[Paper Review] Individual Privacy Accounting via a Renyi Filter
This paper introduces a personalized privacy accounting method using a Rényi differential privacy filter that tracks individual privacy loss per data point, enabling tighter privacy-utility tradeoffs in adaptive data analysis. By dynamically excluding individuals who exceed their privacy budget, the method improves utility—especially under suboptimal hyperparameter settings—without compromising privacy guarantees.
We consider a sequential setting in which a single dataset of individuals is used to perform adaptively-chosen analyses, while ensuring that the differential privacy loss of each participant does not exceed a pre-specified privacy budget. The standard approach to this problem relies on bounding a worst-case estimate of the privacy loss over all individuals and all possible values of their data, for every single analysis. Yet, in many scenarios this approach is overly conservative, especially for "typical" data points which incur little privacy loss by participation in most of the analyses. In this work, we give a method for tighter privacy loss accounting based on the value of a personalized privacy loss estimate for each individual in each analysis. To implement the accounting method we design a filter for Rényi differential privacy. A filter is a tool that ensures that the privacy parameter of a composed sequence of algorithms with adaptively-chosen privacy parameters does not exceed a pre-specified budget. Our filter is simpler and tighter than the known filter for $(ε,δ)$-differential privacy by Rogers et al. We apply our results to the analysis of noisy gradient descent and show that personalized accounting can be practical, easy to implement, and can only make the privacy-utility tradeoff tighter.
Motivation & Objective
- Address the over-conservatism of standard differential privacy composition theorems, which assume worst-case privacy loss for all individuals.
- Enable tighter privacy accounting by estimating and tracking individual-specific privacy loss per data point during adaptive analysis.
- Develop a practical, implementable method for personalized privacy budgeting that improves utility in real-world settings with suboptimal hyperparameters.
- Demonstrate that personalized accounting can yield significant accuracy gains in differentially private optimization, especially when model hyperparameters are not optimally tuned.
Proposed method
- Propose a personalized privacy loss estimate for each individual, computed as the Rényi divergence between the output distributions of an algorithm when applied to datasets differing by that individual’s data.
- Design a Rényi privacy filter that ensures the cumulative privacy loss for each individual remains within a pre-specified budget across adaptive compositions.
- Use the filter to dynamically exclude data points whose estimated privacy loss exceeds their remaining budget, allowing only active points to participate in subsequent analyses.
- Apply the method to differentially private stochastic gradient descent (DP-SGD), where the privacy budget is tracked per data point based on gradient norms and noise injection.
- Implement the filter using Rényi differential privacy (RDP), which allows for tighter composition bounds than traditional (ε,δ)-DP, especially under adaptive settings.
- Integrate the filter into optimization pipelines by adjusting clipping and noise levels per data point, ensuring privacy is preserved while maximizing model utility.
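An added example, not code from the paper or from this review: a minimal sketch of the per-point Rényi accounting described in the list above, applied to noisy gradient descent. It assumes add/remove adjacency, so a point's sensitivity is its clipped gradient norm, and uses the standard Gaussian-mechanism RDP bound α·s²/(2σ²); all function names, the toy data and the parameter values are constructed for illustration.

```python
import math
import random

def gaussian_rdp(alpha, sensitivity, sigma):
    # Order-alpha RDP of the Gaussian mechanism: alpha * s^2 / (2 * sigma^2).
    return alpha * sensitivity ** 2 / (2 * sigma ** 2)

def clip(vec, c):
    # Scale vec to L2 norm at most c; return the clipped vector and its norm.
    norm = math.sqrt(sum(v * v for v in vec))
    scale = min(1.0, c / norm) if norm > 0 else 1.0
    return [v * scale for v in vec], min(norm, c)

def worst_case_steps(alpha, clip_c, sigma, budget):
    # Standard accounting charges every point the clipping bound at every step.
    return int(budget // gaussian_rdp(alpha, clip_c, sigma))

def filtered_noisy_gd(grad_fn, data, w, steps, lr, clip_c, sigma, alpha, budget, rng):
    spent = [0.0] * len(data)   # cumulative individual RDP loss per point
    used = [0] * len(data)      # number of steps each point took part in
    for _ in range(steps):
        total = [0.0] * len(w)
        for i, x in enumerate(data):
            g, norm = clip(grad_fn(w, x), clip_c)
            loss = gaussian_rdp(alpha, norm, sigma)  # add/remove adjacency assumed
            if spent[i] + loss > budget:
                continue        # filter: point is dropped from this step
            spent[i] += loss
            used[i] += 1
            total = [t + gi for t, gi in zip(total, g)]
        noisy = [t + rng.gauss(0.0, sigma) for t in total]
        w = [wi - lr * ni / len(data) for wi, ni in zip(w, noisy)]
    return w, spent, used

def demo():
    # Constructed data: four typical points near the start, one outlier.
    data = [[0.0], [0.05], [-0.05], [0.1], [5.0]]
    grad = lambda w, x: [w[0] - x[0]]   # gradient of 0.5 * (w - x)^2
    return filtered_noisy_gd(grad, data, [0.0], steps=20, lr=0.1, clip_c=1.0,
                             sigma=2.0, alpha=2.0, budget=1.0,
                             rng=random.Random(0))
```

With these constructed parameters, worst-case accounting would halt training for every point after 4 steps; under the filter only the outlier, whose gradient always hits the clipping bound, is dropped at that point, while the typical points keep contributing.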
Experimental results
Research questions
- RQ1: Can personalized privacy accounting reduce the over-conservative nature of standard composition theorems in adaptive data analysis?
- RQ2: How can individual privacy loss be estimated and tracked in a way that remains compatible with adaptive composition theorems?
- RQ3: What is the impact of personalized privacy accounting on model utility in differentially private training, especially when hyperparameters are suboptimal?
- RQ4: Can a Rényi-based privacy filter be both simpler and tighter than existing filters for (ε,δ)-differential privacy?
- RQ5: To what extent does individual filtering improve performance in real-world settings where hyperparameter tuning is impractical?
Key findings
- The proposed Rényi filter provides a simpler and tighter privacy accounting mechanism than existing (ε,δ)-DP filters, particularly in adaptive settings.
- In differentially private SGD, individual privacy accounting leads to measurable accuracy improvements: for ε=0.3, accuracy increased from 84.47% to 92.25% under suboptimal clipping.
- For ε=0.5, accuracy improved from 92.07% to 94.30% when using suboptimal clipping, demonstrating significant gains in non-optimized regimes.
- Even under suboptimal noise levels, the method improved accuracy from 86.88% to 91.20% at ε=0.3, showing robustness to hyperparameter misconfigurations.
- The benefits of individual filtering are most pronounced at small ε values, where the utility gap between tuned and suboptimal settings is largest.
- The method is practical and easy to implement, as shown by successful integration into private training pipelines with minimal changes to existing codebases.
This review was created by AI and reviewed by human editors.