Differential Privacy

The Memorisation Problem

EEG signals carry biometric identity information. Multiple studies have demonstrated that individuals can be re-identified from their EEG patterns with high accuracy using standard machine learning classifiers. This has two important implications:

  1. Privacy risk: A foundation model trained on multi-subject EEG could memorise subject-specific characteristics, allowing an attacker to extract identity information from the model's weights or activations.
  2. Generalisation risk: A model that memorises individual characteristics will generalise poorly to new individuals, mistaking person-specific EEG patterns for cognitive state signals.

Both risks are addressed by differentially private (DP) training pipelines that formally limit the model's ability to memorise individual-level information.

Formal Definition of Differential Privacy

A randomised algorithm \(\mathcal{A}\) satisfies \((\varepsilon, \delta)\)-differential privacy if for any two datasets \(D\) and \(D'\) that differ by exactly one individual's data, and for any possible output set \(S\):

\[\Pr[\mathcal{A}(D) \in S] \leq e^\varepsilon \cdot \Pr[\mathcal{A}(D') \in S] + \delta\]

Intuitively: the model's behaviour changes very little when any single individual's data is added or removed. A smaller \(\varepsilon\) provides stronger privacy. In practice, \(\varepsilon \in [1, 10]\) is considered acceptable, and \(\delta \ll 1/|D|\).
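The definition can be made concrete with the classical Gaussian mechanism, which achieves \((\varepsilon, \delta)\)-DP (for \(\varepsilon \leq 1\)) by adding noise calibrated to the query's sensitivity. The function name and the example numbers below are illustrative, not from the text:

```python
import numpy as np

def gaussian_mechanism(value, sensitivity, epsilon, delta, rng=None):
    """Release `value` with (epsilon, delta)-DP via the classical
    Gaussian mechanism (valid for epsilon <= 1): noise scale grows
    with sensitivity and shrinks as epsilon grows."""
    rng = rng or np.random.default_rng()
    sigma = np.sqrt(2.0 * np.log(1.25 / delta)) * sensitivity / epsilon
    return value + rng.normal(0.0, sigma)

# Toy example: privately release a mean over |D| = 10,000 subjects.
# Adding or removing one subject changes the mean by at most 1/|D|,
# so the sensitivity is 1/n (assuming values bounded in [0, 1]).
n = 10_000
true_mean = 0.42
private_mean = gaussian_mechanism(true_mean, sensitivity=1.0 / n,
                                  epsilon=0.5, delta=1e-6,
                                  rng=np.random.default_rng(0))
```

Because the sensitivity is tiny relative to the dataset size, the released mean is close to the true mean with high probability, which is the utility-privacy tradeoff in miniature.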

DP-SGD for Foundation Model Training

The standard approach is DP-SGD (Abadi et al., 2016): at each training step, per-example gradients are clipped to a maximum norm \(C\) (limiting the influence of any individual), and Gaussian noise is added to the aggregated gradient before updating model weights.

\[\tilde{g}_t = \frac{1}{B} \left( \sum_{i \in \text{batch}} \text{clip}(g_i, C) + \mathcal{N}(0, \sigma^2 C^2 I) \right)\]

The privacy cost accumulates over training steps and is tracked using the moments accountant or Rényi differential privacy accounting.

Practical challenge: DP-SGD requires per-example gradient computation, which is significantly more expensive than standard mini-batch training. Techniques such as ghost clipping reduce this overhead by avoiding explicit materialisation of per-example gradients, and DP variants of adaptive optimisers (e.g. DP-Adam) apply the same clip-and-noise mechanism within Adam-style updates.
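The clip-sum-noise update can be sketched in plain NumPy for a toy least-squares model. Everything here (`dp_sgd_step`, the hyperparameters, the synthetic data) is illustrative, and no privacy accounting is performed:

```python
import numpy as np

def dp_sgd_step(w, X, y, rng, lr=0.5, C=1.0, sigma=0.5):
    """One DP-SGD step for least-squares regression: per-example
    gradients are clipped to L2 norm C, summed, noised with scale
    sigma * C, then averaged over the batch."""
    B = len(X)
    # Per-example gradients of 0.5 * (x.w - y)^2 with respect to w.
    residuals = X @ w - y                      # shape (B,)
    grads = residuals[:, None] * X             # shape (B, d)
    # Clip each example's gradient so no individual dominates.
    norms = np.linalg.norm(grads, axis=1, keepdims=True)
    grads = grads * np.minimum(1.0, C / np.maximum(norms, 1e-12))
    # Sum, add Gaussian noise scaled to the clipping bound, average.
    noisy = grads.sum(axis=0) + rng.normal(0.0, sigma * C, size=w.shape)
    return w - lr * noisy / B

rng = np.random.default_rng(1)
X = rng.normal(size=(256, 4))
w_true = np.array([1.0, -2.0, 0.5, 0.0])
y = X @ w_true
w = np.zeros(4)
for _ in range(200):
    w = dp_sgd_step(w, X, y, rng)
```

Despite clipping and noise, the model converges close to the true weights; the cost is that the loop above materialises a `(B, d)` per-example gradient array, which is exactly the overhead ghost clipping avoids in real frameworks.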

Scalable Private Partition Selection

Chen, Cohen-Addad, Epasto & Zadimoghaddam (2025) - arXiv:2502.08878

A complementary approach to DP training: rather than applying DP-SGD over the entire dataset, use private partition selection to identify and select a differentially private subset of training data that is less likely to contain uniquely identifying characteristics. This reduces the privacy noise required during training while maintaining the formal DP guarantee.
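The core primitive behind private partition selection is noise-and-threshold: count user contributions per item, noise the counts, and release only items that clear a threshold. The sketch below shows only this basic primitive, not the scalability techniques that are the paper's actual contribution; `sigma` and `threshold` stand in for values that would be derived from the target \((\varepsilon, \delta)\):

```python
import numpy as np

def private_partition_selection(user_items, sigma, threshold, rng=None):
    """Noise-and-threshold partition selection: each user votes at most
    once per item, Gaussian noise is added to each item's count, and
    only items whose noisy count exceeds the threshold are released."""
    rng = rng or np.random.default_rng(0)
    counts = {}
    for items in user_items:           # one entry per user
        for item in set(items):        # cap each user's influence per item
            counts[item] = counts.get(item, 0) + 1
    return [item for item, c in counts.items()
            if c + rng.normal(0.0, sigma) > threshold]

users = [["common"]] * 100 + [["rare"]]
released = private_partition_selection(users, sigma=1.0, threshold=10.0)
```

Items contributed by many users survive the threshold; items seen for only one or two users (which are the most identifying) are almost never released.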

Differentially Private Synthetic Data Generation

Tan et al. (2025) - arXiv:2503.12347

An alternative to direct DP training is to generate privacy-preserving synthetic EEG data and train the foundation model on the synthetic data instead of the original recordings. If the synthetic data generation process satisfies differential privacy, then any model trained on the synthetic data inherits the DP guarantee.

This approach has the advantage of decoupling the privacy mechanism from the model training process: once the synthetic data is generated, standard (non-DP) training procedures can be used, recovering standard training efficiency.

Challenges for EEG: Generating realistic synthetic EEG that preserves cognitive state correlates while removing individual identity is technically demanding. Current approaches use conditional generative models (VAEs, GANs, diffusion models) with DP constraints.

Subject De-identification

Before any DP training, standard de-identification steps should be applied:

  • Remove or generalise demographic metadata (age, gender) that could be combined with EEG patterns for re-identification.
  • Remove stimulus-response triggers that could identify the specific experimental protocol.
  • Apply spatial blurring (source mixing) to reduce individual-specific electrode patterns.

These steps reduce the amount of DP noise required to achieve a given privacy level, improving the utility-privacy tradeoff.
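One simple form of the spatial blurring step above is to blend each channel toward the across-channel average with a row-stochastic mixing matrix. The function and parameter names are illustrative; real pipelines would likely use neighbourhood-aware mixing based on electrode geometry:

```python
import numpy as np

def spatial_blur(eeg, mix_strength=0.3):
    """Attenuate individual-specific spatial patterns by mixing each
    channel with the average of all channels.

    eeg: array of shape (channels, samples).
    mix_strength: fraction of each channel replaced by the global mean.
    """
    n_ch = eeg.shape[0]
    # Row-stochastic mixing matrix: keep (1 - s) of each channel and
    # spread s uniformly across all channels.
    M = ((1 - mix_strength) * np.eye(n_ch)
         + (mix_strength / n_ch) * np.ones((n_ch, n_ch)))
    return M @ eeg

blurred = spatial_blur(np.ones((8, 100)))
```

Because the mixing matrix is doubly stochastic, the across-channel mean signal is preserved exactly while between-channel differences (the main carrier of individual spatial signatures) are shrunk by the mixing factor.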

Relationship to Personalisation

Differential privacy ensures the base model cannot memorise individual characteristics. This makes the base model more robust and more generalisable. Subject personalisation then adds back individual-specific information in a controlled way at deployment time, using individual-specific adapter modules that are never shared with the base model and never trained on other individuals' data.