KART: Parameterization of Privacy Leakage Scenarios from Pre-trained Language Models

Yuta Nakamura, Shouhei Hanaoka, Yukihiro Nomura, Naoto Hayashi, Osamu Abe, Shuntaro Yada, Shoko Wakamiya, Eiji Aramaki

TL;DR

The paper tackles the challenge of comparing privacy leakage risks across diverse real-world scenarios for pre-trained language models by introducing KART, a four-factor parameterization (Knowledge, Anonymization, Resource, Target). It demonstrates how KART can unify scenario descriptions, enabling portable risk assessments and cross-study comparisons, and provides an experimental demonstration using eight scenarios with BERT on clinical data to show how risk scales with scenario severity. The work outlines a pathway toward standardized privacy guidelines for model sharing, while acknowledging that no universal risk metric currently captures all leakage types. Overall, KART offers a practical framework for organizing and aggregating privacy-risk findings across past and future studies, with potential for meta-analytic synthesis and more consistent risk estimation under various attack methods.

Abstract

For the safe sharing of pre-trained language models, no guidelines exist at present owing to the difficulty in estimating the upper bound of the risk of privacy leakage. One problem is that previous studies have assessed the risk for different real-world privacy leakage scenarios and attack methods, which reduces the portability of the findings. To tackle this problem, we represent complex real-world privacy leakage scenarios under a universal parameterization, Knowledge, Anonymization, Resource, and Target (KART). KART parameterization has two merits: (i) it clarifies the definition of privacy leakage in each experiment and (ii) it improves the comparability of the findings of risk assessments. We show that previous studies can be simply reviewed by parameterizing the scenarios with KART. We also demonstrate privacy risk assessments in different scenarios under the same attack method, which suggests that KART helps approximate the upper bound of risk under a specific attack or scenario. We believe that KART helps integrate past and future findings on privacy risk and will contribute to a standard for sharing language models.

Paper Structure

This paper contains 26 sections, 3 figures, 6 tables.

Figures (3)

  • Figure 1: Scenario-aware privacy risk assessment using KART parameterization. Any privacy leakage experiment implicitly or explicitly assumes the scenario where an attacker who has prior knowledge about a target person attacks a pre-trained language model to obtain other personal target information. The attacker may also use auxiliary resources. The target information may or may not be in the pre-training data depending on the anonymization. Parameterizing the assumed scenario would improve the portability of the findings of the experiment.
  • Figure 2: Overview of the privacy leakage experiment. (a) The model provider publishes a BERT model. Its pre-training data is anonymized in the $A^{-}$ scenarios $(\mathcal{D}_{\mathrm{public}})$ but not in the $A^{+}$ scenarios $(\mathcal{D}_{\mathrm{private}})$. (b) The attacker aims to reveal name-disease pairs present in "full name mentions" in $\mathcal{D}_{\mathrm{private}}$. (c) Attack with NLG using the pre-trained BERT model. Different templates are used in the $K^{+}$ and $K^{-}$ scenarios. Predictions are refined differently when $\mathcal{D}_{\mathrm{public}}$ is available ($R^{+}$ scenarios) or unavailable ($R^{-}$ scenarios) to the attacker.
  • Figure 3: Risk comparison between anchor and weakened scenarios. All the primary factors of the weakened scenario are the same or less severe than those of the anchor scenario. The weakened scenario may result in a zero or positive privacy risk margin.
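
The anchor/weakened comparison of Figure 3, applied to the K, A and R factors of Figure 2, as an added example (not code from the paper). It assumes that "+" is the more severe level of each factor, that the eight scenarios are the K/A/R combinations with Target held fixed, and that the risk margin is the anchor's risk minus the weakened scenario's risk; the risk values are constructed.

```python
from itertools import product

# Assumption: the eight scenarios vary K, A and R; Target is held fixed.
FACTORS = ("K", "A", "R")


def scenarios():
    """All 2^3 = 8 scenarios as dicts, e.g. {'K': '+', 'A': '-', 'R': '+'}."""
    return [dict(zip(FACTORS, signs)) for signs in product("+-", repeat=len(FACTORS))]


def label(s):
    """Compact name such as 'K+A-R+'."""
    return "".join(f"{f}{s[f]}" for f in FACTORS)


def is_weakened(weak, anchor):
    """True if every factor of `weak` is the same or less severe than in `anchor`.
    Assumption: '+' is the more severe level of each factor."""
    no_factor_worse = all(not (weak[f] == "+" and anchor[f] == "-") for f in FACTORS)
    return weak != anchor and no_factor_worse


def comparable_pairs():
    """(anchor, weakened) label pairs; other pairs differ in opposite directions."""
    all_s = scenarios()
    return [(label(a), label(w)) for a in all_s for w in all_s if is_weakened(w, a)]


def risk_margins(risk):
    """Assumed definition: margin = risk(anchor) - risk(weakened)."""
    return {(a, w): risk[a] - risk[w] for a, w in comparable_pairs()}


def violations(risk):
    """Pairs with a negative margin: the weakened scenario measured riskier."""
    return sorted(pair for pair, m in risk_margins(risk).items() if m < 0)


# Constructed risk values (e.g. recovered name-disease pairs), not paper results.
SAMPLE_RISK = {
    "K+A+R+": 12, "K+A+R-": 9, "K+A-R+": 3, "K+A-R-": 2,
    "K-A+R+": 5,  "K-A+R-": 7, "K-A-R+": 1, "K-A-R-": 0,
}

if __name__ == "__main__":
    print(len(comparable_pairs()), "comparable (anchor, weakened) pairs")
    for anchor, weak in violations(SAMPLE_RISK):
        print(f"negative margin: {weak} measured riskier than anchor {anchor}")
```

Only 19 of the 56 ordered pairs of distinct scenarios are comparable this way; a negative margin on one of them marks a measurement that deserves a second look before the anchor's value is used as a bound for its weakened scenarios.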