Inferensys

Glossary

Privacy Accounting

Privacy Accounting is the systematic tracking of cumulative privacy loss (epsilon, delta) across multiple training rounds in differentially private federated learning, ensuring total expenditure stays within a pre-defined privacy budget.
Developer building agentic RAG system, retrieval pipeline diagram on laptop, technical workspace with notes.
FEDERATED LEARNING ATTACK MITIGATION

What is Privacy Accounting?

Privacy Accounting is the systematic tracking of cumulative privacy loss in differentially private federated learning.

Privacy Accounting is the formal, quantitative process of tracking and bounding the cumulative privacy loss (measured in epsilon, delta) across multiple training rounds in a differentially private machine learning system. It ensures the total privacy expenditure stays within a pre-defined privacy budget, providing a rigorous guarantee against data reconstruction or membership inference attacks. This is a critical component for federated learning in regulated industries like healthcare and finance.

The process relies on composition theorems, such as those from Rényi Differential Privacy (RDP), which provide tight bounds on how privacy loss accumulates with each iterative model update. By applying mechanisms like the Gaussian Mechanism to client updates and meticulously accounting for the noise, system architects can provably demonstrate compliance with privacy regulations. This transforms abstract privacy promises into auditable, mathematical facts.

PRIVACY ACCOUNTING

Key Components of a Privacy Account

A Privacy Account is a formal ledger tracking the cumulative privacy expenditure in a differentially private federated learning system. It ensures the total privacy loss across all training rounds remains within a pre-defined, verifiable budget.

01

Privacy Budget (ε, δ)

The privacy budget is the total allowable privacy loss, quantified by the parameters epsilon (ε) and delta (δ).

  • Epsilon (ε): Bounds the multiplicative difference in the probability of any output. A lower ε provides stronger privacy.
  • Delta (δ): A small probability of a complete privacy failure, representing an additive slack. It is typically set to a value less than the inverse of the dataset size. The budget is allocated at the project's outset, and the privacy account tracks expenditure against this limit.
02

Privacy Loss Random Variable

For each mechanism (e.g., a training round with noise addition), a Privacy Loss Random Variable quantifies the actual privacy cost incurred. Its distribution depends on the mechanism's noise scale and the specific query. The moments accountant and Rényi Differential Privacy (RDP) track these variables to enable tight composition, providing a more accurate measure of cumulative loss than simple sequential composition of (ε, δ) bounds.

03

Composition Theorems

Composition theorems mathematically define how privacy loss accumulates over multiple queries or training rounds.

  • Basic Sequential Composition: The epsilons sum, and the deltas sum. This is simple but yields loose, pessimistic bounds.
  • Advanced Composition: Provides tighter bounds, especially for many iterations.
  • Rényi Composition: Under RDP, Rényi divergences of the same order α add, allowing for exceptionally precise accounting, which is then converted to a final (ε, δ)-DP guarantee.
04

Mechanism-Specific Parameters

Each privacy-preserving operation consumes budget at a rate determined by its internal parameters.

  • Noise Scale (σ): For the Gaussian mechanism, the standard deviation of the added noise relative to the query's L2 sensitivity. A larger σ consumes less budget per round.
  • Sampling Rate (q): In federated learning, the fraction of clients selected per round. Privacy amplification theorems (like amplification by subsampling) reduce the effective privacy cost when q < 1.
  • Clipping Norm (C): The maximum L2 norm bound applied to individual client updates before noise addition, which defines the sensitivity of the aggregation query.
05

Spending Policy & Stopping Criterion

The spending policy is an algorithm that decides how much budget to allocate per training round. It can be:

  • Fixed: Allocates a uniform ε per round.
  • Adaptive: Allocates more budget in later rounds for fine-tuning, or varies it based on convergence metrics. The stopping criterion is triggered when the remaining privacy budget falls below a threshold, halting training to prevent budget overrun. This enforces the formal guarantee.
06

Audit Log & Verification

A cryptographically verifiable audit log is a core component for compliance and trust. It immutably records:

  • Initial budget allocation (ε_total, δ_total).
  • Per-round parameters: noise scale, clipping norm, client sampling rate.
  • Calculated privacy expenditure per round.
  • Cumulative expenditure and remaining budget. This log allows external auditors or regulators to verify that the system adhered to its declared privacy policy throughout training.
PRIVACY ACCOUNTING

Common Privacy Composition Methods

A comparison of formal methods for tracking cumulative privacy loss (epsilon, δ) across multiple training rounds in differentially private federated learning.

MethodComposition TypePrivacy GuaranteeTightnessCommon Use Case

Basic Composition

Linear

(kε, kδ)

Loose

Theoretical baseline; simple worst-case analysis.

Advanced Composition

√k

(ε√(2k log(1/δ')), kδ + δ')

Moderate

General iterative algorithms with Gaussian mechanism.

Rényi Differential Privacy (RDP)

Analytic

Converts RDP to (ε, δ)

Tight

Default for modern DP libraries (e.g., TensorFlow Privacy, Opacus).

Moments Accountant

Analytic

(ε, δ) via moment generating functions

Tight

Deep learning with DP-SGD; precursor to RDP.

Zero-Concentrated DP (zCDP)

Analytic

Converts zCDP to (ε, δ)

Tight

Subsampling analyses; compatible with RDP.

Privacy Loss Distribution (PLD)

Numerical

(ε, δ) via privacy loss random variable

Very Tight

Optimal accounting for heterogeneous mechanisms and subsampling.

Fast Fourier Transform (FFT) Accountant

Numerical

(ε, δ) via FFT convolution of PLDs

Very Tight

Production systems requiring highly accurate, real-time privacy budget tracking.

FRAMEWORKS & TOOLS

Privacy Accounting in Practice: Frameworks & Tools

Privacy accounting transforms theoretical privacy guarantees into auditable, operational systems. These frameworks and libraries provide the mathematical tooling to track, compose, and enforce privacy budgets across complex, iterative training processes like federated learning.

PRIVACY ACCOUNTING

Frequently Asked Questions

Privacy Accounting is the systematic tracking of cumulative privacy loss across multiple training rounds in differentially private federated learning, ensuring total expenditure stays within a pre-defined privacy budget.

Privacy accounting is the formal process of tracking and bounding the cumulative privacy loss (measured in epsilon and delta) incurred across multiple training rounds in a differentially private federated learning system. It ensures the total privacy expenditure does not exceed a pre-defined privacy budget, providing a mathematical guarantee that no individual's data can be identified or reconstructed from the final model or its intermediate updates. This is critical for regulated industries like healthcare and finance, where training on sensitive, decentralized data requires provable privacy assurances.

Key components tracked include:

  • Epsilon (ε): The primary privacy loss parameter, representing the maximum multiplicative difference in the probability of any output with or without a single individual's data. Lower epsilon means stronger privacy.
  • Delta (δ): A small probability of privacy failure, representing the chance the epsilon guarantee does not hold.
  • Composition: The method (e.g., basic, advanced, or Rényi Differential Privacy (RDP) composition) used to calculate how privacy loss accumulates over sequential queries (training rounds).
  • Mechanism: The specific noise-adding procedure used, such as the Gaussian mechanism or Laplace mechanism, each with defined privacy parameters per round.
Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.