Can Differentially Private Fine-tuning LLMs Protect Against Privacy Attacks?
Hao Du, Shang Liu, Yang Cao
TL;DR
This paper investigates whether differentially private fine‑tuning can mitigate privacy attacks on LLMs across both full and parameter‑efficient fine‑tuning (PEFT) methods. It systematically evaluates DP via a Book Keeping DP mechanism against two empirical attacks—data extraction and SPV‑MIA—across GPT‑2 and GPT‑2 XL, varying privacy budgets. The study finds that DP generally reduces empirical privacy risk but degrades model utility, with the severity of utility loss depending on the fine‑tuning method; full fine‑tuning offers the best privacy‑utility balance under DP, while LoRA and P‑tuning trade off utility and privacy differently, and prefix‑tuning performs poorly under DP. The results provide practical guidance for privacy‑sensitive deployments and highlight directions for optimizing the DP‑utility trade‑off in future PEFT research.
Abstract
Fine-tuning large language models (LLMs) has become an essential strategy for adapting them to specialized tasks; however, this process introduces significant privacy challenges, as sensitive training data may be inadvertently memorized and exposed. Although differential privacy (DP) offers strong theoretical guarantees against such leakage, its empirical privacy effectiveness on LLMs remains unclear, especially under different fine-tuning methods. In this paper, we systematically investigate the impact of DP across fine-tuning methods and privacy budgets, using both data extraction and membership inference attacks to assess empirical privacy risks. Our main findings are as follows: (1) Differential privacy reduces model utility, but its impact varies significantly across different fine-tuning methods. (2) Without DP, the privacy risks of models fine-tuned with different approaches differ considerably. (3) When DP is applied, even a relatively high privacy budget can substantially lower privacy risk. (4) The privacy-utility trade-off under DP training differs greatly among fine-tuning methods, with some methods being unsuitable for DP due to severe utility degradation. Our results provide practical guidance for privacy-conscious deployment of LLMs and pave the way for future research on optimizing the privacy-utility trade-off in fine-tuning methodologies.
