Amplified Patch-Level Differential Privacy for Free via Random Cropping

A team of researchers from the Technical University of Munich, including Kaan Durmaz and Stephan Günnemann, has published a novel analysis revealing that a standard machine learning practice provides a hidden privacy benefit. Their paper, "Amplified Patch-Level Differential Privacy for Free via Random Cropping," demonstrates that the inherent randomness of cropping images during training acts as a third source of stochasticity alongside gradient noise and minibatch sampling in Differentially Private Stochastic Gradient Descent (DP-SGD). This effect is most potent when sensitive information in an image, such as a person's face or a license plate, is confined to a specific spatial patch. Each random crop has a chance of excluding that patch, thereby reducing the model's exposure to the sensitive data.

The researchers formalized this by introducing a new "patch-level" neighboring relation for vision data and derived tight, quantifiable privacy bounds. Their key insight is that cropping lowers the effective sampling rate of any given sensitive patch, which then composes with the privacy guarantees of DP-SGD to yield stronger overall protection. Empirically, they validated that this patch-level amplification improves the privacy-utility trade-off across multiple segmentation tasks and datasets like Cityscapes. Crucially, this enhancement comes at zero cost—it requires no changes to model architecture, hyperparameters, or the core training loop, leveraging an existing source of randomness that was previously unaccounted for in privacy calculations.