LG · CR · DS · ML · Jun 6, 2022

Individual Privacy Accounting for Differentially Private Stochastic Gradient Descent

arXiv:2206.02617v7 · 30 citations · h-index: 91
Originality: Incremental advance
AI Analysis

The paper addresses privacy fairness in machine learning by revealing disparities in privacy guarantees across data groups, an incremental but important step for domain-specific applications such as private deep learning.

Differentially private stochastic gradient descent (DP-SGD) provides a single, uniform privacy guarantee for every example. The paper proposes output-specific (ε,δ)-DP to characterize privacy for individual examples instead. It finds that most examples have stronger privacy than the worst-case bound and that lower model utility correlates with weaker privacy: on CIFAR-10, the average ε of the least accurate class is 44.2% higher than that of the most accurate class.

Differentially private stochastic gradient descent (DP-SGD) is the workhorse algorithm for recent advances in private deep learning. It provides a single privacy guarantee to all datapoints in the dataset. We propose output-specific $(\varepsilon,\delta)$-DP to characterize privacy guarantees for individual examples when releasing models trained by DP-SGD. We also design an efficient algorithm to investigate individual privacy across a number of datasets. We find that most examples enjoy stronger privacy guarantees than the worst-case bound. We further discover that the training loss and the privacy parameter of an example are well-correlated. This implies groups that are underserved in terms of model utility simultaneously experience weaker privacy guarantees. For example, on CIFAR-10, the average $\varepsilon$ of the class with the lowest test accuracy is 44.2% higher than that of the class with the highest accuracy.

Code Implementations: 1 repo