Open LLMs are Necessary for Current Private Adaptations and Outperform their Closed Alternatives

TL;DR

Open LLMs are essential for private data adaptation, outperforming closed models in privacy, cost, and performance, as current methods for closed LLMs leak private data and are less effective.

Contribution

This paper provides a comprehensive analysis of recent private adaptation methods for closed LLMs, highlighting their privacy leaks, performance limitations, and cost issues, advocating for open LLMs.

Findings

All methods leak query data to LLM providers.

Most methods leak significant private training data.

Open LLMs outperform closed LLM adaptation methods in privacy and cost.

Abstract

While open Large Language Models (LLMs) have made significant progress, they still fall short of matching the performance of their closed, proprietary counterparts, making the latter attractive even for the use on highly private data. Recently, various new methods have been proposed to adapt closed LLMs to private data without leaking private information to third parties and/or the LLM provider. In this work, we analyze the privacy protection and performance of the four most recent methods for private adaptation of closed LLMs. By examining their threat models and thoroughly comparing their performance under different privacy levels according to differential privacy (DP), various LLM architectures, and multiple datasets for classification and generation tasks, we find that: (1) all the methods leak query data, i.e., the (potentially sensitive) user data that is queried at inference time, to the LLM provider, (2) three out of four methods also leak large fractions of private training data to the LLM provider while the method that protects private data requires a local open LLM, (3) all the methods exhibit lower performance compared to three private gradient-based adaptation methods for local open LLMs, and (4) the private adaptation methods for closed LLMs incur higher monetary training and query costs than running the alternative methods on local open LLMs. This yields the conclusion that, to achieve truly privacy-preserving LLM adaptations that yield high performance and more privacy at lower costs, taking into account current methods and models, one should use open LLMs.