Modern machine learning systems use models trained on ever-growing corpora. Typically, metadata such as ownership, access control, or licensing information is ignored during training. Instead, to mitigate privacy risks, we rely on generic techniques such as dataset sanitization and differentially private model training, with inherent privacy/utility trade-offs that hurt model performance. Moreover, these techniques have limitations in scenarios where sensitive information is shared across multiple participants and fine-grained access control is required. By ignoring metadata, we therefore miss an opportunity to better address security, privacy, and confidentiality challenges. In this paper, we take an information flow control perspective to describe machine learning systems, which allows us to leverage metadata such as access control policies and define clear-cut privacy and confidentiality guarantees with interpretable information flows. Under this perspective, we contrast two different approaches to achieve user-level non-interference: 1) fine-tuning per-user models, and 2) retrieval augmented models that access user-specific datasets at inference time. We compare these two approaches to a trivially non-interfering zero-shot baseline using a public model and to a baseline that fine-tunes this model on the whole corpus. We evaluate trained models on two datasets of scientific articles and demonstrate that retrieval augmented architectures deliver the best utility, scalability, and flexibility while satisfying strict non-interference guarantees.
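The retrieval-augmented design in the abstract is the easiest of the two non-interfering approaches to reason about, because the access-control metadata is enforced at retrieval time: a user's query is only ever answered from documents that user is allowed to read, so documents outside their view cannot influence what they see. The following Python example, added here and not code from the paper, makes that property concrete with a constructed three-document corpus, a toy keyword retriever standing in for the real index and model, and a check that compares two corpora differing only in a document the user cannot read. The user names, document ids and texts are all constructed; the `enforce_policy=False` path plays the role of the abstract's whole-corpus fine-tuning baseline, where no metadata is honoured.

```python
"""Access-control-gated retrieval as a worked illustration of user-level
non-interference (added example; constructed data, toy retriever)."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Document:
    doc_id: str
    owner: str
    readers: frozenset  # users allowed to read this document besides its owner
    text: str


def _tokens(s: str) -> set:
    return set(re.findall(r"[a-z0-9]+", s.lower()))


def can_read(user: str, doc: Document) -> bool:
    """The access-control label carried with each document."""
    return user == doc.owner or user in doc.readers


def retrieve(user, query, corpus, k=2, enforce_policy=True):
    """Return up to k doc ids ranked by keyword overlap with the query.
    With enforce_policy=True only documents `user` may read are candidates;
    with enforce_policy=False the policy is ignored (the whole-corpus baseline)."""
    candidates = [d for d in corpus if not enforce_policy or can_read(user, d)]
    q = _tokens(query)
    scored = [(len(q & _tokens(d.text)), d.doc_id) for d in candidates]
    scored = [s for s in scored if s[0] > 0]
    scored.sort(key=lambda s: (-s[0], s[1]))  # best overlap first, ties by id
    return [doc_id for _, doc_id in scored[:k]]


def answer(user, query, corpus, k=2, enforce_policy=True):
    """Stand-in for the augmented model: the observable output is the
    context the model would be handed for this user and query."""
    by_id = {d.doc_id: d for d in corpus}
    ids = retrieve(user, query, corpus, k, enforce_policy)
    return " | ".join(by_id[i].text for i in ids)


def check_non_interference(user, query, corpus_a, corpus_b):
    """Non-interference for `user`: whenever two corpora agree on every
    document `user` may read, the user-observable output must agree too.
    Returns (premise_holds, outputs_equal)."""
    visible_a = {d for d in corpus_a if can_read(user, d)}
    visible_b = {d for d in corpus_b if can_read(user, d)}
    same_view = visible_a == visible_b
    same_out = answer(user, query, corpus_a) == answer(user, query, corpus_b)
    return same_view, same_out


# Constructed corpora: B differs from A only in bob's private document.
CORPUS_A = [
    Document("pub-1", "public", frozenset({"alice", "bob"}),
             "public paper on graph neural networks"),
    Document("alice-1", "alice", frozenset(),
             "alice private notes on graph embeddings"),
    Document("bob-1", "bob", frozenset(),
             "bob confidential draft on graph attention"),
]
CORPUS_B = CORPUS_A[:2] + [
    Document("bob-1", "bob", frozenset(),
             "bob confidential results on graph transformers and embeddings"),
]


if __name__ == "__main__":
    print(retrieve("alice", "graph embeddings", CORPUS_A))
    print(check_non_interference("alice", "graph embeddings", CORPUS_A, CORPUS_B))
    print(check_non_interference("bob", "graph embeddings", CORPUS_A, CORPUS_B))
    # Policy off: alice's context now pulls in bob's private document.
    print(retrieve("alice", "graph embeddings", CORPUS_B, enforce_policy=False))
```

For alice the premise holds (her view is identical in both corpora) and the outputs agree, which is exactly the non-interference guarantee; for bob the premise fails because his own document changed, so a differing output is expected and not a violation. Switching the policy off reproduces the failure mode of the whole-corpus baseline: alice's retrieved context includes `bob-1`, an information flow the access-control labels forbid.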