Planting and Mitigating Memorized Content in Predictive-Text Language Models

TL;DR

This paper evaluates privacy-preserving techniques to prevent large language models from memorizing sensitive data, finding differential privacy effective but with trade-offs, while heuristic methods are largely ineffective.

Contribution

It provides a comparative analysis of heuristic and differential privacy methods for mitigating memorization in language models, highlighting differential privacy's reliability.

Findings

Heuristic mitigations are largely ineffective against memorization.

Differential privacy reliably prevents memorization.

Heuristic methods may make overly strong assumptions about sensitive data.

Abstract

Language models are widely deployed to provide automatic text completion services in user products. However, recent research has revealed that language models (especially large ones) bear considerable risk of memorizing private training data, which is then vulnerable to leakage and extraction by adversaries. In this study, we test the efficacy of a range of privacy-preserving techniques to mitigate unintended memorization of sensitive user text, while varying other factors such as model size and adversarial conditions. We test both "heuristic" mitigations (those without formal privacy guarantees) and Differentially Private training, which provides provable levels of privacy at the cost of some model performance. Our experiments show that (with the exception of L2 regularization), heuristic mitigations are largely ineffective in preventing memorization in our test suite, possibly because they make too strong of assumptions about the characteristics that define "sensitive" or "private" text. In contrast, Differential Privacy reliably prevents memorization in our experiments, despite its computational and model-performance costs.