LG | Apr 2, 2024

Noise Masking Attacks and Defenses for Pretrained Speech Models

arXiv:2404.02052v1 | 7 citations | h-index: 36 | ICASSP
Originality: Incremental advance
AI Analysis

This work addresses privacy risks for users of speech models by demonstrating a novel attack vector, though it builds incrementally on prior noise masking techniques.

The paper tackles the problem of privacy leakage in pretrained speech models by extending noise masking attacks from ASR models to speech encoders, showing that fine-tuning and attacking these encoders can recover sensitive data from pretraining with improved precision.

Speech models are often trained on sensitive data in order to improve model performance, leading to potential privacy leakage. Our work considers noise masking attacks, introduced by Amid et al. 2022, which attack automatic speech recognition (ASR) models by requesting a transcript of an utterance which is partially replaced with noise. They show that when a record has been seen at training time, the model will transcribe the noisy record with its memorized sensitive transcript. In our work, we extend these attacks beyond ASR models, to attack pretrained speech encoders. Our method fine-tunes the encoder to produce an ASR model, and then performs noise masking on this model, which we find recovers private information from the pretraining data, despite the model never having seen transcripts at pretraining time! We show how to improve the precision of these attacks and investigate a number of countermeasures to our attacks.
