Stronger Re-identification Attacks through Reasoning and Aggregation

Lucas Georges Gabriel Charpentier, Pierre Lison

TL;DR

This work examines how to make re-identification attacks against de-identified text stronger by (i) aggregating predictions across multiple re-identification orders and (ii) leveraging reasoning-enabled LLMs. It introduces a two-stage re-identification model (retrieval of background knowledge followed by infilling) and analyzes four orderings (Top-down, Bottom-up, Random, Entropy-based) with aggregation via weighted voting. Experiments on the TAB dataset with varying background knowledge show that while order alone has limited impact, aggregation improves accuracy, and reasoning-based infilling yields substantial gains, particularly under rich background knowledge. The findings inform robust evaluation and red-teaming of de-identification systems, highlighting both the potential attack strength and the need for careful defense strategies in privacy-sensitive domains.

Abstract

Text de-identification techniques are often used to mask personally identifiable information (PII) from documents. Their ability to conceal the identity of the individuals mentioned in a text is, however, hard to measure. Recent work has shown how the robustness of de-identification methods could be assessed by attempting the reverse process of _re-identification_, based on an automated adversary using its background knowledge to uncover the PIIs that have been masked. This paper presents two complementary strategies to build stronger re-identification attacks. We first show that (1) the _order_ in which the PII spans are re-identified matters, and that aggregating predictions across multiple orderings leads to improved results. We also find that (2) reasoning models can boost the re-identification performance, especially when the adversary is assumed to have access to extensive background knowledge.

Paper Structure

This paper contains 31 sections, 2 equations, 1 figure, 6 tables.

Figures (1)

  • Figure 1: The three questions explored in this paper.