Assessing differentially private deep learning with Membership Inference
This work addresses privacy risks for individuals in training datasets, but it is incremental as it compares existing mechanisms without introducing new methods.
The paper tackled the problem of protecting neural network training data from membership inference attacks by comparing local and central differential privacy mechanisms, finding that both offer similar privacy-accuracy trade-offs across datasets.
Attacks that aim to identify the training data of public neural networks represent a severe threat to the privacy of individuals participating in the training data set. A possible protection is offered by anonymization of the training data or training function with differential privacy. However, data scientists can choose between local and central differential privacy and need to select meaningful privacy parameters $ε$ which is challenging for non-privacy experts. We empirically compare local and central differential privacy mechanisms under white- and black-box membership inference to evaluate their relative privacy-accuracy trade-offs. We experiment with several datasets and show that this trade-off is similar for both types of mechanisms. This suggests that local differential privacy is a sound alternative to central differential privacy for differentially private deep learning, since small $ε$ in central differential privacy and large $ε$ in local differential privacy result in similar membership inference attack risk.