Not one but many Tradeoffs: Privacy Vs. Utility in Differentially Private Machine Learning
Benjamin Zi Hao Zhao, Mohamed Ali Kaafar, Nicolas Kourtellis

TL;DR
This paper empirically evaluates various differential privacy implementations in machine learning, analyzing their privacy-utility tradeoffs and resistance to real-world attacks across different datasets and privacy budgets.
Contribution
It introduces a comprehensive evaluation framework for fair comparison of DP methods and highlights how the placement of noise affects privacy and utility tradeoffs.
Findings
Perturbing training data often yields better utility under high privacy constraints.
The number of classes in a dataset does not significantly affect the privacy-utility tradeoff.
Different DP implementations provide comparable privacy guarantees across datasets.
Abstract
Data holders are increasingly seeking to protect their users' privacy, whilst still maximizing their ability to produce machine models with high quality predictions. In this work, we empirically evaluate various implementations of differential privacy (DP), and measure their ability to fend off real-world privacy attacks, in addition to measuring their core goal of providing accurate classifications. We establish an evaluation framework to ensure each of these implementations is fairly evaluated. Our selection of DP implementations adds DP noise at different positions within the framework, either at the point of data collection/release, during updates while training the model, or after training by perturbing learned model parameters. We evaluate each implementation across a range of privacy budgets, and datasets, each implementation providing the same mathematical privacy guarantees.…
Taxonomy
Topics: Privacy-Preserving Technologies in Data · Ethics and Social Impacts of AI · Privacy, Security, and Data Protection
