Apple Workshop on Privacy-Preserving Machine Learning 2025

Apple believes that privacy is a fundamental human right. As AI experiences become increasingly personal and a part of people’s daily lives, it’s important that novel privacy-preserving techniques are created in parallel to advancing AI capabilities.

Apple’s fundamental research has consistently pushed the state of the art in using differential privacy with machine learning, and earlier this year, we hosted the Workshop on Privacy-Preserving Machine Learning (PPML). This two-day hybrid event brought together Apple and members of the broader research community to discuss the state of the art in PPML, focusing on four key areas: Private Learning and Statistics, Attacks and Security, Differential Privacy Foundations, and Foundation Models and Privacy.

The presentations and discussions of these topics explored the intersection of privacy, security, and the rapidly evolving landscape of artificial intelligence. Workshop participants discussed the theoretical underpinnings and practical challenges of building AI systems that protect privacy. By addressing privacy and security concerns from both theoretical and practical perspectives, we aim to foster innovation while safeguarding user privacy.

In this post, we share recordings of selected talks and a recap of the publications discussed at the workshop.

Apple Workshop on Privacy-Preserving Machine Learning 2025 Videos

Published Work Presented at the Workshop

AirGapAgent: Protecting Privacy-Conscious Conversational Agents by Eugene Bagdasarian (Google Research), Peter Kairouz (Google Research), Ren Yi (Google Research), Marco Gruteser (Google Research), Sahra Ghalebikesabi (Google DeepMind), Sewoong Oh (Google Research), Borja Balle (Google DeepMind), and Daniel Ramage (Google Research)

A Generalized Binary Tree Mechanism for Differentially Private Approximation of All-Pair Distances by Michael Dinitz (Johns Hopkins University), Chenglin Fan (Seoul National University), Jingcheng Liu (Nanjing University), Jalaj Upadhyay (Rutgers University), and Zongrui Zou (Nanjing University)

Differentially Private Synthetic Data via Foundation Model APIs 1: Images by Zinan Lin (Microsoft Research), Sivakanth Gopi (Microsoft Research), Janardhan Kulkarni (Microsoft Research), Harsha Nori (Microsoft Research), and Sergey Yekhanin (Microsoft Research)

Differentially Private Synthetic Data via Foundation Model APIs 2: Text by Chulin Xie (University of Illinois Urbana-Champaign), Zinan Lin (Microsoft Research), Arturs Backurs (Microsoft Research), Sivakanth Gopi (Microsoft Research), Da Yu (Sun Yat-sen University), Huseyin Inan (Microsoft Research), Harsha Nori (Microsoft Research), Haotian Jiang (Microsoft Research), Huishuai Zhang (Microsoft Research), Yin Tat Lee (Microsoft Research), Bo Li (University of Illinois Urbana-Champaign, University of Chicago), and Sergey Yekhanin (Microsoft Research)

Efficient and Near-Optimal Noise Generation for Streaming Differential Privacy by Krishnamurthy (Dj) Dvijotham (Google DeepMind), H. Brendan McMahan (Google Research), Krishna Pillutla (IIT Madras), Thomas Steinke (Google DeepMind), and Abhradeep Thakurta (Google DeepMind)

Elephants Do Not Forget: Differential Privacy with State Continuity for Privacy Budget by Jiankai Jin (The University of Melbourne), Chitchanok Chuengsatiansup (The University of Melbourne), Toby Murray (The University of Melbourne), Benjamin I. P. Rubinstein (The University of Melbourne), Yuval Yarom (Ruhr University Bochum), and Olga Ohrimenko (The University of Melbourne)

Improved Differentially Private Continual Observation Using Group Algebra by Monika Henzinger (Institute of Science and Technology (ISTA) Austria) and Jalaj Upadhyay (Rutgers University)

Instance-Optimal Private Density Estimation in the Wasserstein Distance by Vitaly Feldman, Audra McMillan, Satchit Sivakumar (Boston University), and Kunal Talwar

Leveraging Model Guidance to Extract Training Data from Personalized Diffusion Models by Xiaoyu Wu (Carnegie Mellon University), Jiaru Zhang (Purdue University), and Steven Wu (Carnegie Mellon University)

Local Pan-privacy for Federated Analytics by Vitaly Feldman, Audra McMillan, Guy N. Rothblum, and Kunal Talwar

Nearly Tight Black-Box Auditing of Differentially Private Machine Learning by Meenatchi Sundaram Muthu Selva Annamalai (University College London) and Emiliano De Cristofaro (University of California, Riverside)

On the Price of Differential Privacy for Hierarchical Clustering by Chengyuan Deng (Rutgers University), Jie Gao (Rutgers University), Jalaj Upadhyay (Rutgers University), Chen Wang (Texas A&M University), and Samson Zhou (Texas A&M University)

Operationalizing Contextual Integrity in Privacy-Conscious Assistants by Sahra Ghalebikesabi (Google DeepMind), Eugene Bagdasaryan (Google Research), Ren Yi (Google Research), Itay Yona (Google DeepMind), Ilia Shumailov (Google DeepMind), Aneesh Pappu (Google DeepMind), Chongyang Shi (Google DeepMind), Laura Weidinger (Google DeepMind), Robert Stanforth (Google DeepMind), Leonard Berrada (Google DeepMind), Pushmeet Kohli (Google DeepMind), Po-Sen Huang (Google DeepMind), and Borja Balle (Google DeepMind)

PREAMBLE: Private and Efficient Aggregation via Block Sparse Vectors by Hilal Asi, Vitaly Feldman, Hannah Keller (Aarhus University; work done while at Apple), Guy N. Rothblum, and Kunal Talwar

Privacy amplification by random allocation by Vitaly Feldman (Apple) and Moshe Shenfeld (The Hebrew University of Jerusalem)

Privacy of Noisy Stochastic Gradient Descent: More Iterations without More Privacy Loss by Jason Altschuler (MIT) and Kunal Talwar

Privately Estimating a Single Parameter by John Duchi (Stanford University), Hilal Asi, and Kunal Talwar

Scalable Private Search with Wally by Hilal Asi, Fabian Boemer, Nicholas Genise, Muhammad Haris Mughees, Tabitha Ogilvie, Rehan Rishi, Guy N. Rothblum, Kunal Talwar, Karl Tarbe, Ruiyu Zhu, and Marco Zuliani

Shifted Composition I: Harnack and Reverse Transport Inequalities by Jason Altschuler (University of Pennsylvania) and Sinho Chewi (IAS)

Shifted Interpolation for Differential Privacy by Jinho Bok (University of Pennsylvania), Weijie Su (University of Pennsylvania), and Jason Altschuler (University of Pennsylvania)

Tractable Agreement Protocols by Natalie Collina (University of Pennsylvania), Surbhi Goel (University of Pennsylvania), Varun Gupta (University of Pennsylvania), and Aaron Roth (University of Pennsylvania)

Tukey Depth Mechanisms for Practical Private Mean Estimation by Gavin Brown (University of Washington) and Lydia Zakynthinou (University of California, Berkeley)

User Inference Attacks on Large Language Models by Nikhil Kandpal (University of Toronto & Vector Institute), Krishna Pillutla (Google), Alina Oprea (Google, Northeastern University), Peter Kairouz (Google), Christopher A. Choquette-Choo (Google), and Zheng Xu (Google)

Universally Instance-Optimal Mechanisms for Private Statistical Estimation by Hilal Asi, John C. Duchi (Stanford University), Saminul Haque (Stanford University), Zewei Li (Northwestern University), and Feng Ruan (Northwestern University)

“What do you want from theory alone?” Experimenting with Tight Auditing of Differentially Private Synthetic Data Generation by Meenatchi Sundaram Muthu Selva Annamalai (University College London), Georgi Ganev (University College London, Hazy), and Emiliano De Cristofaro (University of California, Riverside)

Acknowledgments

Many people contributed to this workshop including Hilal Asi, Anthony Chivetta, Vitaly Feldman, Haris Mughees, Martin Pelikan, Rehan Rishi, Guy Rothblum, and Kunal Talwar.
