Mechanisms used in privacy-preserving machine learning often aim to guarantee differential privacy (DP) during model training. Practical DP-ensuring training methods use randomization when fitting model parameters to privacy-sensitive data (e.g., adding Gaussian noise to clipped gradients). We demonstrate that such randomization incurs predictive multiplicity: for a given input example, the output predicted by equally-private models depends on the randomness used in training. Thus, for a given input, the predicted output can vary drastically if a model is re-trained, even if the same training dataset is used. The predictive-multiplicity cost of DP training has not been studied, and is currently neither audited for nor communicated to model designers and stakeholders. We derive a bound on the number of re-trainings required to estimate predictive multiplicity reliably. We analyze -- both theoretically and through extensive experiments -- the predictive-multiplicity cost of three DP-ensuring algorithms: output perturbation, objective perturbation, and DP-SGD. We demonstrate that the degree of predictive multiplicity rises as the level of privacy increases, and is unevenly distributed across individuals and demographic groups in the data. Because randomness used to ensure DP during training explains predictions for some examples, our results highlight a fundamental challenge to the justifiability of decisions supported by differentially-private models in high-stakes settings. We conclude that practitioners should audit the predictive multiplicity of their DP-ensuring algorithms before deploying them in applications of individual-level consequence.
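The audit recommended above can be sketched for output perturbation; this is an added example, not code from the paper. It trains one regularised logistic model, releases it many times with fresh noise, and reports how often each example's prediction departs from the majority. Assumptions: the data is constructed, the noise uses the standard Gaussian-mechanism calibration with sensitivity 2/(n*lam), and the "flip rate" is an illustrative disagreement measure rather than the paper's metric.

```python
import math, random

def make_data(n, rng):
    """Constructed data: two overlapping 2-D clusters, labels +1/-1, rows clipped to norm <= 1."""
    X, y = [], []
    for i in range(n):
        lab = 1 if i % 2 == 0 else -1
        x = [rng.gauss(0.25 * lab, 0.25), rng.gauss(0.25 * lab, 0.25)]
        norm = math.hypot(*x)
        X.append([v / max(1.0, norm) for v in x])
        y.append(lab)
    return X, y

def train_logreg(X, y, lam, steps=500, lr=0.5):
    """Non-private minimiser of mean logistic loss + (lam/2)*||w||^2, by gradient descent."""
    n, w = len(X), [0.0, 0.0]
    for _ in range(steps):
        g = [lam * wj for wj in w]
        for xi, yi in zip(X, y):
            c = -yi / (1.0 + math.exp(yi * (w[0] * xi[0] + w[1] * xi[1]))) / n
            g = [gj + c * xj for gj, xj in zip(g, xi)]
        w = [wj - lr * gj for wj, gj in zip(w, g)]
    return w

def gaussian_sigma(n, lam, eps, delta):
    """Assumed calibration: Gaussian mechanism (eps < 1) with L2 sensitivity 2/(n*lam)."""
    return (2.0 / (n * lam)) * math.sqrt(2.0 * math.log(1.25 / delta)) / eps

def flip_rates(X, w, sigma, m, rng):
    """Per-example share of m noisy releases that disagree with the majority prediction."""
    pos = [0] * len(X)
    for _ in range(m):
        # The non-private fit is deterministic, so a re-training differs only in this draw.
        wn = [wj + rng.gauss(0.0, sigma) for wj in w]
        for i, xi in enumerate(X):
            pos[i] += (wn[0] * xi[0] + wn[1] * xi[1]) >= 0
    return [min(p, m - p) / m for p in pos]

def audit(eps, n=200, lam=0.1, delta=1e-5, m=50, seed=0):
    """Return (mean flip rate, worst per-example flip rate) at privacy level eps."""
    rng = random.Random(seed)
    X, y = make_data(n, rng)
    rates = flip_rates(X, train_logreg(X, y, lam), gaussian_sigma(n, lam, eps, delta), m, rng)
    return sum(rates) / n, max(rates)

if __name__ == "__main__":
    for eps in (0.9, 0.3, 0.05):
        print(eps, audit(eps))
```

Comparing the mean with the worst per-example value shows whether disagreement is concentrated on particular examples rather than spread evenly.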