
On the Fairness of Privacy Protection: Measuring and Mitigating the Disparity of Group Privacy Risks for Differentially Private Machine Learning

Zhi Yang, Changwu Huang, Ke Tang, Xin Yao

TL;DR

This work investigates whether differential privacy protections are equitably distributed across demographic groups in ML models. It identifies that average-case membership inference attacks can understate inter-group privacy disparities and introduces an efficient approximate worst-case membership inference game (MIG), PA-ALOOA, to audit per-sample privacy risk and derive a group privacy risk parity metric (GPRP). The authors then exploit a canary-inspired insight to design DP-SGD-S, an adaptive per-group gradient clipping scheme that reduces group-level privacy risk disparities while preserving model utility in many settings. Across multiple datasets and privacy budgets, PA-ALOOA reveals stronger group-level privacy risks than prior auditing methods, and DP-SGD-S demonstrably lowers the disparity parameter $\Delta$ with acceptable accuracy trade-offs. The results support the practical feasibility of fair privacy protection in DPML and highlight future directions for balancing outcome and privacy fairness.

Abstract

While significant progress has been made in conventional fairness-aware machine learning (ML) and differentially private ML (DPML), the fairness of privacy protection across groups remains underexplored. Existing studies have proposed methods to assess group privacy risks, but these are based on the average-case privacy risks of data records. Such approaches may underestimate the group privacy risks, thereby potentially underestimating the disparity across group privacy risks. Moreover, the current method for assessing the worst-case privacy risks of data records is time-consuming, limiting its practical applicability. To address these limitations, we introduce a novel membership inference game that can efficiently audit the approximate worst-case privacy risks of data records. Experimental results demonstrate that our method provides a more stringent measurement of group privacy risks, yielding a reliable assessment of the disparity in group privacy risks. Furthermore, to promote privacy protection fairness in DPML, we enhance the standard DP-SGD algorithm with an adaptive group-specific gradient clipping strategy, inspired by the design of canaries in differential privacy auditing studies. Extensive experiments confirm that our algorithm effectively reduces the disparity in group privacy risks, thereby enhancing the fairness of privacy protection in DPML.

Paper Structure

This paper contains 46 sections, 4 equations, 14 figures, 7 tables, 6 algorithms.

Figures (14)

  • Figure 1: Left: PA-LOOA audits a single sample. Right: PA-ALOOA audits $m$ samples. Solid circles indicate training points; hollow circles are excluded. Arrows denote model training using solid-circle data.
  • Figure 2: Left: The horizontal axis represents the number of random experiments for a single audit, while the vertical axis represents the absolute difference in auditing performance between the two attacks for each audited sample. Right: The horizontal axis represents different groups of the MNIST dataset, while the vertical axis indicates the performance difference between PA-LOOA and PA-ALOOA for individual data points in each group at $2R=400$.
  • Figure 3: Comparison of GPR values across three model types—Logistic Regression (LR), Multilayer Perceptron (MLP), and CNN—trained on the MNIST dataset using the SGD algorithm. The x-axis represents the groups, and the y-axis shows the corresponding GPR value at $2R=400$.
  • Figure 4: The results of the SGD and DP-SGD algorithms on the MNIST dataset under varying privacy guarantees and model architectures.
  • Figure 5: The results of the DP-SGD-S algorithm on the MNIST dataset using a CNN model under varying scale bounds.
  • ...and 9 more figures

Theorems & Definitions (7)

  • Definition 1: $(\epsilon, \delta)$-Differential Privacy [dwork2006our]
  • Definition 2: Approximate Worst-case MIG
  • Definition 3: Individual Privacy Risk
  • Definition 4: Group Privacy Risk
  • Definition 5: Group Privacy Risk Parity
  • Definition 6: Average-case Membership Inference Game [yeom2018privacy]
  • Definition 7: Worst-case Membership Inference Game [ye2022enhanced]