Differentially private stochastic gradient descent (DP-SGD) is the workhorse algorithm for recent advances in private deep learning. It provides a single privacy guarantee to all datapoints in the dataset. We propose output-specific $(\varepsilon,\delta)$-DP to characterize privacy guarantees for individual examples when releasing models trained by DP-SGD. We also design an efficient algorithm to investigate individual privacy across a number of datasets. We find that most examples enjoy stronger privacy guarantees than the worst-case bound. We further discover that the training loss and the privacy parameter of an example are well-correlated. This implies groups that are underserved in terms of model utility simultaneously experience weaker privacy guarantees. For example, on CIFAR-10, the average $\varepsilon$ of the class with the lowest test accuracy is 44.2% higher than that of the class with the highest accuracy.

翻译：差分隐私随机梯度下降（DP-SGD）是近期私有深度学习进展中的核心算法。它为数据集中的所有数据点提供统一的隐私保障。我们提出面向输出的$(\varepsilon,\delta)$-差分隐私，用于刻画训练DP-SGD模型时单个样本的隐私保障。我们还设计了一种高效算法，用于探究多个数据集上的个体隐私差异。研究发现，大多数样本享有比最坏情况更强的隐私保障。进一步发现，训练损失与样本的隐私参数之间存在良好相关性。这意味着模型效用不足的群体同时承受着更弱的隐私保障。例如，在CIFAR-10数据集上，测试准确率最低类别的平均$\varepsilon$比最高类别高出44.2%。