Search papers, labs, and topics across Lattice.
This paper introduces natural identifiers (NIDs) as a novel approach to address the challenges of auditing the privacy of large language models (LLMs) without requiring costly retraining or access to private datasets. By leveraging structured random strings that naturally occur in training datasets, NIDs facilitate scalable post-hoc differential privacy audits and enable dataset inference for suspect datasets. The findings demonstrate that NIDs can effectively serve as alternative canaries and held-out data, significantly enhancing the feasibility of privacy assessments in LLMs.
Natural identifiers can transform LLM privacy audits by eliminating the need for retraining and inaccessible datasets, making post-hoc assessments practical and scalable.
Assessing the privacy of large language models (LLMs) presents significant challenges. In particular, most existing methods for auditing differential privacy require the insertion of specially crafted canary data during training, making them impractical for auditing already-trained models without costly retraining. Additionally, dataset inference, which audits whether a suspect dataset was used to train a model, is infeasible without access to a private non-member held-out dataset. Yet, such held-out datasets are often unavailable or difficult to construct for real-world cases since they have to be from the same distribution (IID) as the suspect data. These limitations severely hinder the ability to conduct scalable, post-hoc audits. To enable such audits, this work introduces natural identifiers (NIDs) as a novel solution to the above-mentioned challenges. NIDs are structured random strings, such as cryptographic hashes and shortened URLs, naturally occurring in common LLM training datasets. Their format enables the generation of unlimited additional random strings from the same distribution, which can act as alternative canaries for audits and as same-distribution held-out data for dataset inference. Our evaluation highlights that indeed, using NIDs, we can facilitate post-hoc differential privacy auditing without any retraining and enable dataset inference for any suspect dataset containing NIDs without the need for a private non-member held-out dataset.