When training a machine learning model with differential privacy, one sets a privacy budget. This budget represents the maximal privacy violation that any user is willing to face by contributing their data to the training set. We argue that this approach is limited because different users may have different privacy expectations. Thus, setting a uniform privacy budget across all points may be overly conservative for some users or, conversely, not sufficiently protective for others. In this paper, we capture these preferences through individualized privacy budgets. To demonstrate their practicality, we introduce a variant of Differentially Private Stochastic Gradient Descent (DP-SGD), the canonical approach to training models with differential privacy, that supports such individualized budgets. We modify DP-SGD's data sampling and gradient noising mechanisms to arrive at our approach, which we call Individualized DP-SGD (IDP-SGD). Because IDP-SGD tailors privacy guarantees to the preferences of individual users and their data points, we find that it empirically improves privacy-utility trade-offs.
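The abstract names two levers, data sampling and gradient noising. As a loose illustration of the second lever only, the NumPy sketch below shows a DP-SGD-style step in which each clipped per-example gradient is rescaled by a per-point factor meant to reflect that point's individual budget. The function name `idp_sgd_step`, the `scales` argument, and the scaling rule are illustrative assumptions for exposition, not the paper's exact mechanism or its privacy-accounting calibration.

```python
import numpy as np

def idp_sgd_step(grads, scales, base_sigma, clip_norm, lr, params):
    """One illustrative IDP-SGD-style update (sketch, not the paper's algorithm).

    grads:  per-example gradients, shape (batch, dim)
    scales: hypothetical per-example factors derived from each point's
            individual budget (a looser budget -> a larger factor)
    """
    # Clip each per-example gradient to the norm bound, as in standard DP-SGD.
    norms = np.linalg.norm(grads, axis=1, keepdims=True)
    clipped = grads * np.minimum(1.0, clip_norm / norms)

    # Rescale each clipped gradient by its individual factor, so points with
    # looser budgets contribute more signal relative to the shared noise.
    scaled = clipped * scales[:, None]

    # Aggregate and add Gaussian noise calibrated to the clipping norm.
    noisy_sum = scaled.sum(axis=0) + np.random.normal(
        0.0, base_sigma * clip_norm, size=grads.shape[1])

    return params - lr * noisy_sum / len(grads)

# Toy usage: two privacy groups, where the second (hypothetically) accepts
# a looser budget and therefore receives a larger scaling factor.
np.random.seed(0)
params = np.zeros(5)
grads = np.random.normal(size=(8, 5))
scales = np.array([1.0, 1.0, 1.0, 1.0, 1.5, 1.5, 1.5, 1.5])
params = idp_sgd_step(grads, scales, base_sigma=1.0,
                      clip_norm=1.0, lr=0.1, params=params)
```

In the actual method, such per-point factors (or, for the sampling lever, per-point sampling rates) would have to be derived from the individual budgets via a formal privacy analysis; the constants above are placeholders.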