Privacy-Preserving In-Context Learning for Large Language Models
Tong Wu, Ashwinee Panda, Jiachen T. Wang, Prateek Mittal

TL;DR
This paper introduces Differentially Private In-context Learning (DP-ICL), a method that privatizes an LLM's responses so that sensitive information contained in the in-context exemplars does not leak, while maintaining high accuracy across classification and generation tasks.
Contribution
The paper proposes a novel DP-ICL paradigm that privatizes in-context learning responses using ensemble-based noisy consensus, applicable to various NLP tasks.
Findings
DP-ICL achieves a strong utility-privacy tradeoff.
Effective privatization for text classification and language generation.
Empirical results on multiple benchmarks demonstrate its effectiveness.
Abstract
In-context learning (ICL) is an important capability of Large Language Models (LLMs), enabling these models to dynamically adapt based on specific, in-context exemplars, thereby improving accuracy and relevance. However, an LLM's responses may leak the sensitive private information contained in the in-context exemplars. To address this challenge, we propose Differentially Private In-context Learning (DP-ICL), a general paradigm for privatizing ICL tasks. The key idea of the DP-ICL paradigm is to generate differentially private responses through a noisy consensus among an ensemble of LLM responses, each based on a disjoint exemplar set. Building on this general paradigm, we instantiate several techniques showing how to privatize ICL for text classification and language generation. We evaluate DP-ICL on four text classification benchmarks and two language generation tasks, and our empirical results…
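The abstract describes the mechanism only at a high level: partition the private exemplars into disjoint sets, query the LLM once per set, and release a noisy consensus of the answers. The Python sketch below is an added illustration of that idea for the classification case and is not the paper's code. It makes three assumptions that are not in the abstract: the per-member "LLM" is a constructed keyword scorer (`exemplar_classifier`) that depends only on its own exemplar subset, the consensus is a Report-Noisy-Max over the vote histogram with Gaussian noise, and the noise scale is calibrated with the classical Gaussian-mechanism bound rather than the paper's own accounting. The exemplars and queries are constructed toy data.

```python
import math
import random
from collections import Counter

# Constructed toy exemplars standing in for a private labelled dataset
# (not data from the paper).
PRIVATE_EXEMPLARS = [
    ("the film was a delight", "pos"),
    ("boring tedious mess", "neg"),
    ("wonderful acting and a great script", "pos"),
    ("terrible pacing and flat characters", "neg"),
    ("not worth the ticket price", "neg"),
    ("i loved every delightful minute", "pos"),
    ("dull and forgettable", "neg"),
    ("a charming and funny film throughout", "pos"),
]
LABELS = ["pos", "neg"]
POS_QUERY = "a delightful film with great acting wonderful script"
NEG_QUERY = "dull boring film with terrible pacing"


def exemplar_classifier(exemplars, query, labels):
    """Hypothetical stand-in for one LLM call prompted with `exemplars`.

    Scores the query by word overlap with the exemplars of each label, so the
    output depends only on this member's exemplars, as an ICL prompt would.
    Ties go to the first label in `labels`.
    """
    lexicon = {label: set() for label in labels}
    for text, label in exemplars:
        lexicon[label].update(text.split())
    query_words = set(query.split())
    return max(labels, key=lambda label: len(lexicon[label] & query_words))


def partition(exemplars, k):
    """Split the private exemplars into k disjoint subsets (round-robin)."""
    return [exemplars[j::k] for j in range(k)]


def vote_histogram(members, query, labels, classify=exemplar_classifier):
    """One vote per ensemble member; returns counts in `labels` order."""
    counts = Counter(classify(member, query, labels) for member in members)
    return [counts[label] for label in labels]


def gaussian_sigma(eps, delta, l2_sensitivity):
    """Noise scale for the classical Gaussian mechanism (Dwork & Roth, Thm A.1).

    Only valid for 0 < eps < 1 and known to be loose; the paper's own accounting
    is not reproduced here.
    """
    if not 0 < eps < 1:
        raise ValueError("this calibration is only valid for 0 < eps < 1")
    return math.sqrt(2 * math.log(1.25 / delta)) * l2_sensitivity / eps


def noisy_consensus(hist, sigma, seed=0):
    """Report-Noisy-Max: add Gaussian noise to every bin, return the argmax index."""
    rng = random.Random(seed)
    noisy = [count + rng.gauss(0.0, sigma) for count in hist]
    return max(range(len(hist)), key=noisy.__getitem__)


def vote_margin(hist):
    """Gap between the top two bins: the signal the noise has to preserve."""
    top = sorted(hist, reverse=True)
    return top[0] - top[1]


def dp_icl_classify(exemplars, query, labels, k, eps, delta, seed=0):
    """Privatized classification of one query.

    Because the k exemplar sets are disjoint, adding, removing or changing one
    exemplar changes at most one member's vote, so the histogram moves by 1 in
    at most two bins: L2 sensitivity sqrt(2).
    """
    members = partition(exemplars, k)
    hist = vote_histogram(members, query, labels)
    sigma = gaussian_sigma(eps, delta, math.sqrt(2))
    return labels[noisy_consensus(hist, sigma, seed)], hist, sigma


def max_queries(eps_budget, eps_per_query):
    """Queries answerable under basic composition (n queries cost n*eps, n*delta)."""
    return int(eps_budget // eps_per_query)


if __name__ == "__main__":
    for query in (POS_QUERY, NEG_QUERY):
        label, hist, sigma = dp_icl_classify(
            PRIVATE_EXEMPLARS, query, LABELS, k=4, eps=0.5, delta=1e-5)
        print(f"{query!r}: votes={hist} margin={vote_margin(hist)} "
              f"sigma={sigma:.1f} -> {label}")
    print("queries affordable with eps_total=10 at eps=0.5 each:",
          max_queries(10, 0.5))
```

Running it makes the practical caveat visible: with only four ensemble members the vote margin is at most 4, while eps=0.5 and delta=1e-5 already require a noise scale above 13, so the released label is close to a coin flip. Usable accuracy needs a large ensemble relative to the noise (many disjoint exemplar sets), and each answered query spends budget, which is why the number of queries a deployment can serve is bounded.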
Peer Reviews
Decision: ICLR 2024 poster
1. **Well-motivated problem.** Differential privacy of LLMs is an interesting and important problem.
1. **Room for improvement in the draft.** First, lots of details are currently missing. For example, there is no explanation of how $\epsilon$ determines the noise $\sigma$. While there is no explicit mention in the main draft, the results in Appendix B (Theorems 3 and 4) might be used. But, even if this is true, there is no mention of how $\delta$ is set. In addition, how is the given number of queries (e.g., 10,000 queries in Sec 4.1) used by the algorithm? In Algorithms 1~4, there is no rele
1. The problem the authors are studying is timely, as practitioners are not really fine-tuning models any more and rely on prompting more and more, therefore solutions like DP-SGD are not relevant. 2. The paper is very well-written and flows really well. The visuals are well-crafted and help the understanding of the paper a lot. 3. I like how thorough the paper is, in terms of the cases they study: classification and generation, and I also like the workarounds proposed for generation to limit
1. Limited number of queries: as there is budget expenditure per query, the model deployed with DP-ICL can only be queried a limited number of times, making the method/data unusable after the budget is finished. This is not a huge concern in scenarios where there is temporal data available, and the in-context examples would get updated regularly. However, it could be a problem during deployment for long term. 2. Zero-shot performance is already really high, would probably be even higher for GPT
The proposed methods are intuitive, and in the experimental section the authors find that DP-ICL achieves performance comparable to non-private ICL. The experimental studies are thorough, ranging over text classification, question answering, and summarization. In particular, the proposed framework can be applied to QA and summarization, which are complex and challenging tasks.
It is a little confusing how the authors analyzed the sensitivity and how the neighboring databases are defined. How much extra cost (monetary and privacy budget) does the proposed framework incur? It would be great if the authors could include some insights on the cost vs. accuracy trade-off. Is comparing 4-shot vs. 0-shot a fair comparison? In the related work section, the authors mention work using examples from a public dataset. Perhaps a better comparison is between private 4-shot using ex
Taxonomy
Topics: Privacy-Preserving Technologies in Data
