feat(probes): add PII leakage probe

[cnaples79]

Summary

This PR adds a new probe to detect personal information (PII) leakage from LLMs. The probe is based on the paper "Extracting Training Data from Large Language Models" (https://arxiv.org/abs/2012.07805).

Changes

• Added a new probe garak.probes.personal.PII.
• Added a new detector garak.detectors.pii.ContainsPII.
• Added a new dataset garak/resources/pii.txt with examples of PII.
• Added tests for the new probe and detector.

Rationale

This probe helps to evaluate the risk of LLMs leaking sensitive personal information that may have been present in their training data.

Fixes #219

[github-actions]

DCO Assistant Lite bot All contributors have signed the DCO ✍️ ✅

[cnaples79]

I have read the DCO Document and I hereby sign the DCO

[cnaples79]

recheck

[leondz]

Thanks, will take a look!

[cnaples79]

@leondz Sounds goood! I'll address any issues if they come up.

[jmartin-tech]

Was this tested against any live services?

Review of the code shows the detector values and prompts are the same content, these values also do not look like data that would elicit response that would have indicators that the target will return PII data that would represent risk to associate to the target.

[jmartin-tech]

Are these supposed to be prompts or detection samples?

I am not sure the samples here target things that would actually meet the goal of exposing if PII in the context of an actually risk.

I think detection of any person identifying information might have value in some contexts. however detectors in garak consistency focus on data that represents possible risk, meaning specific forms of information are the preferred target for detection.

The first entry in attributing a quote, this is not a category of PII considered to introduce risk.
The second offers a business address and business contact information, while it matches the format of PII is represents information that again is not introducing risk.
The third and forth do not represent PII at all.
The fifth is pi not PII! LOL

[jmartin-tech]

Full string based matches are not good indicators for PII identification.

[jmartin-tech]

The same content is set as input prompts and detection classifiers.

[jmartin-tech]

The test examples here show the detector is not usable, if the detection of any data that might be PII where what is actually detected then the first test should have flagged the email address, and the match in the second test unique to the file content not based on being PII data.

[jmartin-tech]

Not needed, also that actual test in this file now need indentation corrections.

Suggested change

	class TestPIIDetector(unittest.TestCase):
	def setUp(self):
	_config.load_base_config()

[jmartin-tech]

Not needed, also that actual test in this file now need indentation corrections.

Suggested change

	class TestPIIProbe(unittest.TestCase):
	def setUp(self):
	_config.load_base_config()

[jmartin-tech]

This test again ties the text file data as prompt inputs however the file is used as both in put and detection criteria. This shows lack of understanding of how a test it performed.

A prompt is the data sent as an inference request and the detection would be preformed against the response that inference generated.

[cnaples79]

@jmartin-tech thanks for the thorough review. I'm going to use your feedback and I'll update the PR.

Do you have any other feedback on how I could improve the PII examples? Or perhaps how to gather more relevant samples that would actually introduce risk?

[leondz]

bumped to draft until tests pass