The Canary's Echo: Auditing Privacy Risks of LLM-Generated Synthetic Text
This work addresses privacy risks for users and organizations releasing LLM-generated synthetic data, but it is incremental as it builds on existing MIA techniques.
The paper tackles the problem of information leakage about training data through synthetic text generated by Large Language Models (LLMs), showing that membership inference attacks (MIAs) can effectively infer training data membership with significant performance, and it enhances these attacks by designing in-distribution canaries to better assess privacy risks.
How much information about training samples can be leaked through synthetic data generated by Large Language Models (LLMs)? Overlooking the subtleties of information flow in synthetic data generation pipelines can lead to a false sense of privacy. In this paper, we assume an adversary has access to some synthetic data generated by a LLM. We design membership inference attacks (MIAs) that target the training data used to fine-tune the LLM that is then used to synthesize data. The significant performance of our MIA shows that synthetic data leak information about the training data. Further, we find that canaries crafted for model-based MIAs are sub-optimal for privacy auditing when only synthetic data is released. Such out-of-distribution canaries have limited influence on the model's output when prompted to generate useful, in-distribution synthetic data, which drastically reduces their effectiveness. To tackle this problem, we leverage the mechanics of auto-regressive models to design canaries with an in-distribution prefix and a high-perplexity suffix that leave detectable traces in synthetic data. This enhances the power of data-based MIAs and provides a better assessment of the privacy risks of releasing synthetic data generated by LLMs.