How to DP-fy ML: A Practical Guide to Machine Learning with Differential Privacy

Abstract: ML models are ubiquitous in real world applications and are a constant focus of research. At the same time, the community has started to realize the importance of protecting the privacy of ML training data. Differential Privacy (DP) has become a gold standard for making formal statements about data anonymization. However, while some adoption of DP has happened in industry, attempts to apply DP to real world complex ML models are still few and far between. The adoption of DP is hindered by limited practical guidance of what DP protection entails, what privacy guarantees to aim for, and the difficulty of achieving good privacy-utility-computation trade-offs for ML models. Tricks for tuning and maximizing performance are scattered among papers or stored in the heads of practitioners. Furthermore, the literature seems to present conflicting evidence on how and whether to apply architectural adjustments and which components are "safe" to use with DP. This work is a self-contained guide that gives an in-depth overview of the field of DP ML and presents information about achieving the best possible DP ML model with rigorous privacy guarantees. Our target audience is both researchers and practitioners. Researchers interested in DP for ML will benefit from a clear overview of current advances and areas for improvement. We include theory-focused sections that highlight important topics such as privacy accounting and its assumptions, and convergence. For a practitioner, we provide a background in DP theory and a clear step-by-step guide for choosing an appropriate privacy definition and approach, implementing DP training, potentially updating the model architecture, and tuning hyperparameters. For both researchers and practitioners, consistently and fully reporting privacy guarantees is critical, and so we propose a set of specific best practices for stating guarantees.

• The paper provides a practical guide and comprehensive survey on integrating differential privacy into machine learning models, discussing theoretical foundations and implementation approaches.
• Key methods explored include applying differential privacy at the input level, during training via algorithms like DP-SGD, and at the model output or prediction stage.
• Practical considerations highlighted involve crucial trade-offs between privacy and model utility, effective hyperparameter tuning, and careful selection of data processing patterns.

An Overview of Differential Privacy in Machine Learning: A Practical Guide

The paper "How to DP-fy ML: A Practical Guide to Machine Learning with Differential Privacy" by Natalia Ponomareva et al. provides a comprehensive survey of integrating differential privacy (DP) into ML models. The paper articulates the challenges of deploying DP in real-world applications and provides structured guidance for researchers and practitioners. Below, we summarize the key aspects covered in the paper, focusing on the theoretical underpinnings, practical considerations, and implications of applying DP in ML.

Theoretical Foundations and Mechanisms

Differential privacy is established as the gold standard for data anonymization. The paper discusses both exact ($-DP) and approximate ($(\epsilon, \delta)$$-DP) definitions. It emphasizes the importance of understanding the sensitivity of queries, which impacts the level of noise required to achieve DP guarantees. The mechanisms detailed include: - **Laplace Mechanism**: Suitable for queries with$$\ell_1$-sensitivity, ensuring$-DP.

• Gaussian Mechanism: Applied for $\ell_2$-sensitivity, providing $(\epsilon, \delta)$-DP and often preferred for high-dimensional data.
• Exponential Mechanism: Used when outputs are non-numeric, connected to a scoring function that quantifies the quality of outputs relative to the data.

These mechanisms are pivotal in creating building blocks for more complex DP systems.

Differential Privacy in Machine Learning

The survey explores several approaches to implement DP in ML:

1. DP at the Input Level: This includes local differential privacy (LDP) and mechanisms such as DP-fying the inputs via noise induction in features or generating DP-compliant synthetic data.
2. DP During Training: This is the focal point of many applications, with DP-SGD being extensively explored. The algorithm applies noise to the gradients during training, enabling end-to-end training with privacy guarantees.
3. Model Output and Prediction-Level DP: Adding DP mechanisms to the predictions rather than the training process, suitable when models operate as black-box services.

Practical Considerations and Challenges

The adoption of DP in practice is challenged by trade-offs between privacy, utility, and computation. The paper highlights:

• Hyperparameter Tuning: Critical to achieving feasible utility while maintaining DP. Specific guidelines for tuning batch sizes, gradient clipping norms, and noise multipliers are provided. Effective hyperparameter search can significantly influence the utility-privacy balance.
• Data Processing Patterns: The paper discusses the nuances of data sampling methods—Poisson sampling, batch shuffling, and sequential composition—and their implications on privacy guarantees.
• Utility and Architectural Adjustments: Empirical observations suggest strategies such as using bounded activation functions and modifying architectures to achieve better privacy-utility trade-offs.

Implications and Future Directions

The paper concludes with several implications:

• Auditability and Transparency: Emphasizes the necessity for rigorous reporting of DP implementations, including detailing the units of privacy, data processing assumptions, and the mechanisms used.
• Real-world Applications: While there are few documented production uses of DP in ML, as seen with Gboard's LLM, these instances illustrate the feasibility and limitations of current approaches.
• Open Challenges: Points to ongoing research directions, such as improving the privacy accounting methods for DP mechanisms and exploring DP in federated learning.

In summary, this paper serves as a vital resource for understanding and implementing DP in machine learning. It bridges theoretical aspects with practical implementations, providing both a detailed overview for experts and actionable guidelines for practitioners aiming to responsibly integrate privacy in AI systems. Future advancements in this domain will likely focus on refining computational efficiency and expanding the applicability of DP to more complex data modalities and machine learning frameworks.