pii-redact - SOTA PII Redaction on Your Laptop
Andie Jones
Mar 26, 2025
Introduction
When fine-tuning a large language model, it’s convenient to train on data generated by real users in your production environment. This data covers the actual use cases you want to support and is specific to your product. However, many kinds of production data contain personally identifiable information or PII. Fine-tuning on data containing PII is dangerous, since your model may memorize this PII and expose it via prompt injection attacks or just during regular use.
While several large closed-source models excel at redacting PII, using them requires you to send users’ potentially sensitive PII over the web to third parties, which privacy-sensitive customers might take issue with. On the other hand, open source libraries such as presidio have allowed developers to redact PII locally for years, but the performance of these legacy options is generally worse than what you’d get by using SOTA LLMs. Even the best existing open-source PII redaction libraries still let a LOT of PII through.
Can we do better?
To combine the high performance offered by closed source LLMs with the total privacy offered by libraries like presidio, we trained a pair of Llama 3.2 1B LLMs that specialize in PII redaction and published them to HuggingFace. PII-Redact-Name excels at redacting names in particular (turns out there are a LOT of edge cases to handle!) while PII-Redact-General catches everything else. Together, they show surprisingly robust performance.

To make these LLMs easy to use, we’ve also published an MIT-licensed pii-redact package to PyPI and GitHub. Using this package, you can redact PII on your local dev machine with just a few lines of code, and you won’t have to sacrifice any of the performance you’d get from the best closed-source LLMs.
For readers who just want to know how to use the package, we’ll start with installation and usage instructions, then provide more info on comparative results and methodology!
Installation
Install the required package using pip, or whatever package manager you prefer. In addition to installing a Python API, this will install a CLI tool you can use to detect and optionally redact PII in your datasets.
Usage
The CLI tool allows you to process both JSONL and raw text datasets and output the cleaned data into a new file. You can specify whether you want to tag, redact, or replace the detected PII.
Process a JSONL dataset
For handling PII in your JSONL dataset files (each row should contain a messages array in the OpenAI format):
Options:
--device: Device to use for processing (e.g., cuda, cpu)
PII handling modes (mutually exclusive):
--tag: Keep PII content between XML tags (default): <PII:type>content</PII:type>
--redact: Replace PII with just an empty tag: <PII:type/>
--replace: Replace PII with fake data: fake_data
--locale: Locale for generating fake data (default: en_US, only used with --replace)
Process text files
For handling PII in plain text files (one document per line):
Options:
--device: Device to use for processing (e.g., cuda, cpu)
PII handling modes (mutually exclusive):
--tag: Keep PII content between XML tags (default): <PII:type>content</PII:type>
--redact: Replace PII with just an empty tag: <PII:type/>
--replace: Replace PII with fake data: fake_data
--locale: Locale for generating fake data (default: en_US, only used with --replace)
How It Works
The script:
Reads the input file line by line
For each line, runs the pair of LLMs to generate text with the PII tags applied, and then replaces the PII in your original string
Writes the redacted text to the output file
Handles errors gracefully, preserving original text if processing fails
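One way to carry out the "apply the tags to your original string" step in each of the three modes, as an added example that is not the package's own code. The tag format comes from the options above; the function name, the lowercase type names, the fake-value table and the sample strings are constructed assumptions. Spans the model altered are returned for review rather than silently dropped, since a row that falls back to its original text still contains its PII.

```python
import re

# Tag format taken from the page: <PII:type>content</PII:type>
TAG_RE = re.compile(r"<PII:(\w+)>(.*?)</PII:\1>", re.S)

# Stand-in for locale-aware fake data (constructed values, hypothetical table)
FAKE = {"name": "Jane Doe", "email": "user@example.com"}

def apply_tags(original, tagged, mode="tag"):
    """Apply PII spans found in the model's tagged text to the original string.

    Returns (output, unmatched). unmatched lists spans whose content could not
    be located in the original, i.e. the model changed the text while tagging
    and that PII is still present in the output.
    """
    if mode not in ("tag", "redact", "replace"):
        raise ValueError(f"unknown mode: {mode}")
    out, pos, unmatched = [], 0, []
    for m in TAG_RE.finditer(tagged):
        pii_type, content = m.group(1), m.group(2)
        idx = original.find(content, pos)  # search left to right, no overlap
        if idx == -1:
            unmatched.append((pii_type, content))
            continue
        out.append(original[pos:idx])
        if mode == "tag":
            out.append(f"<PII:{pii_type}>{content}</PII:{pii_type}>")
        elif mode == "redact":
            out.append(f"<PII:{pii_type}/>")
        else:
            out.append(FAKE.get(pii_type, "REDACTED"))
        pos = idx + len(content)
    out.append(original[pos:])
    return "".join(out), unmatched

# Constructed sample: the original row and two possible model outputs
ORIGINAL = "Contact Maria Lopez at maria@example.org today."
TAGGED = ("Contact <PII:name>Maria Lopez</PII:name> at "
          "<PII:email>maria@example.org</PII:email> today.")
DRIFTED = TAGGED.replace("Lopez", "Lopes")  # model misspelled the name

if __name__ == "__main__":
    for mode in ("tag", "redact", "replace"):
        print(mode, "->", apply_tags(ORIGINAL, TAGGED, mode)[0])
    print("drifted ->", apply_tags(ORIGINAL, DRIFTED, "redact"))
```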
How It Was Made
Under the hood, the system uses two fine-tuned Llama 3.2 1B models that were trained on several datasets. Some of these datasets were synthetically generated by LLMs themselves, others are named entity recognition (NER) datasets like CoNLL 2003, and finally there are datasets of organic data we labeled ourselves, like the Enron Emails obtained by the Federal Energy Regulatory Commission. This dataset represents a large swath of languages, PII types and formatting to help ensure our models can generalize as well as they can.
It is hard to find a single high-quality dataset for the problem of PII redaction because of the obviously sensitive nature of the data. For example, we found the hand-labeled datasets to be crucial, as there are often varying definitions of what constitutes PII. In some cases, synthetically generated datasets included extra information that could be considered PII but isn’t marked as such in the resulting dataset.
Testing Methodology
The system was evaluated using the AI4Privacy PII-masking-300k dataset, which represents the largest open benchmark for privacy masking systems. This dataset contains:
220,000+ text examples
30.4 million text tokens
7.6 million PII tokens
Coverage across 6 languages and 8 jurisdictions
Human-validated accuracy of 98.3%
Performance Results
Critical PII Categories Performance
Our system achieved near-perfect recall rates for highly sensitive information:
Social Security Numbers: 100%
IP Addresses: 99.8%
Passport Numbers: 99.65%
Driver's Licenses: 96.44%
Identity Information Performance
Strong performance in detecting personal identifiers:
Given Names: 95.35-96.58%
Last Names: 92.54-96.70%
Date of Birth: 98.20%
Email Addresses: 97.24%
Location Information Performance
Exceptional accuracy in detecting location data:
Street Addresses: 96.50%
Cities: 97.57%
States: 97.36%
Postal Codes: 99.27%
Geographic Coordinates: 100%
Comparative Analysis
When benchmarked against Presidio, a widely-used open-source PII detection framework, our system showed significant improvements:
| Category | Our System | Presidio | Improvement |
| --- | --- | --- | --- |
| SSN | 100% | 83.18% | +16.82% |
| Driver's License | 96.44% | 61.79% | +34.65% |
| Postal Code | 99.27% | 52.53% | +46.74% |
Understanding Detection Rates
These detection rates (also called "recall rates") represent how effectively our system identifies different types of personal information in text. While no automated system can guarantee perfect detection, our results show strong performance across all categories of personal information.
What These Numbers Mean
Detection rates indicate the proportion of sensitive information our system can identify in text data. For example, a 97% detection rate means:
The system successfully identifies the vast majority of that type of personal information
While highly effective, there remains a small chance that some instances may not be detected
These rates are benchmarked against carefully labeled test data
Important Considerations
These rates represent performance under test conditions
Real-world performance may vary depending on factors like:
Text quality and formatting
Context and language variations
Document types and structure
We recommend combining automated detection with appropriate human review processes for sensitive applications
Regular testing and validation should be performed on your specific use case
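A small harness for the testing recommended above, as an added example that is not part of the pii-redact package: it measures per-type recall of tagged output against labels you wrote by hand for your own documents. It assumes output in the page's `<PII:type>content</PII:type>` format; the type names, sample rows and function name are constructed.

```python
import re
from collections import Counter

# Tag format taken from the page: <PII:type>content</PII:type>
TAG_RE = re.compile(r"<PII:(\w+)>(.*?)</PII:\1>", re.S)

def recall_by_type(samples):
    """samples: list of (gold, tagged) pairs, where gold is a list of
    (type, value) labels and tagged is the tool's tagged output for the
    same document. A label counts as detected only on an exact type and
    value match. Returns ({type: recall}, [(doc_index, type, value), ...])
    with the second item listing every label that was missed."""
    total, hit, missed = Counter(), Counter(), []
    for i, (gold, tagged) in enumerate(samples):
        found = Counter(TAG_RE.findall(tagged))  # keys are (type, value)
        for label in gold:
            total[label[0]] += 1
            if found[label] > 0:
                found[label] -= 1  # each detection satisfies one label
                hit[label[0]] += 1
            else:
                missed.append((i, *label))
    return {t: hit[t] / total[t] for t in total}, missed

# Constructed sample rows. Row 2 models a row whose processing failed and
# whose original text was preserved, so nothing in it is tagged.
SAMPLES = [
    ([("name", "Maria Lopez"), ("email", "maria@example.org")],
     "Contact <PII:name>Maria Lopez</PII:name> at "
     "<PII:email>maria@example.org</PII:email>."),
    ([("name", "O'Neil"), ("postcode", "90210")],
     "Ship to O'Neil, <PII:postcode>90210</PII:postcode>."),
    ([("ssn", "000-00-0000")],
     "SSN 000-00-0000 on file."),
]

if __name__ == "__main__":
    rates, missed = recall_by_type(SAMPLES)
    for pii_type, rate in sorted(rates.items()):
        print(f"{pii_type}: {rate:.0%}")
    print("missed:", missed)
```

The missed list is the part to read by hand: it shows which values slipped through and in which document, which a single percentage hides.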