What Does it Mean for a Language Model to Preserve Privacy?

Natural language reflects our private lives and identities, making its privacy concerns as broad as those of real life. Language models lack the ability to understand the context and sensitivity of text, and tend to memorize phrases present in their training sets. An adversary can exploit this tendency to extract training data. Depending on the nature of the content and the context in which this data was collected, this could violate expectations of privacy. Thus, there is a growing interest in techniques for training language models that preserve privacy. In this paper, we discuss the mismatch between the narrow assumptions made by popular data protection techniques (data sanitization and differential privacy), and the broadness of natural language and of privacy as a social norm. We argue that existing protection methods cannot guarantee a generic and meaningful notion of privacy for language models. We conclude that language models should be trained on text data which was explicitly produced for public use.

[1]  Po-Sen Huang,et al.  Ethical and social risks of harm from Language Models , 2021, ArXiv.

[2]  Po-Sen Huang,et al.  Scaling Language Models: Methods, Analysis & Insights from Training Gopher , 2021, ArXiv.

[3]  Huseyin A. Inan,et al.  Differentially Private Fine-tuning of Language Models , 2021, ICLR.

[4]  Joonhwan Lee,et al.  Trkic G00gle: Why and How Users Game Translation Algorithms , 2021, Proc. ACM Hum. Comput. Interact..

[5]  Tatsunori B. Hashimoto,et al.  Large Language Models Can Be Strong Differentially Private Learners , 2021, ICLR.

[6]  R. Jia,et al.  Selective Differential Privacy for Language Modeling , 2021, NAACL.

[7]  Badih Ghazi,et al.  Large-Scale Differentially Private BERT , 2021, EMNLP.

[8]  Nicholas Carlini,et al.  Deduplicating Training Data Makes Language Models Better , 2021, ACL.

[9]  Wojciech Zaremba,et al.  Evaluating Large Language Models Trained on Code , 2021, ArXiv.

[10]  Melissa Chase,et al.  Membership Inference on Word Embedding and Beyond , 2021, ArXiv.

[11]  Zhiyuan Liu,et al.  Pre-Trained Models: Past, Present and Future , 2021, AI Open.

[12]  Francoise Beaufays,et al.  Understanding Unintended Memorization in Language Models Under Federated Learning , 2021, PRIVATENLP.

[13]  Diyi Yang,et al.  The Importance of Modeling Social Factors of Language: Theory and Practice , 2021, NAACL.

[14]  Dan Klein,et al.  Are Larger Pretrained Language Models Uniformly Better? Comparing Performance at the Instance Level , 2021, FINDINGS.

[15]  Yingnian Tao Who should apologise: Expressing criticism of public figures on Chinese social media in times of COVID-19 , 2021 .

[16]  Byron C. Wallace,et al.  Does BERT Pretrained on Clinical Notes Reveal Sensitive Data? , 2021, NAACL.

[17]  Stella Biderman,et al.  GPT-Neo: Large Scale Autoregressive Language Modeling with Mesh-Tensorflow , 2021 .

[18]  Emily M. Bender,et al.  On the Dangers of Stochastic Parrots: Can Language Models Be Too Big? 🦜 , 2021, FAccT.

[19]  Alex Kulesza,et al.  Learning with User-Level Privacy , 2021, NeurIPS.

[20]  R. Shokri,et al.  Differential Privacy Dynamics of Langevin Diffusion and Noisy Gradient Descent , 2021, NeurIPS.

[21]  Milad Nasr,et al.  Adversary Instantiation: Lower Bounds for Differentially Private Machine Learning , 2021, 2021 IEEE Symposium on Security and Privacy (SP).

[22]  Colin Raffel,et al.  Extracting Training Data from Large Language Models , 2020, USENIX Security Symposium.

[23]  Margaret Goss Temporal News Frames and Judgment: The Hillary Clinton Email Scandal , 2020 .

[24]  Harsh Jhamtani,et al.  Like Hiking? You Probably Enjoy Nature: Persona-grounded Dialog with Commonsense Expansions , 2020, EMNLP.

[25]  H. Brendan McMahan,et al.  Training Production Language Models without Memorizing User Data , 2020, ArXiv.

[26]  Zenglin Xu,et al.  Improving Contextual Language Models for Response Retrieval in Multi-Turn Conversation , 2020, SIGIR.

[27]  Reza Shokri,et al.  ML Privacy Meter: Aiding Regulatory Compliance by Quantifying the Privacy Risks of Machine Learning , 2020, ArXiv.

[28]  Mark Chen,et al.  Language Models are Few-Shot Learners , 2020, NeurIPS.

[29]  Sabine Trepte The Social Media Privacy Model: Privacy and Communication in the Light of Social Media Affordances , 2020 .

[30]  Adam S. Miner,et al.  Chatbots in the fight against the COVID-19 pandemic , 2020, npj Digital Medicine.

[31]  A. Butte,et al.  Protected Health Information filter (Philter): accurately and securely de-identifying free-text clinical notes , 2020, npj Digital Medicine.

[32]  Congzheng Song,et al.  Information Leakage in Embedding Models , 2020, CCS.

[33]  Shrey Desai,et al.  Calibration of Pre-trained Transformers , 2020, EMNLP.

[34]  Farah Magrabi,et al.  Responses of Conversational Agents to Health and Lifestyle Prompts: Investigation of Appropriateness and Presentation Structures , 2020, Journal of medical Internet research.

[35]  J. Ayers,et al.  Responses to addiction help-seeking from Alexa, Siri, Google Assistant, Cortana, and Bixby intelligent virtual assistants , 2020, npj Digital Medicine.

[36]  Alec Radford,et al.  Scaling Laws for Neural Language Models , 2020, ArXiv.

[37]  Rizwan Ahmed Khan,et al.  Handwritten Optical Character Recognition (OCR): A Comprehensive Systematic Literature Review (SLR) , 2020, IEEE Access.

[38]  Santiago Zanella Béguelin,et al.  Analyzing Information Leakage of Updates to Natural Language Models , 2019, CCS.

[39]  Dinesh Kumar Vishwakarma,et al.  Sentiment analysis using deep learning architectures: a review , 2019, Artificial Intelligence Review.

[40]  Omer Levy,et al.  Generalization through Memorization: Nearest Neighbor Language Models , 2019, ICLR.

[41]  Colin Raffel,et al.  Exploring the Limits of Transfer Learning with a Unified Text-to-Text Transformer , 2019, J. Mach. Learn. Res..

[42]  Omer Levy,et al.  RoBERTa: A Robustly Optimized BERT Pretraining Approach , 2019, ArXiv.

[43]  Vitaly Feldman,et al.  Does learning require memorization? a short tale about a long tail , 2019, STOC.

[44]  Andrew M. Dai,et al.  Gmail Smart Compose: Real-Time Assisted Writing , 2019, KDD.

[45]  Ryan Shandler,et al.  The age of surveillance capitalism: the fight for a human future at the new frontier of power , 2019, Journal of Cyber Policy.

[46]  Quoc V. Le,et al.  SpecAugment: A Simple Data Augmentation Method for Automatic Speech Recognition , 2019, INTERSPEECH.

[47]  Yang Zhang,et al.  Updates-Leak: Data Set Inference and Reconstruction Attacks in Online Learning , 2019, USENIX Security Symposium.

[48]  Simson L. Garfinkel,et al.  Understanding database reconstruction attacks on public data , 2019, Commun. ACM.

[49]  Shoshana Zuboff The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power , 2019 .

[50]  Amir Houmansadr,et al.  Comprehensive Privacy Analysis of Deep Learning: Passive and Active White-box Inference Attacks against Centralized and Federated Learning , 2018, 2019 IEEE Symposium on Security and Privacy (SP).

[51]  R. Henson,et al.  Knowledge Is Power: Prior Knowledge Aids Memory for Both Congruent and Incongruent Events, but in Different Ways , 2018, Journal of experimental psychology. General.

[52]  Vitaly Shmatikov,et al.  The Natural Auditor: How To Tell If Someone Used Your Words To Train Their Model , 2018, ArXiv.

[53]  Olivier Ferret,et al.  Evaluation of a Sequence Tagging Tool for Biomedical Texts , 2018, Louhi@EMNLP.

[54]  Mario Fritz,et al.  ML-Leaks: Model and Data Independent Membership Inference Attacks and Defenses on Machine Learning Models , 2018, NDSS.

[55]  Verena Rieser,et al.  #MeToo Alexa: How Conversational Systems Respond to Sexual Harassment , 2018, EthNLP@NAACL-HLT.

[56]  Úlfar Erlingsson,et al.  The Secret Sharer: Evaluating and Testing Unintended Memorization in Neural Networks , 2018, USENIX Security Symposium.

[57]  Carl A. Gunter,et al.  Towards Measuring Membership Privacy , 2017, ArXiv.

[58]  Peter Henderson,et al.  Ethical Challenges in Data-Driven Dialogue Systems , 2017, AIES.

[59]  Li Zhang,et al.  Learning Differentially Private Language Models Without Losing Accuracy , 2017, ArXiv.

[60]  Lukasz Kaiser,et al.  Attention is All you Need , 2017, NIPS.

[61]  Vitaly Shmatikov,et al.  Membership Inference Attacks Against Machine Learning Models , 2016, 2017 IEEE Symposium on Security and Privacy (SP).

[62]  Philipp Koehn,et al.  Proceedings of the 54th Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers) , 2016 .

[63]  Ian Goodfellow,et al.  Deep Learning with Differential Privacy , 2016, CCS.

[64]  Franck Dernoncourt,et al.  De-identification of patient notes with recurrent neural networks , 2016, J. Am. Medical Informatics Assoc..

[65]  Peter Szolovits,et al.  MIMIC-III, a freely accessible critical care database , 2016, Scientific Data.

[66]  Jianfeng Gao,et al.  A Persona-Based Neural Conversation Model , 2016, ACL.

[67]  Christopher Potts,et al.  A large annotated corpus for learning natural language inference , 2015, EMNLP.

[68]  Dan Klein,et al.  Neural CRF Parsing , 2015, ACL.

[69]  Eric Gilbert,et al.  Algorithmically Bypassing Censorship on Sina Weibo with Nondeterministic Homophone Substitutions , 2015, ICWSM.

[70]  Danah Boyd,et al.  Networked privacy: How teenagers negotiate context in social media , 2014, New Media Soc..

[71]  David L. Sayers The mediated innovation model: a framework for researching media influence in language change , 2014 .

[72]  Brendan T. O'Connor,et al.  Diffusion of Lexical Change in Social Media , 2012, PloS one.

[73]  Cynthia Dwork,et al.  The Promise of Differential Privacy: A Tutorial on Algorithmic Techniques , 2011, 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science.

[74]  Anand D. Sarwate,et al.  Differentially Private Empirical Risk Minimization , 2009, J. Mach. Learn. Res..

[75]  Vitaly Shmatikov,et al.  Robust De-anonymization of Large Sparse Datasets , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[76]  Cynthia Dwork,et al.  Differential Privacy: A Survey of Results , 2008, TAMC.

[77]  Michael Roe,et al.  Scanning electronic documents for personally identifiable information , 2006, WPES '06.

[78]  Cynthia Dwork,et al.  Calibrating Noise to Sensitivity in Private Data Analysis , 2006, TCC.

[79]  Yiming Yang,et al.  The Enron Corpus: A New Dataset for Email Classi(cid:12)cation Research , 2004 .

[80]  Paul Dourish,et al.  What we talk about when we talk about context , 2004, Personal and Ubiquitous Computing.

[81]  Bohn Stafleu van Loghum,et al.  Online … , 2002, LOG IN.

[82]  Trevor Darrell,et al.  Privacy in Context , 2001, Hum. Comput. Interact..

[83]  Ronan Le Bras,et al.  Delphi: Towards Machine Ethics and Norms , 2021, ArXiv.

[84]  David Sánchez,et al.  Anonymisation Models for Text Data: State of the art, Challenges and Future Directions , 2021, ACL.

[85]  Yossi Matias,et al.  Learning and Evaluating a Differentially Private Pre-trained Language Model , 2021, PRIVATENLP.

[86]  Maarten Sap,et al.  Documenting the English Colossal Clean Crawled Corpus , 2021, ArXiv.

[87]  Huseyin A. Inan,et al.  Membership Inference Attacks Against NLP Classification Models , 2021 .

[88]  Ming-Wei Chang,et al.  BERT: Pre-training of Deep Bidirectional Transformers for Language Understanding , 2019, NAACL.

[89]  C. Newman,et al.  Shitty Media Men , 2019, #MeToo and the Politics of Social Change.

[90]  Ilya Sutskever,et al.  Language Models are Unsupervised Multitask Learners , 2019 .

[91]  Ines Gloeckner,et al.  Relevance Communication And Cognition , 2016 .

[92]  Rahul Jain,et al.  Theory and Applications of Models of Computation , 2012, Lecture Notes in Computer Science.

[93]  Daniel J. Solove A Taxonomy of Privacy , 2006 .

[94]  Siobhan Chapman Logic and Conversation , 2005 .

[95]  M. González Politeness: some universals in language usage , 1995 .

[96]  Penelope Brown,et al.  Politeness: Some Universals in Language Usage , 1989 .