When differential privacy meets NLP: The devil is in the detail

TL;DR

This paper critically analyzes ADePT, a differentially private text auto-encoder, revealing it does not meet differential privacy standards despite promising results, emphasizing the need for rigorous formal guarantees in NLP privacy applications.

Contribution

It provides a formal analysis showing ADePT's privacy guarantees are invalid, highlighting the importance of thorough scrutiny of privacy claims in NLP models.

Findings

ADePT is not truly differentially private.

The true sensitivity of ADePT's mechanism is at least six times higher.

Up to 100% of utterances could be unprivatized in practice.

Abstract

Differential privacy provides a formal approach to privacy of individuals. Applications of differential privacy in various scenarios, such as protecting users' original utterances, must satisfy certain mathematical properties. Our contribution is a formal analysis of ADePT, a differentially private auto-encoder for text rewriting (Krishna et al, 2021). ADePT achieves promising results on downstream tasks while providing tight privacy guarantees. Our proof reveals that ADePT is not differentially private, thus rendering the experimental results unsubstantiated. We also quantify the impact of the error in its private mechanism, showing that the true sensitivity is higher by at least factor 6 in an optimistic case of a very small encoder's dimension and that the amount of utterances that are not privatized could easily reach 100% of the entire dataset. Our intention is neither to criticize the authors, nor the peer-reviewing process, but rather point out that if differential privacy applications in NLP rely on formal guarantees, these should be outlined in full and put under detailed scrutiny.