The Canary's Echo: Auditing Privacy Risks of LLM-Generated Synthetic Text

TL;DR

This paper investigates privacy risks in synthetic data generated by LLMs, demonstrating that such data can leak training information and proposing improved membership inference attacks to better assess these risks.

Contribution

It introduces novel canary design strategies that improve the effectiveness of membership inference attacks on synthetic data from LLMs.

Findings

Synthetic data leaks training data information.

Canaries with in-distribution prefixes and high-perplexity suffixes improve attack success.

Enhanced MIAs better reveal privacy risks of LLM-generated synthetic data.

Abstract

How much information about training samples can be leaked through synthetic data generated by Large Language Models (LLMs)? Overlooking the subtleties of information flow in synthetic data generation pipelines can lead to a false sense of privacy. In this paper, we assume an adversary has access to some synthetic data generated by a LLM. We design membership inference attacks (MIAs) that target the training data used to fine-tune the LLM that is then used to synthesize data. The significant performance of our MIA shows that synthetic data leak information about the training data. Further, we find that canaries crafted for model-based MIAs are sub-optimal for privacy auditing when only synthetic data is released. Such out-of-distribution canaries have limited influence on the model's output when prompted to generate useful, in-distribution synthetic data, which drastically reduces their effectiveness. To tackle this problem, we leverage the mechanics of auto-regressive models to design canaries with an in-distribution prefix and a high-perplexity suffix that leave detectable traces in synthetic data. This enhances the power of data-based MIAs and provides a better assessment of the privacy risks of releasing synthetic data generated by LLMs.