By ML Task
ML task matters because PETs constrain different parts of the pipeline: data collection, training, inference, evaluation, logging, and release.
Task Matrix
| ML task | Primary PET | Supporting PETs | What to measure | Do not claim |
|---|---|---|---|---|
| Cross-silo model training | Federated learning | Secure aggregation, DP, robust aggregation | Per-site utility, update leakage, poisoning resilience, round size | Privacy from FL alone |
| Federated analytics | Federated analytics or MPC | DP, thresholds, output review | Small-cell leakage, latency, analyst workflow, cost | That aggregates are automatically safe |
| Private inference | HE or TEE confidential inference | Compression, quantization, attestation, key management | Latency, accuracy, supported operators, output leakage | That input privacy protects prediction privacy |
| Private RAG | Confidential RAG | TEEs, access control, redaction, audit logs | Retrieval authorization, answer leakage, prompt/log retention | That a protected runtime fixes bad permissions |
| Private LLM fine-tuning | DP-SGD, FL, TEEs depending on data location | Secure aggregation, memorization audits, redaction | Utility, privacy budget, memorization, compute cost | That fine-tuning is safe because data stays local |
| Synthetic data generation | DP synthetic data if release is public | Memorization tests, downstream utility tests | Membership inference, nearest-neighbor similarity, task utility | That synthetic means anonymous |
| Privacy-preserving evaluation | Clean room, TEE, MPC, DP metrics | Output review, test-set minimization | Label leakage, benchmark contamination, metric sensitivity | That evaluation outputs cannot leak |
Cross-Silo Training
Use federated learning when several organizations want a shared model and raw data cannot centralize.
Add:
- secure aggregation when the coordinator should not inspect individual updates;
- DP when the model release must bound individual or record contribution;
- robust aggregation when participants may be malicious or compromised;
- per-site evaluation because non-IID data can hide failures.
Avoid FL when the real problem is governance, not data movement. A negotiated data-sharing agreement plus centralized training may be simpler, cheaper, and easier to audit.
Federated Analytics
Use federated analytics when the output is a metric, report, or aggregate rather than a trained model.
This is often the right starting point for healthcare quality metrics, cross-bank risk statistics, and platform measurement. Add DP or minimum thresholds when outputs could reveal small cohorts.
Avoid it when the computation requires rich joint features across parties. That may push you toward MPC or a controlled clean-room workflow.
Private Inference
Use HE when the model provider must not see client inputs and the workload is narrow enough for encrypted computation.
Use TEE-based confidential inference when:
- the model is too complex for practical HE;
- latency matters;
- hardware trust and remote attestation are acceptable;
- plaintext exists only inside the confidential runtime.
Avoid both if the output itself is sensitive and no output policy exists. The prediction can leak attributes even when inputs are protected.
Private RAG
Private RAG is mostly an authorization and leakage-control problem with PET support.
Use confidential RAG when prompts, retrieved snippets, embeddings, or model execution cross trust boundaries. TEEs can reduce runtime exposure, but the design also needs retrieval policy, provenance, log controls, and answer review.
Failure mode: the system faithfully protects the prompt from the cloud operator while retrieving documents the user should never have seen.
Private LLM Fine-Tuning
Choose based on where training data can live:
| Data constraint | PET direction | Caveat |
|---|---|---|
| Data stays inside organizations | FL | Updates can leak; local training must be reliable |
| Formal privacy for records is required | DP-SGD or DP adapters | Utility and compute may be painful |
| Training can run in a confidential environment | TEEs | Requires attestation and side-channel assumptions |
| Only redacted examples can be used | Redaction plus evaluation | Redaction is not a formal privacy guarantee |
Measure memorization directly. A private fine-tuning story is weak if nobody tests whether prompts can extract training examples.
Synthetic Data For ML
Use synthetic data for prototyping, QA, education, and some downstream modeling when raw data release is too risky.
Use DP synthetic data for public or broad releases that need a formal privacy claim. Non-DP synthetic data may still be useful, but it should be labeled as risk-reduced data, not anonymous data.
Measure:
- downstream task performance;
- rare subgroup utility;
- nearest-neighbor similarity to training records;
- membership inference risk;
- privacy budget if DP is used.
Worked Example: Model Provider Private Inference
A model provider wants to sell risk scoring without seeing customer inputs.
First shortlist:
- HE if the model can be simplified to supported operations and latency remains acceptable.
- TEE confidential inference if the model is complex or low latency is required.
- Client-side inference if the model is small enough and IP exposure is acceptable.
Recommendation changes when:
- the customer also needs the provider not to learn outputs;
- the model architecture cannot be made HE-friendly;
- attestation cannot be integrated into the customer's workflow;
- the input sensitivity is low enough that standard hosted inference plus contractual controls is sufficient.
Checklist
- Which pipeline stage contains the sensitive data?
- Does the PET protect training data, inference inputs, retrieved context, evaluation labels, logs, or outputs?
- Is the model architecture compatible with the PET?
- What utility loss is acceptable?
- What attack will be tested before launch?
- What operational metric would cause rollback?