Federated Learning with Bayesian Differential Privacy

--We consider the problem of reinforcing federated learning with formal privacy guarantees. We propose to employ Bayesian differential privacy, a relaxation of differential privacy for similarly distributed data, to provide sharper privacy loss bounds. We adapt the Bayesian privacy accounting method to the federated setting and suggest multiple improvements for more efficient privacy budgeting at different levels. Our experiments show significant advantage over the state-of-the-art differential privacy bounds for federated learning on image classification tasks, including a medical application, bringing the privacy budget below ε 1 at the client level, and below ε 0 .1 at the instance level. Lower amounts of noise also benefit the model accuracy and reduce the number of communication rounds. I NTRODUCTION The rise of data analytics and machine learning (ML) presents countless opportunities for companies, governments and individuals to benefit from the accumulated data. At the same time, their ability to capture fine levels of detail potentially compromises privacy of data providers. Recent research [1], [2] suggests that even in a black-box setting it is possible to argue about the presence of individual records in the training set or recover certain features of these records. To tackle this problem a number of solutions has been proposed. They vary in how privacy is achieved and to what extent data is protected. One approach that assumes privacy at its core is federated learning (FL) [3]. In the FL setting, a central entity ( server) trains a model on user data without actually copying data from user devices. Instead, users ( clients) update models locally, and the server aggregates these updates. In spite of all the advantages, federated learning does not provide theoretical privacy guarantees, like it is done by differential privacy (DP) [4], which is viewed by many researchers as the privacy gold standard.