It's My Data Too: Private ML for Datasets with Multi-User Training Examples

Arun Ganesh, Ryan McKenna, Brendan McMahan, Adam Smith, Fan Wu

TL;DR

This work defines and analyzes private model training under multi-attribution user-level DP, where each training example may involve multiple users. It introduces fixed-graph DP and the contribution-bounding preprocessing that selects a subset S with at most $k$ examples per user, enabling standard DP-SGD/DP-MF training with established privacy accounting. The authors propose greedy baselines for the challenging NP-hard contribution-bounding problem, compare DP-SGD and DP-MF across tasks, and examine the bias–variance tradeoff inherent in subset selection. Empirical results on arXiv transformer fine-tuning and synthetic logistic regression illustrate when duplicates help, how DP algorithms compare, and how bias mitigation affects performance, providing practical guidance for private multi-user learning. Overall, the paper advances practical DP training for data with overlapping user contributions by combining formal privacy definitions, algorithmic preprocessing, and empirical evaluation of tradeoffs.

Abstract

We initiate a study of algorithms for model training with user-level differential privacy (DP), where each example may be attributed to multiple users, which we call the multi-attribution model. We first provide a carefully chosen definition of user-level DP under the multi-attribution model. Training in the multi-attribution model is facilitated by solving the contribution bounding problem, i.e. the problem of selecting a subset of the dataset for which each user is associated with a limited number of examples. We propose a greedy baseline algorithm for the contribution bounding problem. We then empirically study this algorithm for a synthetic logistic regression task and a transformer training task, including studying variants of this baseline algorithm that optimize the subset chosen using different techniques and criteria. We find that the baseline algorithm remains competitive with its variants in most settings, and build a better understanding of the practical importance of a bias-variance tradeoff inherent in solutions to the contribution bounding problem.

Paper Structure

This paper contains 22 sections, 3 equations, 16 figures, 4 algorithms.

Figures (16)

  • Figure 1: Different approaches to DP modeling for a toy email dataset. Each training example is the text of an email message. Viewing the dataset simply as a flat list of messages, (a), naturally gives rise to example-level DP. This may be too weak of a notion, as the same "secret" might occur in multiple emails. In (b), each email is attributed to the sender only, which leads to the standard (single-attribution) user-level DP notion. Again, this may not be sufficient if some secret from user Bob was contained both in emails he sent and received (for example, suppose he receives a message from Alice "Hi Bob, I hope your recovery from surgery is going well."). To address this issue, in the section on multi-attributorship we use a hypergraph model of the dataset, (c): We attribute each example to the full set of senders and receivers, leading to the hypergraph with nodes (users) $V = (A, B, C, D)$ and edges (examples) $E = (e_1 = \{A, B\}, e_2 = \{A, B, C\}, e_3 = \{B, D\}, e_4 = \{C, B\}, e_5 = \{D, C\})$. With this structure, in (d) we can apply our contribution bounding algorithms (see the contribution bounding section) to select a subset of the training examples $S$ so that each user contributes at most $k$ selected examples, for example selecting $S = \{e_1, e_4, e_5\}$ satisfies $k=2$. After this pre-processing, user-level DP guarantees can be obtained using relatively standard ML infrastructure and DP algorithms.
  • Figure 2: Results on the arXiv dataset. We plot the test loss as a function of $\varepsilon$.
  • Figure 3: Impact of duplication in the regression task.
  • Figure 4: Comparing DP-SGD vs. DP-MF in regression.
  • Figure 5: Examples selected by the greedy algorithm and the ILP from the arXiv dataset.
  • ...and 11 more figures
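
The contribution bounding step from Figure 1, as an added example (not code from the paper): a simple one-pass greedy that keeps an example only while every attributed user is below the budget $k$, plus a checker for the per-user bound. The function names and the fixed processing order are assumptions made here; the paper's own greedy baseline and its variants may order or score examples differently.

```python
from collections import Counter

# Toy email hypergraph from Figure 1: example id -> set of attributed users.
EXAMPLES = {
    "e1": {"A", "B"},
    "e2": {"A", "B", "C"},
    "e3": {"B", "D"},
    "e4": {"C", "B"},
    "e5": {"D", "C"},
}


def greedy_bound(examples, k, order=None):
    """One-pass greedy (illustrative): keep an example only if every
    user it is attributed to has fewer than k kept examples so far."""
    used = Counter()
    selected = []
    for ex_id in (order or list(examples)):
        users = examples[ex_id]
        if all(used[u] < k for u in users):
            selected.append(ex_id)
            used.update(users)  # charge one unit of budget to each user
    return selected


def max_contribution(examples, selected):
    """Largest number of selected examples attributed to any single user."""
    counts = Counter(u for ex_id in selected for u in examples[ex_id])
    return max(counts.values(), default=0)


def is_k_bounded(examples, selected, k):
    """True if no user is attributed to more than k selected examples."""
    return max_contribution(examples, selected) <= k


if __name__ == "__main__":
    s = greedy_bound(EXAMPLES, k=2)
    print("k=2, dataset order:", s, is_k_bounded(EXAMPLES, s, 2))
    # The caption's subset is a different, equally valid selection for k=2.
    print("caption subset ok:", is_k_bounded(EXAMPLES, ["e1", "e4", "e5"], 2))
    # Processing order changes how many examples survive for the same k.
    print("k=1, dataset order:", greedy_bound(EXAMPLES, k=1))
    print("k=1, e2 first:", greedy_bound(EXAMPLES, 1, ["e2", "e1", "e3", "e4", "e5"]))
```

With $k=1$ the dataset order keeps two examples while starting from $e_2$ keeps only one, which is the order sensitivity that makes choosing a large subset hard.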

Theorems & Definitions (2)

  • Definition 2.1
  • Definition 2.2: FangDY22