1. Home
  2. To appear
  3. A Practical Guide to Differentially Priv ...

Journal of Data Science


A Practical Guide to Differentially Private Deep Learning Using the Pseudo Posterior Mechanism
Pub. online: 9 June 2026      Type: Statistical Data Science      Open accessOpen Access
Received
9 September 2025
Accepted
2 June 2026
Published
9 June 2026

Abstract

Privacy-preserving machine learning methods seek to train useful models that do not disclose information about the data on which they were trained. Such methods are vital when organizations train neural networks on sensitive individual-level data and seek to release the models publicly. Their goal poses a trade-off between predictive performance (utility) and privacy protection. That trade-off makes privacy-preserving machine learning methods difficult to apply in practice, usually requiring extensive iteration and hyperparameter tuning. Yet, practitioners often have little guidance for navigating competing statistical, computational, and privacy demands. We present an implementation algorithm for the Stochastic Weight Averaging–Gaussian Pseudo Posterior Mechanism (SWAG-PPM), a Bayesian differentially private deep learning method. The implementation algorithm focuses on the joint tuning of two key hyperparameters whose interaction governs model convergence and the privacy–utility trade-off. We introduce novel diagnostic tools to evaluate convergence and guide hyperparameter adjustments. Using a transformer model for occupational injury classification, we demonstrate that diagnostic-guided tuning with SWAG-PPM can achieve strong privacy protection and utility. While our case study uses a specific dataset and model architecture, all methodological steps can apply to other settings where privacy risk is heterogeneously distributed.

Supplementary material

 Supplementary Material
Complete classification report with per-class metrics

References

 
Abadi M, Chu A, Goodfellow I, McMahan HB, Mironov I, ..., Zhang L (2016). Deep learning with differential privacy. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (E Weippl, S Katzenbeisser, C Kruegel, A Myers and S Halevi, eds.), 308–318.
 
Aktay A, Bavadekar S, Cossoul G, Davis J, Desfontaines D, ..., Wilson RJ (2020). Google COVID-19 community mobility reports: Anonymization process description (version 1.1).
 
Apple Inc (2017). Differential Privacy Overview. White Paper. Apple Inc., Cupertino, CA.
 
Bischl B, Binder M, Lang M, Pielok T, Richter J, ..., Lindauer M (2023). Hyperparameter optimization: Foundations, algorithms, best practices, and open challenges. Wiley Interdisciplinary Reviews: Data Mining and Knowledge Discovery, 13(2): e1484.
 
Carlini N, Ippolito D, Jagielski M, Lee K, Tramer F, Zhang C (2022). Quantifying memorization across neural language models. In: The Eleventh International Conference on Learning Representations.
 
Chew R (2025). OSHA Severe Injury Reports: Jan 2015 - Sep 2023. https://doi.org/10.6084/m9.figshare.28669604.v1
 
Chew R, Williams MR, Segarra EA, Preiss AJ, Konet A, Savitsky TD (2025). Bayesian pseudo posterior mechanism for differentially private machine learning. arXiv preprint: arXiv:2503.21528.
 
Devlin J, Chang MW, Lee K, Toutanova K (2019). Bert: Pre-training of deep bidirectional transformers for language understanding. In: Proceedings of NAACL-HLT (J Burstein, C Doran and T Solorio, eds.),
 
Dwork C (2006). Differential privacy. In: International Colloquium on Automata, Languages, and Programming (M Bugliesi, B Preneel, V Sassone and I Wegener, eds.), 1–12. Springer.
 
Dwork C, Kohli N, Mulligan D (2019). Differential privacy in practice: Expose your epsilons! Journal of Privacy and Confidentiality, 9(2). https://doi.org/10.29012/jpc.689
 
Google Research (2024). Advances in Private Training for Production on-Device Language Models. Blog Post. Google Research, Mountain View, CA.
 
Hod S, Canetti R (2025). Differentially private release of Israel’s national registry of live births. In: 2025 IEEE Symposium on Security and Privacy (SP), 3912–3930. IEEE.
 
Howarth G, Altman M, Ayalde S, Ghazi E, McCallum C, ..., Near J (2025). A community-driven differential privacy deployment registry, Technical Report NIST Internal or Interagency Report (NISTIR) 8588, (Draft), National Institute of Standards and Technology.
 
Hsu J, Gaboardi M, Haeberlen A, Khanna S, Narayan A, ..., Roth A (2014). Differential privacy: An economic method for choosing epsilon. In: 2014 IEEE 27th Computer Security Foundations Symposium, 398–410.
 
Hu J, Williams MR, Savitsky TD (2022). Mechanisms for global differential privacy under bayesian data synthesis. arXiv preprint: arXiv:2205.05003.
 
Liu J, Talwar K (2019). Private selection from private candidates. In: Proceedings of the 51st Annual ACM SIGACT Symposium on Theory of Computing (M Charikar and E Cohen, eds.), 298–309.
 
Liu Z, Lin W, Shi Y, Zhao J (2021). A robustly optimized bert pre-training approach with post-training. In: China National Conference on Chinese Computational Linguistics (S Li, M Sun, Y Liu, H Wu, K Liu, W Che, S He and G Rao, eds.), 471–484. Springer.
 
Maddox WJ, Izmailov P, Garipov T, Vetrov DP, Wilson AG (2019). A simple baseline for bayesian uncertainty in deep learning. Advances in Neural Information Processing Systems, 32: 13153–13164.
 
Mandt S, Hoffman MD, Blei DM (2017). Stochastic gradient descent as approximate Bayesian inference. Journal of Machine Learning Research, 18(134): 1–35.
 
Nasr M, Songi S, Thakurta A, Papernot N, Carlin N (2021). Adversary instantiation: Lower bounds for differentially private machine learning. In: 2021 IEEE Symposium on Security and Privacy (SP), 866–882.
 
Near J, Darais D, Lefkovitz N, Howarth G (2025). Guidelines for evaluating differential privacy guarantees, Technical Report NIST.SP.800-226, National Institute of Standards and Technology.
 
Rigaki M, Garcia S (2024). A survey of privacy attacks in machine learning. ACM Computing Surveys, 56(4): 1–34. https://doi.org/10.1145/3624010
 
Savitsky TD, Williams MR, Hu J (2022). Bayesian pseudo posterior mechanism under asymptotic differential privacy. Journal of Machine Learning Research, 23(55): 1–37.
 
Shokri R, Stronati M, Song C, Shmatikov V (2017). Membership inference attacks against machine learning models. In: 2017 IEEE Symposium on Security and Privacy (SP), 3–18.
 
Stadler T, Oprisanu B, Troncoso C (2022). Synthetic data – anonymisation groundhog day. In: 31st USENIX Security Symposium (USENIX Security, volume 22, 1451–1468. USENIX Association, Boston, MA.
 
US Bureau of Labor Statistics (2025). Automated coding of injury and illness data. White paper.
 
US Census Bureau (2021). Census Bureau Sets Key Parameters to Protect Privacy in 2020 Census Results Press Release. U.S. Census Bureau.
 
Vaswani A, Shazeer N, Parmar N, Uszkoreit J, Jones L, ..., Polosukhin I (2017). Attention is all you need. In: Advances in Neural Information Processing Systems (I Guyon, U Von Luxburg, S Benigo, H Wallach, R Fergus, S Viswanathan and R Garnett, eds.), volume 30.

Related articles PDF XML
Related articles PDF XML

Copyright
2026 The Author(s). Published by the School of Statistics and the Center for Applied Statistics, Renmin University of China.
Open access article under the CC BY license.

Keywords
Bayesian deep learning differential Privacy imbalanced learning official statistics pseudo posterior distribution

Metrics
since February 2021
26

Article info
views

13

PDF
downloads


Share


RSS