What's up with Google's new VaultGemma model? – Differential Privacy explained

· Source: AI Coffee Break with Letitia · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy · Depth: Intermediate, medium

Summary

Google has introduced VaultGemma, a new large language model (LLM) that achieves provable privacy by employing differential privacy during its full pre-training phase, rather than just fine-tuning. This approach ensures that information seen only once during training leaves no detectable trace in the model, effectively preventing memorization of sensitive data like phone numbers or private addresses. The model demonstrates zero exact or approximate memorization across one million sampled training sequences, a significant improvement over non-differentially private baselines like Gemma 1 and Gemma 2, which reproduced 1% and 0.04% of tested sequences, respectively. VaultGemma's training involves gradient clipping and the addition of Gaussian noise to average gradients, requiring very large batch sizes (over 500,000 examples) to distinguish genuine patterns from one-off data. While achieving strong privacy, VaultGemma's utility currently matches GPT2 performance, indicating a trade-off between privacy and accuracy that still requires further development.

Key takeaway

For organizations handling sensitive data like hospitals or banks, VaultGemma offers a compelling solution to mitigate privacy risks associated with LLM memorization. Your teams should consider integrating differentially private pre-training for models processing confidential information, understanding that one-off sensitive details will be protected, but frequently appearing proprietary data will still be learned. Be aware of the current utility trade-off, as VaultGemma's accuracy aligns with older models, necessitating further development for full utility.

Key insights

VaultGemma achieves provable privacy by applying differential privacy during LLM pre-training, eliminating memorization of unique data.

Principles

Method

Differential privacy for LLMs involves clipping individual gradients, adding calibrated Gaussian noise to batch-averaged gradients, and updating weights, all performed with very large batch sizes during pre-training.

In practice

Topics

Best for: Research Scientist, CTO, VP of Engineering/Data, AI Engineer, Machine Learning Engineer, AI Scientist

Related on AIssential

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by AI Coffee Break with Letitia.