Explore epsilon and delta parameters interactively. Visualize the privacy-utility tradeoff, calculate noise scales for Gaussian and Laplace mechanisms, and track privacy budget composition across queries.
Adjust epsilon (privacy loss bound) and delta (failure probability) to see how they affect the privacy guarantee. The visualization shows the probability ratio between neighboring datasets.
See how model accuracy degrades as you increase privacy (lower epsilon). The curve shows the theoretical tradeoff for a classifier trained with DP-SGD. Click on the curve to set epsilon.
Track how your privacy budget depletes across multiple queries or training epochs. Compare basic, advanced, and Renyi composition theorems.
| Composition | Total Epsilon | Max Queries (Budget) | Status |
|---|
Compare your epsilon against production deployments of differential privacy by major organizations.
Differential privacy provides the strongest known mathematical framework for protecting individual privacy in data analysis and machine learning. Unlike ad-hoc anonymization techniques that can be defeated by clever adversaries, differential privacy offers provable guarantees. The core promise is simple: the output of a differentially private computation should be essentially the same whether or not any single individual's data is included in the input. This is formalized through two parameters: epsilon, which bounds the privacy loss, and delta, which bounds the probability of the guarantee failing.
The definition states that a mechanism M satisfies (epsilon, delta)-differential privacy if for any two neighboring datasets D and D' (differing in exactly one record) and any set of outputs S: P[M(D) in S] <= e^epsilon * P[M(D') in S] + delta. In plain terms, this means an adversary observing the output cannot determine with high confidence whether any specific individual was in the dataset. The epsilon parameter controls how much the output can differ between neighboring datasets, while delta allows a small probability of catastrophic privacy failure.
The most common way to achieve differential privacy is by adding calibrated random noise to computations. The Laplace mechanism adds noise drawn from a Laplace distribution with scale b = sensitivity/epsilon. The Gaussian mechanism adds noise from a Gaussian distribution with standard deviation sigma = sensitivity * sqrt(2 * ln(1.25/delta)) / epsilon. The sensitivity is the maximum change in the output when one record is added or removed. For counting queries, sensitivity is 1. For average queries over n records, sensitivity is the data range divided by n.
The choice between Laplace and Gaussian mechanisms depends on the application. Laplace provides pure (epsilon, 0)-differential privacy without requiring delta, but Gaussian noise composes better across multiple queries and is the standard choice for deep learning (DP-SGD). In practice, the Gaussian mechanism with the Renyi Divergence or Moments Accountant for composition tracking provides the tightest privacy bounds for iterative ML training.
DP-SGD (Differentially Private Stochastic Gradient Descent), introduced by Abadi et al. in 2016, adapts differential privacy for neural network training. It works by: (1) computing per-sample gradients, (2) clipping each gradient to a maximum norm C to bound sensitivity, (3) averaging the clipped gradients, (4) adding Gaussian noise calibrated to C and the privacy parameters, and (5) updating model weights with the noisy gradient. This process repeats for each training step, with the privacy budget tracked using the Moments Accountant.
The key parameters in DP-SGD are the clipping norm C (higher values preserve more gradient information but require more noise), the noise multiplier sigma (the ratio of noise to clipping norm), the lot size (number of samples per step), and the number of training steps. The total privacy budget epsilon grows with the number of steps, which means longer training requires either more noise or a larger privacy budget. The Moments Accountant provides tight composition bounds, significantly improving over basic or advanced composition for the many iterations typical in deep learning.
One of the most important practical aspects of differential privacy is composition: what happens to the total privacy guarantee when you run multiple private computations on the same data? Under basic composition, the epsilon values simply add up: k queries each with epsilon give total privacy loss of k * epsilon. This is tight but pessimistic for large k. Advanced composition (Dwork et al. 2010) shows that the total loss grows as O(epsilon * sqrt(k * ln(1/delta'))), which is much better for large numbers of queries. The Renyi Differential Privacy (RDP) accountant provides even tighter bounds and is the standard for DP-SGD training.
The composition calculator above lets you compare these three composition methods side by side. Enter your per-query epsilon and the number of queries to see how quickly the budget is consumed under each theorem. For ML training, where you may run thousands or millions of gradient steps, the difference between basic and advanced composition is enormous — often the difference between a usable model and one that requires infinite noise.
What epsilon value should you use? This depends on your threat model and regulatory requirements. An epsilon of 0.1-1.0 provides strong privacy suitable for medical records or highly sensitive personal data. Epsilon 1-5 provides moderate privacy appropriate for analytics where some data leakage is acceptable. Epsilon 5-15 provides weak but meaningful privacy, typical for telemetry and usage statistics. Epsilon above 15 provides minimal privacy protection and may not satisfy regulatory requirements. The US Census Bureau used epsilon 19.61 for the 2020 Census, which was controversial in the statistics community as potentially too high.
For ML models specifically, the practical range is epsilon 1-10 for most applications. Research has shown that models trained with DP-SGD at epsilon 3-8 can achieve accuracy within 1-5% of non-private baselines on common benchmarks. For highly sensitive applications (healthcare, finance), epsilon below 1 is recommended, though this may require larger datasets or simpler model architectures to maintain useful accuracy. The privacy-utility tradeoff curve above visualizes this relationship — use it to find the epsilon that balances your requirements for both privacy and model performance.
Differential privacy is one technique in a broader ML privacy toolkit. Federated learning keeps raw data on user devices and only shares model updates. Secure multi-party computation allows multiple parties to jointly train models without revealing their individual datasets. Homomorphic encryption enables computation on encrypted data. These techniques can be combined with differential privacy for defense in depth. For example, federated learning with DP-SGD adds noise to the local model updates before aggregation, providing both data locality and formal privacy guarantees. For a comprehensive security posture, pair differential privacy with the controls in the ML Security Checklist and use the Threat Model Generator to identify which privacy threats are most relevant to your deployment.
Differential privacy is a mathematical framework providing provable privacy guarantees for data analysis and ML training. It ensures the output of a computation does not reveal whether any specific individual's data was included. For ML, this prevents models from memorizing or leaking individual training data points. It is parameterized by epsilon (privacy loss bound) and delta (failure probability), and achieved by adding calibrated noise to computations or gradients.
Epsilon quantifies the maximum privacy loss — how much information about any individual can leak through the computation's output. Lower epsilon means stronger privacy but more noise and less utility. Epsilon of 0 means perfect privacy with no utility. In practice, values between 1 and 10 are common for ML. Apple uses epsilon 2-8 for iOS analytics, Google uses 2-9 for Chrome RAPPOR, and the US Census used 19.6 for population data.
Noise addition makes the computation output nearly independent of any single individual's data. For ML training (DP-SGD), Gaussian noise is added to clipped gradients at each step. The noise magnitude is calibrated to the gradient clipping norm, desired epsilon, delta, and number of steps. This ensures an adversary cannot determine from the trained model whether any specific data point was in the training set.
Stronger privacy (lower epsilon) requires more noise, reducing model accuracy. This is the fundamental tension in differential privacy. A medical model may need epsilon below 1 even at significant accuracy cost, while a recommendation system may use epsilon 10 for better quality. The tradeoff curve above helps you find the right balance. Techniques like pre-training on public data and fine-tuning with DP can improve the tradeoff significantly.
Under basic composition, total epsilon equals the sum of per-query epsilons. Advanced composition gives total epsilon proportional to sqrt(k) instead of k, which is much better for many queries. The Moments Accountant (used in DP-SGD) provides the tightest bounds. This matters because ML training involves thousands of gradient steps, each consuming budget. Tight composition accounting is the difference between a usable model and one that requires impractical amounts of noise.