DP-SGD vs PATE: Which Has Less Disparate Impact on Model Accuracy?

06/22/2021 ∙ by Archit Uniyal, et al. ∙ 34

Recent advances in differentially private deep learning have demonstrated that application of differential privacy, specifically the DP-SGD algorithm, has a disparate impact on different sub-groups in the population, which leads to a significantly high drop-in model utility for sub-populations that are under-represented (minorities), compared to well-represented ones. In this work, we aim to compare PATE, another mechanism for training deep learning models using differential privacy, with DP-SGD in terms of fairness. We show that PATE does have a disparate impact too, however, it is much less severe than DP-SGD. We draw insights from this observation on what might be promising directions in achieving better fairness-privacy trade-offs.



There are no comments yet.


page 3

page 4

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

There are a plethora of attacks that exploit the vulnerabilities in machine learning models and infer membership of certain individuals (Shokri et al., 2016; Jayaraman et al., 2020) or infer sensitive attributes such as age, ethnicity or genetic markers of given data instances, from released models in both black and white-box settings  (Shokri et al., 2017; Fredrikson et al., 2014). One approach to protect against such attacks is Differential Privacy (DP). DP can protect against attempts to infer the contribution of a given individual to the training set by adding noise to the computations (Chaudhuri et al., 2009; Abadi et al., 2016; Mireshghallah et al., 2020; Jayaraman and Evans, 2019).

A widely adopted DP mechanism in deep learning is DP-Stochastic Gradient Descent (DP-SGD) 

(Abadi et al., 2016) wherein noise is added to clipped gradients during training. Although DP-SGD offers rigorous privacy guarantees, it degrades the accuracy of the resulting model. Furthermore, it has recently been shown that this degradation is disparate, and that differential privacy exacerbates the already existing gap between the utility of the model for under-represented and well-represented subgroups of data (Bagdasaryan et al., 2019; Kuppam et al., 2019; Farrand et al., 2020). Given how machine learning models are deployed in real life and are sometimes used to make high-stake decisions such as who to hire for a role or how much someone should pay for insurance, it is paramount that we find, acknowledge and mitigate biases induced by different algorithms, in this case DP.

To this end, we aim at studying the fairness implications of yet another DP mechanism for training deep neural networks, named PATE 

(Papernot et al., 2017)

. In PATE (Private Aggregation of Teacher Ensembles), sensitive data is split into a certain number of disjoint training sets, on each of which a teacher classifier is trained. Then, a student model is trained by transferring the noisy aggregate knowledge of the teachers. The noisy aggregation is where the privacy guarantees are induced through DP.

While DP-SGD has been studied with regards to its disparate impact on imbalanced data, there has been no rigorous study on how PATE performs in such scenarios. In this work, we seek to extensively compare the utility loss across DP-SGD and PATE on imbalanced datasets, where there are under-represented sub-populations. Through outlining the performance of both these approaches across varying levels of privacy. We seek to answer the following question: “Do both DP-SGD and PATE have similar disparate impacts on minority classes?” To answer briefly, through our experiments with MNIST and SVHN datasets, we observe that PATE has significantly higher utility on under-represented groups (i.e. lower accuracy parity), which we attribute to its teacher-ensemble setup. The code for this paper can be found at 

DP-SGD vs PATE Github repository.

2 Related Work

It has been shown in the literature that training models with the ultimate goal of maximizing accuracy leads to learning and even amplifying the biases in data. Bias in machine learning can be defined as the phenomena of observing results which are systematically prejudiced due to faulty assumptions. The survey by Mehrabi et al. covers various types of bias, such as historic bias, representation bias and algorithmic bias. Differential privacy is used in many contexts, including but not limited to healthcare settings (Singh et al., 2020; Suriyakumar et al., 2021), commerce (US Census data release) (Abowd, 2018; Fioretto et al., 2021b)

and natural language processing applications such as next word prediction in keyboards 

(Kairouz et al., 2021).

The works by Bagdasaryan et al. and  Farrand et al. empirically demonstrates that when DP-SGD is used on highly imbalanced class data the less represented groups which already have lower accuracy end up losing more utility: “the poor become poorer”. They also show that as stricter privacy guarantees are imposed, this gap gets wider. Our work is similar in nature to these works, however we seek to study another differentially private learning mechanism, named PATE (Private aggregation of Teacher Ensembles,  Papernot et al. (2017)) and compare it to DP-SGD in terms of the parity in accuracy of different subgroups.  Kuppam et al. and  Fioretto et al. show that if DP was used in the decision making of a fund allocation problem (based on US Census data), smaller districts would end up with comparatively more funding than what they would receive without DP, and larger districts would get less funding.  Jagielski et al. propose differentially private variants of existing bias mitigation techniques for creating fair classifiers. Tran et al. propose a differentially private learning algorihtm, with fairness constraints imposed.

3 Differential Privacy for Deep Learning

Here we discuss the main privacy concepts used in the paper.

3.1 Differentially Private SGD (DP-SGD)

For , an algorithm is understood to be Differentially Private (Dwork et al., 2006a, b) if and only if for any pair of datasets that differ in only one element, the following statement holds true.

Where and are differing datasets by at most one element, and

denotes the probability that

is the output of . This setting approximates the effect of individual opt-outs by minimising the inclusion effect of an individual’s data.

DP-SGD (Abadi et al., 2016)

is a modification of the stochastic gradient descent algorithm which provides provable privacy guarantees. DP-SGD bounds the sensitivity of each gradient and is paired with a moments accountant algorithm to amplify and track the privacy loss across weight updates. Moments accountant significantly improves on earlier privacy analysis of SGD and allows for meaningful privacy guarantees for deep learning trained on realistically sized datasets

(Bu et al., 2019).

3.2 Private Aggregation of Teacher Ensembles (PATE)

PATE (Papernot et al., 2017) is based on knowledge aggregation and transfer from “teacher” models, trained on disjoint data, to a “student” model whose attributes may be made public. The approach involves transferring knowledge of multiple models trained on sensitive disjoint datasets. Since these models rely directly on sensitive data, they are not published, but are used as “teachers” for a “student” model. The student learns to predict an output chosen by noisy voting among all of the teachers, and cannot directly access an individual teacher or the underlying data or parameters. The student is trained on a publicly available, unlabeled dataset, where the labels come from the aggregate votes of the teachers. That is why PATE is considered a semi-supervised approach, and it cannot be applied as it is in as setup where we do not have public data (even small in number) available.

(a) DP-SGD for
(b) DP-SGD for
(c) DP-SGD for
(d) PATE for
(e) PATE for
(f) PATE for
Figure 1: Average test accuracy of each digit (class) for models trained on imbalanced MNIST data, where samples of class “8” are decreased to 0.1 their original count.
(a) DP-SGD for
(b) DP-SGD for
(c) PATE for
(d) PATE for
Figure 2: Average test accuracy of each digit (class) for models trained on imbalanced SVHN data, where samples of class “8” are decreased to half their original count.
(a) MNIST w/ PATE for
(b) SVHN w/ PATE for
Figure 3: Effect the number of teachers has on accuracy of each class for PATE.

4 Empirical Evaluations

To compare the effect that the two differentially private deep learning algorithms, DP-SGD and PATE have on sub-populations with different sizes, we run a series of experiments on MNIST and SVHN datasets. We have selected these two datasets, as they are the ones used for the evaluations of the PATE framework (Papernot et al., 2017).

4.1 Experimental Setup

For MNIST dataset, we artificially imbalance the class “8”, to have only 500 samples. For SVHN we imbalance the same class as well. We decide to imbalance class to maintain consistency with (Bagdasaryan et al., 2019). The ratio of imbalance is set to 1:10 i.e for every 10 images in each class, there was only 1 image in class 8. We apply this imbalance for the train set as well as the test set. In total, we sample 5000 training and 1000 test samples for each class except class 8. Class 8 gets 500 training and 100 test samples, respectively. For SVHN, as the dataset (Netzer et al., 2011) is already imbalanced (i.e. class and have nearly 4 training images than other classes causing the vote counts biased towards these classes in PATE), we balance it with each class containing images 111Classes with training images were left untouched.. We imbalance class by performing a imbalance i.e. for every images in each class, only image in class . Therefore, class is alloted training examples while other classes comprise of images each.

We use a 4-layer deep CNN for performing our experiments on MNIST dataset. The reason for using such a small CNN for MNIST is that the dataset contains grayscale images and performing feature extraction on such images is quite easier in comparison to RGB images. For SVHN dataset, we utilized the ResNet-18 architecture

(He et al., 2015)

. we use learning rates 0.01 and 0.05 for DP-SGD and PATE, respectively. We train PATE with 50 teachers and 30 students. We train each model 5 times and report the mean and standard deviation of accuracy in our experiments.

4.2 MNIST Results

Figure 1 displays test accuracies on the imbalanced MNIST dataset for . We observe that the deviation of the test accuracy for the imbalanced class decreased with the increase in the values of in DP-SGD (refer Figures 0(a), 0(b), 0(c)). We also notice that over different values of , PATE exhibits “stable” results for the test accuracy of the imbalanced class. In PATE, the accuracy of the imbalanced class is almost (more than) twice the accuracy obtained by DP-SGD for the same value (see Figures 0(d), 0(e), 0(f)). We hypothesize that this is because (1) DP-SGD adds noise during every update of the model, destroying the gradient signals from underrepresented groups. This doesn’t happen during training of the teachers. (2) teachers are not learning exactly the same patterns (due the data distribution). Therefore the set of teachers is diverse. This diversity allows to cancel biases among teaches, ie. aggregating decisions of different teachers may help to reduce the confusion to classify underrepresented class. Grgić-Hlača et al. shows theoretically that diversity is key of achieving fairness.

4.3 SVHN Results

Figure 2 showcases the test accuracies on the imbalanced SVHN dataset for . We experiment with these two values as demonstrated in the Papernot et al. (2017) paper. We observe that both DP-SGD and PATE produce similar results with the averaged accuracies for the imbalanced class being . However, it is important to note that PATE gives rise to robust results while DP-SGD exhibits higher standard deviations over different values of (refer Fig. 1(a), 1(b), 1(c), 1(d)). This property can again be referred to how the “students” learn different patterns on the disjoint data present within “teachers”.

4.4 Ablation Study: Number of Teachers

We analyze the impact of the number of teachers on the accuracy of different classes of PATE. Figure 3 shows test accuracy for different numbers of teachers (). For , PATE shows a drop in the accuracy as the results are obtained from only one teacher, which makes them noisy and less robust, hampering the performance of the model. For , PATE shows the best performance considering the size of the datasets we’re using. The number of teachers seem to be optimal, making it the most fair outcome. For , the performance of PATE decreases overall and it could be observed that unfairness of the model increased for the imbalanced class 8. For and for MNIST and SVHN respectively, we observed that the accuracy of the imbalanced class 8 was very low (close to 0% accuracy) as the number of training set samples that could be distributed among the number of teachers became very small, causing the teachers not to train. The main take-away from this experiment is that there is a sweet spot for the number of teachers, and going up or going low would not necessarily have a positive or negative impact on accuracy of the sub-classes.

5 Conclusion and Future Work

Our work provides a comprehensive analysis of the comparison of utility provided across DP-SGD and PATE on imbalanced datasets. To summarize:

  1. Even though both DP-SGD and PATE have disparate impact on the under-represented groups i.e.“Poor get poorer” - PATE has significantly less disproportionate impact on utility compared to DP-SGD.

  2. We note that the standard deviation of the accuracy for each class over 5 runs was much lower in PATE compared to DP-SGD.

  3. By experimenting with various teacher counts, we observe that having multiple teachers often provides a higher utility than a single teacher for under-represented groups. However beyond the tipping point of this ensemble (10 teachers in our case), the utility stagnates and then starts dropping significantly.

It is worth noting, however, that although PATE has the above advantages, it is a semi-supervised approach, in which part of the training is done on publicly available, unlabeled data. Therefore, PATE assumes such data (even if very small in size) is available. In situations where we do not have access to such data, for instance for medical purposes where no patient note is released, PATE cannot be applied.


  • M. Abadi, A. Chu, I. Goodfellow, H. B. McMahan, I. Mironov, K. Talwar, and L. Zhang (2016) Deep learning with differential privacy. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 308–318. Cited by: §1, §1, §3.1.
  • J. M. Abowd (2018) The us census bureau adopts differential privacy. In Proceedings of the 24th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining, pp. 2867–2867. Cited by: §2.
  • E. Bagdasaryan, O. Poursaeed, and V. Shmatikov (2019) Differential privacy has disparate impact on model accuracy. In Advances in Neural Information Processing Systems, pp. 15479–15488. Cited by: §1, §2, §4.1.
  • Z. Bu, J. Dong, Q. Long, and W. J. Su (2019) Deep learning with gaussian differential privacy. arXiv preprint arXiv:1911.11607. Cited by: §3.1.
  • K. Chaudhuri, C. Monteleoni, and A. D. Sarwate (2009) Differentially private empirical risk minimization. arXiv preprint arXiv:0912.0071. External Links: 0912.0071 Cited by: §1.
  • C. Dwork, K. Kenthapadi, F. McSherry, I. Mironov, and M. Naor (2006a) Our data, ourselves: privacy via distributed noise generation. In Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 486–503. Cited by: §3.1.
  • C. Dwork, F. McSherry, K. Nissim, and A. Smith (2006b) Calibrating noise to sensitivity in private data analysis. In Theory of cryptography conference, pp. 265–284. Cited by: §3.1.
  • T. Farrand, F. Mireshghallah, S. Singh, and A. Trask (2020) Neither private nor fair: impact of data imbalance on utility and fairness in differential privacy. In Proceedings of the 2020 Workshop on Privacy-Preserving Machine Learning in Practice, pp. 15–19. Cited by: §1, §2.
  • F. Fioretto, C. D. Tran, and P. V. Hentenryck (2021a) Decision making with differential privacy under a fairness lens. ArXiv abs/2105.07513. Cited by: §2.
  • F. Fioretto, P. Van Hentenryck, and K. Zhu (2021b) Differential privacy of hierarchical census data: an optimization approach. Artificial Intelligence 296, pp. 103475. Cited by: §2.
  • M. Fredrikson, E. Lantz, S. Jha, S. Lin, D. Page, and T. Ristenpart (2014) Privacy in pharmacogenetics: an end-to-end case study of personalized warfarin dosing. In Proceedings of the 23rd USENIX Conference on Security Symposium, SEC’14, USA, pp. 17–32. External Links: ISBN 9781931971157 Cited by: §1.
  • N. Grgić-Hlača, M. B. Zafar, K. P. Gummadi, and A. Weller (2017) On fairness, diversity and randomness in algorithmic decision making. arXiv preprint arXiv:1706.10208. Cited by: §4.2.
  • K. He, X. Zhang, S. Ren, and J. Sun (2015) Deep residual learning for image recognition. CoRR abs/1512.03385. External Links: Link, 1512.03385 Cited by: §4.1.
  • M. Jagielski, M. Kearns, J. Mao, A. Oprea, A. Roth, S. Sharifi-Malvajerdi, and J. Ullman (2018) Differentially private fair learning. arXiv preprint arXiv:1812.02696. Cited by: §2.
  • B. Jayaraman and D. Evans (2019) Evaluating differentially private machine learning in practice. In 28th USENIX Security Symposium (USENIX Security 19), pp. 1895–1912. Cited by: §1.
  • B. Jayaraman, L. Wang, K. Knipmeyer, Q. Gu, and D. Evans (2020) Revisiting membership inference under realistic assumptions. arXiv preprint arXiv:2005.10881. Cited by: §1.
  • P. Kairouz, B. McMahan, S. Song, O. Thakkar, A. Thakurta, and Z. Xu (2021) Practical and private (deep) learning without sampling or shuffling. arXiv preprint arXiv:2103.00039. Cited by: §2.
  • S. Kuppam, R. McKenna, D. Pujol, M. Hay, A. Machanavajjhala, and G. Miklau (2019) Fair decision making using privacy-protected data. arXiv preprint arXiv:1905.12744. Cited by: §1, §2.
  • N. Mehrabi, F. Morstatter, N. Saxena, K. Lerman, and A. Galstyan (2019) A survey on bias and fairness in machine learning. arXiv preprint arXiv:1908.09635. Cited by: §2.
  • F. Mireshghallah, M. Taram, P. Vepakomma, A. Singh, R. Raskar, and H. Esmaeilzadeh (2020) Privacy in deep learning: a survey. In ArXiv, Vol. abs/2004.12254. Cited by: §1.
  • Y. Netzer, T. Wang, A. Coates, A. Bissacco, B. Wu, and A. Y. Ng (2011) Reading digits in natural images with unsupervised feature learning. Cited by: §4.1.
  • N. Papernot, M. Abadi, U. Erlingsson, I. Goodfellow, and K. Talwar (2017) Semi-supervised knowledge transfer for deep learning from private training data. Cited by: §1, §2, §3.2, §4.3, §4.
  • R. Shokri, M. Stronati, C. Song, and V. Shmatikov (2017) Membership inference attacks against machine learning models. In IEEE Symposium on Security and Privacy (S&P), Cited by: §1.
  • R. Shokri, M. Stronati, and V. Shmatikov (2016) Membership inference attacks against machine learning models. CoRR abs/1610.05820. External Links: Link, 1610.05820 Cited by: §1.
  • S. Singh, H. Sikka, S. Kotti, and A. Trask (2020) Benchmarking differentially private residual networks for medical imagery. arXiv preprint arXiv:2005.13099. Cited by: §2.
  • V. M. Suriyakumar, N. Papernot, A. Goldenberg, and M. Ghassemi (2021) Chasing your long tails: differentially private prediction in health care settings. In Proceedings of the 2021 ACM Conference on Fairness, Accountability, and Transparency, pp. 723–734. Cited by: §2.
  • C. Tran, F. Fioretto, and P. Van Hentenryck (2020) Differentially private and fair deep learning: a lagrangian dual approach. arXiv preprint arXiv:2009.12562. Cited by: §2.