Diferent metrics have been proposed to organize available privacy measures [ 20, 21 ]. Wagner and Eckhof [ 20 ] systematically classified over eighty privacy metrics, ofering a comprehensive framework for assessing privacy across diferent domains, e.g., communication, databases, and social networks. The survey highlights the significance of identifying the specific aspect of privacy that a metric aims to quantify, suggesting nine guiding aspects for selecting the appropriate privacy measures. Specifically, the authors stress the importance of considering the adversary’s knowledge and capability when evaluating privacy. In addition, Sousa and Kern [ 21 ] described how diferent mechanisms developed for NLP tasks provide privacy for textual data and which can be the threats in such scenarios. Moreover, Habernal [ 22 ] discussed the importance of not relying strictly on formal analysis of DP and its application on NLP tasks but to push research towards concrete measurements of the privacy provided to texts.

Traditional methods for evaluating privacy primarily focus on estimating the failure rates of obfuscation mechanisms [ 12 ] or assessing the similarities between original and obfuscated texts [ 23, 11 ]. On the one hand, uncertainty measures such as and [ 24, 25 ] estimate the probability that a term remains unchanged after obfuscation and the minimum cardinality of the set of words to which is mapped by the mechanism, respectively. However, such measures do not capture if the mechanism changes the original term with a closely related one. On the other hand, the similarity between the original and obfuscated texts is commonly estimated using metrics like the Jaccard index or cosine similarity between sentence embeddings computed by a Transformer, drawing inspiration from the use of BERTScores used to assess the quality of generated texts [ 14 ]. Meisenbacher et al. [ 23 ] proposed the -PUC score to compute an -weighted mean between uncertainty, similarity measures, and utility preserved. This score is tuned by the tuning parameter , which adjusts the focus on utility or privacy, allowing the user to decide whether to prioritize the former or the latter. However, none of the above measures ofer insights into the actual privacy aforded to the texts, nor do they assess the adversarial potential to infer the original meaning of the obfuscated text. Specifically, previous studies [ 26 ] criticized the reliance on formal privacy analysis solely based on the privacy budget parameter. DP mechanisms employing configurations where > 1 lack a comprehensive analysis of actual privacy guarantees, raising concerns about the suficiency of privacy protection methods employed1. In addition, Damie et al. [ 5 ] introduced a novel indicator to assess the risk of successful query recovery attacks within searchable encryption protocols. The study revealed that, even without additional background knowledge, an adversary can obtain the original queries with a success rate of 85%, encouraging analysis of privacy measures employed considering real attack scenarios.

The research community has widely studied application of privacy measure when performing NLP and IR tasks [ 27, 28, 29 ]. The scenario discussed in this study assumes that the users are willingly paying part of the utility during the document retrieval phase to defend the privacy of their search activity with the Information Retrieval system. The system is considered non-cooperative, as it does not actively contribute to protecting user privacy, e.g., it does not provide any private online API to mask the information need of the user. Figure 1 illustrates the general query obfuscation protocol, the focus of application of QuIPU in IR [ 11, 30 ]. The process considers two distinct domains: on the user (safe) side, the original query is generated by the user and privatized using an obfuscation mechanism, i.e., an algorithm that, given an original sensitive query , generates non-sensitive obfuscated queries that (theoretically) prevent the unveiling of the original information need. These obfuscated queries are sent to the IR system without explicitly disclosing their information need, after the initial obfuscation process. During this step, the user sets the parameters, i.e., formal privacy guarantees, considering the utility lost on the tasks [ 31, 32 ]. On the (unsafe) IR system side, relevant documents are retrieved by the “honest” system considering the obfuscated queries received, thus putting such documents on a lower rank. Finally, the documents are returned to the users for the post-processing described above. To prevent a “curious” IR system from discovering the actual query, the obfuscation methods employed are divided into two families of mechanisms, either based on heuristics or -DP.

Heuristics Obfuscation. To protect privacy in IR tasks, non-formal obfuscation methods were proposed [ 6, 7 ]. Arampatzis et al. [ 6 ] employed the WordNet [ 33 ] database to replace original terms within the query using synonyms, hypernyms, and holonyms. The obfuscation was performed based 1The DP configurations with > 1 deviate from the “theoretically secure” privacy setting, i.e., strong assurance about the formal privacy introduced, see DP definition [ 8 ]. on a hierarchical degree, i.e., the level parameter, aligned with the desired obfuscation the user aims to achieve. Such an approach was further extended by Fröbe et al. [ 7 ]. More in detail, the obfuscation approach retrieves locally the top- documents from a local corpus. Then, using a sliding window, the sequences of terms within such documents are taken as candidate obfuscation queries, removing those queries that contain synonyms and holonyms. Using the top- documents retrieved locally as pseudo-relevant, the queries submitted are the ones that achieve the higher nDCG.

Diferential Privacy ( DP) Obfuscation. Dwork et al. [ 8 ] introduced the -DP framework to formalize the privacy guarantees when releasing data. Given a privacy budget ∈ R+, and any pair of neighbouring datasets , ′, i.e., datasets that difer for only one entry, an obfuscation mechanism ℳ is DP if it holds the inequality Pr [ℳ() ∈ ] ≤ · Pr [ℳ(′) ∈ ] ∀ ⊂ Im(ℳ). DP introduces calibrated noise levels during output computation using the privacy budget , which controls the balance between data privacy and utility. The adoption of the DP framework for metric spaces, and therefore for NLP tasks, has been proposed in [ 34 ]. Metric-DP extends the traditional DP definition by ensuring that the probability of obfuscating two distinct points , ′ is proportional to the distance (, ′) between them. The DP formal framework has enabled the privacy research community to propose diferent strategies based on noisy sampling [ 35, 36, 37, 30 ] and perturbed word embeddings [ 24, 25, 38 ].

In this scenario, the adversary is represented by the IR system, which aims to understand the original user information need. In the query obfuscation protocol, the sweet spot for inferring the original queries is represented by the ones the system receives. The mechanism parameters, e.g., the privacy budget parameter of the DP obfuscation mechanisms, do not guarantee with absolute certainty that the original text is changed (or changed enough). Therefore, such queries may cause a leakage of the real information need. In addition, for the same parameters, diferent obfuscation strategies may produce texts with diferent obfuscation degrees. For instance, the efect of the parameter depends on the specific mechanism used [ 39, 40]. As a result, two DP mechanisms (one embedding-perturbation based and the other sampling-based) are both parametrized with = 3 and could lead to a situation where one method achieves an actual obfuscation while the other achieves only formal obfuscation. Therefore, the IR system aims to extract as much information as possible from the received queries, previously obfuscated on the user side, using this knowledge to infer the real text.

Consequently, the threat of a successful query inference stems not only from the obfuscation failure of the mechanism but also from the additional knowledge about the queries possessed by the adversary. The IR system might exploit its queries from the logs [41, 42]: by producing a classification on the information needs carried by the obfuscated queries received and the information in its logs, it aims to improve the chances of a correct guess of the original user query. Note that if the original query is not an extremely long tail one, it is reasonable to assume that the original information need has been previously submitted to the IR system, and thus, the attack can succeed with high probability.

Finally, a critical remark must be made regarding using cryptographic primitives in the protocol of the scenario we are analysing. Eavesdroppers or man-in-the-middle adversaries do not significantly threaten the user or the system. Cryptography can be employed while exchanging queries and documents between the client, i.e., the user, and server, i.e., the IR system, ensuring confidentiality among the internal parties of the protocol and security against external auditors. However, confidentiality does not imply privacy: if the IR system aims to disclose the user’s original query, cryptography techniques alone are insuficient to safeguard privacy concerning an internal adversary.

Privacy is strictly linked with the definition of risk [ 44], i.e., the possibility that an action or event generates consequences that have an impact on what users value, in this scenario, disclosing sensitive information. The higher the risk, the lower the privacy. For example, DP obfuscation mechanisms ofer the possibility that privacy and utility can be balanced by tuning the privacy budget . However, the framework does not provide any assurance against inference attacks [45]. To overcome this limitation, we need a formal definition of the risk against inference in the obfuscation protocol. After the QuIA algorithm has returned the ranked list ℒ, the IR system is tasked to guess the original query. This inference is based on the computed ranking, which considers the similarities between the obfuscated queries received (potentially leaking information) and the system’s query logs (auxiliary knowledge for a correct guess of the original user query). At this point, the IR system strategy to guess the correct query is sequential: knowing that the first query is the most similar to the average information need carried by the obfuscated queries, it represents the best choice for the guess. If the first query in the logs ℒ is the correct query, the attack is successful, and there is a 100% risk of correct inference. On the other hand, if the first one is not the correct guess, the adversary tries with the second query in the list, and so on, until the original query is guessed, decreasing the risk of success. Therefore, the risk of 2 (obf) , (logs) indicate the sets of text embeddings, and with (′), () the singular vector embedding of the queries. successful QuIA in guesses can be defined as the probability that the IR system correctly guesses ¯ as the original query , seeing the sets obf and logs, i.e., = P ︀[ {¯= } ∩ { ≤ } |obf, logs︀] , with the maximum number of guessing attempts the IR system is willing to take. The upper bound for the value of is determined by the size of the set logs. However, determining the precise threshold and assessing the risk the user faces is impossible without access to the IR system’s internal data and kind of attack. Therefore, we propose to model the malicious IR system with three kinds of attackers, representing relevant use cases: i) the “lazy” attacker, i.e., the one that looks only at the top position of the ranked list ℒ and makes only one guess; ii) the “active” attacker, i.e., an adversary that selects the top- queries and checks only with them if the guess is correct; and iii) the “motivated” attacker, i.e., the one that tries all the queries until the original one has been found. To model the probability of the risk a user faces against each of such attackers, we propose to use proxy indicators computed on where the original query appears in the ranked list ℒ: Precision at 1 ( @1) for the lazy attacker, Recall at (@) for the active attacker, and Reciprocal Rank (RR) for the motivated attacker.

Drawing inspiration from the usual ROC AUC, Figure 2 illustrates the evaluation plane that links the risk of a successful QuIA and the utility measure considering a set of queries obf() – an efectiveness measure such as nDCG in the IR case – obfuscated by a certain formal parameter – the parameter in case of DP. In the risk-utility plane, the Risk-Utility Boundary line, i.e., the diagonal, describes two regions where the risk-utility trend (, ) can be: i) above the line indicates that the utility exceeds the risk , and ii) below the line, where is less than . Therefore, the QuIPU score in Equation 1 considers the pairs (, ) estimated by submitting the set of obfuscated queries obf().

QuIPU = 2(+ + − ) = 2 ∫︁ (, ) + 2 ∫︁ (, )

(1) + − where represents an infinitesimal variation on the Risk-Utility Boundary line, and the factor 2 is introduced to map the score from [︀ − 2 2

1 , 1 ]︀ to [ − 1, 1 ] interval. The integrals are calculated with respect to the diagonal of the plane, such that regions where the curve lies below this diagonal, i.e., − , are assigned negative values, indicating that the risk is greater than the utility . Conversely, positive values are computed for regions where the utility exceeds the risk , i.e., +.

In Figure 2, four points are defined. The No Utility Point shows when the risk and utility are reduced to 0. It depicts the situation where the obfuscation mechanism fully modifies the original query, completely stopping a QuIA. However, the user completely renounces the efectiveness of the task, i.e., the submitted queries failed to retrieve any relevant documents. The No Privacy Point illustrates the efect of not using the obfuscation protocol. The queries are not obfuscated, meaning the original query is fully exposed to the IR system, resulting in 100% risk. Yet, utility is fully achieved, as the system uses the original query to retrieve the full list of relevant documents. Finally, the Optimal Point and the Trash Point present the best and worst cases theoretically obtainable. In the first, the obfuscation mechanism provides complete protection against Query Inference attacks, i.e., 0% of risk, maintaining maximum utility. The user’s information need are entirely met during the retrieval without exposing any information about the original query. The second is the opposite of the optimal point, i.e., the mechanism neither obfuscates the query nor can these queries retrieve any relevant documents. This case can happen in a “fully-dishonest” scenario, a.e., a phishing IR system [46].

We test the QuIPU framework on three diferent TREC collections: Deep Learning (DL’19) [ 47] and Deep Learning (DL’20) [48], based on the MS MARCO passages corpus, containing 43 and 54 queries respectively, and the Robust ’04 (Robust ’04) [49] which relies on disks 4 and 5 of the TIPSTER corpus and contains 249 queries. As obfuscation mechanisms, we consider those available in the pyPANTERA framework [50], i.e., CMP, Mahalanobis, their Vickrey Variants, CusText, SanText, TEM, and WBB. As privacy budget , we followed the parametrization reported in the original papers, which is also the one used by the pyPANTERA package and other recent experiments [ 11 ]. In detail, we select ∈ {1, 5, 10, 12.5, 15, 17.5, 20, 25, 30, 50}. The heuristics obfuscation mechanisms, i.e., AEA [ 6 ] and FEA [ 7 ], using diferent synonyms levels {3, 4, 5}, and sliding windows sizes {12, 14, 16}, respectively. We generated 50 obfuscation variants for each query and mechanism configuration. Finally, the IR system used as re-ranker in the post-retrieval phase of the protocol is the neural dense model Contriever, as used in [ 11, 30 ]. The honest aspect of the IR system, i.e., the part that performs the document retrieval task, is also the Contriever model while, the curious part of the system uses as encoder model distilbert-base-uncased [51].We use two models for the tasks to obtain unbiased results, in line with [ 11, 30 ]. To simulate a realistic scenario for the curious IR to perform the QuIA, we use as query logs the AOL collection4 from which 750k queries were selected and added to the original ones.

The traditional privacy analysis evaluates the utility as a function of the formal privacy parameters, e.g., . Figure 3 reports the results of the nDCG@10 vs the formal privacy parameters on the three diferent collections analysed. Note that the x-axis, representing the PrivacyParameter, considers both the values for the parameter of the DP mechanisms and the parameters of the heuristics [ 6, 7 ]. From this traditional perspective, it emerges that with lower values of the privacy parameters, mechanisms based on a DP strategy, like TEM or SanText, achieve higher efectiveness for low values of the privacy parameter . On the other hand, obfuscation mechanisms based on the embedding obfuscation strategies perform with high efectiveness only if the formal parameter is high. Finally, the Heuristics show high nDCG@10 for AEA and the worst results for the FEA mechanism. These results show a misleading sense of privacy: high results do not imply actual privacy, i.e., the submitted queries are the originals.

Table 1 reports the QuIPU scores obtained analysing the Risk vs. Utility on each set of obfuscated queries of the collections. The results show three distinct patterns that can be traced back to the three diferent obfuscation strategies. The Sampling-based mechanisms show weaker defences against the three attackers, and especially against the “active” one, i.e., QuIPU score more negative. In contrast, the Embedding Perturbation mechanisms are designed to protect user information from attackers, yielding higher QuIPU scores even against a “motivated” attacker. This suggests that, when using as DP obfuscation mechanisms, if the user wants to achieve strong actual privacy guarantees against the QuIA, it should select an obfuscation relying on changing the word embeddings of the queries. Finally, the heuristics strategies obtain a null QuIPU score due to the stable risk and utility achieved. FEA reaches a slightly positive QuIPU score against the three attackers, implying that it is impractical for an attacker to guess the original query even if “motivated” to do so.