Individualized PATE: Differentially Private Machine Learning with Individual Privacy Guarantees

TL;DR

This paper introduces two novel methods based on PATE that enable machine learning models to have individualized privacy guarantees, improving utility while respecting diverse privacy requirements of data holders.

Contribution

The paper proposes and analyzes two new PATE-based methods for training ML models with personalized privacy guarantees, addressing limitations of uniform privacy budgets.

Findings

Individualized privacy methods outperform non-individualized baselines in accuracy.

Theoretical privacy bounds are formally established for the proposed methods.

Experimental results on MNIST, SVHN, and Adult datasets demonstrate improved privacy-utility trade-offs.

Abstract

Applying machine learning (ML) to sensitive domains requires privacy protection of the underlying training data through formal privacy frameworks, such as differential privacy (DP). Yet, usually, the privacy of the training data comes at the cost of the resulting ML models' utility. One reason for this is that DP uses one uniform privacy budget epsilon for all training data points, which has to align with the strictest privacy requirement encountered among all data holders. In practice, different data holders have different privacy requirements and data points of data holders with lower requirements can contribute more information to the training process of the ML models. To account for this need, we propose two novel methods based on the Private Aggregation of Teacher Ensembles (PATE) framework to support the training of ML models with individualized privacy guarantees. We formally describe the methods, provide a theoretical analysis of their privacy bounds, and experimentally evaluate their effect on the final model's utility using the MNIST, SVHN, and Adult income datasets. Our empirical results show that the individualized privacy methods yield ML models of higher accuracy than the non-individualized baseline. Thereby, we improve the privacy-utility trade-off in scenarios in which different data holders consent to contribute their sensitive data at different individual privacy levels.