Privacy-Preserving Language Model Inference with Instance Obfuscation

Yixiang Yao, Fei Wang, Srivatsan Ravi, Muhao Chen

TL;DR

The paper tackles privacy risks in Language Models as a Service (LMaaS), focusing on protecting the model's decisions (decision privacy) during black-box inference. It introduces Instance-obfuscated Inference (IoI), a framework that combines instance obfuscation with a decision-resolution mechanism and leverages privacy-preserving representation generation (PPRG) to protect inputs, while enabling recovery of the true prediction locally via a decoding function. The authors formalize decision privacy, propose a practical encoding and decoding pipeline, and define metrics to quantify the privacy-utility trade-off. Experimental results on SST-2, SST-5, MRPC, and QNLI demonstrate that IoI can achieve strong decision privacy with competitive task performance and provide insights into obfuscator design, balancing, and PPRG compatibility, highlighting IoI’s potential for secure, black-box NLP inference.

Abstract

Language Models as a Service (LMaaS) offers convenient access for developers and researchers to perform inference using pre-trained language models. Nonetheless, the input data and the inference results containing private information are exposed as plaintext during the service call, leading to privacy issues. Recent studies have started tackling the privacy issue by transforming input data into privacy-preserving representations on the user end with techniques such as noise addition and content perturbation, while the exploration of inference result protection, namely decision privacy, is still a blank page. In order to maintain the black-box manner of LMaaS, conducting data privacy protection, especially for the decision, is a challenging task because the process has to be seamless to the models and accompanied by limited communication and computation overhead. We thus propose the Instance-Obfuscated Inference (IOI) method, which focuses on addressing the decision privacy issue of natural language understanding tasks in their complete life-cycle. Besides, we conduct comprehensive experiments to evaluate the performance as well as the privacy-protection strength of the proposed method on various benchmarking tasks.

Paper Structure (20 sections, 10 equations, 5 figures, 6 tables)

This paper contains 20 sections, 10 equations, 5 figures, 6 tables.

Figures (5)

  • Figure 1: A privacy adversary example with state-of-the-art privacy protection in LMaaS. Despite encoding the end user's input into privacy-preserving representations, the raw output representations or decisions are still in plaintext, making them vulnerable to attacks from both network channels and servers.
  • Figure 2: Privacy-preserving scenario comparison. (a) Training Privacy aims to protect the private training data. A typical privacy tool for this scenario is differential privacy. Inference Privacy includes (b) Input Privacy that prevents the raw input data from being revealed; and (c) Decision Privacy that protects the inference results. The vectors in orange are privacy-preserving, while the ones in gray are not.
  • Figure 3: The demonstration of the IoI workflow for decision privacy protection. If a user (bottom left) makes illness inquiries via a PLM-driven online diagnosis system, normally, the inference result will be returned in plain text. As the most basic example, in IoI, the raw text is concatenated with an obfuscator, which is also a text. Subsequently, the concatenated text and the obfuscator are encoded respectively by the privacy-preserving representation generation module, which ensures the produced embedding representation is privacy-preserving (irreversible and unique). Consequently, instead of receiving one "plaintext", the PLM receives two independent "ciphertexts" and makes inferences on them without knowing their correlation, raw text, and true decision. However, only the user is able to recover the true decision by leveraging the distribution of these two inferences. In practice, each input text is obfuscated by a group of obfuscators, and the requests from multiple inputs are sent to the PLM in arbitrary order.
  • Figure 4: Balancing with different group size (SST-5)
  • Figure 5: Length Expansion (SST-2)