Differential Privacy can provide provable privacy guarantees for training data in machine learning. However, the presence of proofs does not preclude the presence of errors. Inspired by recent advances in auditing which have been used for estimating lower bounds on differentially private algorithms, here we show that auditing can also be used to find flaws in (purportedly) differentially private schemes. In this case study, we audit a recent open source implementation of a differentially private deep learning algorithm and find, with 99.99999999% confidence, that the implementation does not satisfy the claimed differential privacy guarantee.
@article{arxiv.2202.12219,
title = {Debugging Differential Privacy: A Case Study for Privacy Auditing},
author = {Florian Tramer and Andreas Terzis and Thomas Steinke and Shuang Song and Matthew Jagielski and Nicholas Carlini},
journal= {arXiv preprint arXiv:2202.12219},
year = {2022}
}