AI Infrastructure, Safety & Ethics

Differential Privacy

Definition

Differential privacy (DP) is a formal mathematical definition of privacy that provides a rigorous guarantee: an algorithm is epsilon-differentially private if the probability of any output changes by at most e^epsilon when any single individual's data is added or removed. In ML, DP is applied through DP-SGD (Differentially Private Stochastic Gradient Descent), which adds calibrated Gaussian noise to gradients during training, preventing the model from memorizing any individual's data to the degree that their participation can be inferred. The privacy budget epsilon controls the tradeoff: smaller epsilon provides stronger privacy but more noise (and worse model performance). Federated learning with differential privacy is the gold standard for privacy-preserving ML.

Why It Matters

Differential privacy provides mathematical proof of privacy protection—a guarantee that no attacker can determine whether a specific individual's data was used in training. This contrasts with anonymization techniques (removing names and identifiers) that can be defeated by re-identification attacks using auxiliary information. For organizations training AI on sensitive personal data—medical records, financial data, private communications—differential privacy provides the privacy guarantee needed to use this data ethically and compliantly. Apple and Google use differential privacy for learning from user behavior data at scale; healthcare and finance AI increasingly requires it for regulatory compliance.

How It Works

DP-SGD implementation: during training, gradients computed per individual example are clipped to a maximum L2 norm (limiting each individual's influence), then Gaussian noise is added to the clipped gradients before the model update step. The noise scale is calibrated to the privacy budget (epsilon) and sensitivity. The privacy budget accumulates with each training step; after the full training run, the total privacy expenditure is calculated using privacy accountants (moments accountant, Rényi differential privacy). Libraries like TensorFlow Privacy and Opacus (PyTorch) implement DP-SGD. The tradeoff: DP typically reduces model accuracy by 2-8% at useful privacy budgets (epsilon < 10).

Differential Privacy — Noise Injection

Original Query

Avg salary: $95,000

Exact, private

+ Laplace Noise

ε = 1.0 (privacy budget)

Privatized Result

Avg salary: ~$97,200

Plausible deniability

No single record can be inferred — mathematically guaranteed privacy

Real-World Example

A hospital network wanted to train a diagnostic AI model on patient records from 5 hospitals without sharing patient data across institutions. They implemented federated learning with differential privacy: each hospital trained a local model update on their patient data using DP-SGD (epsilon=3), clipping gradients and adding calibrated noise. Only the noisy model updates were shared with a central aggregation server—never the patient data itself. The federated DP model achieved 89% diagnostic accuracy vs. 93% for a centralized model trained with data sharing—a 4-point accuracy cost accepted in exchange for a formal mathematical privacy guarantee that patient data never left each hospital's secure environment.

Common Mistakes

  • Treating epsilon as a fixed constant without calibrating to the data sensitivity and threat model—epsilon requirements vary dramatically across domains
  • Applying differential privacy without measuring the accuracy-privacy tradeoff for the specific task—the accuracy cost of DP varies widely and must be validated
  • Confusing differential privacy with anonymization—DP is a mathematical guarantee about model training; anonymization attempts to de-identify the data itself

Related Terms

Data Privacy

Data privacy in AI governs how personal information is collected, stored, and used to train and operate AI systems—requiring organizations to protect individuals' rights, minimize data collection, and obtain proper consent.

Federated Learning

Federated learning trains ML models across multiple distributed devices or organizations without centralizing raw data—each party trains on local data and shares only model updates, preserving privacy while enabling collaborative model improvement.

Responsible AI

Responsible AI is a framework of organizational practices and principles—encompassing fairness, transparency, privacy, safety, and accountability—that guide how teams build and deploy AI systems that are trustworthy and beneficial.

AI Governance

AI governance is the set of policies, processes, and oversight structures that organizations use to ensure their AI systems are developed and deployed responsibly, compliantly, and in alignment with organizational values and regulatory requirements.

PII Detection

PII detection automatically identifies personally identifiable information—names, emails, phone numbers, SSNs, and other sensitive data—in text or structured data, enabling redaction, masking, or compliance flagging before data is used in AI systems.

AI Infrastructure, Safety & Ethics← Glossary Hub

Ready to build your AI chatbot?

Put these concepts into practice with 99helpers — no code required.

Start free trial →
What is Differential Privacy? Differential Privacy Definition & Guide | 99helpers | 99helpers.com