IncogniText: Privacy-enhancing Conditional Text Anonymization via LLM-based Private Attribute Randomization

Large Language Models (LLMs), e.g., GPT-4 Achiam et al. (2023), are gradually becoming ubiquitous and part of many applications in different sectors, e.g., healthcare Liu et al. (2024) and law Sun (2023), where they act as assistants to the users. Despite their various benefits Noy and Zhang (2023), the power of LLMs can be misused for harmful purposes, e.g., cybersecurity Xu et al. (2024) and privacy Neel and Chang (2023) attacks, and profiling Brewster . For instance, LLMs were found to be able to predict various private attributes, e.g., age, gender, income, occupation, about the text author Staab et al. (2023). Hereby, they achieve a performance close to that of humans with internet access, while incurring negligible costs and time. Such private attributes are quasi-identifiers and their combination can substantially increase the likelihood of re-identification Sweeney (2000), i.e., revealing the text author identity. This suggests that human-written text data could in some cases be considered as personal data, which is defined as "any information relating to an identified or identifiable natural person" in GDPR European Parliament and Council of the European Union . Hence, human-written text might potentially require further analysis and protection measures to comply with such privacy regulations.

Prior works proposed word-level approaches to mitigate text privacy leakage Albanese et al. (2023); Li et al. (2023). However, lexical changes do not change the syntactic features which were found to be sufficient for authorship attribution Tschuggnall and Specht (2014). Another line of work leverages differential privacy techniques to re-write the text in a privacy-preserving way Weggenmann et al. (2022); Igamberdiev and Habernal (2023), however, with high utility loss. Moreover, while most prior works and current state-of-the-art text anonymization industry solutions succeed in identifying and anonymizing regular separable text portions, e.g., PII, they fail in cases where intricate reasoning involving context and external knowledge is required to prevent privacy leakage Pilán et al. (2022). In light of this and given that most people do not know how to minimize the leakage of their private attributes, methods that effectively mitigate this threat are urgently needed.

In this work, we address the text anonymization problem where the goal is to prevent any adversary from correctly inferring private attributes of the text author while kee** the text utility, i.e., meaning and semantics. This problem is a prototype for a practical use case where data can reveal quasi-identifiers about the text author, e.g., online services (ChatGPT) and anonymous social media platforms (Reddit). Our contribution is threefold: First, we propose a novel text anonymization method that substantially increases its protection against attribute inference attacks. Second, we demonstrate the effectiveness of our method by conducting an empirical evaluation with different LLMs and on 2 datasets. Here, we also show that our method achieves higher privacy protection compared to two concurrent works Dou et al. (2023); Staab et al. (2024). Finally, we demonstrate the maturity of our method for real-world applications by distilling its anonymization capability into a set of LoRA parameters Hu et al. (2022) that can be added to a small on-device model on consumer products.

We propose IncogniText, an approach to leverage an LLM to protect the original text against attribute inference, while maintaining its utility, i.e., meaning and semantics, hence achieving a better privacy-utility trade-off. Given a specific attribute $a$, e.g., age, our method protects the original text $x_{orig}$ against the inference of the author’s true value $a_{true}$ of the private attribute, e.g., age: 30, by re-writing it in a way that misleads a potential privacy attacker into predicting a wrong target value $a_{target}$, e.g., age: 45. See Fig. 1 for an illustrative example.

We use an anonymization model $M_{anon}$ to re-write the original text $x_{orig}$ using a target attribute value $a_{target}$, the true attribute value $a_{true}$, and the template $T_{anon}$ with anonymization demonstrations, yielding $x_{anon}=M_{anon}(x_{orig},a_{target},a_{true},T_{anon})$. Hereby, the target value can either be chosen by the user or randomly sampled from a pre-defined set of values for the attribute considered. We additionally inform the anonymizer of the true attribute value $a_{true}$ to achieve an anonymized text $x_{anon}$ particularly tailored to hiding that value. The true attribute value could either be read from the text author’s device, e.g., local on-device profile or personal knowledge graph, or input by the author. Nevertheless, IncogniText achieves very effective anonymization even without the usage of the true attribute value $a_{true}$ as demonstrated by our experiments (Section 3).

To validate the effectiveness of the anonymized text $x_{anon}$ against attribute inference, we use a simulated adversary model $M_{adv}$ that tries to predict the author’s attribute value $a_{true}$. If the prediction is correct, additional rounds of anonymization are conducted with the anonymization model $M_{anon}$ until the adversary model $M_{adv}$ is fooled or a maximum iteration number is reached. This ensures that we perform as few re-writing iterations as necessary, hence maintaining as much utility as possible, i.e., the original text is changed as little as possible. Note that the same model can be used as $M_{anon}$ and $M_{adv}$ with different prompt templates $T_{anon}$ and $T_{adv}$ respectively (see Appendix). This might be especially suitable for on-device anonymization cases with limited memory and compute. Note that applying IncogniText to multiple attributes is easily achieved by merging the attribute-specific parts of the anonymization templates. For cases where the text author wants to share a subset or none of the private attributes, they can flexibly choose which attributes to anonymize, if any.

In addition to its usage for early stop** of the iterative anonymization, the adversary model $M_{adv}$ can also be used to inform the anonymization by sharing its reasoning $x_{AdvReasoning}$ for the correct prediction of the true attribute value $a_{true}$. In this case, the reasoning text $x_{AdvReasoning}$ is fed as an additional input to the anonymization model $M_{anon}$. This feature was also proposed in the concurrent work Staab et al. (2024) and we evaluate this variant of IncogniText in our experimental study. We highlight the main differences between this concurrent work and our approach. First, we condition the anonymization model $M_{anon}$ on a target attribute value $a_{target}$. We believe that misleading a potential attacker into predicting a wrong private attribute value by inserting new hints is more effective than removing or abstracting hints to the original value present in the original text. Furthermore, we condition the anonymization model $M_{anon}$ of the true attribute value $a_{true}$ to increase the quality of the anonymization. Finally, we leverage the adversary model $M_{adv}$ as an early stop** method to prevent unnecessary utility loss or the deterioration of the anonymization quality, i.e., further anonymization iterations can in some cases lead to a decrease in privacy as observed in the experiments in Staab et al. (2024). Our empirical evaluation and ablation study demonstrate the effectiveness of these contributions.

We first evaluate our approach on the dataset of $525$ human-verified synthetic conversations proposed by Staab et al. (2023). The dataset includes 8 different private attributes: age, gender, occupation, education, income level, relationship status, and the country and city where the author was born and currently lives in. We compare to anonymization baseline approaches including the Azure Language Service (ALS) Aahill (2023) and the two concurrent works, Dou-SD Dou et al. (2023) and Feedback-guided Adversarial Anonymization (FgAA) Staab et al. (2024). We evaluate the privacy of the anonymized texts using the SOTA attribute inference attack method Staab et al. (2023) which leverages pre-trained LLMs to predict the author attributes based on the text. We assess the utility of the anonymized texts using the traditional ROUGE score Lin (2004) and the LLM-based utility evaluation with the utility judge template $T_{utility}$ proposed in Staab et al. (2024). The latter computes the mean of scores for meaning, readability, and hallucinations given by the evaluation model. More details about the experimental setting including the prompt templates can be found in the Appendix E.

Table 1 presents our main results. We find that IncogniText achieves the highest privacy protection, i.e., lowest attacker inference accuracy, with a tremendous improvement of ca. $19\%$ compared to the strongest baseline. Note that FgAA uses a stronger anonymizer model (GPT-4) suggesting that the improvement might be bigger if we would use the same model with our method. Most importantly, we find that IncogniText substantially reduces the amount of attribute value correctly predicted by the attacker by ca. $90\%$, namely from $71.2\%$ to $7.2\%$. Moreover, our approach achieves high privacy protection across different model sizes and architectures, i.e., Llama 3 Meta (2024) and Phi-3 Abdin et al. (2024), demonstrating that it is model-agnostic. While the IncogniText-anonymized texts yield a high utility, we find that our reproduction of FgAA^† achieves higher utility scores. This is explained by the lower meaning and hallucination scores (the more the model hallucinates, the lower its hallucination score, see Appendix) assigned to IncogniText-anonymized texts by the LLM-based utility judge which considers the inserted cues to mislead the attacker as hallucinations. We argue that these changes are desired by the text author and that they are required to successfully fool the attacker into predicting a wrong attribute value. Finally, we find that IncogniText is significantly faster than the baseline, effectively requiring less anonymization steps (Fig. 2).

We also validate our approach on a dataset proposed in the concurrent work Dou et al. (2023) which contains real posts and comments from Reddit with annotated text-span self-disclosures. We choose a subset of 196 examples that we preprocess (see Appendix for details). Likewise, IncogniText significantly outperforms the strongest baseline FgAA on this dataset, reducing the adversarial accuracy by ca. 82%, namely from 73% to 12.8%.

We investigate different variants of IncogniText to gain more insights into the importance of its components and present the results in Table 2. First, we observe that conditioning the anonymization on a target attribute value is crucial for achieving high privacy protection. Besides, we find that performing early stop** (ES) with the adversary model improves both privacy and utility, since it ensures that no further anonymization steps are conducted that might deteriorate utility or privacy. Moreover, our results suggest that conditioning the anonymizer (Anon) on the attribute ground truth (GT) value is more important than conditioning it on the adversarial reasoning and inference (Inf) for achieving higher privacy. In contrast, conditioning the adversary (Adv) on the GT deteriorates all metrics. We hypothesize that the adversary identifies fewer cues about the author in the text when it has access to GT. Ablation results with other models as anonymizers and Phi-3-small as evaluation model (see appendix) also showcase that conditioning on a target value is the main factor for decreasing privacy leakage. However, their results show no clear trend for the effect of conditioning the anonymizer and the adversary on any other information (GT or Inf). Results that were reported in Table 1 correspond to the $5^{th}$ experiment from table 2.

Finally, we investigate whether IncogniText can achieve a high privacy protection as part of an on-device anonymization solution. For this, we distill the IncogniText anonymization capabilities of the best anonymizer model (Phi-3-small) into a dedicated set of LoRA Hu et al. (2022) parameters associated with a small Qwen2-1.5B model Bai et al. (2023) that could be run on-device. We perform the instruction-finetuning Wei et al. (2021) using additional synthetic conversations released by Staab et al. (2023) that are different than the 525 examples used for testing. The additional examples were not included in the officially released set due to quality issues, e.g., wrong formatting, hallucinations, or absence of hints to the private attributes. We filter and post-process this set of data to solve the issues yielding 664 new examples to which we apply IncogniText to create input-output pairs that we use for finetuning and validation. Post-processing details can be found in the Appendix. We finetune the anonymizer to perform the $4^{th}$ experiment in Table 2 (Anonymizer conditioned on Target and GT). We only fine-tune the anonymizer model and use the pretrained version of Qwen2-1.5B for the adversary. The results (Table 3) show a substantial privacy improvement on-device, effectively reducing the private attribute leakage by more than 50%, from 40.8% to 18.1%, while maintaining utility scores comparable to larger models.

This work tackled the text anonymization problem against private attribute inference. Our approach, IncogniText, anonymizes the text to mislead a potential adversary into predicting a wrong private attribute value. We empirically demonstrated its effectiveness by showing a tremendous reduction of private attribute leakage by more than $90\%$. Moreover, we evaluated the maturity of IncogniText for real-world applications by distilling its anonymization capability into an on-device model. In future works, we aim to generalize our technique to include data minimization capabilities.

While our method achieves tremendous reduction of the private attribute attacker accuracy, the attacker might use a stronger attribute inference model, e.g., a model finetuned for this task, than the open-source adversary model we used in our experiments. This is especially true for on-device setting as the adversary model used has to also be on-device and therefore must be small, e.g., Qwen 1.5B in our experiments. Using better models, e.g., GPT-4, for privacy evaluation might also reveal a higher privacy leakage. Nevertheless, we believe IncogniText would still achieve substantially higher protection than the baselines. Finally, conducting the utility evaluation with humans, e.g., with Likert score Likert (1932), would yield more insightful results into the willingness of people to use this technique in a real-world application.