Natural language processing (NLP) models may leak private information in different ways, including membership inference, reconstruction or attribute inference attacks. Sensitive information may not be explicit in the text, but hidden in underlying writing characteristics. Methods to protect privacy can involve using representations inside models that are demonstrated not to detect sensitive attributes or -- for instance, in cases where users might not trust a model, the sort of scenario of interest here -- changing the raw text before models can have access to it. The goal is to rewrite text to prevent someone from inferring a sensitive attribute (e.g. the gender of the author, or their location by the writing style) whilst keeping the text useful for its original intention (e.g. the sentiment of a product review). The few works tackling this have focused on generative techniques. However, these often create extensively different texts from the original ones or face problems such as mode collapse. This paper explores a novel adaptation of adversarial attack techniques to manipulate a text to deceive a classifier w.r.t one task (privacy) whilst keeping the predictions of another classifier trained for another task (utility) unchanged. We propose IDT, a method that analyses predictions made by auxiliary and interpretable models to identify which tokens are important to change for the privacy task, and which ones should be kept for the utility task. We evaluate different datasets for NLP suitable for different tasks. Automatic and human evaluations show that IDT retains the utility of text, while also outperforming existing methods when deceiving a classifier w.r.t privacy task.

翻译：自然语言处理（NLP）模型可能通过多种方式泄露隐私信息，包括成员推理、重建或属性推断攻击。敏感信息可能并未显式存在于文本中，而是隐藏于底层的写作特征中。隐私保护方法可涉及使用模型内部被证明无法检测敏感属性的表征，或者——例如在用户可能不信任模型的情况下（本文所关注的此类场景）——在模型能够访问之前修改原始文本。其目标是重写文本，以防止他人推断出敏感属性（例如作者的性别或通过写作风格推断其位置），同时保持文本的原始用途（例如产品评论的情感倾向）。目前解决此问题的少数研究主要集中于生成式技术。然而，这些方法往往生成与原文差异极大的文本，或面临模式崩溃等问题。本文探索了一种新颖的对抗攻击技术改编方法，通过操纵文本以欺骗针对某一任务（隐私）的分类器，同时保持为另一任务（效用）训练的分类器的预测结果不变。我们提出IDT方法，该方法通过分析辅助可解释模型的预测结果，识别哪些词元对于隐私任务需要修改，哪些词元对于效用任务应当保留。我们评估了适用于不同任务的多种NLP数据集。自动评估与人工评估均表明，IDT在保持文本效用的同时，在欺骗隐私任务分类器方面也优于现有方法。