Reconciling privacy and accuracy in AI for medical imaging
Nature Machine Intelligence (IF 18.8), Pub Date: 2024-06-21, DOI: 10.1038/s42256-024-00858-y
Alexander Ziller, Tamara T. Mueller, Simon Stieger, Leonhard F. Feiner, Johannes Brandt, Rickmer Braren, Daniel Rueckert, Georgios Kaissis

Artificial intelligence (AI) models are vulnerable to information leakage of their training data, which can be highly sensitive, for example, in medical imaging. Privacy-enhancing technologies, such as differential privacy (DP), aim to circumvent these susceptibilities. DP is the strongest possible protection for training models while bounding the risks of inferring the inclusion of training samples or reconstructing the original data. DP achieves this by setting a quantifiable privacy budget. Although a lower budget decreases the risk of information leakage, it typically also reduces the performance of such models. This imposes a trade-off between robust performance and stringent privacy. Additionally, the interpretation of a privacy budget remains abstract and challenging to contextualize. Here we contrast the performance of artificial intelligence models at various privacy budgets against both theoretical risk bounds and empirical success of reconstruction attacks. We show that using very large privacy budgets can render reconstruction attacks impossible, while drops in performance are negligible. We thus conclude that not using DP at all is negligent when applying artificial intelligence models to sensitive data. We deem our results to lay a foundation for further debates on striking a balance between privacy risks and model performance.




Updated: 2024-06-21