Quantifying identifiability to choose and audit $\epsilon$ in differentially private deep learning

TL;DR

This paper introduces a method to quantify and audit the identifiability of data records in differentially private deep learning models, providing practical tools for choosing privacy parameters aligned with societal norms.

Contribution

It transforms differential privacy parameters into bounds on adversarial belief, enabling empirical auditing and tighter privacy-utility trade-offs in deep learning.

Findings

Bound on Bayesian posterior belief for privacy loss

Empirical identifiability scores for models

Tightness of bounds in practice

Abstract

Differential privacy allows bounding the influence that training data records have on a machine learning model. To use differential privacy in machine learning, data scientists must choose privacy parameters $(\epsilon,\delta)$. Choosing meaningful privacy parameters is key, since models trained with weak privacy parameters might result in excessive privacy leakage, while strong privacy parameters might overly degrade model utility. However, privacy parameter values are difficult to choose for two main reasons. First, the theoretical upper bound on privacy loss $(\epsilon,\delta)$ might be loose, depending on the chosen sensitivity and data distribution of practical datasets. Second, legal requirements and societal norms for anonymization often refer to individual identifiability, to which $(\epsilon,\delta)$ are only indirectly related. We transform $(\epsilon,\delta)$ to a bound on the Bayesian posterior belief of the adversary assumed by differential privacy concerning the presence of any record in the training dataset. The bound holds for multidimensional queries under composition, and we show that it can be tight in practice. Furthermore, we derive an identifiability bound, which relates the adversary assumed in differential privacy to previous work on membership inference adversaries. We formulate an implementation of this differential privacy adversary that allows data scientists to audit model training and compute empirical identifiability scores and empirical $(\epsilon,\delta)$.