An Interactive Framework for Implementing Privacy-Preserving Federated Learning: Experiments on Large Language Models

Kasra Ahmadi, Rouzbeh Behnia, Reza Ebrahimi, Mehran Mozaffari Kermani, Jeremiah Birrell, Jason Pacheco, Attila A Yavuz

TL;DR

This paper tackles the challenge of privacy-preserving federated learning for large language models by recognizing that standard differential privacy can overprotect and hinder utility, especially on memory-limited devices. It proposes FLIP, a framework that introduces a human privacy practitioner and a memory-stable privacy engine using the fixed-minibatch FSRDP accountant to balance privacy and utility during LLM fine-tuning on GLUE tasks. The study provides a comprehensive evaluation of DP/FL parameter interactions across data partitions, demonstrating memory stability and modest accuracy losses (e.g., ≈1.33% at ε=10 and ≈1.9% at ε=6) compared with RDP-based approaches, and discusses the trade-offs between partition policies and accountant choices. The findings offer practical guidance for deploying privacy-preserving FL on resource-constrained devices and highlight directions for further work, including broader data modalities and adjacency considerations.

Abstract

Federated learning (FL) enhances privacy by keeping user data on local devices. However, emerging attacks have demonstrated that the updates shared by users during training can reveal significant information about their data. This has greatly thwarted the adoption of FL methods for training robust AI models in sensitive applications. Differential Privacy (DP) is considered the gold standard for safeguarding user data. However, DP guarantees are highly conservative, providing worst-case privacy guarantees. This can result in overestimating privacy needs, which may compromise the model's accuracy. Additionally, interpreting these privacy guarantees has proven to be challenging in different contexts. This is further exacerbated when other factors, such as the number of training iterations, data distribution, and specific application requirements, add further complexity to the problem. In this work, we propose a framework that integrates a human entity as a privacy practitioner to determine an optimal trade-off between the model's privacy and utility. Our framework is the first to address the variable memory requirement of existing DP methods in FL settings, where resource-limited devices (e.g., cell phones) can participate. To support such settings, we adopt a recent DP method with fixed memory usage to ensure scalable private FL. We evaluated our proposed framework by fine-tuning a BERT-based LLM using the GLUE dataset (a common approach in the literature), leveraging the new accountant, and employing diverse data partitioning strategies to mimic real-world conditions. As a result, we achieved stable memory usage, with an average accuracy reduction of 1.33% for $\epsilon = 10$ and 1.9% for $\epsilon = 6$, when compared to the state-of-the-art DP accountant, which does not support fixed memory usage.

Paper Structure

This paper contains 20 sections, 3 equations, 5 figures, 3 tables.

Figures (5)

  • Figure 1: Comparison of $\texttt{FSRDP}$ and $\texttt{RDP}$ accountant memory usage with a batch size of 120 and a dataset size of 50,000 per training epoch (birrell2024differentially).
  • Figure 2: The data flow architecture for the proposed framework
  • Figure 3: QQP Accuracy Across 5 Rounds with $\epsilon$ = 10
  • Figure 4: QNLI Accuracy Across 5 Rounds with $\epsilon$ = 10
  • Figure 5: SST2 Accuracy Across 5 Rounds with $\epsilon$ = 10