惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Martin Fowler
Martin Fowler
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
博客园 - 聂微东
IT之家
IT之家
GbyAI
GbyAI
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Y
Y Combinator Blog
博客园 - 【当耐特】
The Cloudflare Blog
宝玉的分享
宝玉的分享
罗磊的独立博客
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
V
Visual Studio Blog
小众软件
小众软件
博客园_首页
Last Week in AI
Last Week in AI
J
Java Code Geeks
V
V2EX
雷峰网
雷峰网
Apple Machine Learning Research
Apple Machine Learning Research
阮一峰的网络日志
阮一峰的网络日志
腾讯CDC
博客园 - 司徒正美
Engineering at Meta
Engineering at Meta
The GitHub Blog
The GitHub Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
D
DataBreaches.Net
博客园 - 三生石上(FineUI控件)
MyScale Blog
MyScale Blog
云风的 BLOG
云风的 BLOG
The Register - Security
The Register - Security
M
MIT News - Artificial intelligence
Microsoft Azure Blog
Microsoft Azure Blog
T
The Blog of Author Tim Ferriss
N
Netflix TechBlog - Medium
F
Full Disclosure
B
Blog
H
Help Net Security
C
Check Point Blog
WordPress大学
WordPress大学
人人都是产品经理
人人都是产品经理
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Jina AI
Jina AI
酷 壳 – CoolShell
酷 壳 – CoolShell
Blog — PlanetScale
Blog — PlanetScale
L
LangChain Blog
P
Proofpoint News Feed
D
Docker
Microsoft Security Blog
Microsoft Security Blog

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
Reading the Receipts: How Smarter Privacy Accounting Could Unlock More from Sensitive Data
Bongho Tae · 2026-04-27 · via DEV Community

The Problem Hiding Inside Every Medical Study

Picture a coalition of hospitals that wants to train an AI to detect early signs of heart disease. No individual hospital has enough patients to train the model alone, so they decide to collaborate. But there's a catch: they cannot simply share patient records. Privacy law forbids it. So instead, each hospital trains on its own data and shares only the model's learned parameters — not the raw records themselves.

This arrangement sounds safe, but the parameters are not innocent. Through a technique called a membership inference attack, a sophisticated adversary can sometimes probe a shared model and determine whether a specific person's records were used in training. Each round of parameter sharing is a small window through which a little information escapes. Run enough rounds, and the window grows into a door.

Every engineer building this kind of system therefore works under a constraint: a privacy budget. Think of it as a jar of trust coins. Each training round costs some coins. When the jar is empty, you must stop — any further sharing would compromise the privacy guarantees you promised. The question the system designer has to answer before training begins is: how many rounds can we afford?

The answer, it turns out, has historically been too pessimistic — sometimes by a wide margin. A paper by Sophie Taylor, Praneeth Vippathalla, and Justin Coon of the University of Oxford proposes a way to fix that, by changing not the rules of the game, but how carefully the score is kept.

Why the Old Scorekeeping Was Leaving Points on the Table

To understand the inefficiency, you need to understand what differential privacy actually guarantees. At its core, it is a mathematical promise: the output of any query on a database will look almost identical whether or not any single person's record is included. The "almost" is controlled by a small number, typically called epsilon. A very small epsilon means very strong privacy — the outputs barely change regardless of whether your record is present. A large epsilon means the outputs might shift noticeably, giving an adversary more leverage.

The clever mechanism that enforces this guarantee is noise. Before releasing an answer — say, "the average blood pressure of patients in this cohort" — the system deliberately adds a small dose of random static, like a radio signal faintly scrambled. The static is calibrated so that any single patient's record could plausibly have been there or not there; the noise blurs the difference.

Now here is where the budget problem enters. Every time you add noise to an answer and release it, you spend some of your epsilon coins. The mathematical theory of composition tells you how the costs accumulate over multiple queries. And existing composition theorems, for all their sophistication, share a common habit: they charge you for the worst possible query of that type, not for the query that actually happened.

Imagine a family deciding how to budget for a road trip. The parents look up the car's fuel consumption: maximum 9 litres per 100 kilometres. They plan the entire trip assuming every kilometre will cost maximum fuel — and conclude they can drive only 300 kilometres before running out. But in practice, the highway stretches are far more efficient than the worst-case city traffic. If they had tracked the actual fuel gauge reading after each leg of the journey, they would have realized they could drive 450 kilometres.

Existing privacy filters — the software tools that track privacy loss and decide when to stop — function like those overcautious parents. They know the mechanism type being used (say, "Gaussian noise added to an answer"), and they charge each query the maximum that mechanism could ever cost. They never check the fuel gauge. They never read the receipts.

Adaptive data release system showing query rounds and privacy tracking

Figure 1: Adaptive data privacy problem

The Insight: Charge for What Actually Happened

The key idea of this paper is disarmingly simple to state, though technically treacherous to implement: measure the privacy leakage that actually occurred, not the worst case that could have occurred.

When a query is answered and noise is added, the actual output is a specific number — not a range of possible numbers. That specific output lands somewhere in the distribution of possible outputs. If it lands near the middle of the distribution, the leakage for that query was small; an adversary learns relatively little from an unexceptional answer. If it lands in the extreme tail — a very unusual answer — the leakage was larger, because extreme answers are harder to fake with noise.

Think of it this way. Suppose a medical study releases the query "how many patients have elevated cholesterol?" and the true answer is 412 patients, plus some random noise. If the released number is 415, that is an utterly unremarkable deviation — it could mean 412 patients, or 411, or 413. An adversary trying to determine whether a specific patient is in the dataset gains almost nothing from this boring answer. The privacy cost of that particular query output was tiny.

But if the system's budget was pre-allocated by saying "this type of query could cost up to 0.3 epsilon coins," when the actual cost was closer to 0.03 coins, you have wasted the difference. The authors call tracking the actual coin-by-coin spending realisation-level accounting, as opposed to the older mechanism-level accounting that rounds every expense up to the catalogue price.

This is not merely thrifty bookkeeping. The gap between what you were charged and what you actually spent accumulates across hundreds or thousands of queries. In federated learning, where model training might take thousands of rounds, that difference can translate into a dramatically longer training run — a more capable model — within exactly the same privacy guarantee you promised at the start.

The Tricky Part: You Can't Just Read the Meter

If realisation-level accounting is so natural, why hadn't it been built before? The answer lies in a subtle mathematical hazard that the paper devotes considerable effort to navigating.

Here is the problem in miniature. Suppose you are playing a card game where you must stop when you've spent your budget. Normally, the stopping rule is independent of the cards themselves — you're just counting. But with realisation-level accounting, the stopping rule depends on the specific cards you've seen. This creates a self-referential tangle: the decision to stop, or not, is itself a piece of information that might reveal something about the data.

Mathematically, this is the problem of stopping times — the point at which you decide to quit. When you condition on having seen all the outputs up to a certain round and then decide whether to continue, you are in a different probability universe than if you had committed your stopping rule in advance. Standard privacy proofs assume the stopping point is fixed ahead of time. The moment it becomes adaptive, the proofs can break.

Picture a journalist who decides to stop investigating a story only when she finds compelling evidence. Her decision to stop is not random — it is correlated with what she found. If someone wants to know whether she stopped because of what her source said, her stopping time itself becomes a leak.

The authors work around this with a careful mathematical construction. Rather than conditioning on the full output history — which would create the self-referential problem — they design the filter to track a running statistic that accounts for how surprising each output was, without directly conditioning on the stopping decision itself. The proof that this filter still guarantees differential privacy requires several pages of careful measure-theoretic argument, grappling with conditional distributions and martingale stopping theorems. But the upshot is clean: you can use the actual leakage to decide when to stop, and the privacy guarantee still holds, exactly as promised.

A Bouncer Who Actually Checks the Tab

Think of the filter as a bouncer at a very strict club. The rule is: each patron can consume at most epsilon units of information over the evening. The old-style bouncer assigned every customer the maximum possible tab the moment they walked in, based on what a typical customer might order. This meant many customers were turned away before they reached their actual limit.

The new filter is a bouncer who actually watches what each customer orders and marks it on a running tab. When the tab hits the limit, the customer stops. Most evenings, most customers reach their real limit far later than the overcautious estimate would have predicted — so the club can stay open longer, and everyone gets more of the experience they came for, without the club violating its capacity rules.

The paper also addresses something practical that older approaches stumbled on. An alternative privacy formalism called Rényi Differential Privacy (RDP) — a variant that uses a specific mathematical measure of information distance between distributions — has been widely used for composition because it composes very cleanly across queries. But it behaves poorly for certain kinds of mechanisms, particularly ones whose noise distributions have heavy tails or unusual shapes. Some mechanisms simply don't fit the RDP framework neatly.

The realisation-level filter in this paper sidesteps that problem entirely. Because it operates directly on the actual output — asking "how surprising was this specific answer?" rather than "how does this mechanism behave on average?" — it does not require the mechanism to fit any particular mathematical family. It works on well-behaved Gaussian mechanisms and badly-behaved ones alike.

What the Numbers Show

The paper's numerical experiments compare the new filter against existing mechanism-level filters in a straightforward setup: a sequence of Gaussian queries on a database, where privacy budgets are identical across all methods. The comparison is measured not in privacy guarantees — all methods satisfy the same epsilon and delta — but in stopping time: how many queries each method allows before calling a halt.

Stopping time survival probability comparing mechanism-level and realisation-level filters

Figure 2: Stopping time survival P(T≥t) of mechanism-level privacy filters compared with our realisation-level privacy filter.

The realisation-level filter consistently permits more queries before stopping. The survival curve — showing the probability that the filter has not yet stopped at round t — stays elevated longer than the mechanism-level competitors. In practical terms, this means more training rounds in federated learning, more analysis steps in a statistical study, or more model iterations in a continuous learning pipeline, all without spending an extra epsilon coin.

The gain is not marginal. In the scenarios tested, the realisation-level filter allows substantially more rounds before halting, particularly in early phases of a query sequence where actual leakages tend to be modest. The difference compounds: more rounds mean more learned signal, which in the medical imaging example might mean the difference between a model that screens for disease adequately and one that screens reliably.

What Becomes Possible — and What Doesn't Yet

Think about what this means for the hospital coalition training a heart disease model. Under mechanism-level accounting, engineers might calculate: "We can afford 200 training rounds before we exhaust our privacy budget." With realisation-level filtering, the same budget might sustain 320 or 400 rounds, depending on how the actual outputs happen to land during training. The model trained on 400 rounds will almost certainly outperform the one cut off at 200 — and the privacy promise to patients has not changed at all.

Or consider a pharmaceutical company analyzing genomic data. Each query into the dataset costs privacy. With the old approach, researchers must submit their entire query plan before starting, pre-allocating budget to each step. With an adaptive realisation-level filter, they can run queries in response to what they find, stopping when the privacy budget runs dry, and trusting that the actual costs will often be lower than the catalogue price.

The honest limits matter here, though. The paper proves that the filter works — meaning it delivers the privacy guarantee it promises — and it demonstrates numerically that it allows more queries on average. What it does not answer is how to choose the filter's parameters optimally for a given application. The filter requires a user-specified epsilon and delta, and the paper is agnostic about how to set them in a real system. In a regulatory context, that choice is anything but obvious.

There is also a gap between proof and deployment. The mathematical machinery underlying the stopping-time proof is non-trivial, and translating it into a production-grade library requires careful implementation. A bug in the filter logic could undermine the privacy guarantee entirely — and unlike many software bugs, privacy bugs tend to be silent. They do not crash systems; they simply leak information that was supposed to stay hidden.

Finally, the paper focuses on privacy filters as a framework but does not provide a full comparison against the most recent FFT-based composition methods, which have their own strengths for certain problem shapes. The landscape of privacy accounting tools is crowded and fast-moving, and situating a new technique precisely within that landscape is genuinely difficult.

What the paper does accomplish is conceptually important: it shows that the gap between worst-case accounting and actual-case accounting is real, measurable, and exploitable without weakening the privacy guarantee. For years, privacy engineers have been paying full catalogue price for every query, even when the actual leakage was much smaller. This work is the first rigorous proof that you can read the receipts — and that reading them changes the bottom line.

The jar of trust coins turns out to have been heavier than anyone thought.


📄 https://arxiv.org/abs/2604.08630

tags: privacy, machinelearning, statistics, federatedlearning

🇰🇷 Korean version on Velog: https://velog.io/@tkdnel1002/m233p3fv