Can LLMs get help from other LLMs without revealing private information?

Florian Hartmann, Duc-Hieu Tran, Peter Kairouz, Victor Cărbune, Blaise Aguera y Arcas

TL;DR

The paper addresses privacy risks in LLM cascades in which a local model with access to private data (the student) can query a remote teacher model. It proposes privacy-preserving cascade mechanisms that sanitize queries and leverage social learning via in-context learning (ICL), and introduces two metrics, entity leak and mapping leak, to assess leakage in the presence of auxiliary information. Three methods for privately generating teacher signals are evaluated, with grouping used to reduce leakage and cost; results show strong performance gains over baselines across GSM8k, intent/subj tasks, and translation, while maintaining favorable privacy profiles under realistic threat models. The work demonstrates that data minimization and ICL-driven guidance can enable effective, privacy-conscious collaboration between private-context models and powerful remote LLMs, with implications for on-device privacy-preserving AI deployments and safer cascade architectures.

Abstract

Cascades are a common type of machine learning systems in which a large, remote model can be queried if a local model is not able to accurately label a user's data by itself. Serving stacks for large language models (LLMs) increasingly use cascades due to their ability to preserve task performance while dramatically reducing inference costs. However, applying cascade systems in situations where the local model has access to sensitive data constitutes a significant privacy risk for users since such data could be forwarded to the remote model. In this work, we show the feasibility of applying cascade systems in such setups by equipping the local model with privacy-preserving techniques that reduce the risk of leaking private information when querying the remote model. To quantify information leakage in such setups, we introduce two privacy measures. We then propose a system that leverages the recently introduced social learning paradigm in which LLMs collaboratively learn from each other by exchanging natural language. Using this paradigm, we demonstrate on several datasets that our methods minimize the privacy loss while at the same time improving task performance compared to a non-cascade baseline.

Paper Structure (41 sections, 3 figures, 11 tables)

This paper contains 41 sections, 3 figures, 11 tables.

Figures (3)

  • Figure 1: The local model, the student, wants to label its private data. It can query a larger, remote model, the teacher, to get help. The student may not reveal private data to the teacher.
  • Figure 2: The three methods we consider. Steps 1 and 2 show actual student queries and teacher responses as generated in our experiments when using Gemini 1.0 Nano-2 as the student and Gemini 1.0 Ultra as the teacher. Note that each method generates increasingly specific queries about the student's problem.
  • Figure 3: For a given labeling budget $=$ expansion size $/$ group size, we show the accuracy reached. Grouping allows us to improve the $29.0\%$ accuracy reached through expansion size $=$ group size $= 1$ to an accuracy of $32.5\%$ all while just using $\frac{1}{8}$ of the budget. Furthermore, even for budgets above 1, we can well outperform the approach without grouping.