Quantifying identifiability to choose and audit $epsilon$ in differentially private deep learning. (arXiv:2103.02913v3 [cs.CR] UPDATED)

Differential privacy allows bounding the influence that training data records
have on a machine learning model. To use differential privacy in machine
learning, data scientists must choose privacy parameters $(epsilon,delta)$.
Choosing meaningful privacy parameters is key, since models trained with weak
privacy parameters might result in excessive privacy leakage, while strong
privacy parameters might overly degrade model utility. However, privacy
parameter values are difficult to choose for two main reasons. First, the
theoretical upper bound on privacy loss $(epsilon,delta)$ might be loose,
depending on the chosen sensitivity and data distribution of practical
datasets. Second, legal requirements and societal norms for anonymization often
refer to individual identifiability, to which $(epsilon,delta)$ are only
indirectly related.

We transform $(epsilon,delta)$ to a bound on the Bayesian posterior belief
of the adversary assumed by differential privacy concerning the presence of any
record in the training dataset. The bound holds for multidimensional queries
under composition, and we show that it can be tight in practice. Furthermore,
we derive an identifiability bound, which relates the adversary assumed in
differential privacy to previous work on membership inference adversaries. We
formulate an implementation of this differential privacy adversary that allows
data scientists to audit model training and compute empirical identifiability
scores and empirical $(epsilon,delta)$.