AI Summary
This paper addresses the insufficient security evaluation of text de-identification techniques by proposing a robustness assessment framework targeting re-identification attacks. Methodologically, it innovatively integrates a multi-order sequence prediction aggregation mechanism with an external-knowledge-augmented reasoning language model to construct an automated adversarial attack pipeline, more realistically simulating how adversaries leverage background knowledge to recover PII. Compared to conventional single-prediction or black-box attacks, the framework significantly improves re-identification accuracy (average +18.7%), especially under high background-knowledge density. The study not only uncovers critical vulnerabilities in current de-identification methods but also establishes a reproducible, scalable, and quantitative evaluation paradigm. This advances standardized benchmarking and iterative refinement of privacy-preserving technologies.
Abstract
Text de-identification techniques are often used to mask personally identifiable information (PII) from documents. Their ability to conceal the identity of the individuals mentioned in a text is, however, hard to measure. Recent work has shown how the robustness of de-identification methods could be assessed by attempting the reverse process of _re-identification_, based on an automated adversary using its background knowledge to uncover the PIIs that have been masked. This paper presents two complementary strategies to build stronger re-identification attacks. We first show that (1) the _order_ in which the PII spans are re-identified matters, and that aggregating predictions across multiple orderings leads to improved results. We also find that (2) reasoning models can boost the re-identification performance, especially when the adversary is assumed to have access to extensive background knowledge.