Content Anonymization for Privacy in Long-form Audio

Basic Information

• Paper ID: 2510.12780
• Title: Content Anonymization for Privacy in Long-form Audio
• Authors: Cristina Aggazzotti, Ashi Garg, Zexin Cai, Nicholas Andrews (Johns Hopkins University)
• Classification: cs.SD (Sound), cs.CL (Computational Linguistics)
• Publication Date: October 14, 2025 (arXiv preprint)
• Paper Link: https://arxiv.org/abs/2510.12780

Abstract

Existing speech anonymization techniques successfully conceal speaker acoustic identity in short, isolated utterances as demonstrated in benchmarks such as the VoicePrivacy Challenge. However, in practical applications, utterances rarely appear in isolation: long-form audio is prevalent in interviews, phone calls, and meetings. In these scenarios, multiple utterances from the same speaker are available, presenting greater privacy risks: attackers can re-identify individuals by exploiting their vocabulary, grammar, and expression patterns, even if their voice is completely disguised. To address this risk, this paper proposes novel content anonymization methods. The approach performs context-aware rewriting of transcribed text within an ASR-TTS pipeline to eliminate speaker-specific stylistic markers while preserving semantics. The research demonstrates the effectiveness of content-based attacks against anonymized speech in long-form telephone conversation settings, then shows how the proposed content-based anonymization methods mitigate this risk while maintaining speech utility.

Research Background and Motivation

Problem Definition

Existing speech anonymization techniques primarily focus on acoustic identity concealment at the individual utterance level but face significant challenges in long-form audio scenarios:

1. Prevalence of Long-form Audio: In practical applications such as interviews, phone calls, and meetings, audio typically contains multiple utterances from the same speaker
2. Linguistic Content as Biometric Side-channel: Attackers can exploit speaker-specific linguistic features including vocabulary choices, grammatical structures, and expression habits for identity recognition
3. Limitations of Existing Methods: Focus exclusively on acoustic signal anonymization while neglecting identity information embedded in linguistic content

Research Significance

• Privacy Protection Needs: With increasing applications of voice data, protecting speaker identity becomes increasingly critical
• Practical Application Scenarios: Existing benchmarks diverge from real-world applications, necessitating consideration of long-form audio characteristics
• Multi-modal Threats: Attackers may simultaneously exploit acoustic and linguistic features, requiring comprehensive protection

Limitations of Existing Approaches

1. Single-modality Protection: Addresses only acoustic features while ignoring linguistic content
2. Simplistic PII Handling: Removes only obvious personally identifiable information without addressing linguistic style
3. Utterance-level Processing: Lacks consideration of discourse structure in long-form audio

Core Contributions

1. First Systematic Study: First comprehensive evaluation of content-based attacks against speech anonymization in long-form audio
2. Context-aware Rewriting Method: Proposes multi-utterance joint rewriting technique using sliding windows that considers dialogue context
3. Privacy-Utility Trade-off Quantification: Quantifies the trade-off between privacy protection and utility using modern generative models and detection systems
4. Multi-model Comparison: Compares performance of API models (GPT-4o-mini, GPT-5) and local models (Gemma-3-4B)
5. Comprehensive Evaluation Framework: Establishes multi-dimensional evaluation system encompassing privacy protection, content fidelity, and audio naturalness

Methodology Details

Task Definition

Given long-form audio recording $X = (u_1, u_2, ..., u_N)$ from source speaker $s$, the objective is to produce anonymized version $X' = g(X)$ that cannot be attributed to $s$. Successful anonymization requires achieving Equal Error Rate (EER) of 50% (random guessing level) for attackers.

Model Architecture

ASR-TTS Anonymization Pipeline

1. ASR Stage: Transcribes raw audio to text using Whisper-medium
2. Content Anonymization Stage: Performs rewriting of transcribed text
3. TTS Stage: Synthesizes new speech using XTTS with pseudo-target speaker embeddings

Content Anonymization Methods

1. Utterance-level Rewriting (GPT-4o-mini)

• Processes each utterance independently
• Suitable for shorter utterance processing

2. Segment-level Rewriting (Gemma-3-4B, GPT-5)

• Processes text segments spanning multiple utterances (16 utterances or approximately 300 tokens)
• Captures and modifies broader discourse patterns
• Uses sliding window providing context (N=8 preceding utterances)

Rewriting Strategies

• PII Replacement: Substitutes personally identifiable information with fictional but gender-consistent alternatives
• Style Modification: Alters linguistic style to eliminate speaker-specific characteristics
• Length Adjustment: Compresses content and varies sentence length
• Context Awareness: Considers dialogue history during rewriting

Technical Innovations

1. Multi-utterance Joint Rewriting: Transcends traditional single-utterance processing limitations by considering discourse structure
2. Context Window Mechanism: Leverages dialogue history for more accurate rewriting
3. Localization Solutions: Provides privacy-preserving yet practical local model alternatives
4. Multi-dimensional Optimization: Simultaneously considers privacy protection, semantic fidelity, and detection evasion

Experimental Setup

Dataset

• Fisher Speech Corpus: Contains approximately 2000 hours of conversational telephone speech
• Experimental Configuration: Employs "difficult" setting (1944 trials)
  • Positive samples (959): Different topic conversations from same speaker
  • Negative samples (985): Same topic conversations from different speakers
• VoxCeleb2: Used for generating pseudo-target speaker embeddings

Evaluation Metrics

Privacy Protection Metrics

• Equal Error Rate (EER): Attackers' error rate in distinguishing same speaker from different speaker speech
• Target: EER = 50% (random guessing level)

Utility Metrics

• UTMOS: Automatically predicts speech naturalness score (1-5 scale)
• Semantic Similarity:
  • Greedy Alignment Score (GAS)
  • Dynamic Time Warping Similarity (DTW-Sim)

Detectability Metrics

• Synthetic Text Detection: Using Binoculars detector
• Synthetic Speech Detection: Using SSL-AASIST detector

Comparison Methods

1. Audio-only Anonymization: Standard ASR-TTS pipeline without content modification
2. Content-only Anonymization: Rewrites content while preserving original voice
3. Audio + Content Anonymization: Simultaneously performs content rewriting and voice anonymization

Attack Models

• Speech Attack: WavLM-Base speaker verification model
• Content Attack: LUAR (Learning Universal Authorship Representations) model

Experimental Results

Main Results

Privacy Protection Effectiveness

1. Content-based Attack Threats: As utterance count increases, content attack EER decreases from approximately 0.4 to 0.1, demonstrating linguistic content's identity recognition capability
2. Anonymization Effectiveness: All rewriting methods significantly increase EER, bringing content attacks close to random guessing level
3. Model Comparison: Segment-level rewriting (GPT-5, Gemma3-4B) proves more effective than utterance-level rewriting (GPT4o-mini)

Utility Preservation

1. Audio Naturalness: Anonymized speech achieves UTMOS score of 3.14, surpassing original recording's 2.09
2. Semantic Fidelity:
   • GPT-5: GAS=0.699, DTW-Sim=0.739
   • Gemma3-4B: GAS=0.648, DTW-Sim=0.582
   • GPT4o-mini: GAS=0.678, DTW-Sim=0.702

Ablation Studies

Rewriting Strategy Comparison

• Conservative Strategy (Gemma3-4Bc): Retains 50% of original utterances, lowest detection difficulty
• Complete Rewriting: Provides stronger privacy protection but slightly higher detectability

Detection Evasion Analysis

• Synthetic Speech Detection: More accurate than synthetic text detection, particularly with fewer utterances
• Re-transcription Effect: Re-transcription after synthesis naturally removes certain machine-generated text artifacts

Case Analysis

Experiments demonstrate that re-transcription through the ASR-TTS pipeline naturally removes certain machine-generated text characteristics, making final anonymized text more difficult to detect as artificially generated.

Related Work

Speech Anonymization

• VoicePrivacy Challenge: Primarily focuses on acoustic anonymization of short utterances
• Traditional Methods: kNN speech conversion, etc., perform well in single-utterance scenarios

Content Privacy

• PII Processing: Existing methods primarily address explicit identifiers such as names and locations
• Style Anonymization: Lacks systematic treatment of linguistic style characteristics

Authorship Identification

• Text Analysis: Based on vocabulary choices, grammar, and functional word usage
• Speech Transcription: Recent work demonstrates identity information in transcribed text

Conclusions and Discussion

Main Conclusions

1. Content Threats Are Real: Linguistic content in long-form audio constitutes significant privacy risk
2. Rewriting Protection Is Effective: LLM-based rewriting effectively defends against content attacks
3. Local Solutions Are Feasible: Small open-source models (Gemma-3-4B) approach API model performance
4. Utility Preservation Is Achievable: Maintains speech quality and semantic integrity while providing privacy protection

Limitations

1. ASR Error Propagation: Errors in ASR stage may affect final quality
2. Semantic Fidelity: Rewriting process may lose subtle semantic information or ironic tone
3. Attack Model Limitations: Primarily considers uninformed attackers; semi-informed attacks may be more effective
4. End-to-end Absence: Current methods rely on cascaded pipeline, lacking end-to-end solutions

Future Directions

1. End-to-end Models: Develop end-to-end systems jointly anonymizing speech and content
2. Robust Rewriting: Improve rewriting models' balance between semantic fidelity and style anonymization
3. Strong Attack Defense: Research protection strategies against semi-informed attackers
4. Real-time Processing: Develop efficient anonymization methods applicable to real-time scenarios

In-depth Evaluation

Strengths

1. Problem Importance: First systematic identification and resolution of content threats in long-form audio anonymization
2. Method Innovation: Proposes context-aware multi-utterance joint rewriting strategy
3. Experimental Sufficiency:
   • Multi-dimensional evaluation system (privacy, utility, detectability)
   • Comparison of multiple models and strategies
   • Validation on real datasets
4. Practical Value: Provides complete solutions from API models to local models
5. Research Rigor: Employs established attack models and evaluation protocols

Weaknesses

1. Single Dataset: Primarily validated on Fisher corpus, lacks cross-domain generalization verification
2. Attack Model Limitations: Does not consider stronger adaptive attacks or multi-modal attacks
3. Missing Computational Cost Analysis: Lacks detailed analysis of computational overhead for different methods
4. Absence of User Studies: Lacks subjective evaluation by real users on anonymization effectiveness
5. Long-term Security: Does not consider impact of advancing attack techniques on protection effectiveness

Impact

1. Academic Contribution:
   • Fills research gap in long-form audio anonymization
   • Establishes new evaluation paradigm and benchmark
   • Provides important foundation for subsequent research
2. Practical Value:
   • Provides practical privacy protection solutions for voice data processing
   • Has direct applicability in interviews, meeting recordings, etc.
   • Supports compliance with relevant privacy regulations
3. Reproducibility: Authors commit to open-sourcing code and prompts, facilitating research reproduction and extension

Applicable Scenarios

1. High-privacy Requirement Scenarios: Medical interviews, legal consultations, psychotherapy
2. Commercial Applications: Customer service calls, meeting record privacy protection
3. Research Data Sharing: Privacy-preserving release of speech corpora
4. Compliance Requirements: Meeting GDPR and other privacy regulation technical requirements

References

This paper cites 26 relevant references covering multiple domains including speech anonymization, content privacy, and authorship identification, providing solid theoretical foundation. Key references include VoicePrivacy Challenge-related work, LUAR authorship identification model, and recent speech anonymization technology advances.

Overall Assessment: This is a high-quality research paper that identifies and addresses an important problem in speech anonymization. The methodology is innovative, experiments are comprehensive, and results are convincing, with significant value for both academia and industry. Despite certain limitations, it opens new research directions for long-form audio privacy protection.