The Privacy Problem in Personalized LLMs
On-device LLMs promise privacy by keeping inference local, but personalization creates a new attack surface. When users correct model outputs, provide domain-specific examples, or fine-tune for specialized vocabulary, those training samples contain identifiable information. A healthcare LLM learning from patient notes, a financial assistant trained on transaction patterns, and a speech model adapted to regional dialects all leak private data through their model weights if those weights are exfiltrated.
Differential privacy (DP) provides a mathematical guarantee that bounds how much model parameters can reveal about any individual training sample. For mobile LLMs, implementing DP-SGD (differentially private stochastic gradient descent) enables safe personalization without cloud dependencies. The core challenge is calibrating noise injection to preserve utility on resource-constrained devices while meeting the (ε, δ) privacy budget.
DP-SGD Mechanics for Mobile Constraints
Standard DP-SGD clips per-example gradients to bound sensitivity, then adds calibrated Gaussian noise before aggregation. For a privacy budget ε=1.0 and failure probability δ=1e-5, the noise scale σ must satisfy the moments accountant bound. On mobile, three adaptations matter:
Gradient Accumulation Over Microbatches: Memory limits prevent processing full batches. Accumulate clipped gradients across microbatches of size 4-8, compute noise once for the aggregated update. This reduces noise variance by √(batch_size/microbatch_size) compared to per-microbatch injection. For a 125M parameter model, accumulating 32 microbatches cuts noise standard deviation from 0.08 to 0.014 at ε=1.0.
Selective Layer Freezing: Freezing early transformer layers (embeddings, first 6-8 blocks) reduces trainable parameters by 60-70%, proportionally lowering noise requirements. The privacy budget concentrates on later layers where task-specific features form. In medical terminology fine-tuning, freezing blocks 0-10 of a 24-layer model maintained 91% of full-model accuracy while reducing training time from 340s to 95s on an iPhone 14 Pro.
Quantized Noise Injection: Generate noise in FP32, quantize to INT8 before adding to quantized gradients. This prevents precision loss from dominating the privacy-utility tradeoff. For clipping norm C=1.0 and σ=0.04, INT8 quantization introduces 40% clip, increase C by 10%; if
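The accumulate-then-noise-once scheme from the Gradient Accumulation Over Microbatches paragraph, as an added example in pure Python (not code from the original article): it clips each per-example gradient to norm C, sums across microbatches, and adds Gaussian noise with standard deviation σ·C once. The function names, the 128-example batch, and the use of the same σ for the per-microbatch comparison are assumptions of this example; privacy accounting is not modeled.

```python
import math
import random

def clip(grad, C):
    """Scale one per-example gradient so its L2 norm is at most C."""
    norm = math.sqrt(sum(g * g for g in grad))
    scale = min(1.0, C / norm) if norm > 0 else 1.0
    return [g * scale for g in grad]

def dp_step(grads, micro, C, sigma, rng, noise_per_microbatch=False):
    """Averaged DP-SGD update from a list of per-example gradients.

    Default: accumulate clipped sums over all microbatches, then add
    N(0, (sigma*C)^2) once. noise_per_microbatch=True instead adds that
    noise to every microbatch sum, for comparison.
    """
    dim = len(grads[0])
    total = [0.0] * dim

    def add_noise():
        for i in range(dim):
            total[i] += rng.gauss(0.0, sigma * C)

    for start in range(0, len(grads), micro):
        for grad in grads[start:start + micro]:  # one microbatch
            for i, g in enumerate(clip(grad, C)):
                total[i] += g
        if noise_per_microbatch:
            add_noise()
    if not noise_per_microbatch:
        add_noise()
    return [t / len(grads) for t in total]

def noise_std(noise_per_microbatch, batch=128, micro=4, C=1.0, sigma=1.0,
              dim=2000, seed=7):
    """Empirical noise std of the averaged update; zero gradients isolate the noise."""
    zeros = [[0.0] * dim for _ in range(batch)]  # constructed input
    update = dp_step(zeros, micro, C, sigma, random.Random(seed), noise_per_microbatch)
    return math.sqrt(sum(u * u for u in update) / dim)

if __name__ == "__main__":
    once, each = noise_std(False), noise_std(True)
    print(f"noise once: {once:.5f}  per microbatch: {each:.5f}  ratio: {each / once:.2f}")
    print("expected ratio sqrt(128/4) =", round(math.sqrt(32), 2))
```

Run directly, it prints both noise levels and their ratio, which should be close to √32 ≈ 5.66, the same factor as the 0.08 to 0.014 reduction quoted above for 32 microbatches.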