Rational Localized Adversarial Anonymization (RLAA)

• The paper introduces RLAA, which uses a rational economic framework and an Attacker-Arbitrator-Anonymizer (A–A–A) loop to balance privacy gains with utility costs.
• It employs a structured arbitration phase that filters spurious leaks and enforces early stopping to prevent catastrophic utility collapse.
• Empirical evaluations on real-world datasets show RLAA’s superior privacy-utility Pareto performance compared to existing anonymization methods.

Rational Localized Adversarial Anonymization (RLAA) is a fully localized, training-free framework for privacy-preserving text anonymization that systematically maximizes utility while enforcing rationality constraints on the anonymization process. RLAA addresses the challenges that arise when deploying adversarial anonymization with local small-scale models (LSMs), particularly the catastrophic utility collapse observed in prior schemes. RLAA achieves this through an agent-based Attacker-Arbitrator-Anonymizer (A–A–A) architecture and an economic formalization of privacy-utility trade-offs, introducing a rational arbitration phase that acts as a gatekeeper. RLAA improves the privacy-utility Pareto frontier on real-world datasets and enforces an early stopping criterion that prevents irrational, utility-destructive anonymization loops (Duan et al., 7 Dec 2025).

1. Formal Economic Framework: MPG, MUC, and MRS

The RLAA framework re-conceptualizes the anonymization process as a sequence of rational economic trades between privacy and semantic utility. Each anonymization operation is analyzed in terms of marginal increments:

• Marginal Privacy Gain (MPG, $\Delta P_t$): The reduction in attack success rate gained from an anonymization step:

$$\Delta P_t = P_{atk}\bigl(x^{(t-1)}\bigr) - P_{atk}\bigl(x^{(t)}\bigr)$$

where $P_{atk}(x)$ is the mean fraction of private attributes $v_k$ correctly inferred from $x$ by the attacker, computed over $K$ attributes.

• Marginal Utility Cost (MUC, $\Delta C_t$): The drop in semantic utility incurred by an anonymization step:

$$\Delta C_t = U(x^{(0)}, x^{(t-1)}) - U(x^{(0)}, x^{(t)})$$

where $U(\cdot, \cdot)$ denotes semantic similarity or utility.

• Marginal Rate of Substitution (MRS): The “exchange rate” between utility and privacy for that step:

$\mathrm{MRS}_t = \frac{\Delta C_t}{\Delta P_t}$

An anonymization step is considered rational if $\mathrm{MRS}_t \le \lambda$, where $\lambda$ is the user-specified bound on acceptable utility cost per privacy gain.

This formalism ensures that only anonymization steps yielding significant privacy improvements per utility loss are executed, as opposed to the naive accumulation of small, costly edits.

2. Attacker–Arbitrator–Anonymizer (A–A–A) Architecture

RLAA operationalizes localized anonymization using a three-agent iterative loop at each step $t$:

• Attacker ($M_{atk}$):
  • Input: Current text $x^{(t)}$.
  • Output: Set of candidate leaks $\mathcal{L}^{(t)} = \{l_k\}$ and a corresponding chain of reasoning $\mathcal{R}^{(t)}$.
  • Objective: Maximize private attribute inference accuracy $P_{atk}(x^{(t)})$.
• Arbitrator ($M_{arb}$):
  • Input: Each $(l_k, r_k)$ and $x^{(t)}$.
  • Task: Validate the evidentiary strength of each leak, assigning high (direct), medium (stylistic), or low/invalid (negligible) ratings.
  • Policy mapping $\Pi_{select}$:
  • High: "generalize"
  • Medium: "rephrase"
  • Low/Invalid: "ignore" (filtered out)
  • Compiles the actionable anonymization policy set $\mathcal{P}^{(t)}$.
  • Early stopping: If $\mathcal{P}^{(t)} = \emptyset$, the process halts, enforcing the $\mathrm{MRS}_t \le \lambda$ rationality constraint.
• Anonymizer ($M_{ano}$):
  • Input: $x^{(t)}$ and $\mathcal{P}^{(t)}$.
  • Process: Applies each $(l_k, \pi_k) \in \mathcal{P}^{(t)}$ to generate $x^{(t+1)} = M_{ano}(x^{(t)}, \mathcal{P}^{(t)})$ as a minimally edited, anonymized version.

A high-level pseudocode representation:

Input: x^(0), max iterations T, rationality threshold λ t ← 0 while t < T: # Phase 1: Adversarial Inference (L^(t), R^(t)) ← M_atk(x^(t)) # Phase 2: Rational Arbitration P^(t) ← ∅ for each (l_k, r_k) in zip(L^(t), R^(t)): v_k ← M_arb(l_k, r_k, x^(t)) # validity level π_k ← Π_select(v_k) if π_k ≠ Ignore: P^(t) ← P^(t) ∪ {(l_k, π_k)} if P^(t) is empty: break # early stop (MRS violation avoided) # Phase 3: Execute Edit x^(t+1) ← M_ano(x^(t), P^(t)) t ← t+1 return x^(t)

3. Rationality Enforcement and Theoretical Implications

In adversarial anonymization without arbitration, greedy attacker strategies often hallucinate spurious leaks $l_{hall}$, resulting in edits with fixed utility degradation $\Delta C_t \ge \epsilon > 0$ but vanishing privacy gain $\Delta P_t \to 0$. This leads $\mathrm{MRS}_t = \epsilon / \xi \to \infty$ (deadweight loss), especially after genuine leaks are depleted.

RLAA's arbitrator mitigates this irrational drift by:

• Assigning "low/invalid" to negligible or hallucinated leaks, yielding $\Delta C_t = 0$ for those steps.
• Enforcing an early stop when no actionable leaks remain.
• Structurally bounding $\mathrm{MRS}_t \le \lambda$ throughout the procedure.

Appendix proofs in the cited work show that this mechanism is necessary for avoiding utility collapse and maintaining a strict rationality guarantee over the anonymization trajectory (Duan et al., 7 Dec 2025).

4. Experimental Evaluation and Pareto-Optimality

Comprehensive benchmarking of RLAA includes:

• Datasets:
  • PersonalReddit (525 Reddit threads, 8 attributes)
  • reddit-self-disclosure (885 health-related PII samples)
• Models:
  • Local loop: Llama3-8B, Qwen2.5-7B (4 GB VRAM, 4-bit quantization)
  • External re-identification: DeepSeek-V3.2-Exp (685B)
• Baselines:
  • FgAA (Naive, SFT, API)
  • SEAL (SFT+DPO)
  • IncogniText
  • DP-BART-PR+
• Metrics:
  • PRIV: Average attack success (privacy risk; lower is better).
  • UTIL: Composite textual utility,

  $$\mathrm{UTIL} = \frac{1}{3N} \sum_{i=1}^N \left(\frac{s_{read,i}}{10} + \frac{s_{mean,i}}{10} + s_{hall,i}\right)$$ - ROUGE-L, BLEU: Structural integrity.

Pareto-Front Results:

• On reddit-self-disclosure, RLAA dominates all local baselines and surpasses even the FgAA(API) in privacy–utility trade-offs.
• On PersonalReddit, RLAA (Llama3-8B) achieves UTIL = 0.879 vs. FgAA(API)'s 0.826 at similar PRIV ≈ 0.21.

5. Empirical Insights and Ablation Analyses

RLAA produces several distinctive empirical findings relative to prior approaches:

• Prevents catastrophic utility collapse observed in FgAA (ROUGE-L improved from 0.218 to 0.596).
• Displays superior factual consistency and semantic structure versus IncogniText.
• SEAL, even when distilled, fails under local greedy loops, indicating that training alone does not suffice for rationality.
• Arbitrator ablation studies: Removing $M_{arb}$ reduces UTIL by 0.15–0.20 and may increase PRIV.
• MRS trajectory: FgAA’s $\mathrm{MRS}$ grows unboundedly; RLAA’s remains close to zero and triggers early exit when no rational edits remain.

6. Limitations and Potential Directions

Several constraints apply:

• Arbitration introduces 1.5×–2× increased latency per sample, considered acceptable for offline workflows.
• The approach does not provide formal $\epsilon$-DP guarantees and prioritizes semantic naturalness.
• Prospective extensions include integrating differential privacy bound estimation, dynamic $\lambda$ adaptation to user budgets, reinforcing arbitration via multi-agent verification, or lightweight fine-tuning.

RLAA exemplifies a paradigm shift in privacy-preserving text anonymization, structurally enforcing rationality and empirically surpassing previous state-of-the-art solutions for local model deployment (Duan et al., 7 Dec 2025).