R.R.: Unveiling LLM Training Privacy through Recollection and Ranking
This addresses privacy risks for users of LLMs by exposing vulnerabilities even with data scrubbing, representing a novel method for a known bottleneck.
The paper tackles the problem of privacy leakage in Large Language Models (LLMs) by proposing R.R., a two-step attack that reconstructs personally identifiable information (PII) from scrubbed training data, achieving better PII identification performance than baselines across three datasets.
Large Language Models (LLMs) pose significant privacy risks, potentially leaking training data due to implicit memorization. Existing privacy attacks primarily focus on membership inference attacks (MIAs) or data extraction attacks, but reconstructing specific personally identifiable information (PII) in LLMs' training data remains challenging. In this paper, we propose R.R. (Recollect and Rank), a novel two-step privacy stealing attack that enables attackers to reconstruct PII entities from scrubbed training data where the PII entities have been masked. In the first stage, we introduce a prompt paradigm named recollection, which instructs the LLM to repeat a masked text but fill in masks. Then we can use PII identifiers to extract recollected PII candidates. In the second stage, we design a new criterion to score each PII candidate and rank them. Motivated by membership inference, we leverage the reference model as a calibration to our criterion. Experiments across three popular PII datasets demonstrate that the R.R. achieves better PII identification performance than baselines. These results highlight the vulnerability of LLMs to PII leakage even when training data has been scrubbed. We release our code and datasets at GitHub.