
Client-Side Text Anonymization

Updated 29 May 2026
  • Client-side text anonymization is the process of locally transforming text to protect sensitive data like PII and authorial style while preserving downstream utility.
  • It employs techniques such as NER-based pseudonymization, style obfuscation through paraphrasing, and adaptive methods to manage privacy-utility trade-offs.
  • Implementations range from browser plugins and on-premise LLM services to mobile inference models, ensuring no sensitive data leaves the user’s device.

Client-side text anonymization refers to the transformation or rewriting of text to prevent leakage of sensitive information—including personally identifiable information (PII), user attributes, and author style—while retaining utility for downstream tasks, executed entirely on the user's device or within a local, on-premise boundary. This paradigm eliminates data egress risk and enables privacy-preserving workflows in interactive LLM-based applications, conversational agents, and real-time human-computer interaction.

1. Core Paradigms and Threat Models

Client-side text anonymization encompasses both explicit PII obfuscation and implicit attribute masking, targeting risks such as re-identification, attribute inference, and authorship attribution. Techniques address:

  • Named-entity pseudonymization: Direct substitution of detected entities with placeholders, surrogates, or synthetic aliases.
  • Style and attribute obfuscation: Rewriting to suppress statistical stylometry signals, thwarting authorship and profile inference attacks.
  • Semantic and factual integrity: Ensuring the output is both fluent and utility-preserving, especially for information extraction, Q&A, and sentiment pipelines.

Threat models range from external LLM servers (where the goal is to prevent data from leaving the device) to adversarial classifiers operating over anonymized text, which require robust defenses against attribute inference, membership inference, and authorship attacks (Zhang et al., 2024, Shao et al., 26 Jun 2025, Bao et al., 2024, Balakrishnan et al., 2021).

2. Algorithmic Approaches

2.1 PII Detection and Replacement Pipelines

Entity-based anonymization typically employs an NER step (few-shot LLM or bespoke architectures), followed by context- or type-aware replacement:

  • Prompt-based NER (Adanonymizer): Few-shot GPT-4o prompting, with curated lists of ≈100 sensitive data classes, bracketed output per entity category, and consistent alias mapping via local lookup tables (Zhang et al., 2024).
  • LLM-driven substitution: In-place rewriting using local LLMs (e.g., GPT-oss-20B, DeepSeek-7B), prompted to produce type-consistent, realistic surrogates per span, obviating the need for template-based substitution (Albanese et al., 17 Mar 2026).
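
The consistent alias mapping via a local lookup table described above can be sketched as follows. This is an added example, not code from Adanonymizer or any cited system; the regex detectors, the toy name list, and the `Pseudonymizer` class are assumptions standing in for the NER step.

```python
import re

# Constructed detectors standing in for the NER step (assumption: simple
# regexes and a toy name list, not the few-shot LLM prompting cited above).
PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "PHONE": re.compile(r"\+?\d[\d\s().-]{7,}\d"),
    "NAME": re.compile(r"\b(?:Alice Moreno|Bob Tanaka)\b"),
}
ALIAS = re.compile(r"\[[A-Z]+_\d+\]")

class Pseudonymizer:
    """Bracketed per-category aliases backed by an in-memory lookup table."""

    def __init__(self):
        self.forward = {}   # (category, normalized value) -> alias
        self.reverse = {}   # alias -> first-seen original value
        self.counters = {}  # category -> last index issued

    def _alias(self, category, value):
        key = (category, value.casefold())
        if key not in self.forward:
            n = self.counters.get(category, 0) + 1
            self.counters[category] = n
            alias = f"[{category}_{n}]"
            self.forward[key] = alias
            self.reverse[alias] = value
        return self.forward[key]

    def anonymize(self, text):
        # Same entity -> same alias across calls, so multi-turn context survives.
        for category, pattern in PATTERNS.items():
            text = pattern.sub(
                lambda m, c=category: self._alias(c, m.group(0)), text)
        return text

    def restore(self, text):
        # Re-identify aliases in a model reply; unknown aliases are left as-is.
        return ALIAS.sub(lambda m: self.reverse.get(m.group(0), m.group(0)), text)

if __name__ == "__main__":
    p = Pseudonymizer()
    sent = p.anonymize("Alice Moreno (alice.moreno@example.com, "
                       "+1 415 555 0100) emailed Bob Tanaka.")
    print(sent)  # only this string would leave the device
    print(p.restore("Please confirm with [NAME_2] at [PHONE_1]."))
```

Because the table lives only in the `Pseudonymizer` instance, the remote model sees aliases while the client can still map a reply back to the original values.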

2.2 Stylometric and Attribute Obfuscation

Paraphrastic and adversarial generation methods aim to obfuscate not just explicit PII but latent authorial and demographic attributes:

  • RL-based paraphrasing (KiP): Models (BART-para, DIPPER) fine-tuned with rewards combining privacy (embedding distance from author), semantic similarity (SBERT cosine), and fluency (CoLA/LM scores), subject to hard guardrails (Bao et al., 2024).
  • GAN-based authorship anonymization: Generator-decoder networks adversarially trained to minimize authorship classification accuracy (via Siamese/CNN discriminators), combined with auxiliary losses for fluency and semantic preservation (Balakrishnan et al., 2021).

2.3 Hybrid and Adaptive Approaches

Recent frameworks integrate adversarial, contrastive, and utility-aware adaptation cycles on the client:

  • AgentStealth: Combines adversarial anonymization, in-context contrastive learning, adaptive prompt control (utility feedback on-the-fly), dual-role SLM supervision (anonymization plus attacker emulation), and online RL (GRPO algorithm), all in a fully local execution context (Shao et al., 26 Jun 2025).

3. Privacy–Utility Trade-Offs and Control Interfaces

Achieving optimal anonymization requires explicit control over the trade-off between privacy risk reduction and output utility:

  • Quantification and normalization: Per-category risk and utility impact scores are empirically collected and normalized $p_i, u_i \in [0,1]$ to support interactive thresholding (Zhang et al., 2024).

$$p_i = \frac{P_i - \min_j P_j}{\max_j P_j - \min_j P_j}, \quad u_i = \frac{U_i - \min_j U_j}{\max_j U_j - \min_j U_j}$$

  • Pareto front construction: The trade-off is visualized and solved via a front $f(p) = \max\{1-u_i \,|\, p_i \ge p\}$, with interactive thresholds determining which categories are anonymized (Zhang et al., 2024).
  • UI for balance navigation: 2D color palettes and sliders enable users to select personalized operating points, with immediate feedback via anonymized previews (Zhang et al., 2024).
  • Adaptive prompting and memory: AgentStealth updates prompts and strategy based on real-time utility losses, integrating distilled anonymization insights in a rolling buffer (Shao et al., 26 Jun 2025).
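
The normalization and front formulas above, carried through on sample numbers. This is an added example, not code from the cited work; the raw scores are constructed, and the rule that a category is anonymized when its normalized risk meets the threshold is an assumption about how the threshold is applied.

```python
def minmax(values):
    """Min-max normalize a {category: raw score} dict into [0, 1]."""
    lo, hi = min(values.values()), max(values.values())
    if hi == lo:  # degenerate case: every category scored the same
        return {k: 0.0 for k in values}
    return {k: (v - lo) / (hi - lo) for k, v in values.items()}

def front(p, risk, util_impact):
    """f(p) = max{1 - u_i | p_i >= p}; 0.0 if no category reaches p."""
    return max((1 - util_impact[c] for c in risk if risk[c] >= p), default=0.0)

def front_points(risk, util_impact):
    """The step function f evaluated at each distinct normalized risk level."""
    return [(p, front(p, risk, util_impact)) for p in sorted(set(risk.values()))]

def categories_to_anonymize(threshold, risk):
    # Assumed selection rule: anonymize every category whose normalized
    # risk p_i is at or above the user's threshold.
    return sorted(c for c, p in risk.items() if p >= threshold)

# Constructed raw scores (e.g. mean 1-5 ratings); not data from the cited study.
RAW_RISK = {"name": 4.5, "email": 4.0, "location": 3.0,
            "health": 5.0, "occupation": 2.0}
RAW_UTILITY_IMPACT = {"name": 3.0, "email": 1.5, "location": 3.5,
                      "health": 4.0, "occupation": 2.0}

if __name__ == "__main__":
    p_i, u_i = minmax(RAW_RISK), minmax(RAW_UTILITY_IMPACT)
    for p, f in front_points(p_i, u_i):
        print(f"f({p:.2f}) = {f:.2f}")
    print(categories_to_anonymize(0.5, p_i))
```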

4. System Architectures and On-Device Deployment

Client-side architectures prioritize strict locality, modularization, and cross-platform deployability, with several concrete instantiations:

  • Browser-based plugins: Inject monitors for user text selection, pseudonymization engines (GPT-based or local model), preference storage (IndexedDB, Chrome Storage), and downstream query routing, as in Adanonymizer (Zhang et al., 2024).
  • On-premise LLM services: Local HTTP/gRPC endpoints serving anonymization, fully containerized and restricted within organizational firewalls (e.g., Docker+CUDA+PyTorch stack for substitution LLMs) (Albanese et al., 17 Mar 2026).
  • Edge-optimized LLMs: Lightweight SLMs (e.g., Llama-3.1-8B-Instruct with LoRA adapters, INT8 quantization) fit on devices with 4–16 GB RAM, yielding inference latencies of 50–200 ms/256 tokens on CPUs or mobile NPUs (Shao et al., 26 Jun 2025).
  • Mobile/browser inference: Quantized transformer or GAN generators (e.g., 4-layer Transformer at 5–8 MB, TensorFlow.js or TFLite) enable on-device authorship obfuscation with sub-200 ms latency per sentence (Balakrishnan et al., 2021).

No raw PII is egressed or persisted outside the local context; all sensitive mappings and user preferences remain client-side (Zhang et al., 2024, Albanese et al., 17 Mar 2026).

5. Evaluation Methodologies and Benchmarks

Evaluation of client-side anonymization covers privacy, utility, trainability, and usability:

  • Privacy: PII recall, adversarial attribute inference error, and authorship classifier F1. For substitution-based pipelines, PII recall ≥0.99 is the benchmark frontier (Albanese et al., 17 Mar 2026).
  • Utility: Semantic fidelity (SBERT, VADER sentiment accuracy, topic distance), task accuracy (Q&A_true ≥ 0.96), and readability/meaning scores (Shao et al., 26 Jun 2025, Bao et al., 2024, Albanese et al., 17 Mar 2026).
  • Trainability: LoRA-MAE of a BERT downstream encoder, with thresholds MAE ≤ 0.03 for practical privacy-constrained fine-tuning (Albanese et al., 17 Mar 2026).
  • Usability: Modification time, character edits, perceived satisfaction, as well as Likert scales for privacy protection and model answer quality (Zhang et al., 2024).
  • Comparative benchmarks: Commercial (Microsoft Presidio, Google DLP), NER+template, and neural ZSTS baselines show inferior privacy-utility-trainability trade-offs compared to LLM-based anonymous-by-construction pipelines (Albanese et al., 17 Mar 2026).

Example Quantitative Results

| Method | PII Recall | TopicDist | Q&A_true | LoRA-MAE |
|---|---|---|---|---|
| Presidio (MSFT) | 0.56 | 0.001 | 0.52 | 0.030 |
| DLP (Google) | 0.65 | 0.0003 | 0.36 | 0.032 |
| ZSTS–Subs. | 0.98 | 0.023 | 0.75 | 0.055 |
| LLM (GPT-oss 20B) | 0.99 | 0.002 | 0.96 | 0.029 |

6. Limitations, Open Issues, and Security Considerations

Current anonymization systems exhibit several limitations:

  • No formal differential privacy: Most frameworks do not offer formal DP guarantees, relying instead on adversarial and empirical evaluation (Balakrishnan et al., 2021).
  • Content fidelity risks: Paraphrasing and entity substitution can introduce minor semantic drift or topical leakage, especially for domain-specific or idiomatic text (Bao et al., 2024).
  • Stylometric leakage: GAN and RL-based obfuscators reduce re-identification accuracy but can struggle against stronger or unseen authorship classifiers.
  • Unknown unknowns: Side-channels (e.g., timing, memory) and steganalysis remain underexplored in deployment (Balakrishnan et al., 2021).

Deployment within browser or local application contexts must enforce access control, audit logging, and prompt versioning to ensure ongoing privacy compliance (Albanese et al., 17 Mar 2026).

7. Practical Deployment and Integration Guidelines

For operational pipelines:

  • Prepend anonymization before any cloud or third-party LLM processing to enforce responsible, anonymous-by-design agent deployments (Albanese et al., 17 Mar 2026).
  • Local configuration and preference storage, combined with deterministic inference and local mapping tables, allow auditability and reversibility where needed.
  • For downstream ML fine-tuning, enforce privacy-utility gates: e.g., fail the build if $\text{Recall} < 0.98$ or $\text{LoRA-MAE} > 0.05$ (Albanese et al., 17 Mar 2026).
  • Integrate responsive, explainable GUIs (2D palette, real-time preview) to maximize user control and trust (Zhang et al., 2024).
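
One way to wire the privacy-utility gate from the list above into a build step. This is an added example, not code from the cited pipeline; it assumes PII recall is measured as the share of gold PII strings that no longer appear verbatim in the anonymized output, and that LoRA-MAE is measured elsewhere and passed in. The records are constructed.

```python
import re

RECALL_MIN = 0.98     # gate thresholds quoted in the text
LORA_MAE_MAX = 0.05

def _norm(s):
    # Case-fold and collapse whitespace so re-cased or re-wrapped leaks count.
    return re.sub(r"\s+", " ", s).casefold()

def pii_recall(records):
    """records: (gold PII strings, anonymized output) pairs -> (recall, leaks).
    Leaks are (record, span) indexes, so the CI log never holds the PII."""
    total, leaks = 0, []
    for r, (gold, output) in enumerate(records):
        haystack = _norm(output)
        for s, span in enumerate(gold):
            total += 1
            # Assumed recall proxy: a gold span still present verbatim is a miss.
            if _norm(span) in haystack:
                leaks.append((r, s))
    if total == 0:
        return None, leaks
    return (total - len(leaks)) / total, leaks

def gate(records, lora_mae):
    """Return a list of failure reasons; an empty list means the gate passes."""
    recall, leaks = pii_recall(records)
    failures = []
    if recall is None:
        failures.append("no gold PII spans: recall is unmeasured")
    elif recall < RECALL_MIN:
        failures.append(f"PII recall {recall:.3f} < {RECALL_MIN} (leaks at {leaks})")
    if lora_mae > LORA_MAE_MAX:
        failures.append(f"LoRA-MAE {lora_mae:.3f} > {LORA_MAE_MAX}")
    return failures

# Constructed evaluation set: the second record still leaks the phone number.
SAMPLE = [
    (["Alice Moreno", "alice@example.com"], "[NAME_1] wrote from [EMAIL_1]."),
    (["Bob Tanaka", "415 555 0100"], "Call [NAME_2] on 415  555 0100."),
]

if __name__ == "__main__":
    problems = gate(SAMPLE, lora_mae=0.03)  # constructed LoRA-MAE value
    print("\n".join(problems) or "gate passed")
    raise SystemExit(1 if problems else 0)
```

An empty evaluation set fails the gate rather than passing vacuously, since recall over zero spans says nothing about leakage.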

Client-side text anonymization is established as a foundational element of privacy-preserving NLP, with emerging best practices centering on on-premise LLM substitution, interactive trade-off navigation, and system architectures ensuring that all transformations—and risks—remain strictly within local, user-controlled boundaries (Zhang et al., 2024, Shao et al., 26 Jun 2025, Albanese et al., 17 Mar 2026, Bao et al., 2024, Balakrishnan et al., 2021).
