Quantifying Information Disclosure During Gradient Descent Using Gradient Uniqueness
This addresses privacy concerns for organizations and researchers publishing ML models, offering a novel auditing method with improved utility.
The paper tackles the problem of quantifying private information disclosure when publishing machine learning models by introducing a metric called gradient uniqueness, which provides an upper bound on information leakage and achieves privacy comparable to DP-SGD with better testing accuracy.
Disclosing private information via publication of a machine learning model is often a concern. Intuitively, publishing a learned model should be less risky than publishing a dataset. But how much risk is there? In this paper, we present a principled disclosure metric called \emph{gradient uniqueness} that is derived from an upper bound on the amount of information disclosure from publishing a learned model. Gradient uniqueness provides an intuitive way to perform privacy auditing. The mathematical derivation of gradient uniqueness is general, and does not make any assumption on the model architecture, dataset type, or the strategy of an attacker. We examine a simple defense based on monitoring gradient uniqueness, and find that it achieves privacy comparable to classical methods such as DP-SGD, while being substantially better in terms of (utility) testing accuracy.