privacy, security, and reliability of ML · Ex @EPFL, @hseas, @Google

Joined September 2012
Bogdan Kulynych retweeted
The NeurIPS position paper track was flooded with submissions that substantially used AI. More than other tracks, and despite a requirement otherwise. I appreciate the chairs' strong action. People are not entitled to reviewers' time, AI makes it exceptionally easy to waste it.
This year, the NeurIPS 2026 Position Paper Track made the decision to require that all papers be substantially human-written, with AI used for only copy-editing or similar peripheral changes to the main text! For more details, please check our blogpost: blog.neurips.cc/2026/06/02/a…
Bogdan Kulynych retweeted
A Gaussian mechanism with ε = 6 can be less private than one with ε = 8. This points to a problem with how we report privacy guarantees in machine learning. A thread 🧵
Here's an example for a specific instantiation of DP-SGD in terms of f-DP trade-off curves (an equivalent operational version of privacy profiles). As we see, a non-asymptotic GDP trade-off curve fits the DP-SGD trade-off curve almost exactly.
Many ML algorithms, especially those involving many compositions like DP-SGD, can be very precisely characterized with GDP. This is a *non-asymptotic* result, not just a central limit approximation!
GDP characterizes the entire privacy profile ε(δ) of a Gaussian mechanism exactly using a single number μ. Interpretation: if a mechanism satisfies μ-GDP, then running membership inference against it is as hard as distinguishing N(0,1) from N(μ,1) based on a single observation.
Can we do better without reporting an entire privacy profile? Yes! With Gaussian differential privacy (GDP).
As the convention sets δ in a data-dependent way, this matters whenever you compare models across datasets or papers.
Issue 2: You can't properly compare two mechanisms by ε if their δ values differ. A Gaussian mechanism with ε = 6 at δ = 10⁻⁵ is less private than one with ε = 8 at δ = 10⁻⁹. This is because you cannot properly compare ε if δ is different.
No attacker in the universe can achieve that 98% rate: it's purely an artifact of compressing the entire privacy profile into one pair (ε, δ). My colleagues and I detail this problem in this NeurIPS'24 paper: arxiv.org/abs/2407.02191
Issue 1: A single (ε, δ) pair can massively overstate privacy risk. Example: DP-SGD with ε = 8 at δ = 10⁻⁵ suggests a worst-case membership inference accuracy of ~98% using standard conversions. But using the full privacy profile, the actual maximum is only ~68%.
The standard way to report is to use a single (ε, δ) pair for a small δ. The community has developed informal conventions, e.g., ε < 10 is generally considered OK in privacy-preserving machine learning. But this convention has two big issues.
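The claims in the thread above (Issue 1, Issue 2, and the μ-GDP interpretation of a Gaussian mechanism) can be checked numerically. What follows is an added example, not code from the thread, the paper, or the author: it inverts the Gaussian privacy profile δ(ε) = Φ(-ε/μ + μ/2) - e^ε Φ(-ε/μ - μ/2) to recover μ from a reported (ε, δ) pair, then compares the membership-inference accuracy bound implied by that single pair with the one implied by the full profile. The helper names, the bisection search, and the (ε, δ) values are the example's own choices; the numbers it prints are for a plain Gaussian mechanism and are not the DP-SGD figures (98% / 68%) quoted in the thread.

```python
"""Added example: compare Gaussian mechanisms by their GDP parameter mu rather
than by one (eps, delta) pair, and contrast the membership-inference (MIA)
accuracy bound from a single pair with the bound from the full profile.
Not code from the thread or the paper; helper names are this example's own."""
import math


def Phi(x: float) -> float:
    """Standard normal CDF via erfc, which keeps relative precision in the far
    tail (needed when delta is around 1e-9)."""
    return 0.5 * math.erfc(-x / math.sqrt(2.0))


def gdp_delta(eps: float, mu: float) -> float:
    """Privacy profile delta(eps) of a mu-GDP mechanism (Dong, Roth, Su):
    delta(eps) = Phi(-eps/mu + mu/2) - exp(eps) * Phi(-eps/mu - mu/2)."""
    return Phi(-eps / mu + mu / 2.0) - math.exp(eps) * Phi(-eps / mu - mu / 2.0)


def mu_from_eps_delta(eps: float, delta: float, lo: float = 1e-3,
                      hi: float = 50.0, iters: int = 200) -> float:
    """The mu whose GDP profile passes through (eps, delta).
    At fixed eps, delta(eps) grows with mu, so bisection is sound.
    Search bounds are an assumption; they cover every practical setting."""
    for _ in range(iters):
        mid = 0.5 * (lo + hi)
        if gdp_delta(eps, mid) < delta:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def gaussian_mechanism_mu(sensitivity: float, sigma: float,
                          compositions: int = 1) -> float:
    """mu of a Gaussian mechanism with L2 sensitivity `sensitivity` and noise
    std `sigma` is sensitivity / sigma; k-fold composition WITHOUT subsampling
    gives sqrt(k) * mu (GDP composition theorem). DP-SGD adds subsampling,
    which this helper deliberately does not model."""
    return math.sqrt(compositions) * sensitivity / sigma


def max_mia_accuracy_from_eps_delta(eps: float, delta: float) -> float:
    """Best balanced MIA accuracy allowed by one (eps, delta) pair, i.e. by the
    trade-off curve f(a) = max(0, 1 - delta - e^eps a, e^-eps (1 - delta - a)).
    a + f(a) is minimised at the kink a = (1 - delta) / (e^eps + 1), where
    a + f(a) = 2 (1 - delta) / (e^eps + 1); accuracy = 1 - (a + f(a)) / 2."""
    return 1.0 - (1.0 - delta) / (math.exp(eps) + 1.0)


def max_mia_accuracy_gdp(mu: float) -> float:
    """Best balanced accuracy for telling N(0,1) from N(mu,1) with one sample
    (threshold at mu/2): TPR = TNR = Phi(mu/2). This is the MIA bound implied
    by the whole mu-GDP profile, not by one point on it."""
    return Phi(mu / 2.0)


def compare_issue_2():
    """Issue 2 from the thread: (eps=6, delta=1e-5) vs (eps=8, delta=1e-9).
    Returns (mu_a, mu_b); the larger mu is the LESS private mechanism."""
    mu_a = mu_from_eps_delta(6.0, 1e-5)
    mu_b = mu_from_eps_delta(8.0, 1e-9)
    return mu_a, mu_b


def compare_issue_1(eps: float = 8.0, delta: float = 1e-5):
    """Issue 1 from the thread, for a Gaussian mechanism: the single-pair bound
    versus the full-profile bound on MIA accuracy. Returns (mu, pair, profile)."""
    mu = mu_from_eps_delta(eps, delta)
    return mu, max_mia_accuracy_from_eps_delta(eps, delta), max_mia_accuracy_gdp(mu)


if __name__ == "__main__":
    mu_a, mu_b = compare_issue_2()
    print(f"eps=6, delta=1e-5 -> mu = {mu_a:.3f}")
    print(f"eps=8, delta=1e-9 -> mu = {mu_b:.3f}")
    print("less private:", "the eps=6 mechanism" if mu_a > mu_b else "the eps=8 mechanism")
    mu, pair_bound, profile_bound = compare_issue_1()
    print(f"(8, 1e-5): mu = {mu:.3f}; single-pair MIA bound {pair_bound:.4f}, "
          f"full-profile MIA bound {profile_bound:.4f}")
```

Running it shows μ ≈ 1.31 for (ε=6, δ=1e-5) against μ ≈ 1.26 for (ε=8, δ=1e-9), so the ε=6 mechanism is the less private one, as the thread says; and for (ε=8, δ=1e-5) the single pair permits a near-100% attacker while the full Gaussian profile caps balanced MIA accuracy at roughly 80%. The gap in Issue 2 is only a few hundredths of μ, which is why `Phi` is built on `erfc` rather than on `1 - Phi(-x)`: the subtraction in `gdp_delta` would otherwise lose the digits that decide the comparison.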
Presenting this on Thursday Dec 4 at #EurIPS in Copenhagen. Come by at the poster session if this sounds interesting! #NeurIPS2025
New paper at #NeurIPS2025! "Unifying Re-Identification, Attribute Inference, and Data Reconstruction Risks in Differential Privacy" in which we derive unified, tighter bounds on operational attack risks for any DP mechanisms, using f-DP. Link: arxiv.org/abs/2507.06969 Thread👇
This is a unifying framework which can model various types of risk.
Continuing the thread on "Unifying Re-Identification, Attribute Inference, and Data Reconstruction Risks in Differential Privacy", for some reason it got borked. x.com/hiddenmarkov/status/19…
Another (final) finding. The unified f-DP bound extends to a form of a generalization bound. Given that we can compute f-DP curves precisely, this is likely the tightest generalization bound applicable to deep learning, but it is only for on-average generalization unfortunately.
Very excited, and I think this will be quite useful for practical deployments of DP. This is joint work with the great Felipe Gomez ( felipe-gomez.com/ ), George Kaissis, Jamie Hayes, Borja Balle, @FlavioCalmon, JL Raisaro.
