DP-OPT: Make Large Language Model Your Privacy-Preserving Prompt Engineer

Thank you for the positive reviews and detailed summary of strengths in our paper.

Thank you for the positive comments and valuable reviews.

Q1: It’s known that in-context learning performance is unstable across the choice and even order of examples. How the authors ensure their ICL performance is reliable?

A1: We notice the most influential factor in ICL is the balance of examples in our experiment. We follow DLN-1 paper to implement the ICL where we sample 5 balanced examples. Our results are comparable to those reported in DLN-1 paper in Trec and Mpqa. ICL results on Disaster are different because we used a much larger test set (using the standard test set of Disaster) while DLN-1 selected a small 100-sample subset for the test.

Q2: Table 2 compares methods on different models. Why this comparison is valid/fair?

A2: Thanks for raising the concern. We argue that this is a fair comparison since all prompts are trained using the same model. We only test PEZ on a smaller model, Vicuan 7b, since it cannot be transferred to GPT3 (DaVinci-003). If PEZ is trained on DaVinci-003, it is unfair to compare it with other methods (only tuned on smaller models).

In Figure 4, the provided examples seems to suggested that the method won’t vary the task description while only generating few-shot prompts?

A3: Thanks for the question. We agree that the prompt engineering degrades to generating dummy samples. However, our method can create prompts without samples and promote the performance, as well. More generated prompts are included in Table 9,10 (in appendix). Interestingly, DP-OPT may only slightly change the prompt by appending “ # Student successes Input:” to an initial instruction. Intuitively, the modification prompts LLMs to generate “successful” responses. We notice such minor modifications can improve the accuracy of the Disaster dataset from 76.4% (0-shot) to 78.9% (DP-OPT) tested by DaVinci-003. It even outperforms more complicated prompts generated by DLN-1 (77%).

We thank the reviewer for the valuable comments!

Q1: The threat model & consequence

A1: Thanks for the suggestion. We have added details of threat models in Sec 4. The adversary's goals is to attain the private information of the client dataset (e.g., membership information). The knowledge of the adversary is limited to the prompts received from the client. The adversary can only get a tuned prompt provided by the client but can leverage any available LLMs for attacking.

The real-world consequence of privacy leakage from prompts could result in a violation of privacy regulations, e.g., GDPR (gdpr-info.eu). Concretely, private identifiable information (e.g., names) could be exposed in prompts. Empirically, the privacy risks have been identified in existing works using viable attacks [1,2]. Liu (2023) (https://twitter.com/kliu128/status/1623472922374574080) shows a real-world attack where private instructions behind Bing can be extracted merely by adversarial prompts. We have incorporated these additional discussions in Sec 3.

In Fig 2, we show the privacy leakage from the prompt. In response to your second question, we also add an empirical evaluation of MIA in Section B.2. We show the non-trivial privacy risks (77% AUC of MIA attack in the worst case) for sample membership when prompt tuning is used.

[1] Duan et al. On the Privacy Risk of In-context Learning. TrustNLP 2023.

[2] Wang et al. Decodingtrust: A comprehensive assessment of trustworthiness in gpt models. NeurIPS 2023

Q2.1: Evaluation on privacy leakage

A2.1: Thanks for the valuable comment. We compare the attack results of four methods that comply with data confidentiality using Vicuna-7b and discrete prompts below. We use the loss-based membership inference attack.

We also evaluate Likelihood Ratio MIA attack (Mireshghallah, 2022) using the initial instruction as a reference model.

We observe non-trivial AUCs for DLN-1 on Mpqa and SST-2. In comparison, both DP-OPT and OPT has very low AUC. OPT has slightly higher risks than DP-OPT when applied on the Trec dataset.

Q2.2: Presentations of prompt examples

Thanks for the suggestion! We have revised Fig 2 and 4!

Q3: Constraint in prompt generation

A3: Thanks for the great suggestion. We add discussion on the last section of Appendix where We tried the two recommended instructions in experiments: For DLN-1 and (DP-)OPT, we all append the privatization instruction to the instruction in the backward template. We test the instructions on SST-2 following the same setting in the main experiment and report the generated prompts in Table 10 in the Appendix.

Though vicuna-7b is instructed to keep data private, we still observe data breach in 2 out of 3 prompts for the first instruction. An example of a data breach is presented below. All the examples provided in the prompt can find exactly matched samples in the training set. Meanwhile, the prompt will present non-trivial risks (73% AUC) measured by Likelihood Ratio MIA attack.

Instruction: Classify the input text as positive or negative.   For example:    * real-life persona: positive  * \privdata{by a pack of dogs who are smarter than him} (by a pack of dogs who are smarter than him): negative  * candid, archly funny and deeply authentic: positive  * brian tufano 's handsome widescreen photography and paul grabowsky 's excellent music turn this fairly parochial melodrama into something really rather special . : positive

Interestingly, the second instruction only generates dummy examples that have no similar examples in the training set. However, the prompt will present non-trivial risks (69% AUC) measured by LiRa MIA attack.

In conclusion, though privatization instruction could remove private examples, it still suffers from information leakage. The method is orthogonal to our method that provides theoretical guarantees and can be combined with our DP-OPT to reduce the chance of explicit leakage.

We want to thank you again for the suggestion! If you have any additional comments, we will be more than happy to revise our manuscript accordingly!

Thanks for the valuable comments. Below we answer your questions one by one.

Q1: Related works [1,2,3,4] and comparison.

A1: Thank you for the question. These are very relevant papers on privatizing prompts. We have added discussion in our related work.

But we want to humbly argue that we have some differences to the referred papers in the definition of privacy. [1,2,4] considers Local Differential Privacy (LDP) or relaxed one, metric DP, which is a totally different definition/threat model compared to ours. In our work, we consider the threat model of Differential Privacy. We consider the information of a sample, that can be recognized in a dataset, as private. In contrast, LDP or metric DP considers the information that a sample is distinguished from another sample as private. We want to humbly mention that [4] was published after the submission deadline of ICLR.

Below we empirically compare our method (DP-OPT) to DLN-1 on privatized data [2]. We use Vicuna-7b to generate prompts and the same hyperparameters in Section 5.1. We show that our method can outperform [2] on sst2, trec, and mpqa significantly.

Q2: Evaluating trade-off by Membership inference attacks

A: Thanks for the suggestion. We use MIA as a privacy metric since their eps cannot be transformed to general DP. We also evaluate loss-based and Likelihood Ratio MIA attack (Mireshghallah, 2022) using the initial instruction as a reference model. However, we do not observe an obvious trade-off using MIA. For DP-OPT the MIA AUC is always around 50%.

Thank you for the detailed clarification! Accordingly, we updated our draft by enriching the implementation details in Appendix B.2. Our implementation follows exactly what you described.

The updated content is marked as blue in Appendix, and we also put the description here for your reference.

In Table 9, we compare our method to DLN-1 using sanitized data (Mattern, 2022), denoted as Private DLN-1. The implementation includes three steps: (1) First, the embedding of each token will be perturbed and projected into the original embedding space. This step can be extended to other sanitization methods like (Utpala, 2023, Feyisetan, 2020). (2) We use DLN-1 to tune prompts on these samples. DLN-1 is selected here due to its similarity to our method but can be replaced by other prompt-tuning algorithms in practice. (3) We use the generated prompts for inference.

We want to thank the reviewer again for the suggestion! If the reviewer has any additional comments, we will further revise our manuscript!

For better clarity, I am explicitly listing the procedure that uses text sanitization methods

1. Utilizing clean documents to generate sanitized text documents.
2. Employing non-private discrete prompt tuning on these already privatized documents. This should maintain privacy due to the composition rule, assuming the label is not compromising.
3. Applying the learned prompt at inference time.

Since the prompt is acquired from sanitized text documents, any potential data leakage would occur from paraphrases rather than the original content. I hope this clarifies better.