Private and Stable Test-Time Adaptation with Differential Privacy
2026-06-01 • Machine Learning
Machine LearningComputer Vision and Pattern Recognition
AI summaryⓘ
The authors study how to update models during testing to handle new data while keeping the test data private. They apply techniques from differential privacy, like clipping gradients and adding noise, to popular test-time adaptation methods. Their experiments show this can protect privacy with only a small drop in accuracy, and sometimes even improve stability and performance. This work highlights privacy concerns in test-time updates and suggests practical ways to address them.
Test-time adaptationDifferential privacyGradient clippingGaussian noiseImageNet-CModel inferencePrivacy-preserving machine learningContinual learningModel stability
Authors
Zefeng Li, Qiaoyue Tang, Mathias Lecuyer, Evan Shelhamer
Abstract
Test-time adaptation (TTA) can reduce error on new and different data by updating the model on these inputs during inference. However, these updates raise the issue of privacy w.r.t. the testing data, because the model parameters now depend on all past inputs. To control this privacy risk, we cast multiple popular TTA methods (Tent, EATA, SAR, DeYO, and COME) into differential privacy (DP) forms that apply per-sample gradient clipping and Gaussian noise for all updates. On ImageNet-C, our DP-TTA methods provide adequate privacy at small cost to accuracy, and in the low-privacy regime the clipping mechanism of DP can even improve the accuracy and stability of adaptation in the continual setting. These improvements to privacy and accuracy come at only modest computational overhead. These first results on private TTA raise awareness of the issue, inform the development of more private test-time updates, and identify per-sample clipping as an effective technique for improving the accuracy and stability of adaptation.