Data Redaction from Conditional Generative Models

Machine Unlearning. Machine unlearning computes or approximates a re-trained machine learning model after removing certain training samples (cao2015towards, ). Many unlearning methods have been proposed for supervised learning (guo2019certified, ; schelter2020amnesia, ; neel2021descent, ; sekhari2021remember, ; izzo2021approximate, ; ullah2021machine, ; bourtoule2021machine, ; warnecke2021machine, ), among which some provide theoretically guaranteed unlearning or removal for strictly convex classifiers. There is one method approximate deletion method for generative models (kong2022approximate, ), which aims to delete from an unconditional generative model by post-hoc rejection sampling. The goal of data redaction is very different from machine unlearning, which unlearns training samples and is usually in the privacy context, while data redaction prevents undesirable samples from generation regardless whether they are in the training set. ¹¹1It is also unclear how to do efficient unlearning for complex conditional generative models (e.g. text-to-X) because it is unclear what exact combination of (text, X) pairs to unlearn and how to do it beyond retraining from scratch. A detailed explanation can be found in Section II-C in (kong2023data, ).

Data Filtering and Semantic Editing. A direct way to prevent certain samples to be generated is to apply a data filter (e.g., a malicious content classifier). The filter can be applied to training data before training (nichol2021glide, ; schuhmann2022laion, ; ramesh2022hierarchical, ), or applied post-hoc to model outputs (rando2022red, ; nudenet, ; man, ). Another line of research has looked at semantically modifying the outputs of generative models. For GANs (goodfellow2014generative, ), (bau2020semantic, ) computes an editing vector in the latent space to alter a semantic concept. For diffusion models (ho2020denoising, ) especially text-to-image models like Stable Diffusion (rombach2021highresolution, ), there are also a number of image editing techniques (bar2022text2live, ; hertz2022prompt, ; kawar2022imagic, ; valevski2022unitune, ; brack2022stable, ). (schramowski2022safe, ) applied image editing to prevent diffusion models from generating malicious images through a safety guidance term that alters the sampling algorithm for inappropriate prompts.

While these filtering and editing methods can be used to prevent malicious images, the model parameters are not modified. Consequently, in cases where the models owners share the model weights with third parties, they do not have control over whether the third parties will use the filters or editing methods. In contrast, our proposed method modifies the model weights to address this issue.

Data Redaction in Unconditional Models. Several works have studied methods to prevent generative models from producing undesirable samples, either by re-training or post-editing. For GANs, (asokan2020teaching, ) and (sinha2021negative, ) investigated re-training methods via modified loss functions that penalize generation of undesirable samples, and (bau2020rewriting, ) and (cherepkov2021navigating, ) introduced post-hoc parameter rewriting techniques for semantic editing, which can be used to remove undesirable artifacts. (kong2023data, ), (malnick2022taming, ), and (moon2023feature, ) designed post-editing data redaction methods for various types of pre-trained generative models.

All these methods are restricted to the unconditional setting as they modify the map** from latent vectors to samples. In contrast, the goal of this paper is to redact data from pre-trained, conditional generative models. In these models, the conditional information heavily controls the content and style of generated samples (e.g. text-to-X), whereas the latent controls variation. It is therefore necessary to also modify the map** from conditional to samples.

Redaction Methods for Stable Diffusion. (gandikota2023erasing, ) fine-tunes Stable Diffusion to incorporate negative guidance on undesirable visual styles (e.g., those under copyright protection). As a result, undesirable samples will not be generated with the standard sampling algorithm. However, one might recover the original score from the distilled score to break this method (see Appendix A for details). (gandikota2023unified, ) proposed an analytic solution for keys in cross attention blocks to edit concepts. A similar approach (zhang2023forget, ) proposed a re-steering mechanism for keys by minimizing the attention maps of target concepts. (heng2023selective, ) and (kumari2023ablating, ) proposed to forget or manipulate concepts by further fine-tuning the entire network with certain continual learning objectives. These methods are heavily designed for text-to-image tasks with Stable Diffusion. They require the model to be trained with either classifier-free guidance (ho2022classifier, ) or cross attention blocks, or they need to fine-tune the entire large diffusion network. In contrast, our proposed method is universal, applies to a broader range of generative models, and applies to multiple data domains. To our knowledge, it is the first method that is able to redact voices from a trained speech synthesis model.

In this section, we study how to redact text prompts in text-to-image models. Modern text-to-image models can produce high-resolution images conditioned on text prompts that may be offensive, biased, malignant, or fabricated (nichol2021glide, ; birhane2021multimodal, ; schuhmann2022laion, ; ramesh2022hierarchical, ; rando2022red, ; nudenet, ; man, ). These models are usually expensive to re-train, so it is important to redact these prompts without re-training.

Especially, we look at DM-GAN (zhu2019dm, ), a GAN-based text-to-image model. It is trained on pairs of text and images from the CUB dataset (CUB, ; reed2016learning, ), a dataset for various species of birds. DM-GAN is composed of three cascaded generative networks $\{G_{1},G_{2},G_{3}\}$. The first $G_{1}$ generates $64\times 64$ images, the second $G_{2}$ up-samples to $128\times 128$, and the third $G_{3}$ up-samples to $256\times 256$. Each $G_{i}$ has its own conditioning network $H_{i}$. For a given prompt $c$, the model computes a sentence embedding $v_{s}(c)$ and word embeddings $v_{w}(c)$ from a pre-trained text encoder (xu2018attngan, ). The first conditioning network $H_{1}$ performs conditioning augmentation on the sentence embedding and concatenate the output to the latent variable. $H_{2}$ and $H_{3}$ apply memory writing modules to the word embeddings and fuse the outputs with the previously generated low-resolution images via several gates.

Defining $\hat{c}$. We assume $\mathcal{C}_{\Omega}$ contains prompts that have undesirable words or phrases. For these prompts, the reference prompts are defined by replacing these words with non-redacted ones.

Sequential distillation. We propose to distill the conditioning networks $\{H_{1},H_{2},H_{3}\}$ sequentially based on (4). This is because both $G_{2}$ and $G_{3}$ are generative super-sampling networks, which take $G_{1}$ and $G_{2}$ outputs as inputs, respectively. After $G_{1}$ is edited to $G_{1}^{\prime}$ for redaction, $G_{2}$ will take $G_{1}^{\prime}$ outputs as inputs, and similar for $G_{3}$. Formally,

for $i=2,3$.

Improved capacity. As $H_{1}^{\prime}$ needs to approximate a piecewise function that is defined differently for two sets of sentence embeddings, we need to increase the capacity of $H_{1}^{\prime}$ for better distillation. We append a few LSTM layers to the beginning of $H_{1}^{\prime}$, which directly take the sentence embeddings as inputs. The LSTM layers are followed by a convolution layer that reduces hidden dimensions to 1. We initialize this layer with zero weights for training stability. We expect these layers can project sentence embeddings of $c$ to those of $\hat{c}$. The rest of $H_{1}^{\prime}$ has the same architecture as $H_{1}$ but all weights are initialized for training. We do not increase the capacity of $H_{2}^{\prime}$ and $H_{3}^{\prime}$ for two reasons. First, $H_{1}^{\prime}$ has more direct impact on the generated images because it directly controls the initial low-resolution image. Second, the memory writing modules of $H_{2}$ and $H_{3}$ are already very expressive.

Fixing the variance prediction part in $H_{1}$. We aim to reduce the computational overhead by fixing certain variables. The conditioning augmentation module in $H_{1}$ first computes a mean and a variance vector, and then samples from the Gaussian defined by them. We fix the variance prediction part and only distill the mean prediction part. In our experiments the number of parameters to be trained in $H_{1}^{\prime}$ (with improved capacity) is reduced by $\sim 32\%$ and therefore matches $H_{1}$.

$\lambda$ annealing. In order to make sure the distilled conditioning networks also approximate the pre-trained ones well for non-redacted prompts, we anneal the balancing coefficient $\lambda$ during distillation: we initialize $\lambda=\lambda_{\min}$ and linearly increases to $\lambda_{\max}$ in the end.

Modern text-to-speech models can turn text into high-quality speech in unseen voices such as celebrity voices (kong2021diffwave, ; Betker2022TTS, ; wang2023neural, ; zhang2023speak, ). This may have unpredictable public impact if these models are used to fake celebrities. In this section, we study redacting certain voices from a pre-trained text-to-speech model.

Especially, we look at DiffWave (kong2021diffwave, ), a diffusion probabilistic model that is conditioned on spectrogram and outputs waveform. It is trained on speech of a single female reading a book, which we call the pre-trained voice. There are $n=30$ layers or residual blocks in DiffWave, each containing one independent conditioning network $H_{i}$. The architecture of each $H_{i}$ includes two up-sampling layers followed by one convolution layer.

Defining $\hat{c}$ with voice cloning. We assume $\mathcal{C}_{\Omega}$ contains a few clips of speech in a specific voice. We train a voice cloning model (CycleGAN-VC2 (kaneko2019cyclegan, )) between the specific and pre-trained voices, and then transform all clips in $\mathcal{C}_{\Omega}$ to the pre-trained voice. By doing this we obtain time-aligned pairs between $c\in\mathcal{C}_{\Omega}$ and the corresponding $\hat{c}$: when we select a small duration $[t,t+\Delta t]$, the content of $c_{t:t+\Delta t}$ is the same as $\hat{c}_{t:t+\Delta t}$, yet only the voices are different.

Improved voice cloning. We find the voice cloning quality of CycleGAN-VC2 can be improved by making the two unpaired training sets more similar. We first use a pre-trained Whisper model (radford2022robust, ) to extract text from redacted speech. Then, we use Tortoise-TTS (Betker2022TTS, ) to turn these text into speech in the pre-trained voice. Note that this cannot be used to define $\hat{c}$ directly because the generated samples are not time-aligned with the speech to be redacted. However, these generated samples are more similar to the redacted samples because they have the same text, and therefore it is easier for CycleGAN-VC2 to learn transformations between these two voices.

Parallel distillation. We propose to distill all conditional layers $H_{i}$’s in parallel as they are independent. We minimize the following loss: $\min\frac{1}{n}\sum_{i=1}^{n}L(H_{i}^{\prime};\lambda).$

Fixing up-sampling layers in $H_{i}$. To reduce computation overhead we fix the two up-sampling layers in each $H_{i}$. We only distill the last convolution layer in each $H_{i}$.

Improved capacity. To improve redaction quality, we increase the capacity of each $H_{i}^{\prime}$ by replacing its last convolution layer $h_{\mathrm{conv}}$ with a spectrogram-rewriting module. It has two components: a gate $h_{\mathrm{gate}}$ consisting of a convolution with zero initialization followed by sigmoid, and a transformation block $h_{\mathrm{trans}}$ consisting of two convolution layers. The forward computation of the spectrogram-rewriting module is defined as: $y=h_{\mathrm{conv}}(v)\odot h_{\mathrm{gate}}(v)+h_{\mathrm{conv}}(h_{\mathrm{trans}}(v))\odot(1-h_{\mathrm{gate}}(v)),$ where $v$ is the up-sampled mel-spectrogram and $y$ is the output representation at each layer. We expect this module can retain the pre-trained voice and also project redacted voices to the pre-trained voice.

Non-uniform distillation losses. We conjecture the all conditioning layers are not of the same importance because of their order and different hyper-parameters specifically the dilation $2^{i\mathrm{~{}mod~{}}n^{\prime}}$ in the corresponding residual layer. This motivates us to use different weights and $\lambda$ values for each $H_{i}$: $\min\sum_{i=1}^{n}w_{i}L(H_{i}^{\prime};\lambda_{i}).$ We test different schedules described in Table I.

We train a class-conditional GAN called cGAN (mirza2014conditional, ) on MNIST (lecun2010mnist, ). Each conditional has a $10$-dimensional embedding vector, and is concatenated to the latent vector as the input. The affine transformation matrix $M$ in Section IV is the last 10 rows of the weight matrix of the first fully connected layer. We redact labels 0,1,2,3 according to (3), where we let $\hat{c}=9-c$ for them. Generated samples of pre-trained and redacted models are shown in Fig. 2.

Setup. We use the pre-trained DM-GAN (zhu2019dm, ) model trained on the CUB dataset (CUB, ), which contains 8855 training images and 2933 testing images of 200 subcategories belonging to birds. Each image has 10 captions (reed2016learning, ). Our distillation algorithm is trained with the caption data only. We redact prompts that contain certain words or phrases. We redact the word blue$\in c$ by defining $\hat{c}$ as the prompt that replaces all blue with another word red. ⁵⁵5Any word other than blue can be used. Similarly, we redact blue wings and red wings by replacing these phrases to white wings. We redact long beak and white belly by replacing the first to short beak and the second to black belly. Finally, we redact yellow and red by replacing them to black, which is more challenging as many samples are redacted.

Table II includes the number of training and test prompts that are redacted in each experiment. Note that when we redact blue wings and red wings, we also redact phrases wings that are blue and wings that are red.

Architecture and optimization. The architecture of the pre-trained model and other details are in Appendix B. The architecture of student conditioning networks with improved capacity is shown in Fig. 4. For each $H_{i}$, $i=1,2,3$, we use the Adam optimizer (kingma2014adam, ) with a learning rate $0.005$ to optimize the mean square error loss. The redaction algorithm terminates at 1000 iterations. For $H_{1}$ we use a batch size of 128, and for $H_{2}$ and $H_{3}$ we reduce the batch size to 32 in order to fit into GPU memory.

Configurations. We first use the sequential distillation (5) and (6) with $\lambda=1$ to perform redaction, which we denote as the base configuration. We then improve the capacity by using a 3-layer bidirectional LSTM with hidden size $=32$ and dropout rate $=0.1$. Next, we fix the variance prediction in $H_{1}$ to reduce the number of parameters to optimize, which matches the base configuration. Finally, we apply $\lambda$ annealing by setting $\lambda_{\min}=1$ and $\lambda_{\max}=3$.

Baseline. We compare to the Rewriting algorithm (bau2020rewriting, ), a semantic editing method originally designed for unconditional generative models. We adapt their method to DM-GAN by rewriting $G_{1}$, $G_{2}$, and $G_{3}$ sequentially. For both $G_{2}$ and $G_{3}$ we rewrite the up-sampling layer before the feature output. For $G_{1}$ we have choices of rewriting the up-sampling layer at different resolutions ranging from $8\times 8$ to $64\times 64$. We test all these choices in the experiment.

Evaluation metrics. To evaluate generation quality of $G^{\prime}$, we compute Inception Scores (IS) (salimans2016improved, ) for images conditioned on redacted and valid prompts, separately. In detail, the IS scores are computed as $\exp(\mathbb{E}_{x}\mathbb{KL}(p(y|x)\parallel p(y)))$, where $x\sim p_{G^{\prime}}(\cdot|c)$ for $c\sim\mathrm{Uniform}(\mathcal{C}_{\Omega})$ or $\mathrm{Uniform}(\mathcal{C}\setminus\mathcal{C}_{\Omega})$, $p(y|x)$ is the logit from the Inception-V3 output layer (szegedy2016rethinking, ), and $p(y)$ is the marginal. We generate one sample for each text prompt for evaluation.

To evaluate redaction quality, we compute the following three metrics where $c\sim\mathcal{C}_{\Omega}$ and $z\sim\mathcal{N}$.

1. 1.

   $\mathcal{R}_{G(\cdot|c/\hat{c})}$ measures faithfulness of $G^{\prime}$ on the redaction prompts. It is defined as the fraction of samples $\{G^{\prime}(z|c)\}$ such that $\mathrm{dist}(G^{\prime}(z|c),G(z|\hat{c}))<\mathrm{dist}(G^{\prime}(z|c),G(z|c))$, where $\mathrm{dist}$ is $\ell_{2}$ distance in the Inception-V3 feature space (szegedy2016rethinking, ).

2. 2.

   A modified R-precision score $\mathcal{R}_{r}$ measures how well $G^{\prime}(z|c)$ matches the target caption $\hat{c}$. (xu2018attngan, ) defined correlation $\mathrm{corr}(x,c)$ between sample $x$ and caption $c$ as $\cos\langle\mathrm{Enc}_{\mathrm{CNN}}(x),\mathrm{Enc}_{\mathrm{RNN}}(c)\rangle$ for pretrained CNN (image) and RNN (text) encoders. We use the pretrained encoders from DM-GAN. Then, $\mathcal{R}_{r}$ is defined as the fraction of samples $G^{\prime}(z|c)$ such that $\mathrm{corr}(G^{\prime}(z|c),\hat{c})$ is larger than the correlation between $G^{\prime}(z|c)$ and 100 random, mismatch captions.

3. 3.

   We further introduce $\mathcal{R}_{c/\hat{c}}$, which measures how much better $G^{\prime}(z|c)$ matches $\hat{c}$ than $c$. It is defined as the fraction of samples $G^{\prime}(z|c)$ such that $\mathrm{corr}(G^{\prime}(z|c),\hat{c})>\mathrm{corr}(G^{\prime}(z|c),c)$.

Results. The results for redacting yellow and red shown in Table III. The base configuration already achieves good redaction and generation quality. After improving capacity, we find all redaction quality metrics increase by $2.3\sim 2.7\%$, and generation quality is retained. After we fix the variance prediction in $H_{1}$, the redaction decrease by $\sim 1\%$, but the generation quality on valid prompts increases by $0.1$. Finally, by performing $\lambda$ annealing, all metrics improve. Notably, $\mathcal{R}_{G(\cdot|c/\hat{c})}$ and $\mathcal{R}_{c/\hat{c}}$ increase by over $5\%$, indicating generated samples are more similar to $\hat{c}$ rather than $c$.

We find the Rewriting baselines achieve better IS. However, generated samples are blurred and lack sharp edges as shown in the visualization. The redaction quality of Rewriting has a significant gap with ours: all redaction metrics are less than half of ours. Especially, $\mathcal{R}_{r}$ is worse than the pre-trained model, indicating generated samples conditioned on redacted prompts are not very correlated to $\hat{c}$. We hypothesize the main problem for Rewriting is that it is crafted for 2D convolutions and edits the main generative network, which makes it hard to handle and distinguish the information from different prompts. In terms of different choices of resolutions, we find rewriting the layer at resolution $8\times 8$ yields the best redaction quality.

Table IV includes results for redacting the other prompts. The Rewriting baseline is applied to $8\times 8$ resolution in $H_{1}$ because it yields the best redaction quality. We find the base configuration of our method is already very effective. Our method greatly outperforms Rewriting in all redaction quality metrics and keeps good generation quality.

Visualization. See Appendix B-B for generated samples. The Rewriting baseline generate very blurry samples while our method generates high-quality, sharp samples which also satisfy the redaction requirements.

Computation. Data redaction takes about 30 minutes to train on a single NVIDIA 3080 GPU.