Differentially Private Learning Needs Better Features (or Much More Data)
This work establishes strong baselines for differentially private learning, highlighting a critical performance gap for researchers developing privacy-preserving machine learning methods.
This paper demonstrates that differentially private deep neural networks underperform linear models trained on handcrafted features for moderate privacy budgets in vision tasks. To surpass this, private learning needs significantly more private data or features pre-trained on public data from a similar domain.
We demonstrate that differentially private machine learning has not yet reached its "AlexNet moment" on many canonical vision tasks: linear models trained on handcrafted features significantly outperform end-to-end deep neural networks for moderate privacy budgets. To exceed the performance of handcrafted features, we show that private learning requires either much more private data, or access to features learned on public data from a similar domain. Our work introduces simple yet strong baselines for differentially private learning that can inform the evaluation of future progress in this area.