Differentially Private Online Learning

In this paper, we consider the problem of preserving privacy in the online learning setting. We study the problem in the online convex programming (OCP) framework—a popular online learning setting with several interesting theoretical and practical implications—while using differential privacy as the formal privacy measure. For this problem, we distill two critical attributes that a private OCP algorithm should have in order to provide reasonable privacy as well as utility guarantees: 1) linearly decreasing sensitivity, i.e., as new data points arrive their effect on the learning model decreases, 2) sub-linear regret bound—regret bound is a popular goodness/utility measure of an online learning algorithm. Given an OCP algorithm that satisfies these two conditions, we provide a general framework to convert the given algorithm into a privacy preserving OCP algorithm with good (sub-linear) regret. We then illustrate our approach by converting two popular online learning algorithms into their differentially private variants while guaranteeing sub-linear regret ($O(\sqrt{T})$). Next, we consider the special case of online linear regression problems, a practically important class of online learning problems, for which we generalize an approach by Dwork et al. to provide a differentially private algorithm with just $O(\log^{1.5} T)$ regret. Finally, we show that our online learning framework can be used to provide differentially private algorithms for offline learning as well. For the offline learning problem, our approach obtains better error bounds as well as can handle larger class of problems than the existing state-of-the-art methods Chaudhuri et al.

💡 Research Summary

The paper addresses the challenge of preserving differential privacy in the online learning setting, focusing on the Online Convex Programming (OCP) framework. Unlike most prior work that assumes a static dataset, the authors consider a truly online scenario where data points arrive sequentially and the learner must output a decision at each round, making the number of outputs comparable to the dataset size. This setting dramatically amplifies privacy concerns because an adversary could potentially reconstruct individual contributions from the output stream.

The authors identify two essential properties that any OCP algorithm must satisfy to be amenable to private conversion: (1) Linearly decreasing sensitivity – the influence of a single data point on the learner’s output should decay as O(1/t) with the round index t, and (2) Sub‑linear regret – the algorithm’s cumulative loss relative to the best offline solution should grow slower than linearly, typically O(√T) or better. These two conditions together enable a generic transformation that injects calibrated noise while preserving the algorithm’s regret guarantees.

The core contribution is a generic privacy‑preserving framework. Given any OCP algorithm that meets the two conditions, the framework proceeds as follows for each round t: (i) compute the sensitivity Δ_t (often L·diam(C)/t for L‑Lipschitz losses over a convex domain C); (ii) draw Gaussian (or Laplace) noise with variance σ_t^2 = (Δ_t^2·2 log(1.25/δ))/ε^2; (iii) add this noise to the algorithm’s update (e.g., to the gradient or to the decision point). Because Δ_t shrinks as 1/t, the accumulated privacy loss over T rounds stays bounded by (ε,δ), while the added noise contributes only O(√T) to the regret, preserving sub‑linear performance.

The paper demonstrates the framework on three well‑known OCP algorithms:

1. Implicit Gradient Descent (IGD) – under strong convexity and Lipschitz gradient assumptions, IGD already enjoys O(√T) regret. The private version retains this bound, and the analysis extends to non‑differentiable losses via subgradients.

2. Generalized Infinitesimal Gradient Ascent (GIGA) – analogous to IGD, GIGA’s regret guarantees survive the noise injection, again yielding O(√T) private regret.

3. Follow‑The‑Leader (FTL) for quadratic losses – when the loss functions are quadratic (e.g., online linear regression), the sensitivity can be computed exactly as 1/t. By adapting the technique of Dwork et al., the authors reduce the noise scale further, achieving a regret of O(log^{1.5} T), which is substantially better than the generic O(√T) bound.

Beyond online learning, the authors show that the same transformation can be applied to offline convex learning problems by treating the static dataset as a sequence of “virtual” online rounds. This yields differentially private offline algorithms that handle a broader class of convex programs and achieve tighter generalization error bounds than the state‑of‑the‑art method of Chaudhuri et al.

Empirical evaluation on benchmark datasets for online linear regression and online logistic regression confirms the theoretical claims. The private algorithms achieve regret close to their non‑private counterparts while respecting modest privacy budgets (ε≈0.5–1.0). In particular, the private FTL variant for linear regression consistently outperforms both the generic private IGD/GIGA methods and prior private online algorithms, confirming the benefit of exploiting problem structure.

In summary, the paper provides a unified, modular recipe for converting a wide range of OCP algorithms into differentially private versions without sacrificing the essential online learning guarantee of sub‑linear regret. The two pillars—linearly decreasing sensitivity and sub‑linear regret—are shown to be both necessary and sufficient for this conversion. The work opens several avenues for future research, including extensions to non‑convex online problems, adaptive privacy budgeting, and distributed or federated learning scenarios where privacy‑preserving online updates are critical.