Aligning Large Language Models With Preference Privacy

• How does the number of stages in PROPS affect the utility?
• Why does PROPS perform worse than RR at $\epsilon=0.1$ in Figure 3? Is there a standard deviation for the results?
• Does it improve utility to run PROPS for multiple epochs?

1. In experiments, can you compare against optimizing the biased loss function?
2. RR provides local DP, are there any benefits to only preserving central DP? I'm not quite sure what that mechanism would look like in this setting, but maybe a discussion somewhere in the paper could be good.

I have the following questions for the authors. I am willing to increase my score if the authors can address my concerns:

• To verify one major claim of the paper, could you please show experimentally that DPSGD indeed hurts privacy compared to the proposed preference privacy? One way would be to compare the DPSGD-based method with the preference privacy under the same privacy budget

• While the proposed PROPS is clever, I see a very high similarity to the idea from PATE [a], where models are trained on disjoint datasets and a noisy label is obtained from the aggregation of the teacher ensembles in a DP fashion? Can you comment on why PATE approach cannot be adapted here? In fact, I would rather say that PROPS inherently follows the private-public data setup of PATE. Here, what is public is the (prompt, responses) while the label is private.

• Can the authors comment on the need / rationale for using fresh batch of samples for PROPS?

• One major problem is in the experimental setting. While the proof of concept is appreciated, using other language models like the Pythia suite of models [b], Gemma [c], or Llama3 [d] that are current used in practice and showing how different models behave with PROPS alignment would have been a better approach.

• A problem of DPO which PROPS use as a base method is in its generalization to out of distribution. Now that RR is added, how does it affect the performance of PROPS?

• Can the authors provide an experiment on using different alignment like the RLHF. It would make the paper stronger to see such transferability and if there are any potential issues with those alignment approaches.

• In figure 4, why is the win-tie-loss rate of $\epsilon=\infty$ lower than $\epsilon=2$?

• In figure 5, what I can deduce is that training with no privacy ($epsilon=\infty$) leads to somewhat arbitrary response while training with privacy ($\epsilon=1$) can give some reasonable response (Prompt 2). I find this somewhat interesting. To better understand what is going on, can the authors also present the result of DPO without any privacy. Just normal DPO.

• While the motivation sounds plausible, I don't see a real threat here. I understand why DP could be used as a blanket covering for the privacy of the annotators, but the motivation for an annotator being exposed for their preference is somewhat unrealistic to me. Can the authors point to a reference in which this is practical?

[a] Scalable Private Learning with PATE https://arxiv.org/abs/1802.08908

[b] Pythia: A suite for analyzing large language models across training and scaling. https://arxiv.org/abs/2304.01373

[c] Gemma: Open models based on gemini research and technology. https://arxiv.org/abs/2403.08295

[d] llama 3 herd of models. https://arxiv.org/abs/2407.21783

• You write “We note that in typical alignment scenarios, the prompts and responses are not generated by humans (the two responses (y1 , y2 ) are usually obtained from the fine-tuned LLM)” Why are human preferences only on the labels, and not associated with the prompts? Since humans often are generating the prompts. What setting are humans only voting on prompt-responses? For example, knowing that someone is voting on “what to do if someone has disease A” is revealing.

• I think you should consider looking to PATE, where you have a private dataset that you train with ML, and then ensembling the labels on a public dataset with DP. The setting is slightly different, as you have different labelers label the same data (privately), but it’s quite related, as the labels are private, but the data is public.

• While not as relevant, I’ll point you to PMiXeD (https://arxiv.org/abs/2403.15638) which applies the PATE framework to the predictions of LLMs.

• I’d like more examples of label-privacy machine learning methods in your related works.

• Regarding going from preference-level to labeler-level DP, you should consider looking at research on personalized DP, such as: Individualized PATE (https://arxiv.org/abs/2202.10517). Specifically in Individualized PATE, different teachers can produce different numbers of labels because they have different privacy budgets. Other related works are Individual Privacy Accounting for DPSGD (https://arxiv.org/abs/2206.02617), and (less relevant) Individualized DPSGD (https://arxiv.org/abs/2303.17046)

• Can you make the computational cost of this method more explicit?

• How do you pick the number of rounds you wish to do, and how to split your privacy budget?

Evaluation:

• Why is this win-tie-loss rate for this specific dataset the right measure here?
• It’s hard to tell what the non private baseline is, and the existing baseline
• You seem to focus on “quality” but it seems like you have 2 axes that you care about: quality and helpfulness/relevance. It does not seem like these two measures should be combined into 1 (e.g. “i don’t have a physical location” is given as a high-quality answer, but it is clearly not helpful, as you state yourself). How should we interpret the performance of your model on these two axes?
• For figure 5, it’s hard to tell if your results in the figure are repreesntative, or just those 2 examples.

Typo: Abstract uses “it’s” not “its” - “mechanism which randomly flips human preferences, and it’s corresponding unbiased”