Q1: Does the training set of the pre-trained CLIP contain MNIST-like images?

A1: Thanks for your comments! The original CLIP paper claimed that “CLIP was pretrained on a dataset of 400M image-text pairs, covering as broad a set of visual concepts as possible,” We realize that this means that CLIP's training set might be drawn from similar distributions to datasets such as MNIST, but we include zero-shot results above to show how much we can still privately learn through our presented training process. We have also included our results on GTSRB, a dataset with “minimal overlap with ImageNet-1K, with [. . .] 43 traffic signs aggregated into a single label in ImageNet-1K,” in the universal response above [1].

Q2: How different is the vizwiz image captioning dataset from the training set?

A2: Since the dataset used to train CLIP is not disclosed by OpenAI, we cannot answer how different the Vizwiz dataset is from the training dataset of CLIP. However, our additional experiments show that non-private fine-tuned scores are around 15% or above higher than zero-shot scores, suggesting that CLIP does not learn much from the Vizwiz dataset, or a similar dataset.

[1] https://arxiv.org/abs/2306.03962

Q4: [...] known computer vision datasets that do not differ from the training distribution of CLIP. [...] results in settings with low data regimes and with significant distribution shift with respect to the pre-training set, following the suggestions of [2,3]

A4: Thank you for your comments! Following your suggestions, we ran our experiments on CIFAR-100. The mean and standard deviation of 10 trials are reported in the universal response. Following your suggestions, we also ran our experiments on a dataset with distribution shifts, as well as settings with low data regimes. Paper [3] which you cite presents the GTSRB dataset as one that has “minimal overlap with ImageNet-1K, with [. . .] 43 traffic signs aggregated into a single label in ImageNet-1K.” We ran our experiments on GTSRB and obtained the following results for 10 trials each, and our results are reported in the universal response.

Additionally, we replicated the experiments in the paper [3] under low data settings. Following the experiments demonstrated by Figure 7 in [3], we randomly subsampled 10% and 50% of GTSRB’s training set and only used that subsample for training. Then, we tested on the test set. We ran these experiments for epsilon=0.1 and 0.7 and reported the results over 10 trials below.

As we can see when we compare our results to Figure 7 from [3] above (left hand side), in all four settings, we outperform on the test set for GTSRB.

Q5: Not accounting for the privacy loss incurred in tuning the hyperparameters is a problem.

A5: Thank you for your note. We noticed a lot of paper not accounting for the privacy budget of hyperparameters tuning, and due to limited computational resources, we did not include it.

Q6: BLIP is definitely no more state-of-the-art as the authors claim. A6: Thank you for your comment. We will rephrase our language from “state-of-the-art” to “extension of CLIP.” We acknowledge the feedback and want to re-emphasize that our focus in this paper is primarily to learn the private representations through contrastive loss instead of SOTA vision-language models such as LLaVa, which does not include contrastive loss.

Q7: CLIP is relatively old. Novel variants of CLIP may yield zero-shot (epsilon = 0) performance that is higher and might reduce the room for improvements achievable under DP constraints. Could the authors consider the latest and strongest CLIP-inspired architectures?

A7: While we acknowledge the evolution of CLIP-inspired architectures and the potential for newer variants to achieve higher zero-shot performance, our paper's primary focus lies in the integration of differential privacy constraints into CLIP. Our intent is to explore the feasibility of learning private representations through contrastive loss rather than privately fine-tuning a pretrained model. In specific scenarios, such as health images, where the data is highly sensitive and substantially differs from publicly available datasets, even advanced CLIP variants may not exhibit better performance than the vanilla one. In such cases, there arises a need to privately train a model. Therefore, our choice of CLIP as a baseline aligns with our objective of addressing privacy concerns in specific contexts. We appreciate the suggestion and will certainly explore incorporating the latest architectures in future work while maintaining a keen focus on privacy-preserving methodologies.

Q8: Since the gaussian mechanism is not applied at a sample level but at a mini-batch level, are the authors making a fair comparison between the epsilon values of their technique and the baselines?

A8: Although the noise injection procedure is different, we ensure that the final output is $(\epsilon,\delta)$-DP by Proposition 3.1. This is through clipping the minibatch gradient. So we are in a fair comparison setting for privacy protection. However, we acknowledged that our experimental results rely on stronger pretrained models and additional information from text. Please also refer to our universal response with respect to the choice of baselines.

Q9: Could the authors show the result of applying the contrastive clip fine-tuning for epsilon =∞? To know what's the upper bound on accuracy of the DP variant.

A9: We have included the nonprivate results, and please refer to our universal response.

Q10: Why the baselines selection varies based on the choice of the dataset?

A10: Our intention is not to compare with these baseline methods, but rather to evaluate our proposed approach against the established performance standards on these datasets. Therefore, we reported some recently established performance standards on these datasets.

[1] https://arxiv.org/pdf/2110.05679.pdf

[2] https://arxiv.org/pdf/2212.06470.pdf

[3] https://arxiv.org/abs/2306.03962

[4] Lecuyer, M., Atlidakis, V., Geambasu, R., Hsu, D. and Jana, S., 2019, May. Certified robustness to adversarial examples with differential privacy. In 2019 IEEE symposium on security and privacy (SP) (pp. 656-672). IEEE.

[5] Lu, Y., Huang, X., Dai, Y., Maharjan, S. and Zhang, Y., 2019. Blockchain and federated learning for privacy-preserved data sharing in industrial IoT. IEEE Transactions on Industrial Informatics, 16(6), pp.4177-4186.

Q1: There are several factually inappropriate usages of the notion of DP

A1: Thank you for the suggestion. We would like to note that several papers (from distinguished ML researchers) in the literature also use the wording “incorporate DP” [4,5]. In light of your comment, we will rephrase it to “incorporate privacy” for better description of our method.

Q2: Proposition 3.1 is a trivial consequence of the basic theorems of DP

A2: We would like to clarify that our Proposition 3.1 states that the Gaussian mechanism applied on minibatch level with this calibrated noise satisfies $(\epsilon,\delta)$-DP for per-sample. We acknowledge that the proof of this proposition is straightforward, so we named it as Proposition 3.1 rather than Theorem 3.1 in the original paper. We also would like to emphasize that our contribution is to demonstrate the efficiency of this simple approach for CLIP training that can achieve high accuracy while maintaining DP, supported by both our theory and experiments. The theoretical analysis in Section 5 is quite challenging, as we dealt with non-decomposable CLIP loss function. The technical tools employed in the existing literature to study DP-SGD do not directly apply to our proposed DP-CLIP. The non-decomposable loss required us to develop novel technical tools for theoretical analysis. In particular, we developed a novel concentration argument to provide the convergence analysis. This new analysis provides theoretical guarantees that per-batch clipping efficiently achieves high accuracy while maintaining DP. We consider this to be one of the major contributions of our work.

Q3: It is unclear why the zero-shot prediction of CLIP is not used as a baseline. Furthermore, the authors are neglecting parameter efficient fine-tuning baselines, for instance like [1]

A3: Thank you for your suggestion. We added both zero-shot prediction results and non-private training results in the universal response. We note that our method is proposed for DP-CLIP training, while [1] focuses on differentially private fine-tuning that optimizes some task-specific loss. Thus their method is not a natural baseline to compare with. We emphasize that our proposed method uniquely addresses the DP training of contrastive vision-language models, not only limited to DP image classifications. From this point, there are no “fair” baselines to compare with. We specifically chose these benchmarks because they demonstrate State-of-the-Art results in image classification tasks on these datasets. Our intention is not to compare with their methods, but rather to evaluate our proposed approach against the established performance standards. As image classification is not one of the tasks in [1], it is not included in our baselines.

Q1: The paper employs smaller classification datasets such as MNIST, Fashion-MNIST, CIFAR-10, and SVHN. It would have been preferable to observe results at the Imagenet scale, but I understand that the computational resources required for such experiments would have been substantial.

A1: Thank you so much for your feedback! Upon your suggestion and suggestions from other reviewers, we additionally ran our methods on a larger dataset (CIFAR-100), as well as another dataset GTSRB.

Q2: No comparison with real-world threat models has been provided. Epsilon-utility trade-offs can be misleading without testing them against actual attacks, as epsilon guarantees are built upon numerous assumptions, as indicated in [1].

A2: We thank you for your comments. Previous work has suggested that DP can protect against common privacy attacks such as reconstruction attacks and membership inference attacks [2]. We agree that it would be nice to demonstrate empirical protection performance against attacks. However, most membership inference attacks rely on the shadow model technique, which requires training thousands of shadow models with the same architecture as the target model. As it requires significant computing resources, we decide it is beyond the scope of this project, and we leave efficient attack techniques as future work.

[1] A Critical Review on the Use (and Misuse) of Differential Privacy in Machine Learning (https://arxiv.org/abs/2206.04621) [2] Chen J, Wang WH, Shi X. Differential Privacy Protection Against Membership Inference Attack on Machine Learning for Genomic Data. Pac Symp Biocomput. 2021;26:26-37. PMID: 33691001

Q1: Framing the algorithm as "DP-CLIP" is very misleading.

A1: We would like to emphasize that our proposed algorithm and the associated theory are designed for differentially private CLIP training from scratch. In the experimental section, we opted to use a pretrained model as an initialization solely to reduce computational costs. It's important to note that our intention was not to compare our method against Yu et al. (2023) due to the inherent differences in the addressed problem. Our mention of their work is specifically to highlight that, like ours, their framework also involves using a pretrained model as initialization.

Q2: The classification tasks are too simple given the power of the pretrained model.

A2: We have included both the zero-shot results and the non-private results. we also added two new datasets: Cifar 100 and GTSRB, where the GTSRB dataset presents a significant distribution shift with respect to the pre-training set. Please refer to our universal response.

Q3: The comparison with other baselines in Section 4.2 is arbitrary and careless.

A3: Thank you for pointing it out. We found several versions of the DP-Sinkhorn paper online: 1) from neurips https://proceedings.neurips.cc/paper_files/paper/2021/file/67ed94744426295f96268f4ac1881b46-Paper.pdf and 2) from arxiv https://arxiv.org/pdf/2111.01177.pdf. We used results from the newer version that appeared at NeurIPS in our paper. Looking at Table 1 from neurips version, we got an accuracy of 83.2 on MNIST and 73.0 on Fashion MNIST for epsilon=10 as cited in our paper (the numbers were taken from the best results with different architectures). If we look at the arxiv version, we get 83.2 on MNIST and 74.6 on Fashion MNIST for epsilon=10. Regarding our choice of the baseline methods, please refer to our universal response.

Q4: I didn't buy the results from Section 4.3.

A4: Thank you for your suggestions. We attach a set of more thorough experiments, including zero-shot results, eps = 1e-4, 1, 5, and non-private results. Please refer to the table in the universal response. Our additional experimental findings align with the results presented in the paper, demonstrating that post-training consistently outperforms zero-shot performance for epsilon values ranging from 1e-4 to $\infty$ (non-private.) A consistent trend is observable across various metrics. However, we did implement the 1e-8 regime for multiple trials and found that the result was pretty random, which suggests that the noise is substantial enough to compromise the model's utility. As a side note, due to the limit of time and computational resources, this set of additional results was generated using a training set of 5K samples and a test set of 1K samples, which results in a performance gap compared to our original results.

Regarding the state-of-the-art non-private performance provided by IBM Research AI, it is a score from the Kaggle website (https://paperswithcode.com/sota/image-captioning-on-vizwiz-2020-test). It is the only comparable baseline we could find online, although it is unclear what their model is. We will add this link to the manuscript.

Q5: The experiments should be running over multiple random seeds.

A5: Thank you for your suggestion — we have re-run all our experiments using 10 trials and report the mean and standard deviations in the universal response.

Q6: The dataset paragraph should be revised.

A6: We thank you for your suggestions. We will revise the description for the datasets and add explanations on evaluation metrics for the image captioning task.

Q7: Which privacy accountant did you use exactly?

A7: We are using RDP accountant implemented at tensorflow privacy package (https://github.com/tensorflow/privacy/blob/master/tensorflow_privacy/privacy/analysis/compute_noise_from_budget_lib.py .)

Q8: The paragraph below Table 2: "which is not present for DP-SGD" -- please note that the pretraining and extra caption data are not used in other baseline methods as well.

A8: We acknowledge that there are no “fair” baselines to compare with. Our intention is not to compare with their methods, but rather to evaluate our proposed approach against the established performance standards. We will further clarify this in this paragraph.

Q9: Various grammatical issues

A9: We have fixed these grammar issues and did a thorough check on the full paper.