11RkffK3DDMvxQOnQAdDM1fQZxPXMF0uoRTF2bZEmYunM2WcLbRd/KfnjoRC0owy79tYqMAVhRXrqLVWqEtl4JS9kHlvXusINGUSeEIIrtIKwU+uwUiiGFcFiDlS7YPUZy6LcZWU+SnKxJHcTFNltdy4XZot5ewXRR21QJ3sTad6+Nm8L55/PVD/ezTYul20Bv0FjVQgE7QGWqhS9RBBI3Rd/QD/az8rm5Xd6t7D9LtrUXOK7Rm1dd/ADsRhM8=</latexit>

Defendant

- The COMPAS tool C(x) is statistically calibrated by group <latexit sha1_base64="YasfLgl4fpon2gv9pSXcwJ2rkEY=">AAAEUXicfZPNbhMxEMfdJEBJ+WjhyGVFVKlcoqRFKpdKFaVSuJXQtJWSqPJ6Z7NW/LG1vU021r4CV3gvTjwKN7xpUBJHMNJKo/n9Z8ae9YQpo9q0Wr+2KtXao8dPtp/Wd549f/Fyd+/VlZaZItAjkkl1E2INjAroGWoY3KQKMA8ZXIfjs5Jf34PSVIpLk6cw5HgkaEwJNmXo7GD67na30Wq25hZsOu2F00ALu7jdqx4PIkkyDsIQhrXut1upGVqsDCUMivog05BiMsYj6DtXYA56aOeHLYJ9F4mCWCr3CRPMo6sZFnOtcx46Jccm0T4rg/9iJuGFHyu76CKY2xpzYiMl0+sZZd3NcD8z8YehpSLNDAjycIs4Y4GRQTnWIKIKiGG5czBR1A0iIAlWmBg3/Pp+4LdI8UwW9bUWHI9BScndpLAgwNwBBEyI5ByLyA6oiAo7KHPD0H4uPDoBOkrMX0FsJ75gOl3CqQ/zfAlzH85mSzjb6Dv5T0+digUlmNmvm9gogBXFpa/odFZox6eglHtQdnCPFaSaMik8QeT2Z6XAJ79ABDHclQVI+ZLdQxQnfos7pynsyYrEU5xP0+VvOfc7dLtL2C0Kt2ptf7E2navDZvuoefjlfeP042LpttEb9BYdoDY6Rqeogy5QDxGUoG/oO/pR/Vn9XUO1yoO0srXIeY3WrLbzB1U3g0M=</latexit>

- Let A 2 {0, 1} be the group membership (race), Y 2 {0, 1} be the true

label (recidivism), then
<latexit sha1_base64="6fi2GTFiy14AAAc4YCYM9QAj5kg=">AAAEWXicfZPfa9swEMeVJtuy7Fe7Pu7FLBT2MILdDrqXQvejkL11WdMW4lBk+ZyIyJIryU0c4X9jr9u/NfbPTE4zkihsB4bjPt+7k0+6KGNUad//VdupNx48fNR83Hry9NnzF7t7Ly+VyCWBPhFMyOsIK2CUQ19TzeA6k4DTiMFVNPlU8as7kIoKfqGLDIYpHnGaUIK1DYUfQspD47/1grC82W37HX9h3rYTLJ02Wtr5zV79OIwFyVPgmjCs1CDwMz00WGpKGJStMFeQYTLBIxhYl+MU1NAsDl16BzYSe4mQ9uPaW0TXMwxOlSrSyCpTrMfKZVXwX0yP09KNVV1U6S1sg1mxFoKpzYyq7nZ4kOvk/dBQnuUaOLn/iyRnnhZeNV4vphKIZoV1MJHUDsIjYywx0fYSWgee2yLDc1G2NlqkeAJSiNROCnMCzB6Aw5SINMU8NvbC4tKEVW4UmS+lQ6dAR2P9V5CYqSuYzVZw5sKiWMHChfP5Cs63+k7/01NlfEkJZubbNtYSYE1x4Sq63TXadSlIaR+UCe+whExRJrgjiO0erRX47BaIIYHbqgCpXrJ9iPzEbXFrNaU5WZM4irNZtrqWM7dDr7eCvbJatcBdrG3n8rATHHUOv75rn35cLl0TvUKv0RsUoGN0irroHPURQRn6jn6gn/XfjVqj2WjdS3dqy5x9tGGN/T9W8oVZ</latexit> <latexit sha1_base64="jR7JUlQWTVMD+T2oLDOI9lSbqiM=">AAAEWXicfZPfb9MwEMfdtUApvzb2yEtENYkHVCUb0niZNAGTytso6zbUVJPjXFqrjp3ZztrUyr/BK/xbiH8Gpytq6wpOinS6z/funLMvyhhV2vd/1XbqjQcPHzUft548ffb8xe7ey0slckmgTwQT8jrCChjl0NdUM7jOJOA0YnAVTT5W/OoOpKKCX+gig2GKR5wmlGBtQ+G3kPLQ+G+9ICxvdtt+x1+Yt+0ES6eNlnZ+s1c/DmNB8hS4JgwrNQj8TA8NlpoSBmUrzBVkmEzwCAbW5TgFNTSLQ5fegY3EXiKk/bj2FtH1DINTpYo0ssoU67FyWRX8F9PjtHRjVRdVegvbYFashWBqM6Oqux0e5Dp5PzSUZ7kGTu7/IsmZp4VXjdeLqQSiWWEdTCS1g/DIGEtMtL2E1oHntsjwXJStjRYpnoAUIrWTwpwAswfgMCUiTTGPjb2wuDRhlRtF5nPp0CnQ0Vj/FSRm6gpmsxWcubAoVrBw4Xy+gvOtvtP/9FQZX1KCmfm6jbUEWFNcuIpud412XQpS2gdlwjssIVOUCe4IYrtHawU+uQViSOC2KkCql2wfIj9xW9xaTWlO1iSO4myWra7lzO3Q661gr6xWLXAXa9u5POwER53DL+/apx+WS9dEr9Br9AYF6Bidoi46R31EUIa+ox/oZ/13o9ZoNlr30p3aMmcfbVhj/w+16oVx</latexit>

<latexit sha1_base64="KZzhH5viBCQmZGMDRQp39WZ6lRY=">AAAEn3icfVPbbhMxEHXbACVcmsIjL4aqUipFUVKQykukQqkILyiUXpWNKq93kljxZWt7m8tqf4t/QeIVvgNvmiqJIxhpteNzzszYHk8Yc2ZsrfZzbX2j8ODho83HxSdPnz3fKm2/ODcq0RTOqOJKX4bEAGcSziyzHC5jDUSEHC7CwVHOX9yCNkzJUzuOoSNIT7Iuo8Q66LrUCrpKE84xCZgM0loF14Osgu9R6tByDu5VgpuEREFLl69ww4kEi/BRebTnFrSCP7gfmfrXpZ1atTY1vOrUZ84OmlnrenvjIIgUTQRISzkxpl2vxbaTEm0Z5ZAVg8RATOiA9KDtXEkEmE46PXqGdx0SYbdb90mLp+hiREqEMWMROqUgtm98Lgf/xdm+yHwsr2IyPLUlzomtUtwsR+R5V+F2YrvvOymTcWJB0rtTdBOOrcJ5k3DENFDLx84hVDN3EZj2iSbUulYWd7FfIiYTlRWXSggyAK2UcDdFJAXuNiBhSJUQREapa2uUpUEeG4bpl8xjh8B6fXsv6KZDXzAazcmRT47Hc3Lsk5PJnJys1B3+p6aJ5YylhKffV2mrARYUp76i2Vxgmz4LWrsHlQa3RENsGFfSE0RuGhcSfPITRNCFmzwBzV+ye4iy4Ze4cZosbSxIPMXxKJ635divcHIyJ0+yzI1a3R+sVed8v1p/W93/9m7n8ONs6DbRK/QGlVEdHaBD1EQtdIYo+oF+od/oT+F14XPha6F1J11fm8W8REtWuPoL7B6awQ==</latexit>
8a 2 {0, 1}, 8c 2 (0, 1), Pr(Y = 1 | C(x) = c, A = a) = c

No Bias: Equal treatment!

27
 Introduction
What’s the problem here?
Fundamental incompatibility between di erent notions of fairness:
- True label: Y 2 {0, 1} <latexit sha1_base64="jR7JUlQWTVMD+T2oLDOI9lSbqiM=">AAAEWXicfZPfb9MwEMfdtUApvzb2yEtENYkHVCUb0niZNAGTytso6zbUVJPjXFqrjp3ZztrUyr/BK/xbiH8Gpytq6wpOinS6z/funLMvyhhV2vd/1XbqjQcPHzUft548ffb8xe7ey0slckmgTwQT8jrCChjl0NdUM7jOJOA0YnAVTT5W/OoOpKKCX+gig2GKR5wmlGBtQ+G3kPLQ+G+9ICxvdtt+x1+Yt+0ES6eNlnZ+s1c/DmNB8hS4JgwrNQj8TA8NlpoSBmUrzBVkmEzwCAbW5TgFNTSLQ5fegY3EXiKk/bj2FtH1DINTpYo0ssoU67FyWRX8F9PjtHRjVRdVegvbYFashWBqM6Oqux0e5Dp5PzSUZ7kGTu7/IsmZp4VXjdeLqQSiWWEdTCS1g/DIGEtMtL2E1oHntsjwXJStjRYpnoAUIrWTwpwAswfgMCUiTTGPjb2wuDRhlRtF5nPp0CnQ0Vj/FSRm6gpmsxWcubAoVrBw4Xy+gvOtvtP/9FQZX1KCmfm6jbUEWFNcuIpud412XQpS2gdlwjssIVOUCe4IYrtHawU+uQViSOC2KkCql2wfIj9xW9xaTWlO1iSO4myWra7lzO3Q661gr6xWLXAXa9u5POwER53DL+/apx+WS9dEr9Br9AYF6Bidoi46R31EUIa+ox/oZ/13o9ZoNlr30p3aMmcfbVhj/w+16oVx</latexit>

- Group membership: A 2 {0, 1} <latexit sha1_base64="6fi2GTFiy14AAAc4YCYM9QAj5kg=">AAAEWXicfZPfa9swEMeVJtuy7Fe7Pu7FLBT2MILdDrqXQvejkL11WdMW4lBk+ZyIyJIryU0c4X9jr9u/NfbPTE4zkihsB4bjPt+7k0+6KGNUad//VdupNx48fNR83Hry9NnzF7t7Ly+VyCWBPhFMyOsIK2CUQ19TzeA6k4DTiMFVNPlU8as7kIoKfqGLDIYpHnGaUIK1DYUfQspD47/1grC82W37HX9h3rYTLJ02Wtr5zV79OIwFyVPgmjCs1CDwMz00WGpKGJStMFeQYTLBIxhYl+MU1NAsDl16BzYSe4mQ9uPaW0TXMwxOlSrSyCpTrMfKZVXwX0yP09KNVV1U6S1sg1mxFoKpzYyq7nZ4kOvk/dBQnuUaOLn/iyRnnhZeNV4vphKIZoV1MJHUDsIjYywx0fYSWgee2yLDc1G2NlqkeAJSiNROCnMCzB6Aw5SINMU8NvbC4tKEVW4UmS+lQ6dAR2P9V5CYqSuYzVZw5sKiWMHChfP5Cs63+k7/01NlfEkJZubbNtYSYE1x4Sq63TXadSlIaR+UCe+whExRJrgjiO0erRX47BaIIYHbqgCpXrJ9iPzEbXFrNaU5WZM4irNZtrqWM7dDr7eCvbJatcBdrG3n8rATHHUOv75rn35cLl0TvUKv0RsUoGN0irroHPURQRn6jn6gn/XfjVqj2WjdS3dqy5x9tGGN/T9W8oVZ</latexit>

- b 2 (0, 1) or binary classi er: Yb 2 {0, 1}

Probabilistic classi er: Y <latexit sha1_base64="p0gBuoTrSywvFxn6QWWTqwDQ3VE=">AAAEY3icfZNRb9MwEMe9tcDogHVjbwgpopo0JDQlA2m8TJqASeVtlHUbaqrKca6tVcfObGdtauW78ArfiA/A98Dpitq6gpMine73vzvn7ItSRpX2/V8bm5Xqg4ePth7Xtp88fbZT3927UiKTBNpEMCFvIqyAUQ5tTTWDm1QCTiIG19HoY8mv70AqKvilzlPoJnjAaZ8SrG2oV98PxzSGIdbmWxFSfui/8YLXvXrDP/Jn5q07wdxpoLld9HYrJ2EsSJYA14RhpTqBn+quwVJTwqCohZmCFJMRHkDHuhwnoLpmdvzCO7CR2OsLaT+uvVl0OcPgRKk8iawywXqoXFYG/8X0MCncWNlFFd7MVpgVayGYWs0o666HO5nuv+8aytNMAyf3f9HPmKeFVw7ai6kEolluHUwktYPwyBBLTLS9jtqB57ZI8VQUtZUWCR6BFCKxk8KcALMH4DAmIkkwj429rrgwYZkbReZz4dAx0MFQ/xX0zdgVTCYLOHFhni9g7sLpdAGna33H/+mpUj6nBDPzdR1rCbCkuHQVzeYSbboUpLQPyoR3WEKqKBPcEcR2o5YKfHILxNCH27IAKV+yfYj81G1xazWFOV2SOIrzSbq4lnO3Q6u1gK2isKsWuIu17lwdHwVvj46/vGucfZgv3RZ6gV6hQxSgE3SGmugCtRFBU/Qd/UA/K7+r29W96v69dHNjnvMcrVj15R8Vd4jN</latexit>

<latexit sha1_base64="m3HdvcKSV6lBw8mcjFlDJfMgrOU=">AAAEZXicfZNRb9MwEMe9tcAoDDpAe+GBiGoSD6hKBtJ4mTQBk8rbKOs21FSV41xaq46d2e7a1OTL8ApfiE/A18Dpitq6gpMine73v7v47IsyRpX2/V9b25Xqnbv3du7XHjzcffS4vvfkQomxJNAhggl5FWEFjHLoaKoZXGUScBoxuIxGH0p+eQNSUcHPdZ5BL8UDThNKsLahfn0/nNAYhlibr0VIeWj8114QFv16w2/6c/M2nWDhNNDCzvp7laMwFmScAteEYaW6gZ/pnsFSU8KgqIVjBRkmIzyArnU5TkH1zPwAhXdgI7GXCGk/rr15dDXD4FSpPI2sMsV6qFxWBv/F9DAt3FjZRRXe3NaYFWshmFrPKOtuhrtjnbzrGcqzsQZObk+RjJmnhVeO2oupBKJZbh1MJLWD8MgQS0y0vZDagee2yPBMFLW1FikegRQitZPCnACzP8BhQkSaYh4be2FxYcIyN4rMp8KhE6CDof4rSMzEFUynSzh1YZ4vYe7C2WwJZxt9J//pqTK+oAQz82UTawmwojh3Fa3WCm25FKS0D8qEN1hCpigT3BHEdqdWCnx0C8SQwHVZgJQv2T5Efuy2uLaawhyvSBzF6TRbXsup26HdXsJ2Ua5a4C7WpnNx2AzeNA8/v22cvF8s3Q56jl6iVyhAR+gEtdAZ6iCCvqHv6Af6Wfld3a0+q+7fSre3FjlP0ZpVX/wB0+uKQA==</latexit>

- Base rate: Pr(Y = 1 | A = a), a 2 {0, 1} <latexit sha1_base64="neK+S9CXzS5ea4sZvu083814swc=">AAAEcXicfZPbbhMxEIbdJkAJh6ZwhbixElUqoqqSglRuIpVDpXAXQtMWZaPI650kVnzY2k5zWC3XPA238Co8By+ANw1K4ghGWmk03z8z67EnjDkztlL5tbWdy9+5e2/nfuHBw0ePd4t7Ty6MGmkKLaq40lchMcCZhJZllsNVrIGIkMNlOHyf8csb0IYpeW6nMXQE6UvWY5RYF+oWS0FDH3zBNVwNBIvwW+eRF4dfScBkkFQOXTjtFsuVo8rc8KZTXThltLBGdy93EkSKjgRISzkxpl2txLaTEG0Z5ZAWgpGBmNAh6UPbuZIIMJ1kfpgU77tIhHtKu09aPI+uZiREGDMVoVMKYgfGZ1nwX8wOROrHsi4mxXNbY05sleJmPSOruxluj2zvTSdhMh5ZkPT2FL0Rx1bhbOw4Yhqo5VPnEKqZGwSmA6IJte5yCvvYbxGTmUoLay0EGYJWSrhJEUmBux+QMKZKCCKjxF1YlCZBlhuGycfUo2Ng/YH9K+glY18wmSzhxIfT6RJOfTibLeFso+/4Pz1NLBeUEp583sRWA6wozn1Fvb5C6z4Frd2DSoIboiE2jCvpCSK3XysFPvgFIujBdVaAZi/ZPURZ81tcO02a1FYknuJsEi+v5czv0GwuYTPNVq3qL9amc3F8VH11dPzpdfn03WLpdtBzVEIHqIpO0CmqowZqIYq+oe/oB/qZ+51/lsf50q10e2uR8xStWf7lH9hPjHs=</latexit>

- Di erence of base rates:

BR = | Pr(Y = 1 | A = 0) <latexit sha1_base64="Hf3NlwUaFulX0jwmXKO4tdBcUrE=">AAAEkXicfZPbbhMxEIbdNkAJp5RecmNRVWoviLIFqXARqZRWCuKmlJ5QNoq83klixYet7TSH7b4PT8Mt8DZ404UkjmCklUb/93tmfZgo4czYWu3Xyupa6d79B+sPy48eP3n6rLLx/MKogaZwThVX+ioiBjiTcG6Z5XCVaCAi4nAZ9T/k/PIGtGFKntlxAi1BupJ1GCXWSe3KYXgE3JJ2Ggpie1qkh6dZhuv4NjzRO19dEoSCxfg9rtd28StcqH9FHOzetitbtWptGng5CYpkCxVx0t5Y2w9jRQcCpKWcGNMMaoltpURbRjlk5XBgICG0T7rQdKkkAkwrnW42w9tOiXFHafdJi6fq/IqUCGPGInLOfEvGZ7n4L2Z7IvO1vIvJ8DQWmDNbpbhZXJHXXZabA9t520qZTAYWJL3bRWfAsVU4vxYcMw3U8rFLCNXMHQSmPaIJte7yytvYb5GQicrKCy0E6YNWSriTIpICdz8gYUiVEETGachknN3dchSlHzOPDoF1e/aPoZMOfcNoNIMjH47HMzj24WQyg5OlvsP/9DSJLCglPP2yjK0GmHOc+Y5GY442fApauweVhjdEQ2IYV9IzxG7+5goc+QVi6MB1XoDmL9k9RFn3W1w7T5bW5yye43iUzK7l2O9wejqDbjDdqAX+YC0nF3vV4HV17/ObrYPDYujW0Qv0Eu2gAO2jA9RAJ+gcUfQNfUc/0M/SZuld6aBUeFdXijWbaCFKn34D+C2Wuw==</latexit>
Pr(Y = 1 | A = 1)|

Theorem (Chouldechova’17, Kleinberg, Mullainathan, Raghavan’16):

Statistical calibration and Equalized FPR/FNR cannot hold simultaneously
unless BR = 0 ( A ? Y ) or Yb = Y (perfect prediction).
<latexit sha1_base64="OuIqSkE7YleidTzi8I4BDqibZ4I=">AAAEZ3icfZPdahNBFMenTdQaP5oqSMGb1VDwKmyqUG8CpbYQ72ps2kI2hNnZk2TIfGxnZptslvVpvNX38RF8C2eTSJIJemDhcH7/Of/ZmTlhzKg2vv9rZ7dUfvDw0d7jypOnz57vVw9eXGuZKAIdIplUtyHWwKiAjqGGwW2sAPOQwU04/lTwm3tQmkpxZdIYehwPBR1Qgo0t9auHwTkwg/tZwLEZKZ6dtfPca3p+v1rz6/48vO2ksUxqaBmX/YPSSRBJknAQhjCsdbfhx6aXYWUoYZBXgkRDjMkYD6FrU4E56F42/4XcO7KVyBtIZT9hvHl1fUWGudYpD62y2Kh2WVH8FzMjnru1wkXn3jw2mBUbKZneXFH03S53EzP42MuoiBMDgiz+YpAwz0ivOGwvogqIYalNMFHUHoRHRlhhYuyVVI481yLGM5lXNiw4HoOSktuTwoIAsxsQMCGScyyiLKAiyhd3F4bZ59yhE6DDkfkrGGQTVzCdruDUhWm6gqkLZ7MVnG35Tv7jqWOxpASz7Os2NgpgTXHlKlqtNdpyKShlH1QW3GMFsaZMCkcQ2alaa3DuNohgAHdFA1K8ZPsQRdO1uLOaPGuuSRzFxTReXcuF69Bur6AdNztqDXewtpPr43rjff34y4fa6dly6PbQa/QWvUMNdIJOUQtdog4i6Bv6jn6gn6Xf5f3yq/LhQrq7s1zzEm1E+c0fhk2K7A==</latexit>
<latexit sha1_base64="wQ24AKaKBZZCOY02NaRA9crF7gU=">AAAEVXicfZNLaxsxEMeV2E1T95GkPfay1AR6MnYaSC+B9BFwb6kbJy5eE7TaWVtYr0ja2Otlv0Sv7fcq/TCFah0X2zLtwMIwv//MaEeaSDFqbLP5a2u7Un2w83D3Ue3xk6fP9vYPnl8ZmWoCXSKZ1L0IG2BUQNdSy6CnNGAeMbiOxh9Kfn0H2lApLm2mYMDxUNCEEmxdqPcuVKBV8PVmv95sNOcWbDqthVNHC7u4OaichLEkKQdhCcPG9FtNZQc51pYSBkUtTA0oTMZ4CH3nCszBDPL5gYvg0EXiIJHafcIG8+hqRo65MRmPnJJjOzI+K4P/YnbECz9WdjFFMLc15sRWSmbWM8q6m+F+apO3g5wKlVoQ5P4vkpQFVgblaIOYaiCWZc7BRFM3iICMsMbEuguoHQZ+C4VnsqitteB4DFpK7iaFBQHmDiBgQiTnWMR5SEVc5GGZG0X5p8KjE6DDkf0rSPKJL5hOl3DqwyxbwsyHs9kSzjb6Tv7T0yixoASz/MsmthpgRXHpK9rtFdr2KWjtHlQe3mENylAmhSeI3Q6tFPjoF4ghgduyAClfsnuI4tRvces0RX66IvEU51O1vJZzv0Ons4SdonCr1vIXa9O5Omq03jSOPh/Xz94vlm4XvUSv0GvUQifoDLXRBeoighj6hr6jH5Wfld/VanXnXrq9tch5gdasuvcH2M6FLA==</latexit>

<latexit sha1_base64="iPtlB8FbW97rYGCFjS33FX91OC0=">AAAEXnicfZPNbhMxEMfdJpQSKEnhgsTFIqrEqUoKUrlEqoBK4VZC0w9lo8jrnSRW/LG1vU02q30SrvBQ3HgUvGlQEkcw0kqj+f1nxjv2hDFnxjYav3Z2S+VHe4/3n1SePjt4Xq0dvrgyKtEUulRxpW9CYoAzCV3LLIebWAMRIYfrcPKp4Nf3oA1T8tKmMfQFGUk2ZJRYFxrUqsGURTAmNrvNcQvfDmr1xnFjYXjbaS6dOlraxeCwdBpEiiYCpKWcGNNrNmLbz4i2jHLIK0FiICZ0QkbQc64kAkw/W5w8x0cuEuGh0u6TFi+i6xkZEcakInRKQezY+KwI/ovZscj9WNHF5HhhG8yJrVLcbGYUdbfDvcQOP/QzJuPEgqQPfzFMOLYKFzPGEdNALU+dQ6hmbhCYjokm1LqbqBxhv0VM5iqvbLQQZAJaKeEmRSQF7g4gYUqVEERGWcBklGdBkRuG2Zfco1Ngo7H9KxhmU18wm63gzIdpuoKpD+fzFZxv9Z3+p6eJ5ZJSwrNv29hqgDXFpa9ot9do26egtXtQWXBPNMSGcSU9QeSWaa3AZ79ABEO4KwrQ4iW7hyhbfos7p8mz1prEU5zP4tW1nPsdOp0V7OS5W7Wmv1jbztXJcfPd8cnX9/Wzj8ul20ev0Rv0FjXRKTpDbXSBuoiiBH1HP9DP0u/yXvmgXH2Q7u4sc16iDSu/+gPgfodA</latexit>

28
ff
fi
ff
fi
Introduction
Lesson learned:
Depending on the problem, choose the appropriate criterion
But, there are just too many de nitions…

29
fi
Introduction
Key assumption underlying the success: large-scale
labeled data from stationary domains

Source (Train) = Target (Test)

Source Target

30
Introduction
But, often the case, such an assumption does not hold

Source (with Labels) Target (No Labels)

31
Introduction
But, often the case, such an assumption does not hold

Source Target Corpora size BLEU Scores

English French ~3M ~40
English German ~1.92M ~35
Finnish English ~1.96M ~34
Romanian English ~400K ~30
WMT ’16-19, Europarl Parallel Corpus
32
Introduction
Domain adaptation: given unlabeled data from the target
domain + labeled data from the source domain, can we
do better?

Note: closely related to the setting of semi-supervised

learning, but with a key di erence:

Semi-supervised learning:
Training distribution = Test distribution
<latexit sha1_base64="XkZUfwlYn+/vaB2uR9tWXCTHxRE=">AAAETnicfZPNbhMxEMfdboEQvlo4clkRVeIUJaiiXCJVLZXCrQ1NWymJKq93NrHij63tbbKx9gm4wntx5UW4IfCmQUkcwUgrjeb3nxl71hOljGrTaPzY2g52Hjx8VHlcffL02fMXu3svL7XMFIEukUyq6whrYFRA11DD4DpVgHnE4Coan5T86g6UplJcmDyFAcdDQRNKsHGh89bNbq1Rb8wt3HSaC6eGFnZ2sxcc9mNJMg7CEIa17jUbqRlYrAwlDIpqP9OQYjLGQ+g5V2AOemDnJy3CfReJw0Qq9wkTzqOrGRZzrXMeOSXHZqR9Vgb/xcyIF36s7KKLcG5rzImNlEyvZ5R1N8O9zCQfBpaKNDMgyP0tkoyFRoblTMOYKiCG5c7BRFE3iJCMsMLEuMlX90O/RYpnsqiuteB4DEpK7iaFBQHmDiBgQiTnWMS2T0Vc2H6ZG0X2U+HRCdDhyPwVJHbiC6bTJZz6MM+XMPfhbLaEs42+k//01KlYUIKZ/byJjQJYUVz4inZ7hbZ9Ckq5B2X7d1hBqimTwhPEbnlWCnz0C8SQwG1ZgJQv2T1E0fJb3DpNYVsrEk9xOk2Xv+XU79DpLGGnKNyqNf3F2nQu39Wb7+sH5we1o+PF0lXQa/QGvUVNdIiOUBudoS4iCNAX9BV9C74HP4Nfwe976fbWIucVWrOdyh/4qoRZ</latexit>

Domain adaptation:
6= Test distribution
<latexit sha1_base64="R2b0WzHucRcXZRVR1rHQtxaOj5A=">AAAEUXicfZPNbhMxEMfdJEBJ+WjhyGVFVIlTlKCKcqlUtVQKtxKatlI2qrze2cSKPza2t8nG2lfgCu/FiUfhhjcNSuIIRlppNL//zNiznihlVJtW69dOpVp79PjJ7tP63rPnL17uH7y61jJTBHpEMqluI6yBUQE9Qw2D21QB5hGDm2h8XvKbe1CaSnFl8hQGHA8FTSjBpgyFAiZ3+41Ws7WwYNtpL50GWtrl3UH1OIwlyTgIQxjWut9upWZgsTKUMCjqYaYhxWSMh9B3rsAc9MAuDlsEhy4SB4lU7hMmWETXMyzmWuc8ckqOzUj7rAz+i5kRL/xY2UUXwcI2mBMbKZnezCjrbof7mUk+DiwVaWZAkIdbJBkLjAzKsQYxVUAMy52DiaJuEAEZYYWJccOvHwZ+ixTPZVHfaMHxGJSU3E0KCwLMHUDAlEjOsYhtSEVc2LDMjSL7ufDoFOhwZP4KEjv1BbPZCs58mOcrmPtwPl/B+Vbf6X966lQsKcHMft3GRgGsKa58RaezRjs+BaXcg7LhPVaQasqk8ASx25+1Ap/8AjEkMCkLkPIlu4coTvwWE6cp7MmaxFNczNLVb7nwO3S7K9gtCrdqbX+xtp3r9832h+bRl6PG6dly6XbRG/QWvUNtdIxOUQddoh4iaIS+oe/oR/Vn9XcN1SoP0srOMuc12rDa3h+bAYPc</latexit>

Training distribution

33
ff
Introduction
Domain adaptation: Training phase

Source domain:

···
(4, 8, 5)
+
Target domain:
(7, 3, 0)

··· 34
Introduction
Domain adaptation: Training phase

Source domain:

(4, 8, 5) (7, 3, 0)

+
Target domain:
Classi er

35
fi
Introduction
Domain adaptation: Testing phase
Target domain:

···
(4, 0, 1) (0, 4, 2)
36
The Net ix Prize Competition
Net ix’s goal: better movie recommendation

37
fl
fl
The Net ix Prize Competition
Movie recommendation: collaborative ltering

Goal: given (sparse) existing ratings from the seed users, how to
complete this user-movie rating matrix?

38
fl
fi
The Net ix Prize Competition
The Net ix Prize:
- An open competition for the best collaborative ltering algorithm to
predict user ratings for movies
- Data: ~100M ratings, ~480K users, ~18K movies
- In the context data, no other information about the users or movies are
available
- Grand prize $1M by BellKor’s Pragmatic Chaos team: ensemble model
(matrix factorization) using gradient boosted decision trees (GBDT).
Beating Net ix’s own algorithm by more than 10%

The data was appropriately anonymized (regulated

by the Video Privacy Protection Act of 1988)

39
fl
fl
fl
fi
 The Net ix Prize Competition
Unfortunately, this naive form of anonymization was insu cient

Main idea: using side information to cross-reference

- Try to match users between the two datasets by nding users who
gave similar ratings to a movie at similar times
- IMDB data is public: each review is associated with either the
user’s name or an online pseudonym

This discovery led to a class action lawsuit against Net ix, and the cancellation
of a sequel competition

“Robust De-anonymization of Large Sparse Datasets”, Narayanan and Shmatikov, IEEE S&P’ 08 40
fl
fl
fi
ffi
Memorization in Neural Networks
What if we instead just release some function or model of the
dataset?
- This only gives a restricted view of the dataset
- Perhaps this partial release prevents it from revealing private
information about the data used to train the model?

Unfortunately, once again this is not the case

Consider training a neural network for the task of language modeling:

41
Model Interpretability
Problem: machine learning models (esp. neural networks) can be
a black-box

42
Model Interpretability
Example: credit lending with a black-box ML model

43
Model Interpretability
Black-box AI creates confusion and doubt, hence reducing its
trustworthiness

Key question: why did the model make certain predictions?

44
The Feature Attribution Problem
Attribute a model’s prediction on an input to features of the input

Examples:
- Attribute an object recognition network’s prediction to its pixels
- Attribute a text sentiment network’s prediction to individual words
- Attribute a credit scoring model’s prediction to its features

45
Summary
- Course overview, syllabus, covered topics
- Real-world examples on fairness, robustness, privacy
and explanation

46