This paper presents a method for producing synthetic tweet corpora that are released in place of the original tweets, with the dual goals of minimizing the identifiability of users and maintaining user-specific word distributions and the analytical usefulness of the released corpus. In the field of data privacy, these two goals, colloquially known as minimizing risk and maximizing utility, see Duncan et al. (2001), form the basis for measuring the effectiveness of protection methods. Risk and utility reside in tension, such that protection methods can be tuned to offer different levels of utility for corresponding levels of risk. Ideally, we want protection methods that offer the best trade-off of risk and utility in order to allow data providers to release high-quality data.
When dealing with unstructured text documents, privacy risk for users is commonly measured through stylometric models that identify anonymized authors based on features extracted from the text. These models have been successful in correctly attributing authorship with documents such as the Federalists papers;Mosteller and Wallace (1964), online blogs; Narayanan et al. (2012), and even executable binaries; Caliskan-Islam et al. (2015). Recent work has shown similar results with short documents such as tweets, despite the small character limit; Almishari et al. (2014).
We are concerned with a stylometric attack on a corpus of tweets that were gathered and released for research purposes, which is commonly done in the social sciences. This corpus may include tweets that are no longer publicly available, either from users deleting their own content or from Twitter enforcing their policies, e.g., terms of service violations or length of time. As others have pointed out, i.e., Williams et~al. (2017), Twitter states in their developer guidelines that users have the right to be forgotten, see Twitter (2015). Thus if tweets are deleted, researchers should not use or release those tweets further. However, by complying with this policy, research can be rendered non-replicable since original data cannot be shared; Tromble et al. (2017). In addition to this, a number of authors have called for stronger ethical standards when publishing social media data, e.g., Williams et~al. (2017); Zimmer (2010); Rivers and Lewis (2014). The privacy concern for users comes from either information disclosed through the sharing of previously deleted tweets or through additional information generated from analyses, e.g., identifying hate speech; Burnap and Williams (2015). In that case, if users were identified and linked to their tweets, person-specific information would be made public beyond what users had intended to share.
While most of the stylometry literature has focused on developing attack models, some methods do exist to protect the text from stylometric attacks. These include semi-automatic methods to obscure individual authors; Kacmarcik and Gamon (2006) or approaches such as iterative translation; Rao et al. (2000); Mack et al. (2015), which have been shown to offer little protection in some cases, see Caliskan and Greenstadt (2012)
. In addition to risk concerns, redaction or translation are blunt instruments that do not take into consideration the original language of the text and may remove features which are vital for researchers. We address this by taking a neural-based approach, inspired by the promising results in training neural architectures as simple generative models for natural language processing, e.g.,Bengio et al. (2003); Mikolov et al. (2010); Sutskever et al. (2014); Ororbia II et al. (2017); Serban et al. (2017)
. In particular, neural architectures greatly reduce the amount of human involvement required in extracting the properties of language and (word) distributional information from the original documents. We do not simply use “off the shelf” neural methods, but we develop a novel architecture to condition our synthesis model on each user in the corpus. From a utility standpoint, generating synthetic tweets that capture the language of the original texts should outperform redaction or iterative translation. On the risk side, neural models will not precisely replicate the original tweets (it would be severe overfitting if they did), so risk should be reduced by the noise added in the new text generation process.
The contributions of this paper are as follows: (1) a novel neural architecture to efficiently synthesize text based on individual users’ language features, (2) the inclusion of a tuning parameter which allows for varying the risk-utility trade-off, (3) defining a privacy risk scenario when sharing Twitter data according to stylometric methods, and (4) an empirical evaluation of different private protection methods with respect to this scenario and the utility of the released data. Our experimental results show that data generated by neural models offer an improved risk-utility trade-off as compared with redaction or iterative translation. They also show that the risk-utility trade-off can be managed by the scaling of the neural model’s output logits (using a parameter commonly referred to as the temperature). This provides a straightforward privacy tuning parameter, allowing for the release of synthetic tweet corpora with different amounts of utility and risk.
The rest of this paper is organized as follows. Section 2 formally defines our risk and utility measures. Section 3 details our neural synthesis method and prior methods of redaction and iterative translation. Section 4 provides a thorough experiment evaluating the risk and utility offered by different methods on a real Twitter dataset. Section 5 gives a discussion of our results and conclusions.
2 Problem Formulation
We wish to release a protected version of an original tweet corpus, and we evaluate different methods of doing so based on empirical measures of risk and utility. We define the risk of such a release as the identifiability of the individuals in the data. We define the utility by the preservation of research value as compared with the original data. In the following sections, we precisely detail how we measure each of these values. These metrics are used for our experimental evaluation in Section 4.
2.1 Re-identification attack model
Assuming the released tweet corpus is “anonymized”, i.e., the real usernames are removed and replaced with an anonymous identifier to connect all of a user’s tweets in the corpus, identification can still occur through a stylometric attack, which links publicly available texts known to be composed by the users in the corpus. We assume the tweets do not contain metadata, which would need to be protected by additional methods. We emulate a stylometric attack by using an approach akin to that of Narayanan et al. (2012) and Almishari et al. (2014). We assume a release dataset, , and an attack dataset, , with matching sets of users, . For each user in and , there are a set of corresponding tweets:
The attacker who wishes to identify users in collects , which has labeled tweets for the users of interest. In a realistic scenario, the attacker likely does not know the exact set of users in the target data (or is not interested in disclosing all of their identities), but by assuming the user sets of and
are the same, we place an upper bound on the attacker’s knowledge of users in the release data. This allows us to estimate the identification percentage across all users in the sample.
|Feature Set||Description||# Features|
|Uni-grams||Count of all lemmatized uni-grams that occur in at least|
|two tweets and in no more than 50% of the tweets||100,959|
|Bi-grams||Count of all lemmatized bi-grams that occur in at least two|
|tweets and in no more than 50% of the tweets||349,853|
|Almishari et. al (2014)||Char-Uni-grams||26|
|Narayanan et. al (2012)||Tweet word length, Tweet character length, Vocabulary richness,|
|Word shape, Word length, Char-Uni-grams, Number of|
|punctuation characters, Number of digits, Number of|
|special characters (non-ascii characters), Number of|
|function words, Syntactic category pairs||387|
For each user in
, we train a classifier onto predict each user versus all other users, resulting in trained classifiers. We utilize a variety of feature sets for this classification task, so we are testing the risk from multiple different attacks. Table 1 displays the five different feature sets used for the attack models. We use the uni-grams and bi-grams as simple common sense feature sets, and we use the feature sets from Almishari et al. (2014) and Narayanan et al. (2012) because they were both shown to perform quite well for re-identification.
For each of these feature sets, we try four classifiers: regularized least squares (RLSC), support vector machines (SVM), naive Bayes (NB), and k-nearest neighbors (KNN). These models were used in eitherNarayanan et al. (2012) or Almishari et al. (2014). For RLSC, SVM, and KNN, we use row and feature normalization following Narayanan et al. (2012). As with the feature sets, it is highly likely an attacker would try multiple different classifiers to achieve re-identification, so we test multiple models in order to calculate an estimate of the risk under different attacks.
For each classifier and feature set trained on , we test using the data in , producing a probabilistic ranking of user matches from highest to lowest. Our overall identification risk can be summarized as the percentage of users with correct matches in the top (e.g. 1, 5, 10) most likely users. For example, if is 1, this is the percentage of most likely users based on our classifier which match the true identity. We also fix the number of test samples for each user () in at 99 tweets in order to have comparable testing sets for each user. As suggested by Narayanan et al. (2012) we collapse the feature vectors for each user in to the mean for testing. This allows us to gain a single ranking of user classifications rather than a set for each tweet. We do not collapse feature vectors during training, except in the case of the KNN, where we collapse vectors to the centroid for each user to improve computational ability.
2.2 Evaluating research utility
We measure the utility or usefulness of the released tweet corpus in two ways: (1) the similarity of word distributions and (2) similarity of results from commonly used text analyses. These values are compared to the baseline, i.e., the original, unaltered data, since the maximal utility would come from a researcher having access to the original tweets.
For distributional similarity, we use the cosine similarity of the uni-grams and bi-grams between the original and each altered corpus, defined as:
where and are term frequency vectors, either of uni-grams or bi-grams, for a given user in the original and the altered corpus. Because the data has user labels, we calculate the similarity for each user and take the average across all users as our utility measure. We do this because each user in the corpus may have specific interests or ways of communicating, which a researcher would want to utilize. Our protection method should preserve not only the overall word distribution, but it should preserve each user’s distribution as well. The cosine similarity takes values between 0 and 1, and an average user cosine similarity closer to 1 implies the protection method has better preserved the overall language of each user.
For model-specific assessment, we consider the results from two common types of analyses. The first is classification task to predict tweets that reference the band “One Direction”, either by name (‘one direction’), hashtag (‘#onedirection’) or handle (‘@onedirection’). This target was chosen due to the relatively high incidence rate (
) compared to other terms. We label tweets with these references and train a model on the original corpus to predict the label given the rest of the terms in the tweet. Using cross-validation we get a baseline estimate of the out-of-sample F1-score, which combines precision and recall:
We then test the cross-validated model on each protected dataset to get F1-scores for each of the altered corpora. We expect the perturbation, either from redaction, translation, or synthesis to decrease the accuracy of the model. Generally speaking, the better the release data maintains the feature distribution of the baseline data, the closer the resulting F1-score should be to the baseline F1-score. Another way to think about this is that if the altered corpus carried the same distributional properties as the original corpus, we would expect similar performance on a test set to that of cross-validation.
For the second model-specific measure, we analyze how well the different protection methods preserve sentiment by user, using the “Vader” sentiment model, specifically developed to measure sentiment in social media data; Hutto and Gilbert (2014). For each release corpus, we generate a vector of user sentiment scores, representing the average compound sentiment (across tweets) for each user. The utility measure is then the cosine similarity between the vector for each release and the baseline’s vector. While this is similar in nature to the general word distribution measures, building sentiment models is a very common analysis task using Twitter data. If we were working with numerical data this would be similar to comparing the covariance matrices versus comparing a specific regression model. While the former tells us overall how the datasets compare, the second gives us a specific insight into how the protection methods affect our inference models. Before moving to the empirical evaluation, we detail our proposed protection method in the next section.
3 Protection methods
3.1 Synthetic Data Models for Privacy Protection
The concept of synthetic data originated out of the multiple imputation literature, seeRubin (1993)
, based on the simple concept of drawing new “samples” from a Bayesian posterior predictive distribution (BPPD) to release in place of the original data. If modeled well, synthetic data capture distributional aspects of the original data resulting in high utility, and none of the values are the original ones ensuring low risk. For general background and further readings seeRaghunathan et al. (2003); Reiter (2003, 2005); Reiter and Kinney (2012); Drechsler (2011); Raab et al. (2017).
Traditional synthetic data is unfortunately not realistic in the scenario we present in this paper. These generative models are either approximated jointly or using fully conditional sequential models. Both in terms of producing accurate synthetic data and running the computation in reasonable time, neither of these present a viable option for unstructured text data. For example, a standard synthesis method for our dataset would require estimating a Multinomial distribution with over 40,000 parameters at a minimum.
As current synthesis methods do not exist to handle this type of data, we propose a neural-based approach to address this problem. Specifically, to avoid paying a high cost in fitting models that scale poorly to high-dimensional data, we take advantage of a specific class of neural architectures known as recurrent neural networks (RNNs), which are powerful function approximators, seeGoodfellow et al. (2014); Chung et al. (2015); Sønderby et al. (2016), that process data sequentially and share parameters efficiently through a recursive formulation. This is ideal for text because we can efficiently approximate models that take sequence into account, which is crucial for modeling grammar and syntactic structure in language. In addition, we can take advantage of recent advances in GP-GPU hardware used in speeding up the many matrix operations that underly inference and training in neural networks.
3.2 A Multi-User Conditional Synthesis Model
We aim to model the unknown data generating process underlying an observed tweet corpus, , conditioned on the set of users, . To do this conditioning, we propose a structural modification to the standard recurrent neural architecture. We allocate a set of parameters to model user-specific information and a set of parameters that contain input symbol information, and, to better capture information over long sequences, we integrate a longer-term memory mechanism into the model’s hidden state function by creating a model based on the Differential State Framework proposed in Ororbia II et al. (2017)
. This model we will call the multi-user Delta-RNN. Along with this model, we explore in our experiments this same structural modification applied to more standard RNN models that also fall under this framework, yielding the multi-user Gated Recurrent Unit (GRU) and the multi-user Elman RNN.
In order to build a generative model, we need to break our unstructured text into a set of features. Rather than utilize a common Bag-of-Words (BOW) representation of our data, which leads to several hundreds of thousands of features, we use a character level feature set, which results in a dramatically smaller dimensionality. We can produce sensible text using character features, since these models take sequence into account. The character set we use includes the 26 standard characters of the alphabet and the integers as well as punctuation and other non-standard symbols, such as emoticons (or emojis). Synthesizing a tweet involves sampling the learned model’s output to generate a sequence of characters until a certain stopping criterion is reached. In our case a sequence is continuously generated until either a simple end-token, e.g., , is generated or an upper bound on the character limit is reached (this is particularly useful for Twitter data, which caps the total characters at 140 in our corpus).
One key feature of the architectures we develop is that they capture the dependence between documents generated for the same user. Formally, given a finite dictionary of characters , we assume that for input sequences the distribution of interest is , where is a 1-of- encoding of a character at time indexed in ,111Note that, in line with the literature, we refer to the position of a character in a sequence or document as temporal information. is the historical context—that is, earlier characters in the sequence—preceding the current character of length and is the index of the user to be associated with this encoded character. By learning a good generative model for this conditional distribution, we can generate valid character sequence samples representative of specific target users. In the architecture proposed in this paper, this can be easily done by feeding a 1-of- encoding of the user index.
In order to ultimately generate sequences of characters, our recurrent neural architectures specifically learn to approximate . This learning procedure entails processing two parallel streams of encodings–a stream of characters and a corresponding stream of user indices (injectively mapped). The model predicts the characters at time conditional on past characters in the sequence and the user for which the document is generated. This is achieved by using a vector summary of the past (i.e., the last hidden state ), the currently observed token at , and knowledge of the current user (also a 1-of-k binary encoding corresponding to the user ). The task is to fit this model to the target corpus that we want to synthesize.
In contrast to building a separate model for each user in the data-set, our model shares its “language model” parameters across the multiple views of the data, motivated by the design of the hybrid architectures of Ororbia II et al. (2015, 2015a, 2015b) or the log-linear models of Le and Mikolov (2014). In this way, we may construct a single model that efficiently learns user-specific parameters (contained within a single matrix) jointly with the general language model parameters (which aggregates across users). This process emulates the sharing of parameters in more classical hierarchical models.
Interestingly enough, our specialized neural architecture also addresses a recent problem found in neural conversation agents;Vinyals and Le (2015). This issue centers around “coherence”, where a trained neural model has no sense of identity or self (even at the crudest level). For example, if asked the question, “Are you married?”, the model responds with “No!”, but when followed up with the question “What is your wife’s name?”, the model might respond with, “Cynthia”. While this issue is more prominent in sequence-to-sequence modeling tasks (as in question-answering, dialogue modeling), we also argue that in synthetic data-generation, where samples often come with meta-data, having a model that preserves local information, such as user identity, is crucial. We note that other work has attempted to address the coherence/consistency problem in neural models; Sordoni et al. (2015); Li et al. (2016). However, our approach is notably simpler in representing user-local information and differs in problem context compared to sequence-to-sequence mapping models.
Formally, we write the model parameters (biases have been omitted for clarity). For the multi-user Elman RNN, we calculate hidden and output states via the following equations:
is the one-hot encoding of a user indexand
are the activation functions for input-to-hidden and hidden-to-output layers respectively. The architecture specified by the above equations, unfolded over time, is shown in Figure1. A more powerful variation of the multi-user structure presented above is what we call the multi-user Delta-RNN. This model is defined by the following set of equations:
where means elementwise multiplication and
is the interpolation gate that the model uses to control how much new information from text at any time step is mixed into the slowly-changing hidden memory state;Ororbia II et al. (2017). In Appendix 6, we give specifications for regularizing these models through layer normalization Ba et al. (2016), as well as a description of the third model, the multi-user GRU.
For we choose to parametrize the posterior as a maximum-entropy classifier, defined as follows:
, the temperature meta-parameter, controls the smoothness of the output probability distribution. Whenis increased (i.e., ), the output classes tend towards equal probabilities, yielding more uniform samples , increasing the risk of mistakes but lowering the probability of generating text snippets similar to the original text. Lowering (i.e., ) sharpens the posterior distribution, making the probability of the target class, the class to which the model attributes highest probability, closer to 1. This means that the model will be more driven by the frequently observed terms from the original data for each user, but its samples will be made with higher confidence. At too low of temperatures we may only obtain high-frequency samples, chopping off the tail of the observed distribution of characters. We expect that raising the temperature will lower the distributional similarity of users to the original data (harming utility), but will lower the identification risk.
Parameters of the model are fit to the data via stochastic gradient descent using truncated back-propagation through time to calculate parameter gradients, whereis used to control the length of the window, or number of steps back in time. The objective is to minimize the negative log likelihood of the predictive posterior over the sequence as follows:
To generate samples from the neural model, we simply make use of the model’s efficient inference procedure, similar to that in Graves (2013). Specifically, by clamping the input units corresponding to a desired target user index and feeding in a “null” vector (or vector of all zeroes) as initial input, we may sample from its output probabilities and ultimately generate synthetic symbol sequences for individuals by feeding in a sample of model’s predicted output back in as input for the next step.
3.3 Previous protection methods
Two other protections method were applied to the release data set, redaction, and iterative translation. For redaction, we simply removed all hashtags and handles present in the corpus, assuming that many users frequently repeat hashtags and handles which makes these features best used for identifying a user. The iterative translation was based on Mack et al. (2015) and worked by first translating the original (redacted) corpus into Arabic and then back into English using the Google Translate API222cloud.google.com/translate. Arabic was chosen because it was found to offer the highest level of protection in Mack et al. (2015). The translation was performed on top of the redacted data because the hashtags and handles would likely not change through the translation process.
Our experimental dataset consists of tweets collected by Barbera and Bølstad (2016) for a study on German Twitter users. Twitter users were randomly sampled by generating uniformly random Twitter IDs and selecting based on profile-level selection criteria. We subset the data selecting only tweets classified as English by Twitter’s language detection algorithm. We then divided the corpus into two parts, as described in Section 2.1. The attack dataset, , contained 386,684 tweets across 627 users and the release dataset, , contained 62,073 tweets across the same 627 users.
4.2 Experimental Design
We produced 15 total neural generated synthetic datasets using three model variations and five temperature settings as described in Section 3.2. The three variations of our neural synthesis model were the Elman RNN, the Delta-RNN, and the GRU. We optimized parameters through stochastic gradient descent using the ADAM Kingma and Ba (2014) adaptive learning rate scheme, and a step size of
was found to be sufficient in preliminary experiments. All models were trained for 150 epochs, with updates calculated using mini-batches of 32 samples. Since these tweets are bounded by the 140 character limit, we were able to use full back-propagation through time without any truncation. Regularization consisted of layer normalization;Ba et al. (2016). See Appendix 6 for technical details of these model architectures. For each of the three models, we produced synthetic corpora for each of the temperatures: .
The re-identification risk was estimated following the stylometric attack models given in Section 2.1. There are five feature sets and four classification models, resulting in a total of 20 risk estimates. The utility was estimated using the four measures detailed in Section 2.2
. The two general measures were average user uni-gram and bi-gram cosine similarity between the baseline data and each altered dataset, with a high similarity implying most users have similar word distributions between the baseline and altered datasets. The two model-specific measures were a classification task to predict a reference to the band “One Direction” and a sentiment analysis task. High utility implied similarity of classification or sentiment between the original and synthesized corpora.
4.3 Experimental Results
Considering the stylometric attack results on the baseline data, we find that the bi-gram features show the best performance across the five feature sets, and for that feature set the SVM model performed the best (highest percentage of users identified as top 1 most likely in the baseline). Using the bi-gram SVM, the true user was correctly identified as the most likely candidate for 82% of users. This shows a very significant risk of re-identification in the unaltered data. These re-identification levels are comparable to previous work; Narayanan et al. (2012); Almishari et al. (2014).
Figure 2 shows the risk results for the baseline, redacted, translated, and the three neural models at temperature 1, for each of the four attack models using the bi-gram feature set. The plots show the percentage of users correctly identified in the top predicted users. We see that for three of the four attack models, the classifiers do quite well at identifying the true user among the most likely. All of the protection methods decrease the risk, but they do so at varying levels. The Elman RNN models has the lowest risk, while either the redacted or GRU have the highest risk out of the set of protection methods. A full plot of the 20 risk results (5 feature sets x 4 models) is shown in Figure 3.
We visualize the risk along with the utility results by using the standard risk-utility mapping, shown in Figure 4 (full results also given in Table 2). Each plot in the figure shows a risk-utility map for one of our four utility measures. In all cases, utility ranges from zero to one with zero being the lowest utility and one being the highest. Similarly, risk ranges from zero to one with zero being the lowest risk and one being the highest. We expect methods to move roughly along a curve from the bottom left corner (no utility, no risk) to the top right corner (all utility, all risk). We use the baseline original corpus release as the standard for maximal utility and maximal risk. And as expected, the baseline resides generally in the top right corner of the risk-utility maps. Figure 4 also shows the neural syntheses for each of the five temperatures, plotted on curves as the temperature changes. We see that, apart from a couple exceptions, as the temperature shrinks both the risk and utility increase. This confirms our expectation that the temperature acts as a risk-utility tuning parameter.
The neural syntheses perform quite well for the classification utility task (first panel), while the redacted and translated sit well below the neural curves, implying a better risk-utility trade-off from the neural methods. At very low temperatures the risk still decreases but the utility actually improves, moving the line towards the top left corner. While this is only one example, this is a very promising result. Both the redaction and translation methods perform well on the sentiment task (second panel), sitting above the curves formed by the neural syntheses. Overall every method offers very high utility, so the sentiment task gives us less ability to differentiate between the protection methods.
|Synthetic Delta-RNN (0.25)||0.54||0.59||0.82||0.48||0.83|
|Synthetic Delta-RNN (0.5)||0.56||0.59||0.90||0.56||0.89|
|Synthetic Delta-RNN (1)||0.44||0.51||0.93||0.55||0.91|
|Synthetic Delta-RNN (1.5)||0.18||0.30||0.85||0.39||0.87|
|Synthetic Delta-RNN (1.75)||0.08||0.23||0.78||0.31||0.85|
|Synthetic GRU (0.25)||0.55||0.64||0.83||0.42||0.82|
|Synthetic GRU (0.5)||0.59||0.59||0.90||0.53||0.91|
|Synthetic GRU (1.5)||0.40||0.51||0.90||0.49||0.91|
|Synthetic GRU (1.75)||0.30||0.47||0.88||0.44||0.91|
|Synthetic GRU (1)||0.53||0.58||0.93||0.56||0.93|
|Synthetic RNN (0.25)||0.37||0.63||0.64||0.33||0.75|
|Synthetic RNN (0.5)||0.38||0.54||0.77||0.45||0.81|
|Synthetic RNN (1)||0.31||0.39||0.91||0.48||0.87|
|Synthetic RNN (1.5)||0.15||0.17||0.81||0.33||0.80|
|Synthetic RNN (1.75)||0.10||0.07||0.74||0.26||0.71|
For the uni-grams similarity (third panel), the redacted and translation methods fall below the line formed by the neural methods, which implies they offer a worse risk-utility trade-off. For the bi-grams similarity (fourth panel), the translation approach is comparable to the neural methods while the redacted sits above the line. For both general utility measures, the Delta-RNN has the highest curve, offering the best risk-utility trade-off.
For the sentiment, uni-grams, and bi-grams we see that both risk and utility increase as the temperature decreases until the temperature gets very small (0.25). This phenomenon is because at lower temperatures the models start chopping off more from the tails of the user word distributions. This implies both lower risk due to the increased rarity of identifying words and also lower utility due to less distributional similarity.
At lower temperatures the more frequently observed terms are more likely to be generated, thus producing tweets that look more like the original language. Table 3 shows example tweets from the Delta-RNN for each of the temperatures. It is easy to see that the tweets become less like actual English at higher temperatures (though some may wonder if Twitter is ever actual English). Particularly the spelling, since we build character-level models, and the grammar get noticeably worse at higher temperatures. These results show how the temperature parameter can be used as a tool to control the amount of noise introduced into the release data and enables the user to actively control the risk-utility trade-off. This possibility makes the neural protection methods attractive in comparison to the translation and redaction methods that do not allow such flexibility in the choice of trade-off.
This paper presents a novel method using neural models for reducing the risk from stylometric attacks on text data while preserving the original language. We show that a more informed risk-utility trade-off is possible over previous methods such as redaction and translation. Particularly we find that the neural methods can reduce the risk far beyond the other methods, at some cost of utility. In some cases, such as uni-gram distributions or the classification task, the neural methods offered a better trade-off, while in the case of bi-grams or the sentiment task they did not.
When using the temperature (of the output distribution) as a “knob” to control the risk and utility, the neural models allow us to set the appropriate levels. Redaction on the other hand, while maintaining high utility, allowed over 50% re-identification of the users which may be unacceptably high. By testing a variety of attack models and feature sets, we showed that our protection methods are robust to more than one attack. In particular, we found a similar level of re-identification risk for the baseline corpus as was shown in previous papers, validating our stylometric attack models.
The use of temperature to control the risk and utility should be further explored in future work. Additionally, we see a different curve for the temperature when using different models. For example, the GRU carried higher risk even for higher temperatures, whereas the Delta-RNN and RNN changed quite a bit as the temperature lowered. In all cases, the desired risk-utility trade-off is important, and giving a range of output possibilities is key. In application, a data provider would need to assess the desired levels of risk and utility and would need tools to match these levels.
In order to further improve the performance of the neural synthesis models proposed in this paper, future work should include reformulating our models such that neural variational inference Kingma and Welling (2013) is employed. This would facilitate the learning of richer probabilistic language models that might capture yet more complex features of the original corpora distributions one might want to synthesize. Furthermore, operating under such a Bayesian framework would allow us to easily integrate better text-specific prior distributions, such as the piecewise-constant distribution Serban et al. (2017), easing the learning of difficult, multi-modal distributions.
- Almishari et al. (2014) Almishari, M., D. Kaafar, E. Oguz, and G. Tsudik (2014). Stylometric linkability of tweets. In Proceedings of the 13th Workshop on Privacy in the Electronic Society, pp. 205–208. ACM.
- Ba et al. (2016) Ba, J. L., J. R. Kiros, and G. E. Hinton (2016). Layer normalization. arXiv preprint arXiv:1607.06450.
- Barbera and Bølstad (2016) Barbera, P. and J. Bølstad (2016). Are governments more responsive to voters in issues they own? a comparative study of the quality of political representation using social media data. Presented at Polmeth 2016.
et al. (2003)
Bengio, Y., R. Ducharme, P. Vincent, and C. Jauvin (2003).
A neural probabilistic language model.
Journal of machine learning research3(Feb), 1137–1155.
- Burnap and Williams (2015) Burnap, P. and M. L. Williams (2015). Cyber hate speech on twitter: An application of machine classification and statistical modeling for policy and decision making. Policy & Internet 7(2), 223–242.
- Caliskan and Greenstadt (2012) Caliskan, A. and R. Greenstadt (2012). Translate once, translate twice, translate thrice and attribute: Identifying authors and machine translation tools in translated text. In Semantic Computing (ICSC), 2012 IEEE Sixth International Conference on, pp. 121–125. IEEE.
- Caliskan-Islam et al. (2015) Caliskan-Islam, A., F. Yamaguchi, E. Dauber, R. Harang, K. Rieck, R. Greenstadt, and A. Narayanan (2015). When coding style survives compilation: De-anonymizing programmers from executable binaries. arXiv preprint arXiv:1512.08546.
- Chung et al. (2015) Chung, J., K. Kastner, L. Dinh, K. Goel, A. C. Courville, and Y. Bengio (2015). A recurrent latent variable model for sequential data. In Advances in neural information processing systems, pp. 2980–2988.
- Drechsler (2011) Drechsler, J. (2011). Synthetic Data Sets for Statistical Disclosure Control. New York: Springer.
- Duncan et al. (2001) Duncan, G. T., S. A. Keller-McNulty, and S. L. Stokes (2001). Disclosure risk vs. data utility: The ru confidentiality map. In Chance. Citeseer.
- Goodfellow et al. (2014) Goodfellow, I., J. Pouget-Abadie, M. Mirza, B. Xu, D. Warde-Farley, S. Ozair, A. Courville, and Y. Bengio (2014). Generative adversarial nets. In Advances in Neural Information Processing Systems, pp. 2672–2680.
- Graves (2013) Graves, A. (2013). Generating sequences with recurrent neural networks. arXiv:1308.0850 [cs].
- Hutto and Gilbert (2014) Hutto, C. J. and E. Gilbert (2014). Vader: A parsimonious rule-based model for sentiment analysis of social media text. In Eighth international AAAI conference on weblogs and social media.
- Kacmarcik and Gamon (2006) Kacmarcik, G. and M. Gamon (2006). Obfuscating document stylometry to preserve author anonymity. In Proceedings of the COLING/ACL on Main conference poster sessions, pp. 444–451. Association for Computational Linguistics.
- Kingma and Ba (2014) Kingma, D. and J. Ba (2014). Adam: A method for stochastic optimization. arXiv preprint arXiv:1412.6980.
- Kingma and Welling (2013) Kingma, D. P. and M. Welling (2013). Auto-encoding variational bayes. arXiv preprint arXiv:1312.6114.
- Le and Mikolov (2014) Le, Q. V. and T. Mikolov (2014). Distributed representations of sentences and documents. arXiv preprint arXiv:1405.4053.
- LeCun et al. (2012) LeCun, Y. A., L. Bottou, G. B. Orr, and K.-R. Müller (2012). Efficient backprop. In Neural networks: Tricks of the trade, pp. 9–48. Springer.
- Li et al. (2016) Li, J., M. Galley, C. Brockett, J. Gao, and B. Dolan (2016). A persona-based neural conversation model. arXiv:1603.06155 [cs].
- Mack et al. (2015) Mack, N., J. Bowers, H. Williams, G. Dozier, and J. Shelton (2015). The best way to a strong defense is a strong offense: Mitigating deanonymization attacks via iterative language translation. International Journal of Machine Learning and Computing 5(5), 409.
- Mikolov et al. (2010) Mikolov, T., M. Karafiát, L. Burget, J. Cernockỳ, and S. Khudanpur (2010). Recurrent neural network based language model. In Interspeech, Volume 2, pp. 3.
- Mosteller and Wallace (1964) Mosteller, F. and D. Wallace (1964). Inference and disputed authorship: The federalist.
- Narayanan et al. (2012) Narayanan, A., H. Paskov, N. Z. Gong, J. Bethencourt, E. Stefanov, E. C. R. Shin, and D. Song (2012). On the feasibility of internet-scale author identification. In Security and Privacy (SP), 2012 IEEE Symposium on, pp. 300–314. IEEE.
- Ororbia II et al. (2015a) Ororbia II, A. G., C. L. Giles, and D. Reitter (2015a). Learning a deep hybrid model for semi-supervised text classification. In Empirical Methods in Natural Language Processing. Curran Associates.
- Ororbia II et al. (2015b) Ororbia II, A. G., C. L. Giles, and D. Reitter (2015b). Online semi-supervised learning with deep hybrid boltzmann machines and denoising autoencoders. arXiv preprint arXiv:1511.06964.
- Ororbia II et al. (2017) Ororbia II, A. G., T. Mikolov, and D. Reitter (2017). Learning simpler language models with the differential state framework. Neural Computation.
- Ororbia II et al. (2015) Ororbia II, A. G., D. Reitter, J. Wu, and C. L. Giles (2015). Online learning of deep hybrid architectures for semi-supervised categorization. In Machine Learning and Knowledge Discovery in Databases (Proceedings, ECML PKDD 2015), Volume 9284 of Lecture Notes in Computer Science, pp. 516–532. Porto, Portugal: Springer.
- Raab et al. (2017) Raab, G. M., B. Nowok, and C. Dibben (2017). Practical data synthesis for large samples. Journal of Privacy and Confidentiality 7(3), 4.
- Raghunathan et al. (2003) Raghunathan, T. E., J. P. Reiter, and D. B. Rubin (2003). Multiple imputation for statistical disclosure limitation. Journal of Official Statistics 19(1), 1–17.
- Rao et al. (2000) Rao, J. R., P. Rohatgi, et al. (2000). Can pseudonymity really guarantee privacy? In USENIX Security Symposium, pp. 85–96.
- Reiter (2003) Reiter, J. P. (2003). Inference for partially synthetic, public use microdata sets. Survey Methodology 21, 181–188.
- Reiter (2005) Reiter, J. P. (2005). Using cart to generate partially synthetic public use microdata. Journal of Official Statistics 21(3), 441.
- Reiter and Kinney (2012) Reiter, J. P. and S. K. Kinney (2012). Inferentially valid, partially synthetic data: Generating from posterior predictive distributions not necessary. Journal of Official Statistics 28(4), 583–590.
- Rivers and Lewis (2014) Rivers, C. M. and B. L. Lewis (2014). Ethical research standards in a world of big data. F1000Research 3.
- Rubin (1993) Rubin, D. B. (1993). Discussion: Statistical disclosure limitation. Journal of Official Statistics 9(2), 461–8.
- Serban et al. (2017) Serban, I. V., A. Ororbia II, J. Pineau, and A. Courville (2017). Piecewise latent variables for neural variational text processing. In Proceedings of the 2nd Workshop on Structured Prediction for Natural Language Processing, pp. 52–62.
Sønderby et al. (2016)
Sønderby, C. K., T. Raiko, L. Maaløe, S. K. Sønderby, and O. Winther
Ladder variational autoencoders.In Advances in Neural Information Processing Systems, pp. 3738–3746.
- Sordoni et al. (2015) Sordoni, A., M. Galley, M. Auli, C. Brockett, Y. Ji, M. Mitchell, J.-Y. Nie, J. Gao, and B. Dolan (2015). A neural network approach to context-sensitive generation of conversational responses. arXiv:1506.06714 [cs].
- Sutskever et al. (2014) Sutskever, I., O. Vinyals, and Q. V. Le (2014). Sequence to sequence learning with neural networks. In Advances in neural information processing systems, pp. 3104–3112.
- Tromble et al. (2017) Tromble, R., A. Storz, and D. Stockmann (2017). We don’t know what we don’t know: When and how the use of twitter’s public apis biases scientific inference. https://static1.squarespace.com/static/57efc8e020099ef24d19f28a/t/5a1f0bfaf9619ac246332767/1511984124823/Tromble+et+alaccessed on 05/24/2018.
- Twitter (2015) Twitter (2015). Developer agreement. https://developer.twitter.com/en/developer-terms/agreement-and-policy.
- Vinyals and Le (2015) Vinyals, O. and Q.~Le (2015). A neural conversational model. arXiv preprint arXiv:1506.05869.
- Williams et~al. (2017) Williams, M.~L., P.~Burnap, and L.~Sloan (2017). Towards an ethical framework for publishing twitter data in social research: Taking into account users’ views, online context and algorithmic estimation. Sociology, 0038038517708140.
- Zimmer (2010) Zimmer, M. (2010). “but the data is already public”: on the ethics of research in facebook. Ethics and information technology~12(4), 313–325.
6 Appendix: Model Details
In this appendix, we describe in detail, for reproducibility, the variations of the conditional synthesis model trained in this study. Both models have been shown to be special cases that can be derived from the Differential State Framework Ororbia II et al. (2017).
Layer normalization Ba et al. (2016), as applied to a linear pre-activation , is defined simply as follows:
where (the scale) and (the shift) are learnable parameters. denotes the Hadamard product.
6.1 The Multi-User Delta-RNN
While a simple RNN usually requires the layer normalization to be applied after calculating the full linear pre-activation (a sum of the filtration and the projected data point), a Delta-RNN requires further care to ensure the correct components are normalized without damaging the favorable properties inherent to its multiplicative gating.
In this paper, we set , the identity, and , the hyperbolic tangent, scaled optimally according to LeCun et al. (2012). Note, that unlike Ororbia II et al. (2017), each specific pre-activation term no longer requires the original biases or scales due to the use of layer normalization. Since the Delta-RNN takes advantage of parameter-sharing, it requires substantially fewer layer normalizations than the GRU model, described next.
6.2 The Multi-User Gated Recurrent Unit
The GRU variant of our synthesis model is defined as follows:
The architecture requires considerably more layer normalization operations than the Delta-RNN (and thus many more scale and shift vector biases). This is due to the fact that the GRU requires computing many variations of the linear pre-activations in order to make use of its various gates.