Beyond Memorization: Violating Privacy via Inference with Large Language Models

We thank the reviewer for their feedback and will respond to the raised questions below.

Q5.1: Further analysis into how recovery of different kinds of PII was correlated would have been appreciated.

We agree with the reviewer that such analysis can be very insightful. However even with our labeling efforts the resulting dataset is quite small and combined with varying attributes per users (as well as varying hardness levels and overall profiles) we did not feel confident to make such an analysis across attributes. We tried to explore a more ideal state version of this in our ACS experiments where significantly more data points are available and correlations can be observed in a more direct fashion. In particular we could study the correlation of other personal attributes with a target attribute in isolation for example how well “race” could be predicted from “location, income, work-class, and citizenship” alone. With the limited amount of data in PersonalReddit we cannot make such conclusions reliably.

Q5.2: Have you considered using LLMs to "rewrite" inputs in a privacy-preserving manner?

Again, we agree with the reviewer that this is a potentially exciting direction for future work that may address some of the shortcomings of traditional methods (as highlighted in the anonymization experiment). For the current study, we wanted to focus on the adversarial scenario, including the evaluation of currently existing defenses. As also pointed out by reviewer R-buQH, there is a potentially challenging trade-off between privacy and utility (re-writing parts of the input may change parts of the intended message) whose accurate reflection requires further study and that we did not feel confident to put into this submission. Independently, we agree with the reviewer that upcoming techniques, including LLMs, can improve defenses and better privacy protection.

As the interactive rebuttal window will close soon, we thank all reviewers again for all their helpful feedback. We believe we have addressed the reviewer's questions in our answer and are eager to continue the conversation in case of further questions.

We thank the reviewer for their feedback and will respond to the raised questions below.

Q4.1: The labeling procedure should include multiple labels for each profile. We agree with the reviewer that multiple labels for each profile are an optimal solution. At the same time, labeling the profiles is very expensive (as highlighted in the paper). Since then we have cross-labeled $\sim$25% of the dataset. From this, we found that labelers agree on >90% (222 of 246 attributes) of the labels that both reviewers reported a certainty of at least 3 (i.e., the setting used in the paper). Out of the non-aligned 24 examples, we found only 7 ($\sim$3%) with strong disagreement (e.g., no relation vs. in relation), while the rest were all either less precise ("Boston" vs. "Massachusetts") or very close within a neighboring category (e.g., "divorced" vs. "no relation"). Empirically, we found that such adjacent cases are commonly accounted for in LLMs' top-2 and top-3 accuracies. We added these results to the paper to improve the clarity on the issue. On the 222 labels where both reviewers agreed, GPT-4 has a Top-{1,2,3} accuracy of 92.7%, 98.1%, and 99.09%, respectively.

We also thank the reviewer for spotting an issue in the synthetically created sample. We introduced this error while writing some synthetic examples by hand, and it has been carried forward. We have corrected this in the updated version of the submission.

Q4.2: How did we get the cost and time estimates of 100x and 240x respectively.

We refer to our answer of CQ1 in the common section. In particular, we compare the estimated time it would take a single human labeler to go through PersonalReddit (as measured by the time it took us) and compare it with the realized runtime of our inference script using GPT-4. From this, we also derive the cost savings by assuming an hourly labeling wage of 20 USD. Since our study, OpenAI both increased rate limitations by 2x and decreased cost on newer versions of GPT-4 by roughly 3x, which in practice would favor LLMs even more.

As the interactive rebuttal window will close soon, we thank all reviewers again for all their helpful feedback. We believe we have addressed the reviewer's questions in our answer and are eager to continue the conversation in case of further questions.

We thank the reviewer for their feedback and will respond to the raised questions below.

Q3.1: Can you clarify the creation of the synthetic examples?

Certainly, while we refer to our answer to CQ2 in the common section for a more detailed description, we will briefly summarize it here. In particular, we created over 1000 single-round conversations (across all hardness levels), each consisting of one question to set a random topic and one answer. Both the question and the answer were generated by separate LLM instances grounded in PersonalReddit examples whenever possible. We note that we had a separate grounding for each combination of attribute and hardness (40 in total) for each LLM. We then manually reviewed the answers given as to whether they revealed the respective attribute at the targeted hardness level, adjusting hardness levels or completely removing examples accordingly.

Q3.2: What are the chances that the ACS dataset has been memorized in the ablation experiment?

Memorization is hard to evaluate, and it is certainly possible that traces of the ACS dataset have been part of the training data. However, following recent literature [1] on memorization, we do not believe that our examples were memorized as (1) We did not use the representation in which ACS is commonly available on the internet (instead transforming it into new textual prompts) and (2) it being unlikely that the ACS was in the training data a large number of times. Further, we inspected several of the inferences and their corresponding reasonings made by the model, ensuring that they are sensible and self-contained. That said, the model has to have seen census data to make such inferences. However, this should not be categorized as (verbatim) memorization but rather as knowledge available to the model.

Q3.3: How does memorization impact the inference results presented in this paper? What is the subreddit prediction performance

Similar to the previous question, we believe (and tested following the Sota benchmark format) that no memorization occurred as part of the inferences. We further inspected many of the LLM inferences manually and can attest them to be reasonable and self-contained. We note that subreddit prediction is a problematic measurement of memorization as comments can contain phrases, e.g., “Ugh, I hate people here in r/relationships sometimes, you all …”, or specific topics (e.g., finances in /r/personalfinance) that enable direct inferences without memorization. Some works even directly treat the subreddit as a (supervised) prediction target for accuracy measurements [2, 3].

Q3.4: Do you release the prediction performance on the synthetic examples?

Yes, we release the predictions of GPT-4 (the strongest baseline) for all our synthetic examples alongside our code, and we additionally report the overall accuracy and the per-hardness accuracy in App. F.

Q3.5: What is the baseline in Fig.25?

As given in the text, the baseline is a naive majority class baseline classifier that directly predicts the majority for each respective attribute (over the entire training data). We have improved the writing in this section, making this point clearer.

[1] Carlini, Nicholas, et al. "Quantifying memorization across neural language models." arXiv preprint arXiv:2202.07646 (2022).

[2] Shejwalkar, Virat, et al. "Membership inference attacks against nlp classification models." NeurIPS 2021 Workshop Privacy in Machine Learning. 2021.

[3] Giel, Andrew, Jonathan NeCamp, and Hussain Kader. "CS 229: r/Classifier-Subreddit Text Classification." (2015).

We thank the reviewer for their feedback and will respond to the raised questions below.

Q2.1: Can you explain your choice of metrics / experiment design better? Why did you use accuracy for age?

Certainly, and we also improved the respective section in the paper. In particular, we did not use MSE for our age prediction experiments as we required a metric that (1) allowed both concrete ages and age ranges (and combinations) as inputs and (2) could be aggregated with our other metrics. A common choice in prior works, including privacy [1] and age estimation [2,3], is to evaluate accuracy based on a thresholding criterion. This was also done in, e.g., past PAN competitions [4], where age prediction accuracy was computed on discrete target ranges. We agree with the reviewer that these choices need to be made more explicit in the paper, which we have accounted for in our updated version uploaded alongside this rebuttal answer.

Q2.2: Did you have ethical considerations before publishing the work?

Yes, hence our decision not to publish any annotated profiles (and only release synthetic examples). We also proactively contacted all major LLM providers in the study to inform them of potential risks (and offering active conversations) before making any draft of our manuscript public. Concerning the dataset itself, we want to note that we only used public comments that are already available in a pre-existing dataset on HuggingFace (in particular, we did not scrape them). The used dataset [5] and (contained) Reddit comments have been extensively used in prior research [6,7,8,9,10]. Given these precautions and our decision not to disclose our annotations, we determined that an IRB review was not necessary. Overall, we share the reviewer's intuition on the ethical and privacy concerns of our findings, which we believe to have addressed to the maximum extent within our means. We also believe that one of the most important contributions we as privacy researchers can make is revealing such vulnerabilities, which ultimately allows for patching them, prohibiting malicious actors from silently exploiting vulnerabilities.

Q2.3: Which steps were taken to ensure the quality of the synthetic examples?

We refer to our answer of CQ2 in the common section. In particular, all synthetic examples were manually inspected by the same human labelers as the PersonalReddit dataset to ensure that hardness levels across attributes are aligned with what has been observed there. This also included re-adjusting hardness scores or completely removing individual samples.

[1] Mark Vero, Mislav Balunović, Dimitar I. Dimitrov, Martin Vechev: “TabLeak: Tabular Data Leakage in Federated Learning”, 2022; arXiv:2210.01785.

[2] Morgan-Lopez AA, Kim AE, Chew RF, Ruddle P (2017) Predicting age groups of Twitter users based on language and metadata features. PLOS ONE 12(8): e0183537. https://doi.org/10.1371/journal.pone.0183537

[3] Levi, Gil, and Tal Hassner. "Age and gender classification using convolutional neural networks." Proceedings of the IEEE conference on computer vision and pattern recognition workshops. 2015.

[4] Rosso, Paolo, et al. "Overview of PAN’16: new challenges for authorship analysis: cross-genre profiling, clustering, diarization, and obfuscation." Experimental IR Meets Multilinguality, Multimodality, and Interaction: 7th International Conference of the CLEF Association, CLEF 2016, Évora, Portugal, September 5-8, 2016, Proceedings 7. Springer International Publishing, 2016.

[5] Baumgartner, Jason, et al. "The pushshift reddit dataset." Proceedings of the international AAAI conference on web and social media. Vol. 14. 2020.

[6] Medvedev, Alexey N., Renaud Lambiotte, and Jean-Charles Delvenne. "The anatomy of Reddit: An overview of academic research." Dynamics On and Of Complex Networks III: Machine Learning and Statistical Physics Approaches 10 (2019): 183-204.

[7] Finlay, S. Craig. "Age and gender in Reddit commenting and success." (2014).

[8] Hada, Rishav, et al. "Ruddit: Norms of offensiveness for English Reddit comments." arXiv preprint arXiv:2106.05664 (2021).

[9] Turcan, Elsbeth, and Kathleen McKeown. "Dreaddit: A reddit dataset for stress analysis in social media." arXiv preprint arXiv:1911.00133 (2019).

[10] Proferes, Nicholas, et al. "Studying reddit: A systematic overview of disciplines, approaches, methods, and ethics." Social Media+ Society 7.2 (2021): 20563051211019004.

As the interactive rebuttal window will close soon, we thank all reviewers again for all their helpful feedback. We believe we have addressed the reviewer's questions in our answer and are eager to continue the conversation in case of further questions. We kindly request the reviewers to consider adjusting their score to reflect the improvements and clarifications made in response to their input.

We thank the reviewer for their feedback and will respond to the raised questions below.

Q1.1: What are potential follow-up works in this area?

After this initial study, we see several promising directions for future research. From the adversarial perspective, how such attacks could be made stronger (e.g., via RAG, fine-tuning, etc.) or translated to new modalities (especially with the rise of multi-modal models) such as images. At the same time, our discussions with model providers have shown us that this issue is taken seriously in the industry, fueling the need for better defenses (both from the provider and user side). This is a challenging topic as such inferences commonly cannot be as easily quantified as, e.g., the generation of toxic comments. Nevertheless, we got feedback that specific alignments against such inferences are planned for newer generations of these models. Additionally, improving user-side defenses, such as anonymization, or developing other mitigation methods is also a promising and worthwhile research direction to pursue. Overall, the ground for all these directions is the awareness that such inferences are possible, and we believe our paper makes a valuable contribution in this regard.

Q1.2: How could a potential cross-referencing attack work in practice?

We agree with the reviewer that such attacks require additional effort. At the same time, it needs to be said that especially with open access to US voter records, there are many instances where having access to city, age, and ethnicity is sufficient to uniquely identify an individual in such freely available databases (e.g., voterrecords.com) and only a limited amount of additional effort is required. Further, LLM inferences could be applied in cases where partial knowledge of these attributes is available (e.g., IP, mail addresses shared with a bot provider or even records that are part of large breaches [1,2,3]), and these could be linked with attributes (e.g., mental health status) extracted from conversations/posts.

Q1.3: Aren’t coercion attacks reasonably easy to thwart with prompt injections that reveal the system-prompt?

First, we agree with the reviewer that a vigilant security-aware user could (at the current state of LLMs) likely extract the system prompt. At the same time, we have to be aware that a large majority of chatbot users do not possess the knowledge nor the skills necessary to regularly check whether the chatbot they are currently interacting with contains an adversarial system prompt (especially when the bot is instructed not to reveal it). This danger increases with the proliferation of chatbots (character.ai alone has over 16 [4] million chatbots) and the ever-increasing number of people (100 Mio monthly users of OpenAI) using them in various aspects of life.

As the interactive rebuttal window will close soon, we thank all reviewers again for all their helpful feedback. We believe we have addressed the reviewer's questions in our answer and are eager to continue the conversation in case of further questions. We kindly request the reviewers to consider adjusting their score to reflect the improvements and clarifications made in response to their input.

CQ2: How were the synthetic samples created and how did we ensure their quality?

The overall framework for the synthetic example creation builds on the malicious chatbot scenario. Concretely, we created investigator bots (IBs) and user bots (UBs), and allowed the investigator bot to ask a single question which was answered by the user bot. Here, the answer of the user bot constitutes the synthetic example. In more detail, we took the following steps (outlined in App. F): First, we created 40 system prompts for both our IB and UB, each corresponding to one of the 8 attributes and 5 hardness levels. Whenever available, these system prompts are grounded in real-world examples from PersonalReddit. Otherwise, they were manually crafted to reflect the hardness levels observed (we show the template in App. H). To mimic users, we first generated 40 user profile dictionaries using GPT-4 with the same specified attributes as the ones examined in PR, and then used these dictionaries to create a free-text user description system prompt for the user bot to elucidate a behavior appropriate for the given attributes. We then generated over 1000 single-round conversations (across all hardness levels), each consisting of one question by the IB to set a random topic and the answer by the UB (protecting a specific attribute at a given hardness level). To ensure that the hardness ratings are well aligned with our PersonalReddit observations, we manually reviewed all UB responses, adjusting hardness scores (or removing examples completely). We then tested GPT-4 (the most capable model in prior experiments) on the synthetic examples, reporting the numbers in App. F. The goal of the synthetic examples is not to be a drop-in replacement synthetic dataset for PersonalReddit (measuring the quality of synthetic text datasets is significantly less clear [2][3] than on, e.g., tabular data) but to give the community a set of examples that are qualitatively aligned across hardness levels and attributes with what (the same) human labelers have seen in the PersonalReddit.

[2] Hämäläinen, Perttu, Mikke Tavast, and Anton Kunnari. "Evaluating large language models in generating synthetic hci research data: a case study." Proceedings of the 2023 CHI Conference on Human Factors in Computing Systems. 2023.

[3] Liu, Chia-Wei, et al. "How not to evaluate your dialogue system: An empirical study of unsupervised evaluation metrics for dialogue response generation." arXiv preprint arXiv:1603.08023 (2016).