Differential Privacy for Transformer Embeddings of Text with Nonparametric Variational Information Bottleneck

TL;DR

This paper introduces NVDP, a novel differential privacy method for transformer text embeddings that balances privacy protection with utility by injecting calibrated noise into embeddings using a nonparametric variational information bottleneck.

Contribution

It proposes NVDP, a new privacy-preserving technique integrating NVIB into transformers to ensure privacy while maintaining task performance.

Findings

NVDP achieves strong privacy guarantees with minimal utility loss.

Varying noise levels allows a controllable privacy-utility trade-off.

The method performs well on the GLUE benchmark.

Abstract

We propose a privacy-preserving method for sharing text data by sharing noisy versions of their transformer embeddings. It has been shown that hidden representations learned by deep models can encode sensitive information from the input, making it possible for adversaries to recover the input data with considerable accuracy. This problem is exacerbated in transformer embeddings because they consist of multiple vectors, one per token. To mitigate this risk, we propose Nonparametric Variational Differential Privacy (NVDP), which ensures both useful data sharing and strong privacy protection. We take a differential privacy (DP) approach, integrating a nonparametric variational information bottleneck (NVIB) layer into the transformer architecture to inject noise into its multivector embeddings and thereby hide information, and measuring privacy protection with R\'enyi Divergence (RD) and its corresponding Bayesian Differential Privacy (BDP) guarantee. Training the NVIB layer calibrates the noise level according to the utility of the downstream task. We test NVDP on the General Language Understanding Evaluation (GLUE) benchmark and show that varying the noise level gives us a useful trade-off between privacy and accuracy. With lower noise levels, our model maintains high accuracy while offering strong privacy guarantees, effectively balancing privacy and utility.