R.R.: Unveiling LLM Training Privacy through Recollection and Ranking

TL;DR

This paper introduces R.R., a novel two-step attack that reconstructs personally identifiable information from scrubbed training data of LLMs, revealing privacy vulnerabilities despite data masking.

Contribution

The paper presents R.R., a new method combining recollection prompts and ranking criteria to effectively extract PII from masked training data, highlighting privacy risks.

Findings

R.R. outperforms baselines in PII identification accuracy

LLMs leak PII even with scrubbed training data

The attack demonstrates significant privacy vulnerabilities in LLMs

Abstract

Large Language Models (LLMs) pose significant privacy risks, potentially leaking training data due to implicit memorization. Existing privacy attacks primarily focus on membership inference attacks (MIAs) or data extraction attacks, but reconstructing specific personally identifiable information (PII) in LLMs' training data remains challenging. In this paper, we propose R.R. (Recollect and Rank), a novel two-step privacy stealing attack that enables attackers to reconstruct PII entities from scrubbed training data where the PII entities have been masked. In the first stage, we introduce a prompt paradigm named recollection, which instructs the LLM to repeat a masked text but fill in masks. Then we can use PII identifiers to extract recollected PII candidates. In the second stage, we design a new criterion to score each PII candidate and rank them. Motivated by membership inference, we leverage the reference model as a calibration to our criterion. Experiments across three popular PII datasets demonstrate that the R.R. achieves better PII identification performance than baselines. These results highlight the vulnerability of LLMs to PII leakage even when training data has been scrubbed. We release our code and datasets at GitHub.