A formal promise about individuals
Differential privacy (DP) is a mathematical definition of privacy. Informally, it promises that the result of a computation looks essentially the same whether or not any single person’s data was part of the input. If removing your record from a dataset would barely change the model or statistic produced, then nobody can look at the output and learn much about you specifically. Unlike ad hoc approaches such as deleting names, DP gives a provable, quantifiable guarantee that holds even against attackers with unlimited side information.
The epsilon-delta guarantee
The strength of the promise is captured by two numbers. Epsilon (ε) bounds how much the probability of any output can change when one individual’s data is added or removed — a smaller epsilon means a tighter bound and stronger privacy. Delta (δ) is a small probability that the epsilon bound may be exceeded, allowing more practical mechanisms. Together, an (ε, δ)-differentially private algorithm guarantees that no analysis of its output can distinguish two datasets differing in one person by more than the budget allows. Epsilon is often called the privacy budget because it can be spent across multiple queries and adds up.
The mechanisms: Laplace and Gaussian noise
DP is achieved by adding calibrated random noise to results. The amount of noise depends on the sensitivity of the computation, that is, how much one record can change the output. The Laplace mechanism adds noise drawn from a Laplace distribution scaled to sensitivity divided by epsilon, and is used for pure ε-DP. The Gaussian mechanism adds normally distributed noise and is paired with a delta to give (ε, δ)-DP; it composes well across many operations, which makes it the workhorse for machine learning. More queries mean more accumulated noise if the total is to stay within the same budget.
DP-SGD: private model training
To make a trained model differentially private, the standard technique is DP-SGD (differentially private stochastic gradient descent). It modifies normal training in two ways. First, it clips each individual example’s gradient to a fixed maximum norm, so no single record can have outsized influence. Second, it adds Gaussian noise to the sum of the clipped gradients before applying the update. A privacy accountant tracks the cumulative epsilon spent over all training steps. The result is a model whose weights provably do not depend too much on any one training example.
The accuracy trade-off and where it is used
Privacy is not free: clipping and noise reduce the information the model can extract, so differentially private models tend to be less accurate, with the gap widening at strict epsilon values and narrowing with larger datasets. Practitioners therefore tune epsilon to balance protection against utility. Differential privacy now underpins real systems — national census statistics, telemetry collection in operating systems and browsers, and privacy-preserving machine learning, where it is frequently layered on top of federated learning for defence in depth.