Table of Contents
Fetching ...

Inference Attacks for X-Vector Speaker Anonymization

Luke Bauer, Wenxuan Bao, Malvika Jadhav, Vincent Bindschaedler

TL;DR

This paper studies the privacy-utility tradeoff in x-vector speaker anonymization and introduces a simple, ML-free inference attack that exploits how pseudo x-vectors are constructed from a public pool. The attack, which simulates the anonymization process for candidate speakers and compares resulting x-vectors, outperforms ML-based attacks and runs with lower computational cost. Experimental results on the VoicePrivacy framework reveal near-perfect de-anonymization under several settings and reveal leakage from prosodic features, challenging the perceived privacy of current anonymization schemes. The work highlights the need to tailor privacy evaluations to the specific anonymization mechanism and suggests future directions exploring invertibility and user-centered utility analyses.

Abstract

We revisit the privacy-utility tradeoff of x-vector speaker anonymization. Existing approaches quantify privacy through training complex speaker verification or identification models that are later used as attacks. Instead, we propose a novel inference attack for de-anonymization. Our attack is simple and ML-free yet we show experimentally that it outperforms existing approaches.

Inference Attacks for X-Vector Speaker Anonymization

TL;DR

This paper studies the privacy-utility tradeoff in x-vector speaker anonymization and introduces a simple, ML-free inference attack that exploits how pseudo x-vectors are constructed from a public pool. The attack, which simulates the anonymization process for candidate speakers and compares resulting x-vectors, outperforms ML-based attacks and runs with lower computational cost. Experimental results on the VoicePrivacy framework reveal near-perfect de-anonymization under several settings and reveal leakage from prosodic features, challenging the perceived privacy of current anonymization schemes. The work highlights the need to tailor privacy evaluations to the specific anonymization mechanism and suggests future directions exploring invertibility and user-centered utility analyses.

Abstract

We revisit the privacy-utility tradeoff of x-vector speaker anonymization. Existing approaches quantify privacy through training complex speaker verification or identification models that are later used as attacks. Instead, we propose a novel inference attack for de-anonymization. Our attack is simple and ML-free yet we show experimentally that it outperforms existing approaches.
Paper Structure (21 sections, 4 figures, 4 tables, 1 algorithm)

This paper contains 21 sections, 4 figures, 4 tables, 1 algorithm.

Figures (4)

  • Figure 1: Model architecture for x-vector speaker anonymization.
  • Figure 2: Illustration of our proposed attack. The target speaker, $s$, has released anonymized audio that the adversary is attempting to identify. The adversary has a set of potential speakers, $S'$ and they believe the speaker is a part of it. They anonymize audio from these potential speakers. Finally, they extract an x-vectors from the target anonymized audio $x$ and from the set of anonymized audio they just generated $X'$. The speaker in $S'$ whose x-vector most closely matches $x$ is the speaker of the target audio.
  • Figure 3: Attack accuracy for different pseudo x-vector construction methods under the Different adversary knowledge level. All construction methods, except for random, perform much better than random guessing. As the adversary's pool size increases, the attack accuracy decreases before leveling out around a pool of size 20.
  • Figure 4: ROC curves for identifying if a speaker is within the potential target pool when anonymized using different pseudo x-vector construction methods. All results shown are under the Different adversary knowledge level. AUC is far above random guessing for all. Not shown is the Same adversary knowledge level, which has AUC=1 for all pseudo x-vector construction methods, except Random Single, which is still above random guessing.