```{contents}
```
## Data Privacy

---

### 1. Motivation and Problem Setting

Generative AI systems (LLMs, diffusion models, multimodal models) are trained on massive datasets and often interact directly with users.
This creates **unique privacy risks** because the model can:

* **Absorb sensitive data during training**
* **Reveal sensitive data during inference**
* **Accidentally memorize individuals' information**

**Goal of Data Privacy in Generative AI**

> Ensure that **no individual's private information is leaked, reconstructed, or inferred**, while preserving model utility.

---

### 2. Privacy Threat Model

| Threat Type               | Description                                | Example                            |
| ------------------------- | ------------------------------------------ | ---------------------------------- |
| **Training Data Leakage** | Model memorizes sensitive training samples | Reconstructing a person's SSN      |
| **Inference Leakage**     | Sensitive info inferred from outputs       | Predicting medical condition       |
| **Membership Inference**  | Detect if a person was in training set     | "Was Alice in dataset?"            |
| **Model Inversion**       | Reconstruct private inputs from model      | Recover face image from embeddings |
| **Prompt Leakage**        | Revealing private user conversations       | Exposing chat logs                 |

---

### 3. Why Generative Models Are Especially Risky

Generative models:

* Are **high-capacity** and **memorization-prone**
* Produce **human-readable content**
* Are often trained on **unfiltered web-scale data**
* Are deployed in **interactive environments**

---

### 4. Core Privacy Principles

| Principle              | Meaning                                 |
| ---------------------- | --------------------------------------- |
| **Data Minimization**  | Collect only necessary data             |
| **Purpose Limitation** | Use data only for defined objectives    |
| **Anonymization**      | Remove identifiers before training      |
| **Access Control**     | Limit data and model access             |
| **Auditable Training** | Trace data sources and usage            |
| **Privacy by Design**  | Embed privacy mechanisms into pipelines |

---

### 5. Technical Privacy Mechanisms

#### 5.1 Differential Privacy (DP)

A formal privacy guarantee that **no single training record significantly influences what the model learns or outputs**.

**Definition (Simplified):**

A training algorithm is $(\varepsilon, \delta)$-DP if its output distribution is nearly the same whether or not any one individual's data is included in the training set.
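The formal statement behind this simplified definition, added here for reference (it is the standard definition, not text from the original notes): for every pair of datasets $D, D'$ that differ in one individual's record, and every set of outputs $S$,

$$
\Pr[\mathcal{M}(D) \in S] \le e^{\varepsilon}\,\Pr[\mathcal{M}(D') \in S] + \delta
$$

Smaller $\varepsilon$ means the two output distributions are closer, and $\delta$ bounds the probability mass on which the multiplicative bound is allowed to fail.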

##### DP-SGD Workflow

1. Compute per-example gradients
2. Clip gradients to norm $C$
3. Add Gaussian noise
4. Update parameters

```python
# Simplified DP-SGD example (PyTorch-style; compute_per_example_gradients and
# clip_by_norm are assumed helpers returning/operating on a [batch, num_params] tensor).
import torch
from torch.nn.utils import parameters_to_vector, vector_to_parameters

C, sigma, lr = 1.0, 1.0, 0.1          # clipping norm, noise multiplier, learning rate
for x, y in loader:
    grads = compute_per_example_gradients(model, x, y)   # one flattened gradient per example
    clipped = clip_by_norm(grads, C=C)                   # each row now has L2 norm <= C
    # DP-SGD adds N(0, (sigma*C)^2) noise to the sum of clipped gradients, then averages
    noise = torch.normal(0.0, sigma * C, size=clipped.shape[1:])
    noisy_grad = (clipped.sum(0) + noise) / clipped.shape[0]
    with torch.no_grad():                                # plain SGD step on the flattened params
        params = parameters_to_vector(model.parameters())
        vector_to_parameters(params - lr * noisy_grad, model.parameters())
```
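To show the four steps of the workflow end to end without any framework, here is an added example (not the page's code) that implements DP-SGD for a logistic-regression model in pure Python. The helper names, the toy batch and the hyperparameters are constructed for illustration; the noise scale follows the standard DP-SGD recipe of adding $\mathcal{N}(0, (\sigma C)^2)$ to the sum of clipped per-example gradients before averaging.

```python
# Added example: one DP-SGD step for logistic regression in pure Python.
# Not the page's code; helper names, batch and hyperparameters are constructed.
import math
import random

def per_example_gradient(w, x, y):
    """Gradient of the logistic loss for one example (w, x: lists of floats; y in {0, 1})."""
    z = sum(wi * xi for wi, xi in zip(w, x))
    p = 1.0 / (1.0 + math.exp(-z))
    return [(p - y) * xi for xi in x]

def l2_norm(v):
    return math.sqrt(sum(vi * vi for vi in v))

def clip_by_norm(g, C):
    """Scale g down so its L2 norm is at most C; this bounds each example's influence (sensitivity)."""
    scale = min(1.0, C / (l2_norm(g) + 1e-12))
    return [gi * scale for gi in g]

def dp_sgd_step(w, batch, C=1.0, sigma=1.0, lr=0.1, rng=random):
    """One DP-SGD update: clip per-example grads, sum, add N(0, (sigma*C)^2) noise, average, step."""
    dim = len(w)
    summed = [0.0] * dim
    for x, y in batch:
        g = clip_by_norm(per_example_gradient(w, x, y), C)
        summed = [s + gi for s, gi in zip(summed, g)]
    noisy = [s + rng.gauss(0.0, sigma * C) for s in summed]   # noise scaled to the clipping norm
    mean_grad = [v / len(batch) for v in noisy]
    return [wi - lr * gi for wi, gi in zip(w, mean_grad)]

# Constructed toy batch: [bias, x1, x2] features with labels that follow the sign of x1.
BATCH = [([1.0, 3.0, -1.0], 1), ([1.0, -2.0, 0.5], 0), ([1.0, 4.0, 2.0], 1), ([1.0, -3.0, -2.0], 0)]

if __name__ == "__main__":
    random.seed(0)
    w = [0.0, 0.0, 0.0]
    for _ in range(50):
        w = dp_sgd_step(w, BATCH, C=1.0, sigma=0.5, lr=0.5)
    print("weights after 50 noisy DP-SGD steps:", w)
```

With `sigma=0` the step reduces to clipped-mean SGD, which is a convenient sanity check. The privacy accounting that turns $\sigma$, the sampling rate and the number of steps into a final $(\varepsilon, \delta)$ is a separate component (a moments or RDP accountant) and is not shown here.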

---

#### 5.2 Data Anonymization & De-identification

Remove direct and indirect identifiers before training.

| Data Type     | Example Treatment    |
| ------------- | -------------------- |
| Names         | Replace with tokens  |
| Addresses     | Generalize to region |
| IDs           | Remove               |
| Free-text PII | Detect and mask      |
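The treatments in the table (tokenize names, generalize locations, remove IDs, detect and mask free-text PII) can be applied in one pre-training pass. The following added example (not the page's code) implements a rule-based version in pure Python; the regular expressions, the placeholder tokens and the sample text are constructed for illustration and are deliberately narrow.

```python
# Added example: rule-based PII detection and masking before training.
# Not the page's code; patterns and sample text are constructed and not exhaustive.
import re

# Direct identifiers handled by pattern (illustrative US-style formats).
PII_PATTERNS = {
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"(?:\+?1[ -])?(?:\(\d{3}\)|\b\d{3})[ -]?\d{3}-\d{4}\b"),
    "ZIP": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
}

class Pseudonymizer:
    """Replace each distinct known name with a stable token so cross-references stay consistent."""
    def __init__(self, known_names):
        self.known = sorted(known_names, key=len, reverse=True)   # longest name first
        self.tokens = {}

    def token_for(self, name):
        if name not in self.tokens:
            self.tokens[name] = f"[PERSON_{len(self.tokens) + 1}]"
        return self.tokens[name]

    def apply(self, text):
        for name in self.known:
            text = re.sub(r"\b" + re.escape(name) + r"\b", self.token_for(name), text)
        return text

def find_pii(text):
    """Report (label, matched_text) for every direct identifier found; used for auditing before masking."""
    return [(label, m.group(0)) for label, pat in PII_PATTERNS.items() for m in pat.finditer(text)]

def mask_pii(text, pseudonymizer=None):
    """Names -> tokens, emails/SSNs/phones -> removed, ZIP codes -> generalized to a 3-digit region."""
    if pseudonymizer is not None:
        text = pseudonymizer.apply(text)
    text = PII_PATTERNS["EMAIL"].sub("[EMAIL]", text)
    text = PII_PATTERNS["SSN"].sub("[SSN]", text)      # before PHONE/ZIP so digit runs are not re-matched
    text = PII_PATTERNS["PHONE"].sub("[PHONE]", text)
    text = PII_PATTERNS["ZIP"].sub(lambda m: m.group(0)[:3] + "xx", text)
    return text

if __name__ == "__main__":
    sample = ("Contact Alice Johnson at alice.j@example.com or (415) 555-0123. "
              "Alice Johnson lives at 94110, SSN 123-45-6789.")          # constructed record
    print(find_pii(sample))
    print(mask_pii(sample, Pseudonymizer(["Alice Johnson"])))
```

Patterns like these have both false positives (any five-digit number looks like a ZIP) and false negatives (names not on the known list, free-form addresses), which is why production pipelines pair them with a trained entity recognizer and a review sample; the regex layer is still useful as a cheap first pass and as a regression check on the masked corpus.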

---

#### 5.3 Federated Learning (FL)

Model trains **without centralizing raw data**.

**Workflow:**

1. Send model to clients
2. Train locally on private data
3. Send encrypted updates back
4. Aggregate centrally

---

#### 5.4 Secure Computation

| Technique              | Purpose                        |
| ---------------------- | ------------------------------ |
| Secure Enclaves        | Protect memory during training |
| Homomorphic Encryption | Train on encrypted data        |
| Secure Aggregation     | Hide individual updates        |
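Steps 3 and 4 of the FL workflow and the "Secure Aggregation" row above are where individual client updates are hidden from the server. The following added example (not the page's code) implements one round of federated averaging with pairwise-mask secure aggregation in pure Python: each pair of clients shares a secret, both derive the same mask from it, one adds it and the other subtracts it, so the masks cancel in the server's sum and the server never sees a raw update. The fixed-point encoding, the modulus and the secret derivation are constructed for illustration; a real deployment derives pair secrets with a key agreement and must also handle clients that drop out mid-round.

```python
# Added example: federated averaging round with pairwise-mask secure aggregation.
# Not the page's code; encoding, modulus and secret derivation are constructed.
import hashlib
import random

MOD = 2 ** 32       # all masked arithmetic is done modulo MOD
SCALE = 10 ** 4     # fixed-point encoding: float update * SCALE, rounded

def encode(update):
    return [round(u * SCALE) % MOD for u in update]

def decode(vec, n_clients):
    """Undo fixed point (values >= MOD/2 are negative) and average over clients."""
    signed = [v - MOD if v >= MOD // 2 else v for v in vec]
    return [s / SCALE / n_clients for s in signed]

def pairwise_mask(shared_secret, dim):
    """Deterministic mask vector from a secret both clients of a pair know."""
    seed = int.from_bytes(hashlib.sha256(shared_secret).digest(), "big")
    rng = random.Random(seed)
    return [rng.randrange(MOD) for _ in range(dim)]

def mask_update(client_id, update, secrets):
    """secrets: {other_client_id: shared_secret}. Add masks for higher ids, subtract for lower."""
    vec = encode(update)
    for other, secret in secrets.items():
        m = pairwise_mask(secret, len(vec))
        sign = 1 if client_id < other else -1
        vec = [(v + sign * mi) % MOD for v, mi in zip(vec, m)]
    return vec

def server_aggregate(masked_updates, n_clients):
    """The server only ever sees masked vectors; the pairwise masks cancel in the sum."""
    dim = len(masked_updates[0])
    total = [sum(u[k] for u in masked_updates) % MOD for k in range(dim)]
    return decode(total, n_clients)

def shared_secrets(client_id, ids):
    # Stand-in for pairwise key agreement: both members of a pair derive identical bytes.
    return {j: f"pair-{min(client_id, j)}-{max(client_id, j)}".encode() for j in ids if j != client_id}

def run_round(updates):
    """updates: {client_id: local update}. Returns (averaged update, masked vectors the server saw)."""
    ids = sorted(updates)
    masked = [mask_update(i, updates[i], shared_secrets(i, ids)) for i in ids]
    return server_aggregate(masked, len(ids)), masked

# Constructed round: three clients trained locally and produced these gradient-like updates.
CLIENT_UPDATES = {0: [0.5, -1.0, 0.25], 1: [-0.5, 2.0, 0.0], 2: [1.5, 0.5, -0.75]}

if __name__ == "__main__":
    avg, masked = run_round(CLIENT_UPDATES)
    print("what the server received from client 0:", masked[0])
    print("aggregated average:", avg)
```

The masked vector for any single client is indistinguishable from random without the pair secrets, while the sum still decodes to the exact average, which is what "hide individual updates" in the table means in practice. Secure aggregation alone does not protect against what the aggregate itself reveals; that is the role of DP noise added on top.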

---

### 6. Privacy Risks During Inference

| Risk             | Example                               |
| ---------------- | ------------------------------------- |
| Prompt Injection | Force model to reveal private content |
| Overfitting      | Regurgitation of training examples    |
| Memorization     | Quoting private conversations         |

**Mitigations**

* Output filtering
* Memorization testing
* Prompt sanitization
* Redaction models
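"Output filtering" and "memorization testing" from the list above can share one mechanism: index the n-grams of the training corpus and flag any model output that reproduces a run of them verbatim. The following added example (not the page's code) implements such a filter in pure Python, with an allow/redact/block policy; the training documents, the sample outputs and the thresholds are constructed for illustration.

```python
# Added example: inference-time filter that detects verbatim regurgitation of training text.
# Not the page's code; corpus, outputs and thresholds are constructed.
import hashlib
import re

def tokenize(text):
    return re.findall(r"\w+", text.lower())

class RegurgitationFilter:
    """Index every n-gram of the training corpus; flag outputs that reproduce any of them verbatim."""
    def __init__(self, corpus_docs, n=5):
        self.n = n
        self.index = set()
        for doc in corpus_docs:
            toks = tokenize(doc)
            for i in range(len(toks) - n + 1):
                self.index.add(self._key(toks[i:i + n]))

    def _key(self, window):
        # Store fingerprints rather than raw training text in the serving-side index
        return hashlib.sha256(" ".join(window).encode()).digest()[:16]

    def matched_spans(self, output):
        """Merged [start, end) token spans of the output that occur verbatim in the corpus."""
        toks = tokenize(output)
        spans = []
        for i in range(len(toks) - self.n + 1):
            if self._key(toks[i:i + self.n]) not in self.index:
                continue
            if spans and i <= spans[-1][1]:
                spans[-1] = (spans[-1][0], i + self.n)
            else:
                spans.append((i, i + self.n))
        return spans

    def overlap_ratio(self, output):
        toks = tokenize(output)
        covered = sum(end - start for start, end in self.matched_spans(output))
        return covered / len(toks) if toks else 0.0

    def redact(self, output):
        """Replace each matched span with a placeholder (token-joined; original spacing is not kept)."""
        toks = tokenize(output)
        out, pos = [], 0
        for start, end in self.matched_spans(output):
            out.extend(toks[pos:start])
            out.append("[REDACTED]")
            pos = end
        out.extend(toks[pos:])
        return " ".join(out)

    def decide(self, output, max_ratio=0.2):
        """Policy: allow clean outputs, redact small overlaps, block outputs that are mostly verbatim."""
        ratio = self.overlap_ratio(output)
        if ratio == 0.0:
            return "allow"
        return "block" if ratio > max_ratio else "redact"

# Constructed training corpus; the second document stands in for a private conversation.
TRAINING_DOCS = [
    "Differential privacy bounds the influence of any single record on the trained model.",
    "hi Dr Lee, my test results came back positive for the condition we discussed last week",
]

if __name__ == "__main__":
    f = RegurgitationFilter(TRAINING_DOCS, n=5)
    out = "Note: my test results came back positive for the condition today"   # constructed model output
    print(f.decide(out), f.overlap_ratio(out), f.redact(out))
```

The same index doubles as a memorization test: feed the model prefixes of held-in documents and count how often the continuation trips the filter. Hashing the windows keeps the serving index from becoming a second copy of the sensitive corpus, and `n` trades recall for false positives (very short windows match common phrases).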

---

### 7. Measuring Privacy

| Metric                        | Purpose                     |
| ----------------------------- | --------------------------- |
| $\varepsilon$ (DP budget)     | Formal privacy loss         |
| Membership Inference Accuracy | Leakage detection           |
| Exposure Metric               | Measures memorization       |
| Canary Insertion              | Track memorization behavior |
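The last two rows of the table go together: a canary (a random-looking secret in a fixed format) is inserted into the training data, and after training its exposure is measured as $\log_2 |R| - \log_2 \mathrm{rank}$, where $R$ is the set of all strings with the canary's format and the rank is the canary's position when $R$ is ordered by the model's likelihood. The following added example (not the page's code) runs this measurement on a toy character-trigram language model standing in for the generative model; the corpus, the canary and the candidate format are constructed for illustration.

```python
# Added example: canary insertion and the exposure metric on a toy character-trigram LM.
# Not the page's code; corpus, canary and candidate format are constructed.
import math
from collections import defaultdict, Counter

class CharTrigramLM:
    """Add-one-smoothed character trigram model; stands in for the trained generative model."""
    def __init__(self, texts):
        self.counts = defaultdict(Counter)
        self.vocab = set()
        for t in texts:
            s = "  " + t + "\n"                 # two-space left padding, newline as end marker
            self.vocab.update(s)
            for i in range(2, len(s)):
                self.counts[s[i - 2:i]][s[i]] += 1

    def logprob(self, text):
        s = "  " + text + "\n"
        V = len(self.vocab)
        lp = 0.0
        for i in range(2, len(s)):
            ctr = self.counts.get(s[i - 2:i], {})
            lp += math.log((ctr.get(s[i], 0) + 1) / (sum(ctr.values()) + V))
        return lp

def exposure(lm, prefix, secret, candidates):
    """Exposure in bits = log2 |candidates| - log2 rank(secret); ties count against the canary."""
    scores = {c: lm.logprob(prefix + c) for c in candidates}
    target = scores[secret]
    rank = sum(1 for s in scores.values() if s >= target)
    return math.log2(len(candidates)) - math.log2(rank)

# Constructed corpus with no digit after "is ", so the canary format is otherwise unseen.
CLEAN_CORPUS = [
    "the meeting starts at 5 pm in the main hall",
    "room 12 is open for the workshop all week",
    "please review the draft before the deadline",
    "the model is trained on public documents only",
]
PREFIX = "the secret code is "
SECRET = "738"                                     # random-looking canary payload
CANDIDATES = [f"{i:03d}" for i in range(1000)]     # every value with the canary's format

def exposure_clean():
    """Baseline: the canary was never in the training data."""
    return exposure(CharTrigramLM(CLEAN_CORPUS), PREFIX, SECRET, CANDIDATES)

def exposure_with_canary(repeats=4):
    """The canary was inserted `repeats` times; high exposure means it was memorized."""
    corpus = CLEAN_CORPUS + [PREFIX + SECRET] * repeats
    return exposure(CharTrigramLM(corpus), PREFIX, SECRET, CANDIDATES)

if __name__ == "__main__":
    print(f"exposure without canary: {exposure_clean():.2f} bits")
    print(f"exposure with canary x4: {exposure_with_canary():.2f} bits (max {math.log2(1000):.2f})")
```

Exposure near zero means the model ranks the real secret no better than chance; exposure approaching $\log_2 |R|$ means the secret can be recovered from the model's likelihoods alone. Counting ties against the canary keeps the metric conservative, and in practice the audit is repeated with several canaries and insertion counts to see how memorization scales with repetition.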

---

### 8. Regulatory Landscape

| Regulation        | Key Requirements                        |
| ----------------- | --------------------------------------- |
| GDPR (EU)         | Right to erasure, consent, transparency |
| HIPAA (US)        | Health data protection                  |
| CCPA (California) | Consumer data rights                    |
| DPDP Act (India)  | Data fiduciary responsibility           |

---

### 9. Practical Privacy Pipeline for Generative AI

```text
Data Collection
   ↓
PII Detection & Masking
   ↓
Anonymization
   ↓
DP-SGD Training
   ↓
Privacy Auditing
   ↓
Deployment with Output Filters
   ↓
Continuous Monitoring
```

---

### 10. Summary

| Aspect     | Key Takeaway                                         |
| ---------- | ---------------------------------------------------- |
| Risk       | Generative models can memorize and leak private data |
| Solution   | Combine DP, anonymization, FL, secure computation    |
| Evaluation | Measure privacy leakage explicitly                   |
| Design     | Privacy must be embedded from data → deployment      |

---

### 11. Key Insight

> **In Generative AI, privacy is not a policy layer — it is a core learning-system property.**

Well-designed generative systems treat privacy as **a mathematical constraint on learning**, not merely a compliance checkbox.
