Stable Estimators for Fast Private Statistics

Before this work, differentially private linear regression estimators faced significant challenges. They either required a large number of samples (d^1.5 examples, where d is dimension), had error guarantees that depended polynomially on the data's condition number (which can be high), or demanded exponential computation time. These limitations made practical application difficult, especially in high-dimensional settings or with poorly conditioned data.

Prior estimators needed either d to the three haves examples more than OLS, or had an error that depended polynomially on the condition number, or required exponential time. (05:28)

Gavin Brown and collaborators developed an algorithm called 'insufficient statistics perturbation' that avoids the prior limitations. This algorithm is private, fast (computation time dominated by empirical OLS), and provides good accuracy for data from well-specified Gaussian linear models. It achieves an error guarantee with a privacy term scaling as d^2/n^2, implying asymptotic privacy for free as n grows, and requires only d/epsilon^2 samples to start.

Our algorithm is private, it's fast, it's for most privacy regimes, the computation time is dominated by the time to compute the empirical OLS solution. And when we give it data from a well specified Gaussian linear model, it has good accuracy. (11:58)

The core innovation lies in using stronger, statistically motivated notions of outliers. Instead of simple L2 norm bounds, the algorithm identifies outliers based on statistical leverage scores (for mean/covariance/leverage filtering) and residuals (for linear regression). While these notions are harder to handle privately because they depend on the entire dataset, improved filtering algorithms enable tighter error guarantees.

Statistically what seems like a better thing to do is actually to work with the notion of statistical leverage... whether or not I'm an outlier depends on the rest of the data set. That's a big issue. (16:18)

The proposed algorithmic template for differentially private statistical tasks involves three steps: 1) Limiting the effect of outliers through a filtering routine, 2) Computing an empirical estimate (e.g., weighted OLS solution), and 3) Adding calibrated noise (e.g., Gaussian noise). The filtering routine must satisfy three properties: 'soundness' (removes outliers), 'completeness' (does nothing if no outliers), and 'stability' (output weights are close on adjacent inputs). Stability is the most challenging to prove.

We'll first like somehow limit the effect of outliers, we'll compute an empirical estimate and then we'll add noise... The first I'll call soundness... The second is completeness... And the third and most like crucial thing is stability. (15:14, 19:05)

The specific leverage filtering algorithm iteratively applies a greedy filtering subroutine with exponentially decreasing thresholds. This process generates multiple subsets of data, and points are weighted based on how many subsets they appear in. This layered approach, combined with properties of leverage scores (monotonicity and bounded change upon point removal), enables the crucial stability guarantee for the filtering routine, which is essential for the overall privacy analysis.

My algorithm is going to like go over for J equal K, K minus one all the way down to one. it's going to call some greedy leverage filtering subruine that'll output a set a set of indices... I'm calling it a slightly different threshold. (37:05)