In Differential Privacy, There is Truth: Evaluating PATE with Monte Carlo Adversaries

dc.contributor.advisor: Papernot, Nicolas NP
dc.contributor.advisor: Lie, David DL
dc.contributor.author: Wang, Jiaqi
dc.contributor.department: Electrical and Computer Engineering
dc.date: 2024-11
dc.date.accepted: 2024-11
dc.date.accessioned: 2024-11-13T19:29:31Z
dc.date.available: 2024-11-13T19:29:31Z
dc.date.convocation: 2024-11
dc.date.issued: 2024-11
dc.description.abstract: The shift from centralized to decentralized machine learning (ML) addresses the privacy concerns associated with centralized data collection. A prominent approach for learning from decentralized data is Private Aggregation of Teacher Ensembles (PATE), which aggregates the predictions of a collection of teacher models. Aggregation is performed through a noised voting mechanism that reveals a collective prediction for the ensemble while providing differential privacy guarantees for the training data of each teacher model. PATE's differential privacy guarantees protect only against adversaries that observe a bounded number of predictions; in the realistic setting where an adversary can query the system continuously, PATE provides virtually no privacy guarantee. The prospects of such an attack, however, have never been evaluated. We contribute the first study of the confidentiality and privacy guarantees provided by PATE. We devise and implement an attack that uses Monte Carlo sampling to recover the votes submitted by participants in the PATE protocol, thus breaking PATE's confidentiality guarantees. Surprisingly, we also show that our adversary is more successful at recovering voting information when the vote-aggregation mechanism introduces noise with a larger variance. Because differential privacy generally benefits from noise with greater variance, this reveals a tension between achieving confidentiality and differential privacy in collaborative learning settings. Next, we observe that PATE and its myriad variants assume that the protocol participants who contribute model votes are honest. We evaluate scenarios in which they can be corrupted by the attacker, and find that the attacks become drastically more potent as the attacker controls more participants. Robustly defending against the attacks reported in this thesis is non-trivial and is likely to significantly reduce the utility of PATE.
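The mechanism the abstract attacks can be simulated in a few dozen lines. The following is an added illustration, not code from the thesis: it implements the noisy-max aggregator of the original PATE paper (Laplace noise of scale 1/gamma added to each class count, then argmax), lets an adversary repeat one query without limit, and then has the adversary search over every possible split of the teachers' votes by simulating the mechanism for each candidate and keeping the one whose label frequencies best match what was observed. The candidate search, the vote vector (6, 3, 1), the query budgets and the seed are assumptions made for the demo; the thesis's own attack is not reproduced here. Running it with a small and a large noise scale shows the effect the abstract reports: with little noise the aggregator always returns the plurality label, so every vote split with the same winner explains the observations equally well and the margin stays hidden, whereas with large noise the label frequencies pin the vote counts down.

```python
"""Monte Carlo vote recovery against a PATE-style noisy-max aggregator.

Added illustration, not code from the thesis. A teacher ensemble votes on one
query; the aggregator adds Laplace noise of scale 1/gamma to every class count
and returns the argmax (the noisy-max mechanism of the original PATE paper).
The adversary repeats the same query, records how often each label comes
back, and ranks every possible split of the teachers' votes by how well a
simulation of the mechanism reproduces those frequencies. Vote vectors,
query budgets and the seed below are constructed for the demo.
"""
import itertools
import math
import random


def laplace(rng, scale):
    """Laplace(0, scale) sample by inverse CDF (the random module has no laplace())."""
    u = rng.random() - 0.5
    sign = 1.0 if u >= 0 else -1.0
    return -scale * sign * math.log(max(1.0 - 2.0 * abs(u), 1e-300))


def noisy_max(counts, scale, rng):
    """One aggregation step: argmax of (vote count + Laplace noise) per class."""
    noisy = [c + laplace(rng, scale) for c in counts]
    return max(range(len(counts)), key=noisy.__getitem__)


def label_frequencies(counts, scale, queries, rng):
    """The adversary's view: fraction of repeated queries answered with each label."""
    hist = [0] * len(counts)
    for _ in range(queries):
        hist[noisy_max(counts, scale, rng)] += 1
    return [h / queries for h in hist]


def vote_vectors(n_teachers, n_classes):
    """Every way n_teachers votes can be split across n_classes (stars and bars)."""
    slots = n_teachers + n_classes - 1
    for bars in itertools.combinations(range(slots), n_classes - 1):
        bounds = (-1,) + bars + (slots,)
        yield tuple(bounds[i + 1] - bounds[i] - 1 for i in range(n_classes))


def recover_votes(observed, n_teachers, scale, sims, rng):
    """Monte Carlo adversary: rank every candidate vote vector by the L1 distance
    between its simulated label frequencies and the observed ones."""
    ranked = []
    for cand in vote_vectors(n_teachers, len(observed)):
        sim = label_frequencies(cand, scale, sims, rng)
        ranked.append((sum(abs(a - b) for a, b in zip(sim, observed)), cand))
    ranked.sort()
    return ranked


def attack(true_counts, scale, queries=10000, sims=5000, seed=1):
    """Run the whole attack. The adversary uses only the number of teachers,
    the number of classes and the noise scale; true_counts is never read by
    the recovery step, it only drives the simulated aggregator."""
    rng = random.Random(seed)
    observed = label_frequencies(true_counts, scale, queries, rng)
    ranked = recover_votes(observed, sum(true_counts), scale, sims, rng)
    best_dist, best = ranked[0]
    # Candidates tied exactly with the best one. When the aggregator almost
    # never deviates from the plurality label, every vector with the same
    # strict winner fits the observations equally well: the margin is hidden.
    n_tied = sum(1 for d, _ in ranked if d == best_dist)
    return {"observed": observed, "best": best, "n_tied": n_tied}


if __name__ == "__main__":
    TRUE_VOTES = (6, 3, 1)  # constructed: 10 teachers, 3 classes
    # small noise (gamma = 50) versus large noise (gamma = 0.5)
    for scale in (0.02, 2.0):
        r = attack(TRUE_VOTES, scale)
        print(f"scale={scale}: observed={r['observed']} "
              f"recovered={r['best']} tied_candidates={r['n_tied']}")
```

With scale 0.02 the observed frequencies are a point mass on the winning label and 20 of the 66 candidate splits (every one whose first class strictly wins) tie at distance zero, so the adversary learns nothing beyond the plurality label. With scale 2.0 the frequencies vary with the margins between classes, and the best-ranked candidate lands on the true split or within one moved vote of it; larger variance is what makes the counts recoverable, which is the tension between confidentiality and differential privacy that the abstract describes.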
dc.description.degree: M.A.S.
dc.identifier.uri: http://hdl.handle.net/1807/141320
dc.subject.classification: 0800
dc.title: In Differential Privacy, There is Truth: Evaluating PATE with Monte Carlo Adversaries
dc.type: Thesis

Files

Wang_Jiaqi_202411_MAS_thesis.pdf (1.49 MB, Adobe Portable Document Format)