6.4.10AI Safety & Alignment

Privacy (differential privacy, membership inference)

3,058 words14 min readdifficulty · medium2 backlinks

Overview

Machine learning models can memorize training data, creating serious privacy risks. Two key concepts protect against this:

  1. Differential Privacy (DP): A mathematical framework guaranteeing that any individual's data has minimal impact on model outputs
  2. Membership Inference Attacks: Adversarial techniques that determine whether a specific record was in the training set

These form complementary perspectives: DP is the defense, membership inference is the attack that motivates the defense.


Core Intuition


Differential Privacy: The Mathematical Defense

Deriving the Privacy Guarantee

Step 1: What does "neighboring datasets" mean?

There are two standard definitions of "neighboring," and they change the sensitivity by a factor of 2:

  • Add/Remove definition: D2D_2 is D1D_1 with one record added or removed. D1D2|D_1| \neq |D_2|.
  • Replace-one definition: D2D_2 is D1D_1 with one record replaced by another. D1=D2|D_1| = |D_2|.

Example (add/remove):

  • D1={x1,x2,,xn}D_1 = \{x_1, x_2, \ldots, x_n\}
  • D2={x1,x2,,xn,xn+1}D_2 = \{x_1, x_2, \ldots, x_n, x_{n+1}\} (one extra person)

Why this matters: Under add/remove, a summed query changes by at most one record's contribution. Under replace-one, it can change by two record's worth (remove old + add new), doubling the sensitivity. We state which definition we use in every derivation below.

Step 2: Why the exponential bound?

Take the ratio of probabilities:

Pr[M(D1)S]Pr[M(D2)S]eε\frac{\Pr[\mathcal{M}(D_1) \in S]}{\Pr[\mathcal{M}(D_2) \in S]} \leq e^{\varepsilon}

Why this form? The exponential makes ε additive under composition (we'll see why this matters). For small ε, eε1+εe^{\varepsilon} \approx 1 + \varepsilon, meaning probabilities are "close."

Step 3: What's a "mechanism"?

A mechanism M\mathcal{M} is any algorithm that takes data and produces output. For ML:

  • Computing gradients
  • Releasing model parameters
  • Answering queries about data statistics

The guarantee: An adversary with unlimited computational power, seeing M(D)\mathcal{M}(D), cannot confidently determine whether any specific individual is in DD.

Why this step? The Laplace distribution's exponential tails create the exact bound we need. Gaussian noise doesn't satisfy pure DP (though it satisfies approximate DP).

DP-SGD: Differential Privacy in Deep Learning

Standard SGD computes:

θt+1=θtη1Bi=1Bθ(θt,xi)\theta_{t+1} = \theta_t - \eta \cdot \frac{1}{B}\sum_{i=1}^B \nabla_\theta \ell(\theta_t, x_i)

Problem: Each gradient (θ,xi)\nabla \ell(\theta, x_i) can contain unbounded information about individual xix_i.

DP-SGD Fix (Abadi et al., 2016):

  1. Clip each gradient: gˉi=gi/max(1,gi2/C)\bar{g}_i = g_i / \max(1, \|g_i\|_2 / C)

    • Why? Bounds each per-example gradient norm to CC. Under the add/remove neighboring definition, removing one clipped gradient from the sum igˉi\sum_i \bar{g}_i changes it by at most CC, so the sensitivity of the summed gradient is Δ=C\Delta = C. (Under the replace-one definition it would be 2C2C, since you remove one contribution of norm C\leq C and add another.) We use add/remove throughout.
  2. Add Gaussian noise: To the summed clipped gradient igˉi\sum_i \bar{g}_i we add noise with standard deviation proportional to the sensitivity CC: g~=1B(i=1Bgˉi+N(0,σ2C2I))\tilde{g} = \frac{1}{B}\left(\sum_{i=1}^B \bar{g}_i + \mathcal{N}(0, \sigma^2 C^2 I)\right)

    • Why the 1/B1/B outside? Noise is calibrated to the sensitivity of the sum (σC\sim \sigma C), and then the whole sum (signal + noise) is averaged by 1/B1/B. Equivalently, the noise added to the averaged gradient has standard deviation σC/B\sigma C / B per coordinate. Both statements describe the same mechanism; the noise is scaled to sensitivity CC of the sum before averaging.
    • Why Gaussian? We use (ε, δ)-DP (approximate DP) where small failure probability δ is acceptable.
  3. Update: θt+1=θtηg~\theta_{t+1} = \theta_t - \eta \tilde{g}

Privacy accounting: After TT steps with Poisson subsampling rate q=B/Nq = B/N, privacy degrades. The moments accountant / advanced-composition bound for the subsampled Gaussian mechanism is:

ε(T)    q2Tln(1/δ)/σ\varepsilon(T) \;\approx\; q \,\sqrt{2\,T \ln(1/\delta)} \,\Big/\, \sigma

Why this scaling? Privacy loss accumulates as T\sqrt{T} (not linearly!) due to advanced composition, and is amplified by subsampling through the factor q=B/Nq = B/N: an individual only appears in a qq fraction of steps. Note the sensitivity CC and batch size BB do not appear separately here — they are absorbed into the noise multiplier σ\sigma (the ratio of noise std to sensitivity), which is the quantity that actually controls privacy.


Membership Inference Attacks: The Threat

Why Models Leak Membership

Core insight: Models overfit to training data, behaving differently on train vs test examples.

Signal 1: Confidence

  • Training examples → high confidence predictions
  • Test examples → lower confidence

Why? The model has "seen" training examples many times, memorizing details.

Signal 2: Loss value

  • Training loss < Test loss (by definition of overfitting)
  • If (f,x)\ell(f, x) is unusually low, xx likely in training set

The Classic Attack (Shokri et al., 2017)

Setup:

  • Target model ftargetf_{\text{target}} trained on DtargetD_{\text{target}}
  • Attacker has access to ftarget(x)f_{\text{target}}(x) (black-box queries)
  • Attacker trains shadow models on similar data

Attack Steps:

  1. Train shadow models: fshadow(1),,fshadow(k)f_{\text{shadow}}^{(1)}, \ldots, f_{\text{shadow}}^{(k)} on datasets D1,,DkD_1, \ldots, D_k

    • Why? Simulate target model's behavior to generate training data
  2. Create attack training set:

    • For each shadow model, label examples as "in" or "out" of training
    • Features: prediction vector fshadow(x)=[p1,,pC]f_{\text{shadow}}(x) = [p_1, \ldots, p_C]
  3. Train binary classifier: A(f(x)){0,1}\mathcal{A}(f(x)) \to \{0, 1\}

    • Input: prediction confidence scores
    • Output: membership prediction
  4. Apply to target: Use A(ftarget(x))\mathcal{A}(f_{\text{target}}(x)) to infer membership


The DP-Privacy Connection

Privacy-Utility Tradeoff

The fundamental tension:

Utility1σ21ε2\text{Utility} \propto \frac{1}{\sigma^2} \propto \frac{1}{\varepsilon^2}

  • Low ε (strong privacy): Need large noise → poor model accuracy
  • High ε (weak privacy): Less noise → better accuracy but more leakage

Practical values:

  • ε < 1: Strong privacy, significant utility loss
  • ε = 1-10: Moderate privacy, acceptable utility
  • ε > 10: Weak privacy, minimal utility impact

Why no free lunch? Information-theoretically, learning requires extracting signal from data. Privacy requires hiding individual contributions. These goals conflict.


Common Mistakes

Concept Map

creates

motivates

attack

defense

determines record in training set

guarantees via

defined over

add/remove or replace-one

scales

applies to

bounds impact of

counters

Model memorizes training data

Privacy risk

Two key concepts

Membership Inference

Differential Privacy

epsilon-DP bound e^epsilon

Neighboring datasets

Sensitivity

Randomized mechanism M

Gradients and parameters

Any individual record

Hinglish (regional understanding)

Intuition Hinglish mein samjho

Dekho, yaha core baat samajhne ki hai — ML models sirf patterns nahi seekhte, wo apne training data ko literally memorize bhi kar lete hain. Matlab agar tumne kisi language model ko private emails pe train kiya, to wo model kisi ki private email word-by-word wapas nikaal sakta hai. Ya ek medical classifier bata sakta hai ki kisi specific person ka record training set mein tha ya nahi. Traditional privacy poochti thi "kya tum raw data dekh sakte ho?" — par ML privacy ek deeper sawaal poochti hai: "kya tum model se hi individuals ke baare mein infer kar sakte ho?" Yahi reason hai ki model khud ek privacy leak ban jaata hai, chahe tum training data kabhi na dekho.

Ab isse bachne ke liye do concepts kaam aate hain jo ek dusre ke opposite side pe khade hain. Membership Inference Attack ek adversarial technique hai jo pata lagati hai ki koi specific record training mein tha ya nahi — ye attack hai. Aur Differential Privacy (DP) uska defense hai. DP ka core idea simple intuition pe based hai: agar kisi ek bhi individual ka data add ya remove karne se model ke output pe bilkul minimal farak padta hai, to attacker kabhi confidently nahi keh paayega ki wo banda dataset mein tha ya nahi. Mathematically ye guarantee "epsilon" se control hoti hai — jitna chhota epsilon, utni strong privacy. Practically ye Laplace noise add karke achieve karte hain, jaha noise ka amount "sensitivity" (Δf) pe depend karta hai — yaani ek record maximum kitna output badal sakta hai.

Ye matter isliye karta hai kyunki aaj real-world mein healthcare, finance, aur personal data pe models train ho rahe hain, aur ek chhoti si leak legal aur ethical disaster ban sakti hai. DP ki khoobsurti ye hai ki ye ek mathematical guarantee deta hai — even agar attacker ke paas unlimited computing power ho, tab bhi wo individual ke baare mein confidently kuch nahi nikaal paayega. Isliye jab bhi tum sensitive data pe ML padhoge, ye samajhna zaroori hai ki privacy ek afterthought nahi, balki design ka core part honi chahiye — attack aur defense dono ko saath samajhna hi asli picture deta hai.

Go deeper — visual, from zero

Test yourself — AI Safety & Alignment

Connections