Beyond the Calibration Point: Mechanism Comparison in Differential Privacy
This work addresses a foundational issue in differential privacy for researchers and practitioners by providing a rigorous comparison method, though it is incremental as it builds on existing DP frameworks.
The paper tackles the problem of comparing differential privacy mechanisms beyond single (ε, δ)-pairs, which can overlook privacy vulnerabilities, by introducing Δ-divergence to quantify worst-case excess privacy risks. The result shows that current practices in DP-SGD often lead to mechanisms with high vulnerabilities, as demonstrated through application examples.
In differentially private (DP) machine learning, the privacy guarantees of DP mechanisms are often reported and compared on the basis of a single $(\varepsilon, δ)$-pair. This practice overlooks that DP guarantees can vary substantially even between mechanisms sharing a given $(\varepsilon, δ)$, and potentially introduces privacy vulnerabilities which can remain undetected. This motivates the need for robust, rigorous methods for comparing DP guarantees in such cases. Here, we introduce the $Δ$-divergence between mechanisms which quantifies the worst-case excess privacy vulnerability of choosing one mechanism over another in terms of $(\varepsilon, δ)$, $f$-DP and in terms of a newly presented Bayesian interpretation. Moreover, as a generalisation of the Blackwell theorem, it is endowed with strong decision-theoretic foundations. Through application examples, we show that our techniques can facilitate informed decision-making and reveal gaps in the current understanding of privacy risks, as current practices in DP-SGD often result in choosing mechanisms with high excess privacy vulnerabilities.