ER-AE: Differentially Private Text Generation for Authorship Anonymization

Most privacy protection studies for textual data focus on removing explicit sensitive identifiers. However, personal writing style, a strong indicator of authorship, is often neglected. Recent studies, such as SynTF, have shown promising results on privacy-preserving text mining. However, their anonymization algorithms can only output numeric term vectors that are difficult for recipients to interpret. We propose a novel text generation model with a two-set exponential mechanism for authorship anonymization. By augmenting the semantic information through a REINFORCE training reward function, the model can generate differentially private text that is semantically close and grammatically similar to the original text while removing personal traits of the writing style. It does not assume any conditioning labels or parallel text data for training. We evaluate the performance of the proposed model on a real-life peer review dataset and the Yelp review dataset. The results suggest that our model outperforms the state of the art on semantic preservation, authorship obfuscation, and stylometric transformation.


Introduction
Privacy has become a vital issue in online data gathering and public data release. Various machine learning models and privacy preservation algorithms have been studied for relational data (Johnson et al., 2018), network graph data (Chen et al., 2014), and transactional data (Li et al., 2012). Some of them have been successfully adopted in real-life applications such as telemetry collection (Cortés et al., 2016). However, studies on privacy protection for textual data are still preliminary. Most related works only focus on replacing the sensitive key phrases in the text (Vasudevan and John, 2014) without considering the author's writing style, which is indeed a strong indicator of a person's identity. Even though some textual data, such as double-blind academic reviews, is released anonymously, adversaries may recover the author's identity using the personal traits in writing. Stylometric techniques (Koppel et al., 2011) can identify the author of a text among 10,000 candidates. They are effective across online posts, articles, emails, and reviews (Ding et al., 2015, 2017). Nevertheless, traditional text sanitization methods (Narayanan and Shmatikov, 2008) focus on anonymizing the contents, such as patient information, instead of the writing style, so they are ineffective against writing style analysis. The original author can be easily re-identified even if protected by these traditional approaches (Iqbal et al., 2008, 2010, 2013; Schmid et al., 2015).
Only a few recent studies focus on authorship anonymization, aiming to hide the personal traits of writing style in the given textual data. Anonymouth (McDonald et al., 2012) is a semi-automatic framework that offers suggestions to users to change their writing style. Yet, this framework is not practical since it requires two reference datasets to compare the change in writing style, and the user has to make all the final modification decisions. SynTF (Weggenmann and Kerschbaum, 2018) represents a line of research that protects the privacy of the numeric vector representation of textual data. It adopts the exponential mechanism for a privacy guarantee, but the output is only an opaque term frequency vector, not interpretable text in natural language. Furthermore, its token substitution approach does not consider grammatical correctness or semantics.
Style transfer is another line of research that tries to generate text with controllable attributes (Shen et al., 2017; Hu et al., 2017; Sennrich et al., 2016). Representative models (Hu et al., 2017) can control the sentiment and tense of the generated text. However, they do not modify the personal traits in writing. Their applications on sentiment and word reordering correspond to the content of the text more than the writing style. We argue that their definition of styles, such as sentiment or tense, is different from the personal linguistic writing characteristics that raise privacy concerns. A4NT (Shetty et al., 2018) is a generative neural network that sanitizes the writing style of the input text. However, it requires text samples to be labeled with known author identities, so it is not applicable to many textual data publishing scenarios. Additionally, according to the samples provided in the paper, it has difficulty preserving the semantic meaning between the original and the generated text. Without using any privacy model, A4NT does not provide any privacy guarantee.
To address the aforementioned issues, we propose an Embedding Reward Auto-Encoder (ER-AE) to generate differentially private text. Relying on differential privacy, it protects the author's identity through text indistinguishability without assuming any specific labels, any parallel data, or any attacker model. It guards the privacy of the data against the worst information disclosure scenario. ER-AE receives the original text as input and generates a new text using the two-set exponential mechanism. We propose a REINFORCE (Sutton et al., 2000) embedding reward function to augment the semantic information during the text generation process. The model keeps the generated text semantically and sentimentally close to the original while providing a guarantee that one can hardly recover the original author's identity. Unlike the aforementioned authorship anonymization works, ER-AE produces human-friendly text in natural language. Our key contributions are summarized as follows:
• The first differentially private authorship anonymization model that generates human-friendly text in natural language instead of a numeric vector.
• A novel two-set exponential mechanism that overcomes the large output space issue while producing meaningful results.
• A novel combination of a differential privacy mechanism with a sequential text generator, providing a privacy guarantee through the sampling process.
• A new REINFORCE reward function that augments the semantic information with external knowledge, enabling better preservation of semantic similarity in the data synthesis process.
• Comprehensive evaluations on two real-life datasets, namely NeurIPS & ICLR peer reviews and Yelp product reviews, showing that ER-AE is effective at obfuscating the writing style, anonymizing the authorship, and preserving the semantics of the original text. All the source code and data are publicly accessible for reproducibility and transferability.
Related Work

Differential Privacy. Recently, differential privacy has received a lot of attention in the machine learning community. The deep private auto-encoder (Phan et al., 2016) is designed to preserve the privacy of the training data; its purpose is to guarantee that publishing the trained model does not reveal the privacy of individual records. Our purpose is different: we publish the differentially private data generated by the model, rather than the model itself. Most existing models for differentially private data release, such as Chen et al. (2014), focus on types of data other than text. One recent work (Weggenmann and Kerschbaum, 2018) aims to protect privacy in text data using the exponential mechanism. However, it releases term frequency vectors instead of readable text, which limits the utility of the published data to applications that use term frequency as features. In contrast, our goal is to generate differentially private text in natural language without compromising individual privacy.
Writing Style Transfer. Studies on writing style transfer try to change the writing style of a text according to a given target author. Shetty et al. (2018) design a GAN to transfer Obama's text into Trump's style. A sequence-to-sequence (seq2seq) model is proposed by Jhamtani et al. (2017) to transfer modern English into Shakespearean English. Shen et al. (2017) design a model with a cross-alignment method to control the text sentiment while preserving semantics. These models can also be applied to writing style anonymization. However, these studies require the data to be labeled with authorship identity and assume a fixed number of known authors. In contrast, our model does not assume any label information.
Writing Style Obfuscation. Writing style obfuscation studies try to hide the identity of an author. Anonymouth (McDonald et al., 2012) is a tool that utilizes JStylo to generate writing attributes. It gives users suggestions on how they can anonymize their text according to two reference datasets. Kacmarcik and Gamon (2006) also propose a similar architecture to anonymize text. However, instead of directly changing the text, these approaches all work on the term frequency vector, whose real-life utility is limited. Compared with semi-automatic methods that require users to make the final decisions, our approach provides an end-to-end solution that directly learns from data.

Preliminaries and Problem Definition
Adjacency is a key notion in differential privacy. One commonly used adjacency definition is that two datasets D_1 and D_2 are adjacent if D_2 can be obtained by modifying one record in D_1 (Dwork et al., 2010). Differential privacy (Dwork et al., 2006) is a framework that provides a rigorous privacy guarantee on a dataset. It demands inherent randomness of a sanitization algorithm or generation function:

Definition 1. Differential Privacy. Two datasets are considered adjacent if they differ in only a single element. Let the privacy budget ε > 0, let A : D^n → Z be a randomized algorithm, and let im(A) be the image of A. The algorithm A is said to preserve ε-differential privacy if for any two adjacent datasets D_1, D_2 ∈ D^n and for any possible set of outputs Z ⊆ im(A):

Pr[A(D_1) ∈ Z] ≤ exp(ε) × Pr[A(D_2) ∈ Z]

It guarantees that the result of a given algorithm A is not sensitive to a change of any individual record in D. ε denotes the privacy budget, the allowed degree of sensitivity. A large ε implies a higher risk to privacy. However, ε is a relative value that implies different degrees of risk in different problems (Weggenmann and Kerschbaum, 2018). Some studies (Sala et al., 2011) use a large ε, while others (Chen et al., 2014) use a smaller value.
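As a concrete illustration of Definition 1 (not from the paper), the sketch below checks the ε-DP inequality for randomized response, a textbook mechanism over a single bit; the function names and the truth probability are illustrative.

```python
import math

def randomized_response_dist(bit, p_truth):
    # Report the true bit with probability p_truth, the flipped bit otherwise.
    return {bit: p_truth, 1 - bit: 1 - p_truth}

def satisfies_dp(dist1, dist2, eps, tol=1e-12):
    # Definition 1: Pr[A(D1) = z] <= exp(eps) * Pr[A(D2) = z] for every output z.
    # `tol` absorbs floating-point rounding in the boundary case.
    return all(dist1[z] <= math.exp(eps) * dist2[z] + tol for z in dist1)

p = 0.75                     # answer truthfully 75% of the time
eps = math.log(p / (1 - p))  # randomized response is ln(p/(1-p))-DP
d0 = randomized_response_dist(0, p)  # adjacent "datasets": one bit, 0 vs 1
d1 = randomized_response_dist(1, p)
print(satisfies_dp(d0, d1, eps), satisfies_dp(d1, d0, eps))
```

The bound is tight here: the ratio of probabilities on the most distinguishing output is exactly exp(ε).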
Adversary Scenario. In an authorship identification problem, one generally assumes that the attacker holds an anonymous text authored by one of the suspects in the dataset. The attacker aims to infer the true author of the anonymous text based on a set of reference texts from each suspect. However, this scenario assumes certain information about the applicable dataset, such as author labels and the number of reference text samples. Therefore, following Weggenmann and Kerschbaum (2018), we define any two pieces of text as adjacent datasets.
Adjacency. Any two pieces of text can be considered adjacent in the strictest scenario that datasets D 1 and D 2 both have only one record, and D 2 can be obtained by editing one record in D 1 following Definition 1. With differential privacy, we can have text indistinguishability: one cannot distinguish the identity of any text to another. In our case, the identity of a text corresponds to the author who wrote the text. Along with this, the attacker would fail in the original authorship identification scenario since the anonymous text is indistinguishable from the rest of the dataset.
Our definition follows Weggenmann and Kerschbaum (2018)'s idea, leading to the strictest and most conservative definition of adjacency.
Definition 2. Differentially Private Text Generation. Let D denote a dataset that contains a set of texts, where x ∈ D is one of them. The length |x| of each text is bounded by l. Given D with a privacy budget ε, for each x the model generates another text x̂_dp that satisfies ε·l-differential privacy.
Following the above definitions, any two datasets that contain only one record are probabilistically indistinguishable w.r.t. a privacy budget ε. This directly protects the identity of an individual record, regardless of whether some of the records belong to the same author. It assumes that every record is authored by a different author, which is the strictest situation. Technically, the proposed text generation approach protects the writing style by reorganizing the text and replacing tokens with differently spelled ones, removing the lexical, syntactical, and idiosyncratic features of the given text. The above definition is based on SynTF (Weggenmann and Kerschbaum, 2018), but our target is readable text rather than numeric vectors, which is more challenging.

Figure 1 depicts the overall architecture of our proposed ER-AE model, which consists of an encoder and a generator. The encoder receives a sequence of tokens as input and generates a latent vector to represent the semantic features. The generator, incorporated with the two-set exponential mechanism, produces differentially private text according to the latent vector. ER-AE is trained by combining a reconstruction loss function and a novel embedding loss function.

Algorithm 1 Generation Procedure of ER-AE
Input: Text: x; Parameters: θ; Encoder: E_θ(·); Generator: G_θ(·); Privacy budget: ε.
Produce the latent vector: E_θ(x).
for i = 1 to l do
    Apply the two-set exponential mechanism to choose a token set T_i.
    Randomly sample the new i-th token from T_i: x̂_dp[i].
end for
Output: Differentially private text: x̂_dp.
Our ER-AE model starts with a basic sequence-to-sequence (seq2seq) auto-encoder structure. Given a text x, its tokens x_1 . . . x_l are first converted into a sequence of embedding vectors Em(x_1) . . . Em(x_l) by Em : V → R^{m_1}, where V is the vocabulary of the dataset and m_1 is the embedding dimension. On top, we apply a bi-directional recurrent neural network with Gated Recurrent Units (GRU) (Cho et al., 2014) that leverages both forward and backward information. GRU achieves performance comparable to LSTM with less computational overhead (Cho et al., 2014). Then, the final state vectors from both directions, s_f and s_b, are concatenated and linearly transformed into a latent vector E(x), where m is the hidden state dimension of the GRU.
The generator is another recurrent neural network with GRU. It generates text token by token. For each timestamp i, it calculates a logit weight z_{iv} for every candidate token v ∈ V, conditioned on the latent vector, the last original token x_{i-1}, and the last hidden state s_{i-1} of the GRU.
Let x̂_i denote the random variable for the generated token at timestamp i. Its probability mass function is proportional to each candidate token's weight z_{iv}, modeled through a typical softmax function:

Pr[x̂_i = v] = exp(z_{iv}) / Σ_{v'∈V} exp(z_{iv'})   (2)

For each timestamp i, a typical seq2seq model generates text by applying argmax_{v∈V} Pr[x̂_i = v]. However, this process does not protect the privacy of the original data.
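A minimal sketch of the softmax in Eq. 2 and of the difference between deterministic argmax decoding and stochastic sampling (the logits here are made up, not the trained generator's weights):

```python
import math, random

def softmax(logits):
    # Numerically stable softmax: Pr[token v] is proportional to exp(z_v).
    m = max(logits)
    exps = [math.exp(z - m) for z in logits]
    total = sum(exps)
    return [e / total for e in exps]

vocab = ["good", "great", "nice", "terrible"]
logits = [2.0, 1.5, 1.2, -3.0]   # hypothetical generator weights z_iv
probs = softmax(logits)

argmax_token = vocab[probs.index(max(probs))]            # deterministic decoding
sampled_token = random.choices(vocab, weights=probs)[0]  # stochastic decoding
print(argmax_token)
```

Argmax always returns the single top-ranked token, which is what the differentially private sampler in the next section replaces with a randomized choice.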

Differentially Private Text Sampling with Two-Set Exponential Mechanism
To protect an individual's privacy and hide the authorship of the original input text, we couple a differential privacy mechanism with the above sampling process in the generator. The exponential mechanism (McSherry and Talwar, 2007) can be applied to both numeric and categorical data (Fernandes et al., 2018). It is effective in various sampling processes for discrete data. It guarantees privacy protection by injecting noise into the sampling process:

Definition 3. Exponential Mechanism. Let M and N be two enumerable sets. Given a privacy budget ε > 0 and a rating function ρ : M × N → R, the probability density function of the random variable ε_{ε,ρ}(m) is:

Pr[ε_{ε,ρ}(m) = n] = exp(ε ρ(m, n) / (2Δ)) / Σ_{n'∈N} exp(ε ρ(m, n') / (2Δ))

where Δ, the sensitivity, is the maximum difference of rating function values between two adjacent datasets, and m ∈ M, n ∈ N.
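The exponential mechanism of Definition 3 can be sketched as follows; the candidate tokens and the rating function are hypothetical, standing in for the model's learned ρ.

```python
import math, random

def exponential_mechanism(candidates, rating, eps, sensitivity):
    # Pr[output = n] is proportional to exp(eps * rating(n) / (2 * sensitivity)).
    weights = [math.exp(eps * rating(n) / (2.0 * sensitivity)) for n in candidates]
    return random.choices(candidates, weights=weights)[0]

# Hypothetical example: rate candidate tokens by a precomputed quality score.
scores = {"good": 0.9, "great": 0.8, "nice": 0.7, "terrible": 0.0}
token = exponential_mechanism(list(scores), lambda n: scores[n], eps=3.0, sensitivity=1.0)
print(token)
```

Higher-rated tokens are exponentially more likely to be chosen, but every candidate retains nonzero probability, which is the source of the privacy guarantee.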
However, according to Weggenmann and Kerschbaum (2018), the exponential mechanism requires a large privacy budget to produce meaningful results when the output space is large, which in our case is the vocabulary size. It is nontrivial to randomly sample a good result directly among 20,000 candidates.
To tackle the large output space issue, inspired by the subsampled exponential mechanism (Lantz et al., 2015), we propose a two-set exponential mechanism to produce meaningful results with better privacy protection. Instead of using a data-independent distribution, we use a model-based distribution to generate subsets of tokens.
Definition 4. Two-Set Exponential Mechanism. Let V be an enumerable set of size s. Given the model-based probability Pr[v] of each item v ∈ V, an item set S of size k is built by repeatedly sampling proportionally to Pr[v] with replacement. The remaining items form the complement set S̄ = V \ S, and we let N = {S, S̄}. An item set C_dp is chosen from N through the exponential mechanism with a rating function ρ. Given ε > 0 and N ∈ N, the probability density function (PDF) of the random variable ε_{ε,ρ}(C) is:

Pr[ε_{ε,ρ}(C) = N] = exp(ε ρ(N) / (2Δ)) / Σ_{N'∈N} exp(ε ρ(N') / (2Δ))

After choosing the set C_dp, an item is randomly picked from the chosen set: v ~ Random(C_dp). Thus, given v, w ∈ V:

Pr[ε_{ε,ρ}(v) = w] = Σ_{N∈N : w∈N} Pr[ε_{ε,ρ}(C) = N] × 1/|N|

Theorem 1. Two-Set Exponential Mechanism. Given a privacy budget ε > 0 and an output space of size s, the two-set exponential mechanism is (ε + ln(s))-differentially private. (The proof is provided in Appendix B.)

By plugging this mechanism into our model, we obtain the probability mass function for ε_{ε,ρ_i}(x_i):

Pr[ε_{ε,ρ_i}(x_i) = tk]   (4)

This function models the disturbed probability distribution over all alternative tokens tk that can replace the original one. According to Theorem 1, sampling from ε_{ε,ρ_i}(x_i) at each timestamp i is (ε + ln(s))-differentially private. Recall that in Definition 2, the text length is bounded by l. To generate text x̂_dp, the generator samples a token for timestamp i from the chosen set T_i:

x̂_dp[i] ~ Random(T_i)   (5)

The composition theorem (Dwork et al., 2014) is an extension of differential privacy: repeating an ε-differentially private algorithm n times makes the complete process nε-differentially private. Algorithm 1 shows the differentially private text generation of ER-AE. As proved in Appendix A:

Theorem 2. Differentially Private Text Sampling. Given a privacy budget ε > 0 and a sequence length l > 0, the generator's sampling function in Eq. 5 is (ε + ln(s))·l-differentially private.
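A runnable sketch of the two-set mechanism in Definition 4; the vocabulary, model probabilities, and rating function below are toy stand-ins, since in ER-AE both come from the trained generator.

```python
import math, random

def two_set_exponential_mechanism(vocab, model_probs, rating, eps, k, sensitivity=1.0):
    # Step 1: build S by sampling k items proportionally to the model
    # probabilities (with replacement), then take the complement S_bar.
    s_set = set(random.choices(vocab, weights=model_probs, k=k))
    s_bar = [v for v in vocab if v not in s_set]
    candidates = [sorted(s_set), s_bar]
    # Step 2: choose one of the two sets via the exponential mechanism.
    weights = [math.exp(eps * rating(c) / (2.0 * sensitivity)) for c in candidates]
    chosen = random.choices(candidates, weights=weights)[0]
    # Step 3: pick an item uniformly at random from the chosen set.
    return random.choice(chosen)

vocab = ["good", "great", "nice", "fine", "terrible", "awful"]
model_probs = [0.4, 0.25, 0.2, 0.1, 0.03, 0.02]   # hypothetical generator output
rating = lambda c: sum(model_probs[vocab.index(v)] for v in c) / len(c)
token = two_set_exponential_mechanism(vocab, model_probs, rating, eps=3.0, k=3)
print(token)
```

The exponential mechanism now only decides between two sets rather than among s tokens, which is why a modest budget already concentrates probability on the model-preferred set.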

Initial Grammar and Semantic Preservation
To generate human-friendly text that is semantically close to the original, we need a high-quality rating function ρ_i for Eq. 4. This is achieved by training the ER-AE model's encoder to extract semantic information and its generator to learn the relationships among tokens for prediction. We follow an unsupervised learning approach since we do not assume any label information. First, we adopt the reconstruction loss function:

L_recon = − Σ_{x∈D} Σ_{i=1}^{|x|} log Pr[x̂_i = x_i]   (6)

It maximizes the probability of observing the original token x_i itself for the random variable x̂_i. In recent controllable text generation models, the reconstruction loss plays an important role in preserving the grammatical structure and semantics of the input data (Shetty et al., 2018) when combined with other losses.
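The reconstruction loss in Eq. 6 is an ordinary token-level negative log-likelihood; a minimal sketch with toy per-timestamp distributions in place of the model's softmax outputs:

```python
import math

def reconstruction_loss(token_probs, original_tokens):
    # Negative log-likelihood of the original tokens under the generator's
    # per-timestamp distributions Pr[x_hat_i = v].
    return -sum(math.log(token_probs[i][tok]) for i, tok in enumerate(original_tokens))

# Toy distributions for a 2-token text "great food".
probs = [
    {"great": 0.7, "good": 0.2, "bad": 0.1},
    {"food": 0.8, "meal": 0.15, "drink": 0.05},
]
loss = reconstruction_loss(probs, ["great", "food"])
print(round(loss, 4))  # -> 0.5798
```

Minimizing this loss pushes all probability mass toward the original tokens, which is precisely the behavior the embedding reward below is designed to counteract.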

REINFORCE Training for Semantic Augmentation
Diving into the optimization of the softmax function, the reconstruction loss above encourages the model to place a higher probability on the original token while ignoring the remaining candidates. It does not consider other tokens that may have a similar meaning in the given context. This issue significantly limits the variety of usable alternative tokens. Additionally, since this loss function relies on a single softmax function for multi-object learning, it cannot provide the expressiveness required by a language model (Yang et al., 2018). We inspected the candidates and found that, in most cases, only the top-ranked token fits the context. This is problematic because our sampling mechanism also relies on the other candidates to generate text. To address this issue, we propose a novel embedding reward function using pre-trained word embeddings. Word representation learning models show that the semantics of discrete text tokens can be embedded into a continuous latent vector space, and the distance between word embedding vectors can serve as a reference for measuring the similarity between words. To encourage our rating function ρ_i to learn richer and better substitute tokens, we propose a reward function that leverages semantics learned from another corpus. The text dataset to be anonymized and released can be small, and the extra semantic knowledge learned from another corpus provides an additional reference for our rating function. Inspired by the Policy Gradient loss function (Sutton et al., 2000), L_embed is:

L_embed = − Σ_{x∈D} Σ_{i=1}^{|x|} Σ_{w ∈ E_k(x_i) ∪ V_k} γ(w, x_i) × log Pr[x̂_i = w]

Generally, this reward function assigns credits to tokens that are under-rated by the reconstruction loss. Recall that D is the original dataset and x is one of its texts. At timestamp i, the reward function first assigns rewards to the top-k selected tokens, denoted as E_k(x_i), according to the probability estimates for the random variable x̂_i in Eq. 2.
The rewards are proportional to the tokens' semantic relationship to the original token x_i, defined as a function γ : V × V → R:

γ(w, v) = min(cos(Em(w), Em(v)), c)

where cos(·, ·) is the cosine similarity between pre-trained embeddings and c < 1 is a constant cap. The min function prevents the generator from focusing only on the original token. By assigning rewards to E_k(x_i), the function encourages other candidates with semantics close to the target one, but it may fail to reach infrequent tokens. Therefore, in the second part of the reward function, we encourage the model to explore less frequent tokens by randomly sampling candidates as V_k. This design balances exploitation (top-k) and exploration (V_k) in reinforcement learning.
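A sketch of a capped cosine-similarity reward consistent with the description of γ; the 3-d embeddings and the cap value 0.9 are assumptions for illustration, whereas the paper uses pre-trained BERT embeddings.

```python
import math

def cosine(u, v):
    # Standard cosine similarity between two dense vectors.
    dot = sum(a * b for a, b in zip(u, v))
    nu = math.sqrt(sum(a * a for a in u))
    nv = math.sqrt(sum(b * b for b in v))
    return dot / (nu * nv)

def gamma(w, v, embeddings, cap=0.9):
    # Reward capped at `cap` so the original token (similarity ~1.0) does not
    # dominate semantically close alternatives.
    return min(cosine(embeddings[w], embeddings[v]), cap)

# Toy 3-d embeddings standing in for pre-trained vectors.
emb = {"good": [1.0, 0.2, 0.0], "great": [0.9, 0.3, 0.1], "table": [0.0, 0.1, 1.0]}
print(gamma("good", "good", emb))  # -> 0.9, capped even though cos = 1.0
```

Without the cap, the token identical to the original would always receive the largest reward, collapsing the loss back toward the reconstruction behavior.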
During training, the model is first pre-trained by minimizing the reconstruction loss in Eq. 6 through the Adam optimizer, and the embedding reward loss is adopted later. The total loss is:

L = λ_recon × L_recon + λ_embed × L_embed   (8)

Specifically, the reconstruction loss leads the model to generate grammatically correct text, and the embedding reward loss encourages the model to focus more on semantically similar tokens. The balance between the two loss functions is controlled by λ_recon and λ_embed.

Experiment
All the experiments are carried out on a Windows Server equipped with two Xeon E5-2697 CPUs (36 cores), 384 GB of RAM, and four NVIDIA TITAN XP GPU cards. We evaluate ER-AE on two different datasets with respect to its effectiveness for privacy protection and utility preservation.
• Yelp Review Dataset: all the reviews and tips from the top 100 reviewers ranked by the number of published reviews and tips. It contains 76,241 reviews and 200,940 sentences from 100 authors.
• Academic Review Dataset: all the public reviews from NeurIPS (2013-2018) and ICLR (2017), based on the original data and the web crawler provided by Kang et al. (2018). It has 17,719 reviews and 268,253 sentences; the authorship of the reviews is unknown.
Each dataset is divided 70/10/20 into train/dev/evaluation splits. As mentioned in the related work discussion, most controllable text generation and style transfer studies rely on known authorship or other labels. Other generation models, such as paraphrasing models, hold an essentially different goal and cannot provide a privacy guarantee on the generated data, so they are not applicable to our problem. Therefore, we pick SynTF (Weggenmann and Kerschbaum, 2018) and the following generation and sampling models for evaluation:
• Random Replacement (Random-R): generates a new text by replacing each token with a substitution randomly picked from the vocabulary.
• AE with Differential Privacy (AE-DP): an extended version of the auto-encoder with the added two-set exponential mechanism for text generation. It does not include the embedding reward.
SynTF is a state-of-the-art generation model that satisfies the differential privacy property on textual data. The other two simple baselines serve ablation test purposes.
For ER-AE, we adopted a two-layer stacked GRU network for both the encoder and the generator, with 512 cells in each GRU layer. The vocabulary size is 20,000, built separately for each dataset. All the word embeddings in our model come from the pre-trained BERT embeddings provided by Devlin et al. (2019), with a dimension of 768 per embedding. The maximum input length of our model is 50, the learning rate is 0.001, the k for the embedding reward loss function is 5, λ_recon is 1, λ_embed is 0.5, and the batch size is 128. The k in the two-set exponential mechanism is 5. ER-AE is implemented in TensorFlow (Abadi et al., 2016) and uses the tokenizer in the NLTK library. Some traditional tricks for text generation, such as beam search, are not used because they are incompatible with differential privacy.

All the models are evaluated from three aspects:
• Semantic Preservation (USE): the Universal Sentence Embedding (USE) model from Google, which embeds a sentence into a latent vector that represents its semantics and is widely used for supervised NLP tasks such as sentiment analysis. We measure the degree of semantic preservation by the cosine similarity between the latent vector of the original text and that of the generated text.
• Privacy Protection (Authorship): a state-of-the-art authorship identification neural network model (Sari et al., 2017) that identifies the authorship of the generated text. The model is first trained on the training set, and its performance is evaluated on the testing set. The author's privacy is protected if s/he cannot be identified using authorship identification techniques.
• Stylometric Changes: well-established stylistic context-free features such as text length and the number of function words. We adopt Stylo-Matrix (Ding et al., 2017) for an aggregation of the features in Iqbal et al. (2013) and Zheng et al. (2006). The feature vector change is measured by the difference in L2 norm.

Table 4 samples (original input vs. generated text):

Input: the play place is pretty fun for the little ones .
Random-R: routing longtime 1887 somalia pretty anatomical shallow the dedicated drawer rosalie
AE-DP: employer play lancaster mute fish fun for wallace little chandler .
SynTF: conditioned unique catherine marquis governing skinny garment hu vivid . insists
ER-AE: the play place is pretty nice with the little ones !

Input: i also ordered a tamarind margarita and it was great .
Random-R: substantial char recommended excavation tamarind coil longitudinal recover verify great housed
AE-DP: intersection also ordered service tamarind drooling scratched denis monkfish motions .
SynTF: carnage spence unsigned also clinging said originated beacon liking strike accomplishments
ER-AE: i also requested a tamarind margarita and it were great .

Input: i 'm not complaining because you do get exactly what you pay for .
Random-R: substantial char recommended excavation tamarind coil longitudinal recover verify great housed
AE-DP: comic-book 'm not mins because you donnelly get exactly tenderloin nerves bottomless for aldo box
SynTF: leaf penetrated amounted jolted courageous socket fades unwilling tu judges regional numbering
ER-AE: i 'm not disappointing because you do make occult what you pay for .

Input: the manuscript is well written is provides good insight into the problem .
AE-DP: the fig2c is well l102-103 wish provides horseshoe insight into the problem compositionality
SynTF: ness voice incoming depending entrances somehow priscilla rows romantic oblivious mall
ER-AE: the manuscript is well edited has provides excellent insight into the problem .

Input: in particular , the generality of the approach is very well presented .
SynTF: wife pierced rotate specialist probe elects prussian beatty eccentric sweating .
ER-AE: in particular , this generality of an approach is very well written
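The stylometric-change metric can be sketched as an L2 distance between simple feature vectors; the two features below are illustrative, whereas Stylo-Matrix aggregates a much richer feature set.

```python
import math

FUNCTION_WORDS = {"the", "a", "an", "of", "and", "to", "is", "in", "for", "it"}

def stylometric_features(text):
    tokens = text.lower().split()
    # Two toy context-free features: text length and function-word count.
    return [len(tokens), sum(1 for t in tokens if t in FUNCTION_WORDS)]

def style_change(original, generated):
    # L2 norm of the difference between the two feature vectors.
    u = stylometric_features(original)
    v = stylometric_features(generated)
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(u, v)))

orig = "the play place is pretty fun for the little ones ."
gen = "the play place is pretty nice with the little ones !"
print(style_change(orig, gen))  # -> 1.0
```

A larger distance indicates a stronger departure from the author's original stylistic profile.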
Quantitative Evaluation (Table 1). With a low utility (USE) score of around 0.2 on both datasets, SynTF and Random-R generate grammatically incorrect text and completely change the meaning of the original. In contrast, ER-AE without semantic augmentation through REINFORCE training, denoted as AE-DP, achieves a much higher utility score of around 0.61. The full model ER-AE, with an ε of 3, achieves the highest utility score: 0.75 for Yelp reviews and 0.74 for peer reviews. AE-DP, SynTF, and ER-AE all significantly reduce the chance of a successful authorship identification attack from 55% to lower than 10% on the Yelp data, and introduce a variation in stylometric features of more than 10 in magnitude on the peer review dataset. They are all effective and competitive at removing personal writing traits from the text data, but as mentioned above, ER-AE achieves a much higher utility score. Although Random-R performs better on privacy protection, its generated texts are irrelevant to the original. Overall, with a competitive performance on anonymization, ER-AE performs significantly better than all of the other models on utility.
Impact of Embedding Reward. Table 2 shows that the embedding reward plays an important role in selecting semantically similar candidates for substitution. AE-DP assigns a large probability to the original token and tiny probabilities to the others. When the mechanism is applied, it is therefore more likely to pick a semantically irrelevant token. ER-AE shows a smoother distribution and assigns higher probabilities to top-ranked, semantically relevant tokens; its generated candidates are better.
Case Study. Table 4 shows that neither SynTF nor Random-R can generate human-friendly text. Due to the issue with the reconstruction loss function (Eq. 6), AE-DP cannot substitute tokens with semantically similar ones and destroys the semantic meaning. ER-AE, powered by the embedding reward, can substitute some tokens with semantically similar ones: "written" is replaced by "edited", and the whole sentence still makes sense. Besides, it can preserve the grammatical structure of the input. However, due to some missing information in the word embeddings, the model can fail to generate good candidates for sampling; the third sample replaces "exactly" with "occult". ER-AE still performs substantially better than the other models.
Utility vs. Privacy. The privacy budget ε controls the trade-off between privacy and utility. A larger ε implies better utility but less privacy protection. However, ε is a relative value that implies different degrees of risk in different problems (Weggenmann and Kerschbaum, 2018; Fernandes et al., 2018). As shown by Weggenmann and Kerschbaum (2018), a higher ε is intrinsically necessary for a large output space, in our case the vocabulary, to generate relevant text. In fact, we have already significantly reduced the optimal ε of 42.5 used by Weggenmann and Kerschbaum (2018) to around 13 on the same dataset. One possible way to lower the bound of ε is to directly factor authorship and utility, such as topics, into the privacy model. However, this limits the applicable datasets.
Exponential Mechanism vs. Two-Set Exponential Mechanism. In Table 3, we estimate the probability that a meaningful token (among the top 5 semantically similar tokens) is sampled, based on the intermediate probabilities in Table 2. Given a large output space of 20,000, the exponential mechanism is unlikely to sample a meaningful token, doing so with a probability of only 0.01%. The two-set exponential mechanism dramatically improves this from 0.01% to around 70%. Our generator thus has a much higher chance of generating meaningful results with a similar privacy budget.

Conclusion
In this paper, we propose a novel model, ER-AE, to protect an individual's privacy for text data release. We are among the first to fuse differential privacy mechanisms into the sequence generation process. We demonstrate the effectiveness of our model on the Yelp review dataset and the NeurIPS & ICLR peer review dataset. However, we also find that ER-AE does not perform well on long texts due to the privacy budget accounting issue. Our future research will focus on improving long-text generation with a better budget allocation scheme.

Ethical Considerations
Our model outperforms others on authorship obfuscation and semantic preservation. Similar to other text generation tools, this model may be abused to generate fake reviews, but this risk can be mitigated by fake review detection methods. This research work directly contributes to the area of privacy protection and indirectly promotes freedom of speech and freedom of expression in cyberspace.

A Proof of Differentially Private Text Sampling.
Proof. At the generation stage, for each timestamp i, our model generates a token by sampling from Eq. 5, which follows the form of the exponential mechanism. This process achieves (ε + ln(s))-differential privacy by Theorem 1. Every input of the generator comes from the original input data x_{i-1} (see Eq. 2), so Eq. 5 satisfies the sequential composition theorem. By repeating this process l times, the complete sampling function provides (ε + ln(s))·l-differential privacy; that is, x̂_dp is (ε + ln(s))·l-differentially private.
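The budget accounting in the proof is simple arithmetic. For illustration, plugging in the paper's settings of ε = 3, vocabulary size s = 20,000, and length bound l = 50:

```python
import math

def per_token_budget(eps, vocab_size):
    # Theorem 1: each two-set sample is (eps + ln(s))-differentially private.
    return eps + math.log(vocab_size)

def total_budget(eps, vocab_size, length):
    # Sequential composition over l timestamps multiplies the per-token budget.
    return per_token_budget(eps, vocab_size) * length

print(round(per_token_budget(3.0, 20000), 2))  # -> 12.9 per token
print(round(total_budget(3.0, 20000, 50), 1))
```

The per-token figure of about 12.9 matches the "around 13" effective budget discussed in the utility-vs-privacy section, and the multiplicative growth in l is the budget accounting issue noted for long texts in the conclusion.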
B Proof of Two-Set Exponential Mechanism.
Theorem 1 (restated). Two-Set Exponential Mechanism. Given a privacy budget ε > 0 and an output space of size s, the two-set exponential mechanism is (ε + ln(s))-differentially private.
Proof (sketch). For the first part, denoted P_S, with V of size s, dividing the numerator and the denominator by Pr[ε_{ε,ρ}(C) = S | tk ∈ S, x] · Pr[tk | S, tk ∈ S, x] bounds the ratio of output probabilities on two adjacent inputs by exp(ε) · s = exp(ε + ln(s)). Therefore, the two-set exponential mechanism satisfies (ε + ln(s))-differential privacy.