Empirical Calibration and Metric Differential Privacy in Language Models
Pedro Faustini, Natasha Fernandes, Annabelle McIver, Mark Dras
TL;DR
The paper tackles empirical privacy calibration for NLP under differential privacy, showing MIAs are unreliable indicators while gradient-based reconstruction attacks provide clearer leakage signals as the privacy budget $\epsilon$ varies. It introduces metric DP with a directional VMF mechanism (DirDP-SGD) that perturbs gradient directions using the VMF distribution and compares it to standard isotropic Gaussian DP-SGD. Using GPT-2 and BERT on IMDb, SST2, and CoLA, it demonstrates that VMF can yield competitive utility and sometimes superior protection for short texts. The study highlights task- and model-dependent privacy-utility trade-offs and motivates broader adoption of directional privacy and gradient-based diagnostics in NLP privacy research.
Abstract
NLP models trained with differential privacy (DP) usually adopt the DP-SGD framework, and privacy guarantees are often reported in terms of the privacy budget $ε$. However, $ε$ does not have any intrinsic meaning, and it is generally not possible to compare across variants of the framework. Work in image processing has therefore explored how to empirically calibrate noise across frameworks using Membership Inference Attacks (MIAs). However, this kind of calibration has not been established for NLP. In this paper, we show that MIAs offer little help in calibrating privacy, whereas reconstruction attacks are more useful. As a use case, we define a novel kind of directional privacy based on the von Mises-Fisher (VMF) distribution, a metric DP mechanism that perturbs angular distance rather than adding (isotropic) Gaussian noise, and apply this to NLP architectures. We show that, even though formal guarantees are incomparable, empirical privacy calibration reveals that each mechanism has different areas of strength with respect to utility-privacy trade-offs.