Beyond Pixels: Semantic-aware Typographic Attack for Geo-Privacy Protection

J. Doe, A. Smith, B. Johnson
Department of Computer Science, University of Technology, City, Country

Abstract

This paper introduces a novel semantic-aware typographic attack designed to enhance geo-privacy protection by making location information imperceptible to automated systems while remaining understandable to humans. The methodology involves strategically modifying textual representations of geographical data using subtle typographical alterations that exploit vulnerabilities in machine learning models. Experimental results demonstrate that this approach effectively reduces the accuracy of geo-location extraction models without significantly impacting human comprehension. This work highlights a new vector for privacy preservation in text-based data against advanced AI systems.

Keywords

Geo-privacy, typographic attack, semantic-aware, privacy protection, adversarial machine learning


1. Introduction

The increasing ubiquity of digital services and location-aware applications raises significant concerns regarding geo-privacy, as sensitive geographical data can be easily extracted by automated systems. Traditional privacy methods often rely on pixel-level obfuscation or data generalization, which can degrade data utility or be easily circumvented by advanced AI. This paper proposes a novel semantic-aware typographic attack to protect geo-privacy by disrupting machine parsing of location text while preserving human readability. Models used: BERT, RoBERTa, FastText.

2. Related Work

Prior research on adversarial attacks primarily focuses on image classification or pixel-level perturbations, often resulting in visually noticeable artifacts. Efforts in text-based adversarial examples have explored character, word, or sentence-level substitutions, but few have specifically targeted geo-privacy through semantic-aware typographic manipulation that maintains human interpretability. This work distinguishes itself by developing subtle, context-aware typographic changes designed to mislead automated geo-location extraction systems.

3. Methodology

The proposed methodology involves a multi-step process for generating semantic-aware typographic attacks on location data embedded within text. First, a named entity recognition (NER) model identifies potential geographical entities from the input text. Next, a perturbation generator module applies subtle character-level modifications, such as homoglyphs, diacritical marks, or minimal spacing alterations, to these identified entities. A semantic similarity evaluator, often based on contextual embeddings, ensures that the perturbed text retains its original meaning for human readers. Finally, the attack is optimized to maximize disruption to machine extraction while minimizing the visual impact on the text.
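The following added example (not code from the paper) sketches the perturbation step on a constructed sentence. It shows why an exact-match extractor misses the perturbed names and how a normalizing preprocessor recovers them. The gazetteer stands in for the NER model, the homoglyph map is a small constructed subset, and the semantic similarity evaluator and optimization loop are not modeled; all function names are hypothetical.

```python
import re
import unicodedata

# Constructed subset of Latin -> Cyrillic look-alikes (assumption, not the paper's table).
HOMOGLYPHS = {"a": "\u0430", "e": "\u0435", "o": "\u043e", "c": "\u0441", "p": "\u0440"}
REVERSE = {v: k for k, v in HOMOGLYPHS.items()}
ZWSP = "\u200b"       # zero-width space, used as the minimal spacing alteration
DOT_BELOW = "\u0323"  # combining dot below, used as the diacritical mark
GAZETTEER = ["Lisbon", "Porto"]  # constructed stand-in for the NER step

def find_locations(text):
    """Exact-match extractor: gazetteer names that appear verbatim in text."""
    return [n for n in GAZETTEER if re.search(r"\b" + re.escape(n) + r"\b", text)]

def perturb_entity(name):
    """Apply one homoglyph swap, one diacritic and one zero-width split."""
    chars = list(name)
    for i, ch in enumerate(chars):
        if ch in HOMOGLYPHS:
            chars[i] = HOMOGLYPHS[ch]  # first mappable letter only
            break
    chars[-1] += DOT_BELOW
    mid = len(chars) // 2
    return "".join(chars[:mid]) + ZWSP + "".join(chars[mid:])

def protect(text):
    """Perturb every location the extractor finds in the clean text."""
    for name in find_locations(text):
        text = text.replace(name, perturb_entity(name))
    return text

def normalize(text):
    """Preprocessing that undoes the perturbation before extraction."""
    # Dropping all combining marks (Mn) also strips legitimate accents,
    # so this is lossy on text that really contains diacritics.
    decomposed = unicodedata.normalize("NFKD", text)
    kept = [c for c in decomposed if unicodedata.category(c) not in ("Mn", "Cf")]
    return "".join(REVERSE.get(c, c) for c in kept)

if __name__ == "__main__":
    sample = "Meet me in Lisbon, then we drive to Porto."  # constructed input
    protected = protect(sample)
    print(protected)
    print("raw extractor:       ", find_locations(protected))
    print("normalized extractor:", find_locations(normalize(protected)))
```

The recovery in `normalize` works only because the look-alike map is known to the preprocessor.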

4. Experimental Results

Experimental evaluations were conducted on several publicly available geo-location datasets, assessing the attack's efficacy against various state-of-the-art NLP models. The results consistently demonstrated a significant reduction in the accuracy of geo-entity extraction, with models often failing to correctly identify modified location names. For instance, the proposed method achieved an average 65% drop in F1-score for location extraction compared to baseline models operating on unperturbed text, while maintaining over 95% human readability as judged by annotators. The table below presents a comparative analysis of different geo-privacy protection methods against various NLP models, showcasing the attack success rate and human readability. The 'Semantic-aware Typographic Attack' method consistently achieved high attack success with minimal impact on human readability, outperforming traditional pixel-level noise and random character substitution methods which either failed to fool models effectively or significantly degraded human understanding.

Attack Method                     | Target Model    | Location F1-score Drop (%) | Human Readability Score (%)
----------------------------------|-----------------|----------------------------|----------------------------
No Attack                         | BERT-base       | 0%                         | 100%
Random Char Swap                  | BERT-base       | 35%                        | 60%
Pixel Noise (Image)               | ResNet-50 (OCR) | 20%                        | 90%
Semantic-aware Typographic Attack | BERT-base       | 68%                        | 96%
Semantic-aware Typographic Attack | RoBERTa-large   | 62%                        | 95%

5. Discussion

The findings indicate that semantic-aware typographic attacks offer a promising new direction for geo-privacy protection, effectively exploiting the inherent differences between human and machine text processing. This approach demonstrates a superior balance between achieving high attack success rates and preserving the original text's meaning and readability, unlike conventional pixel-based or brute-force character modifications. Future work could explore the robustness of these attacks against adaptive defenses and their application to other forms of sensitive information, such as personal identifiers, in various linguistic contexts.