The Limits and Possibilities of One Run Auditing
Quick Read
Summary
Takeaways
- ❖Differential privacy guarantees that an adversary cannot distinguish between two datasets differing by a single element, meaning a guesser's success rate shouldn't be much better than random.
- ❖Classical privacy auditing estimates epsilon by repeatedly running experiments with neighboring datasets, but this is impractical for complex ML models.
- ❖One-run auditing inserts many 'canary' elements into a single dataset, runs the algorithm once, and guesses the participation of each canary.
- ❖The theoretical 'looseness' of one-run auditing stems from non-uniform privacy loss across elements, reliance on typical (not worst-case) scenarios, and interference between elements.
- ❖Despite theoretical limitations, one-run auditing works in practice because high-dimensional machine learning models can effectively 'bury' individual elements in orthogonal 'coordinates,' minimizing interference.
- ❖Adaptive one-run auditing, where the guesser learns from previous guesses and can abstain, significantly improves auditing success by focusing on elements with higher privacy loss.
- ❖Developing smarter score functions for blackbox auditing, particularly those leveraging high-dimensional gradient information (e.g., KKT conditions), can further reduce interference and improve accuracy.
Insights
1One-Run Auditing for Practical DP Assessment
One-run auditing offers a practical alternative to classical multi-run auditing for differential privacy. Instead of repeating an experiment many times for a single user, it involves guessing the participation of many users (canaries) within a single run of the algorithm. This approach is crucial for complex mechanisms like training large neural networks, where repeated full training runs are infeasible.
Two years ago, Thomas and Nasa came up with one-run auditing, basically they say instead of repeating many many times the auditing process of guessing a single user, repeat once the process of guessing many users. So now the setting is that we have we can either think of it as many elements each one independently we choose if it will participate or not or we can think of it as many many pairs and from each pair we sample randomly which of the two will be used. Again for the purpose of this talk it won't matter.
2Theoretical Looseness: Three Sources of Inaccuracy
One-run auditing, while valid, is not 'tight' in the same way classical auditing is. Its 'looseness' stems from three main issues: 1) non-uniform privacy loss among elements (e.g., 'name and shame' where only one element is revealed), 2) reliance on a typical scenario rather than worst-case (e.g., 'all or nothing' mechanisms that rarely reveal information), and 3) interference between elements (e.g., XOR parity where elements are interdependent). These factors mean the auditor has partial knowledge and averages over individuals and outcomes, leading to a weaker privacy bound than the true worst-case epsilon.
The answer is absolutely not. So I'll give three toy examples but these two examples are not here to convince you that this is not a good auditing method because all three of them are very unnatural by definition they are here mostly to explain what are the three and to the best of our knowledge the only three sources of looseness in this method. So first example is think about name and shame... Second option is a mechanism which sometimes is called all or nothing... And the third example that is a bit more interesting is the parity or exor function.
3Practical Effectiveness: The Role of Model Locality
Despite its theoretical looseness, one-run auditing works in practice because many machine learning mechanisms are more 'local' than they initially appear. In high-dimensional models, individual data elements can be effectively placed in orthogonal 'coordinates' within the model's parameter space. This minimizes interference between elements, allowing the auditor to distinguish their presence with greater accuracy, effectively mimicking a series of independent local mechanisms.
And the short answer is basically because many more mechanisms are local than it might seem at first. So here's an example... if you have enough coordinates, you can place each element in its own coordinate, in which case you're summing. You're effectively running a local mechanism because each element lives in its own coordinate and everything that happens with the rest of the elements has no effect on it.
4Adaptive Guessing and Abstention for Improved Auditing
One-run auditing can be significantly improved by allowing the auditor to be 'adaptive'—meaning it can observe the outcome of previous guesses and decide whether to guess or abstain on subsequent elements. This strategy allows the auditor to focus on elements where it has higher certainty, leading to a better overall success rate and tighter privacy bounds, especially when dealing with mechanisms where privacy loss is not uniform.
Now if we go over the proof carefully, we know that it's okay if the guesser is told if their previous guess was correct. That we called it adaptive one on auditing and and basically it's a slightly stronger guesser because it can't know the future but it can remember the past.
5Leveraging Gradients for Smarter Blackbox Auditing
For blackbox auditing, where only the model's output is accessible, using smarter score functions beyond simple loss can dramatically improve results. By accessing the full gradient of the model parameters with respect to an input, auditors can lift elements from a low-dimensional input space to the very high-dimensional model parameter space. This high-dimensional representation can create better orthogonality between elements, reducing interference and enabling more accurate membership inference attacks or privacy audits.
But when you are in the one run auditing and your biggest problem is that you need to create some kind of orthogonality in that setting it might be the case that these gradients are the key because they sort of lift the elements from living in the like one-dimensional space of loss or maybe lowdimensional space of of inputs to the very high dimensional space of the model parameters.
Bottom Line
The 'online learning' framing of the auditor's decision-making process (choosing which element to guess next and whether to guess) could lead to theoretically formalized optimal guessing strategies.
This perspective could yield novel algorithms for auditors that dynamically adapt their strategy based on observed outcomes, maximizing the information gained and the tightness of the privacy bound.
Research into multi-armed bandit or reinforcement learning approaches for privacy auditing could discover more efficient and effective auditing protocols.
Constructing 'orthogonal' canaries in the gradient space, rather than just input space, is a promising direction for improving blackbox auditing, even for models with limited input dimensions.
This implies that the inherent complexity and high dimensionality of modern neural networks can be exploited to create more effective privacy auditing tools, even when direct model access is limited.
Develop methods for generating adversarial or 'meta-gradient' based canaries that are maximally distinguishable in the model's internal representation space, leading to stronger privacy guarantees.
Key Concepts
Stochastic Dominance
The probability distribution of correct guesses in one-run auditing is upper-bounded or 'stoastically dominated' by a binomial distribution, providing a statistical basis for privacy bounds (07:05).
Locality Principle
A mechanism can be tightly audited by one-run methods if and only if it can be approximated by a collection of local mechanisms, each operating on a single, independent element (25:32).
Exploration vs. Exploitation
The process of an adaptive auditor choosing which element to guess next and whether to guess or abstain can be framed as an online learning problem, balancing gathering information (exploration) with making optimal guesses (exploitation) (44:47).
Lessons
- Implement adaptive one-run auditing strategies that allow the auditor to make sequential guesses, learn from previous outcomes, and abstain when certainty is low to improve privacy bound estimates.
- For blackbox auditing of machine learning models, explore and develop score functions that leverage high-dimensional information, such as gradients of model parameters, rather than relying solely on one-dimensional loss metrics.
- Investigate methods for constructing 'canary' data points that are designed to be orthogonal or maximally distinguishable in the model's internal representation space, especially for blackbox scenarios.
Notable Moments
Introduction of one-run auditing as a practical solution for privacy assessment.
This moment sets the stage for the entire talk, highlighting the core innovation that addresses the impracticality of classical auditing for complex ML models.
The speaker challenges the audience with the argument that one-run auditing 'shouldn't work' theoretically.
This creates a compelling narrative tension, leading into the detailed explanation of theoretical limitations that are central to understanding the method's nuances.
Explanation of why one-run auditing *does* work in practice, despite theoretical limitations.
This resolves the central paradox of the talk, providing the key insight into the practical applicability of one-run auditing in real-world machine learning contexts.
Quotes
"The probability of being correct can't be much larger than the probability of being wrong or in other words the success rate of the guesser can't be much better than a random guess."
"I just showed that it works very well, but now I will try to convince you that it shouldn't work at all."
"Many more mechanisms are local than it might seem at first."
Q&A
Recent Questions
Related Episodes
Differentially Private Synthetic Data without Training
"Microsoft Research introduces 'Private Evolution,' a novel framework that generates differentially private synthetic data using only inference APIs, bypassing the high costs and limitations of traditional DP fine-tuning."
Tom Griffiths on The Laws of Thought | Mindscape 343
"Cognitive scientist Tom Griffiths explores the historical quest for the 'laws of thought,' revealing how logic, probability, and neural networks offer distinct yet complementary frameworks for understanding human and artificial intelligence, especially concerning resource constraints and inductive biases."
How Much Do Language Models Memorize?
"Meta researcher Jack Morris introduces a new metric for 'unintended memorization' in language models, revealing how model capacity, data rarity, and training data size influence generalization versus specific data retention."
Continual Release Moment Estimation with Differential Privacy
"This research introduces a novel differentially private algorithm, Joint Moment Estimation (JME), that efficiently estimates both first and second moments of streaming private data with a 'second moment for free' property, outperforming baselines in high privacy regimes."