Privacy-Preserving Adversarial Representation Learning in ASR: Reality or Illusion?

TL;DR

This paper investigates whether adversarial training can effectively anonymize speaker identity in speech representations for ASR, finding that while it reduces closed-set recognition accuracy, it does not significantly improve open-set speaker privacy.

Contribution

The study evaluates the effectiveness of adversarial training for speaker anonymization in ASR and highlights its limitations in real-world privacy protection.

Findings

Adversarial training reduces closed-set speaker classification accuracy.

Open-set speaker verification error does not significantly increase.

Standard representations still carry substantial speaker information.

Abstract

Automatic speech recognition (ASR) is a key technology in many services and applications. This typically requires user devices to send their speech data to the cloud for ASR decoding. As the speech signal carries a lot of information about the speaker, this raises serious privacy concerns. As a solution, an encoder may reside on each user device which performs local computations to anonymize the representation. In this paper, we focus on the protection of speaker identity and study the extent to which users can be recognized based on the encoded representation of their speech as obtained by a deep encoder-decoder architecture trained for ASR. Through speaker identification and verification experiments on the Librispeech corpus with open and closed sets of speakers, we show that the representations obtained from a standard architecture still carry a lot of information about speaker identity. We then propose to use adversarial training to learn representations that perform well in ASR while hiding speaker identity. Our results demonstrate that adversarial training dramatically reduces the closed-set classification accuracy, but this does not translate into increased open-set verification error hence into increased protection of the speaker identity in practice. We suggest several possible reasons behind this negative result.