CusText: Custom Differential Privacy for NLP

• CusText is a customizable text sanitization mechanism that applies classical ε-differential privacy and token-level customization to balance privacy and utility in NLP.
• It employs a mapping function to assign each token a semantically coherent output set, enabling fine-grained control over privacy-utility trade-offs beyond traditional MLDP methods.
• Empirical evaluations on benchmarks like SST-2 and QNLI demonstrate over 20% improved accuracy and strong defense against inference attacks, highlighting its practical value.

CusText is a customizable text sanitization mechanism designed to provide strong privacy guarantees—specifically, differential privacy (DP)—while maintaining high utility in downstream NLP tasks. It addresses critical limitations in previous metric local differential privacy (MLDP) approaches by operating on the original definition of ε-differential privacy (ε-DP) and introducing token-level customization. CusText’s architecture is compatible with arbitrary semantic similarity measures and supports fine-grained control over the privacy-utility trade-off through per-token output set tailoring.

1. Motivation and Theoretical Foundations

CusText was introduced in response to deficiencies in prevailing text sanitization mechanisms, notably those based on MLDP, such as SANTEXT. Traditional MLDP schemes rely on “distance” metrics satisfying triangle inequality (e.g., Euclidean distance), rendering them incompatible with widely used non-metric similarity measures like cosine similarity or TF-IDF. Furthermore, MLDP-based mechanisms often assign every input token a common output set—commonly the entire vocabulary—producing either excessive privacy costs at low ε or significant utility degradation due to irrelevant substitutions.

CusText departs from MLDP by leveraging the classical ε-DP framework and the exponential mechanism, decoupling the process from metric constraints and enabling compatibility with any similarity measure. For tokens $x$ and $x'$, and output $y$, CusText ensures:

$$\frac{\Pr[M(x) = y]}{\Pr[M(x') = y]} \leq e^{\epsilon}$$

where $M$ denotes the sanitization mechanism, and ε controls the privacy level.

2. Token-Level Customized Output Sets

The principal innovation in CusText lies in its assignment of a customized, semantically coherent candidate output set for each token. This is achieved by a mapping function $f_{map}$ that, for each unmapped input token $x$, constructs an output set $Y'$ of size $K$ composed of $x$ itself and its $K-1$ closest tokens (according to a user-specified similarity measure). This mapping is disjointly performed for all tokens until all are assigned to output sets, as described in Algorithm 1 of the original work.

Algorithmic Workflow (Excerpted Structure)

• For each unmapped token $x$:
  1. Compute the semantic similarity/distance between $x$ and all remaining tokens.
  2. Select the top $(K-1)$ semantically closest tokens to $x$.
  3. Form $Y' = \{x\} \cup \text{closest tokens}$.
  4. Assign $Y'$ as the output set for all tokens in $Y'$.
  5. Remove $Y'$ from the pool of unmapped tokens.

This approach ensures that each token is only substituted by semantically proximate tokens, substantially reducing utility loss compared to substitutions drawn from the full vocabulary.

3. Privacy-Preserving Sampling via the Exponential Mechanism

Having defined per-token customized output sets, CusText applies the exponential mechanism to probabilistically sample the output substitutions. A scoring function $u(x, y)$ quantifies semantic closeness (e.g., negative normalized Euclidean distance or adjusted cosine similarity), and the probability of emitting token $y$ as a replacement for $x$ is:

$$\Pr[f_{sample}(x) = y] = \frac{\exp\left(\frac{\epsilon \cdot u(x, y)}{2\Delta u}\right)}{\sum_{y' \in Y'} \exp\left(\frac{\epsilon \cdot u(x, y')}{2\Delta u}\right)}$$

where $\Delta u$ is the sensitivity of $u$ (normalized to unity in practice). This mechanism biases the sampling toward more semantically similar tokens, directly optimizing the privacy-utility balance.

4. Compatibility, Modularity, and Customization

CusText’s architecture is agnostic to the choice of semantic similarity metric, admitting any measure that can be normalized for scoring. This includes Euclidean distance, cosine similarity, and distances derived from pretrained embeddings such as GloVe or Counter-Fitting. The only prerequisite is that similarity values be normalized to $[0,1]$ or an equivalent range suitable for $u(x, y)$.

The mechanism’s modularity enables direct adaptation to diverse NLP scenarios. The customization parameter $K$ (the size of each output set) and privacy parameter $\epsilon$ jointly determine privacy level and semantic fidelity. An extended variant, CusText+, further improves utility by identifying and skipping low-risk tokens (e.g., stopwords) based on a predefined list, thereby restricting noise introduction to tokens likely to be privacy sensitive.

5. Empirical Performance and Privacy-Utility Trade-off

CusText demonstrates marked improvements in the privacy-utility trade-off across standard NLP benchmarks, including SST-2 (sentiment classification), MedSTS (medical semantic similarity), and QNLI (question answering). With fixed $\epsilon$ (e.g., 1, 2, or 3), models trained on texts sanitized with CusText achieve over 20% higher accuracy than those sanitized with SANTEXT on both SST-2 and QNLI. In adversarial tasks such as mask token inference and query-based attacks, CusText maintains downstream accuracy around 70% even with strict privacy settings, whereas prior MLDP-based methods exhibit either pronounced performance collapse or vulnerability to inference attacks.

Experiments demonstrate that careful choice of embeddings and output set sizes further enhances semantic preservation without sacrificing privacy. Replacements drawn from small, semantically tailored output sets lead to superior utility compared to methods using large uniform sets.

6. Practical Implications and Design Considerations

CusText enables robust local sanitization of sensitive text before external exposure, supporting privacy-compliant data sharing and secure preprocessing for NLP model training. The mechanism is particularly valuable for domains demanding strict privacy, such as healthcare and personal communications.

Key implementation decisions include:

• Selecting an appropriate $K$ to match the privacy-utility profile of the application.
• Deploying suitable word embeddings and similarity measures aligned with the target domain.
• Tuning $\epsilon$ according to risk tolerance and regulatory requirements.

7. Future Research Directions

Further work may refine per-token adaptation of both $K$ and $\epsilon$, dynamically allocating privacy budgets based on token sensitivity determined by advanced (potentially learned) criteria rather than static stopword lists. Exploration of improved scoring functions and mapping procedures could further optimize the balance between privacy and semantic utility. Additional investigation into downstream task-specific impacts and resistance to adaptive attacks is warranted.

---

CusText’s original use of the exponential mechanism within a token-level customized output mapping enables strong and flexible differentially private text sanitization across a wide variety of NLP applications, achieving empirically superior results compared to prior approaches based on metric local differential privacy.