Differential Privacy and Machine Learning: a Survey and Review

The objective of machine learning is to extract useful information from data, while privacy is preserved by concealing information. Thus it seems hard to reconcile these competing interests. However, they frequently must be balanced when mining sensitive data. For example, medical research represents an important application where it is necessary both to extract useful information and protect patient privacy. One way to resolve the conflict is to extract general characteristics of whole populations without disclosing the private information of individuals. In this paper, we consider differential privacy, one of the most popular and powerful definitions of privacy. We explore the interplay between machine learning and differential privacy, namely privacy-preserving machine learning algorithms and learning-based data release mechanisms. We also describe some theoretical results that address what can be learned differentially privately and upper bounds of loss functions for differentially private algorithms. Finally, we present some open questions, including how to incorporate public data, how to deal with missing data in private datasets, and whether, as the number of observed samples grows arbitrarily large, differentially private machine learning algorithms can be achieved at no cost to utility as compared to corresponding non-differentially private algorithms.

💡 Research Summary

The paper provides a comprehensive survey of the intersection between differential privacy (DP) and machine learning (ML). It begins by motivating the need for privacy‑preserving analysis in sensitive domains such as healthcare, where traditional anonymization techniques (k‑anonymity, l‑diversity, t‑closeness) fail against background knowledge attacks. DP is introduced as a probabilistic guarantee that the output of any mechanism changes only negligibly when a single individual’s data is added or removed.

The authors first formalize DP, defining neighboring datasets, the privacy parameters (ε, δ), and the notion of sensitivity. They distinguish between global (worst‑case) sensitivity, local sensitivity, and smooth sensitivity, explaining how each influences the amount of noise required for privacy. The classic Laplace mechanism (adding Laplace‑distributed noise scaled to L1‑sensitivity) and its Gaussian variant (providing (ε, δ)‑DP) are described, followed by the exponential mechanism for selecting discrete outputs based on a score function.

Beyond these basic tools, the survey highlights two advanced frameworks: smooth sensitivity, which adapts noise to the actual dataset rather than the worst case, and the Sample‑and‑Aggregate (S&A) framework, which partitions the private data, computes estimates on each partition, and then aggregates them using a robust statistic before applying DP noise. Both frameworks aim to reduce utility loss while preserving rigorous privacy guarantees.

The paper then discusses how DP mechanisms compose. The sequential composition theorem states that the total privacy budget is the sum of the ε and δ values of each step when mechanisms are applied one after another, even if later steps depend on earlier outputs. The parallel composition theorem shows that if a dataset is split into disjoint parts and each part is processed with ε‑DP, the overall process remains ε‑DP. These results are essential for building complex pipelines that involve preprocessing, model training, and result release.

A major portion of the survey is devoted to DP‑enabled machine‑learning algorithms across four canonical tasks:

• Classification – Techniques such as DP‑Stochastic Gradient Descent (DP‑SGD) for logistic regression and neural networks, where per‑iteration gradients are clipped and noise is added. The authors discuss trade‑offs between batch size, learning rate, and the privacy budget, and present utility bounds that decay with √(ε).

• Regression – Approaches that add Laplace or Gaussian noise directly to regression coefficients, as well as Bayesian DP regression where posterior samples are perturbed. The paper provides error bounds that depend on the condition number of the design matrix and the chosen ε.

• Clustering – DP‑k‑means algorithms that inject noise into centroid updates and use the exponential mechanism for assigning points to clusters. The analysis shows that the clustering cost increases by O( (k log n)/ε ) under reasonable assumptions.

• Dimensionality Reduction – DP‑Principal Component Analysis (DP‑PCA) methods that add noise to the covariance matrix or to singular values, often leveraging smooth sensitivity to keep the perturbation small. The authors note that the resulting subspace approximates the true one within an additive error that scales with √(d/ε).

For each task, the survey summarizes known theoretical loss bounds, empirical performance, and practical considerations such as hyper‑parameter tuning under privacy constraints. A recurring theme is that when the model’s performance does not heavily rely on any single data point—i.e., the model generalizes well—DP can be achieved with modest utility degradation, especially as the number of training samples grows.

The final section outlines open research directions. First, integrating public (non‑private) data with private data to improve utility while respecting DP guarantees remains underexplored. Second, handling missing values in a DP‑compliant manner is challenging because imputation procedures can leak information. Third, the authors pose the fundamental question of whether, in the limit of infinite data, DP‑ML algorithms can match the utility of their non‑private counterparts without any cost—a conjecture that would have profound implications for large‑scale learning.

Overall, the paper serves as a valuable reference for researchers and practitioners seeking to understand the state‑of‑the‑art in differentially private machine learning, offering both a solid theoretical foundation and a roadmap of practical algorithms and unresolved challenges.