
arxiv: 2606.06914 · v1 · pith:QSERKOO6new · submitted 2026-06-05 · 💻 cs.CR

DPAgent-in-the-Middle: Agentic Defense and Repair Against AI-Groomed Deceptive Patterns

Pith reviewed 2026-06-27 21:54 UTC · model grok-4.3

classification 💻 cs.CR
keywords privacy deceptive patterns · AI grooming · agentic defense · web interfaces · deceptive design · latent space purification · defensive prompting · web security

The pith

DPAgent coordinates four agents to detect and repair AI-groomed privacy deceptive patterns on live websites.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper formalizes AI grooming as a threat in which attackers seed data voids with deceptive samples that corrupt model reasoning and normalize manipulative web designs. It introduces DPAgent, an agentic framework that orchestrates four specialized agents using latent space purification and defensive prompting to explore, detect, and repair privacy deceptive interfaces directly in live web environments. Evaluations report 90.98 percent detection of groomed samples, a state-of-the-art micro F1 of 0.816, coverage of over 80 percent of pattern types while visiting roughly 10 percent of the pages required by baselines, and successful repair of 77 percent of detected interfaces. A study across 485 sites finds that up to 98 percent contain at least one such pattern and that the system can mitigate over 90 percent of them. User studies indicate reduced privacy risk without degrading the browsing experience.

Core claim

By treating AI grooming as a distinct threat model and deploying an agent-in-the-middle system that combines four specialized agents, latent space purification, and defensive prompting, it becomes possible to proactively explore live websites, identify groomed deceptive patterns, and repair the affected interfaces before they reach users.

What carries the argument

DPAgent, the orchestration of four specialized agents that performs latent space purification and defensive prompting to explore, detect, and repair deceptive privacy interfaces.

If this is right

  • Websites can be scanned and repaired at the interface level before deceptive patterns reach end users.
  • The approach reduces privacy risks from both conventional and AI-amplified deceptive designs while preserving normal browsing.
  • Efficient exploration allows coverage of most pattern types with far fewer page visits than existing methods.
  • Large-scale deployment could lower the overall prevalence of privacy deceptive patterns across the web supply chain.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same agent orchestration could be adapted to detect deceptive patterns in domains other than privacy, such as financial or accessibility interfaces.
  • Running such agents continuously might create feedback that discourages the creation of data voids used for grooming.
  • The method points toward defenses that operate at the rendered UI layer rather than relying solely on network or content filters.

Load-bearing premise

The assumption that four specialized agents with latent space purification and defensive prompting will reliably mitigate AI grooming in live web environments without introducing new attack surfaces or unacceptable false positives.

What would settle it

A controlled experiment in which DPAgent is presented with newly seeded groomed deceptive patterns on live sites and either misses a substantial fraction of them or produces repairs that break core site functionality for users.

Figures

Figures reproduced from arXiv: 2606.06914 by Feng Liu, Haoyang Li, Minhui Xue, Ruoxi Sun, Seong Oun Hwang, Xingliang Yuan, Zewei Shi.

Figure 1: An overview of DPAgent. DPAgent reframes web privacy issue mitigation as a supply chain optimization, providing an effective defensive strategy against AI grooming and privacy deceptive patterns.
    … execution. Backdoor attacks [19] embed hidden triggers during training to elicit incorrect behavior only when specific conditions are met. Jailbreak attacks [20] aim to circumvent safety mechanisms to extract res…

Figure 2: An overview of the DPAgent framework.
    … B. Grooming Purifying Agent. To safeguard the DPAgent pipeline against grooming attacks, we introduce the Grooming Purifying Agent, which comprises two complementary defense components: (i) a grooming filter deployed at the input stage to collaborate with the proxy and block suspicious grooming content, and (ii) a carefully designed defensive prompt applied in the PDP …

Figure 3: Rate score distribution in the user study.

Figure 4: RL model evaluation rewards.
    … D. Benchmarks. In the DPAgent architecture, two downstream tasks can be compared against existing works: the website exploration approach and privacy deceptive pattern detection. Below, we introduce the benchmark models used to evaluate the performance of DPAgent’s components. For the website exploration approach, we first chose the brute-force method, Breadth-First Search (BFS…

Figure 5: Examples of privacy deceptive patterns before and after repair.
Original abstract

Privacy deceptive patterns in web interfaces systematically manipulate users into disclosing personal data, yet existing defenses are fragmented, static, and increasingly vulnerable to manipulation by large language models. Moreover, data voids, areas of information scarcity within the web ecosystem, create fertile ground for adversaries to inject misleading content that can be scraped and learned by AI systems, thereby amplifying both deceptive design and model misbehavior. In this paper, we formalize a new threat model, AI grooming, where attackers exploit data voids to seed benign-looking but malicious samples that corrupt model reasoning and normalize deceptive practices. To address this threat in privacy deceptive patterns, we present DPAgent, an agentic and reasoning-aware framework that orchestrates four specialized agents to mitigate the AI Grooming threat via a proactive defense that combines latent space purification with defensive prompting and operates directly in live web environments to proactively explore, detect, and repair privacy deceptive user interfaces before they reach end users. Extensive evaluations show that DPAgent detects 90.98% of groomed samples, achieves state-of-the-art privacy deceptive pattern detection with a micro F1 of 0.816, explores over 80% of pattern types while visiting only about 10% of the pages required by baselines, and successfully repairs 77% of detected deceptive interfaces. A large-scale study of 485 websites in the wild reveals that up to 98% contain at least one privacy deceptive pattern, over 90% of which can be mitigated by DPAgent. User studies further confirm that DPAgent effectively reduces privacy risks while preserving browsing experience. Our results demonstrate the promise of agent-in-the-middle defenses for securing the web UI supply chain against deceptive design and emerging AI threats rooted in data void exploitation.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

3 major / 2 minor

Summary. The paper introduces a new threat model called 'AI grooming,' in which adversaries exploit data voids to seed malicious samples that corrupt LLM reasoning and normalize privacy deceptive patterns on the web. It proposes DPAgent, a multi-agent framework orchestrating four specialized agents that combines latent space purification, defensive prompting, and live-web exploration to detect, explore, and repair such patterns before they reach users. Reported results include 90.98% detection of groomed samples, state-of-the-art micro F1 of 0.816 for deceptive-pattern detection, exploration of over 80% of pattern types while visiting ~10% of the pages required by baselines, 77% successful repair rate, and a wild study of 485 sites finding up to 98% contain at least one pattern (over 90% mitigable by the system), plus user studies showing reduced privacy risk without degrading experience.

Significance. If the empirical claims and the reliability of the four-agent orchestration hold under scrutiny, the work would represent a meaningful step toward proactive, reasoning-aware defenses for the web UI supply chain against both conventional deceptive design and emerging AI-amplified threats. The combination of a formalized threat model, large-scale in-the-wild measurement, and an agentic repair mechanism operating directly on live pages is novel within the deceptive-patterns literature and could inform future agent-in-the-middle security architectures.

major comments (3)
  1. [Abstract] Abstract and evaluation sections: performance numbers (90.98% groomed-sample detection, micro F1 0.816, 77% repair rate, 98% prevalence) are presented without any description of the underlying datasets, baseline systems, statistical tests, error bars, or ablation studies, rendering it impossible to assess whether the data actually support the stated claims.
  2. [Large-scale study] Large-scale study (485 websites): because DPAgent is used both to discover patterns and to report mitigation success, any undetected false positives directly inflate the 98% prevalence and >90% mitigation figures; no independent ground-truth labeling or inter-rater reliability is mentioned.
  3. [Threat model and DPAgent architecture] Threat-model and system sections: the central assumption that orchestrating four agents with latent purification and defensive prompting will not introduce new attack surfaces (prompt injection on the orchestrator, agent poisoning, or repair-induced UX degradation) or excessive false positives is asserted but not subjected to adversarial testing or quantified false-positive analysis in live deployments.
minor comments (2)
  1. [Introduction] The term 'AI grooming' is introduced without a formal definition or comparison table distinguishing it from existing data-poisoning or prompt-injection threats.
  2. [System overview] Notation for the four agents and the latent-space purification step is not standardized across figures and text.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for the constructive feedback. We address each major comment below, agreeing where clarifications or additions are needed and outlining specific revisions to the manuscript.

Point-by-point responses
  1. Referee: [Abstract] Abstract and evaluation sections: performance numbers (90.98% groomed-sample detection, micro F1 0.816, 77% repair rate, 98% prevalence) are presented without any description of the underlying datasets, baseline systems, statistical tests, error bars, or ablation studies, rendering it impossible to assess whether the data actually support the stated claims.

    Authors: We agree the abstract is concise and omits methodological details. The full manuscript contains dedicated evaluation sections describing the groomed-sample dataset construction from data voids, baseline systems for deceptive-pattern detection, ablation studies on the four-agent components, and live-web exploration metrics. To improve accessibility, we will expand the abstract with a brief evaluation overview and add statistical tests, error bars, and confidence intervals to the reported figures in the results sections. revision: yes

  2. Referee: [Large-scale study] Large-scale study (485 websites): because DPAgent is used both to discover patterns and to report mitigation success, any undetected false positives directly inflate the 98% prevalence and >90% mitigation figures; no independent ground-truth labeling or inter-rater reliability is mentioned.

    Authors: This concern about potential circularity is valid. The manuscript describes the exploration and mitigation process but does not detail independent validation. We will add a subsection reporting post-hoc manual labeling of a random sample of sites by multiple annotators, including inter-rater reliability metrics. While exhaustive independent ground truth for all 485 sites is resource-intensive and not feasible in this revision, we will explicitly discuss this as a limitation and clarify the methodology to allow assessment of reliability. revision: partial

  3. Referee: [Threat model and DPAgent architecture] Threat-model and system sections: the central assumption that orchestrating four agents with latent purification and defensive prompting will not introduce new attack surfaces (prompt injection on the orchestrator, agent poisoning, or repair-induced UX degradation) or excessive false positives is asserted but not subjected to adversarial testing or quantified false-positive analysis in live deployments.

    Authors: We acknowledge the paper asserts robustness without dedicated adversarial testing. We will add a new security analysis subsection discussing potential attack surfaces (prompt injection, agent poisoning) with proposed mitigations, and report quantified false-positive rates and UX impact from the live deployments and user studies. Full red-teaming experiments are noted as future work, but the existing user studies already provide evidence against excessive false positives and UX degradation. revision: yes

Circularity Check

0 steps flagged

No circularity; engineering framework with empirical results

full rationale

The paper introduces DPAgent as an agentic framework for detection and repair, with performance metrics (90.98% detection, 0.816 F1, 77% repair, 98% prevalence) obtained from direct evaluations on groomed samples and a 485-site crawl. No equations, derivations, fitted parameters, or self-referential definitions appear in the provided text. Results are presented as outputs of the implemented system rather than quantities forced by construction from the same inputs. Self-citations, if present, are not load-bearing for any claimed derivation. This is a standard non-circular engineering contribution.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 1 invented entities

Only the abstract is available; the ledger reflects claims stated there. No free parameters, axioms, or invented entities beyond the new threat model and framework are detailed.

axioms (1)
  • domain assumption: Existing defenses against privacy deceptive patterns are fragmented, static, and vulnerable to manipulation by large language models.
    Stated as background motivation in the abstract.
invented entities (1)
  • AI grooming threat model (no independent evidence)
    purpose: Describes attackers exploiting data voids to seed malicious samples that corrupt model reasoning and normalize deceptive patterns.
    Newly formalized in the paper per the abstract.


Reference graph

Works this paper leans on

89 extracted references · 3 canonical work pages

  1. [1]

    Data voids: Where missing data can easily be exploited,

    M. Golebiewski and D. Boyd, “Data voids: Where missing data can easily be exploited,” Data & Society, Tech. Rep., 2019. [Online]. Available: https://datasociety.net/wp-content/uploads/2019/11/Data-Voids-2.0-Final.pdf

  2. [2]

    A well-funded moscow-based global ‘news’ network has infected western artificial intelligence tools worldwide with russian propaganda,

    M. Sadeghi and I. Blachez, “A well-funded moscow-based global ‘news’ network has infected western artificial intelligence tools worldwide with russian propaganda,” 2025, accessed: 2025-12-16. [Online]. Available: https://www.newsguardrealitycheck.com/p/a-well-funded-moscow-based-global

  3. [3]

    Is Russia grooming AI chatbots?

    A. Radina, “Is Russia grooming AI chatbots?” 2025

  4. [4]

    A pro-russia content network foreshadows the automated future of info ops,

    A. S. Project, “A pro-russia content network foreshadows the automated future of info ops,” American Sunlight Project, Tech. Rep., 2025

  5. [5]

    Russian networks flood the internet with propaganda aiming to corrupt ai chatbots,

    A. Newport and N. Jankowicz, “Russian networks flood the internet with propaganda aiming to corrupt ai chatbots,” 2025, accessed: 2025-05-29. [Online]. Available: https://bit.ly/43j5htv

  6. [6]

    Russia-linked pravda network: Wikipedia, llm, x,

    V. Chatelet and A. Lesplingart, “Russia-linked pravda network: Wikipedia, llm, x,” 2025, accessed: 2025-05-29. [Online]. Available: https://dfrlab.org/2025/03/12/pravda-network-wikipedia-llm-x/

  7. [7]

    Llm grooming: A new strategy to weaponise ai for fimi purposes,

    S. Freuden and R. Serrano, “Llm grooming: A new strategy to weaponise ai for fimi purposes,” 2025, accessed: 2025-05-29. [Online]. Available: https://www.disinfo.eu/outreach/our-webinars/10-april-llm-grooming-a-new-strategy-to-weaponise-ai-for-fimi-purposes/

  8. [8]

    Create a fear of missing out - chatgpt implements unsolicited deceptive designs in generated websites without warning,

    V. Krauß, M. McGill, T. Kosch, Y. M. Thiel, D. Schön, and J. Gugenheimer, “Create a fear of missing out - chatgpt implements unsolicited deceptive designs in generated websites without warning,” in Proceedings of the 2025 CHI Conference on Human Factors in Computing Systems, 2025, pp. 1–20

  9. [9]

    The dark (patterns) side of UX design,

    C. M. Gray, Y. Kou, B. Battles, J. Hoggatt, and A. L. Toombs, “The dark (patterns) side of UX design,” in Proceedings of the 2018 CHI Conference on Human Factors in Computing Systems, 2018, pp. 1–14

  10. [10]

    Automated Large-Scale analysis of cookie notice compliance,

    A. Bouhoula, K. Kubicek, A. Zac, C. Cotrini, and D. Basin, “Automated Large-Scale analysis of cookie notice compliance,” in 33rd USENIX Security Symposium (USENIX Security 24). Philadelphia, PA: USENIX Association, 2024, pp. 1723–1739

  11. [11]

    Cookiegraph: Understanding and detecting first-party tracking cookies,

    S. Munir, S. Siby, U. Iqbal, S. Englehardt, Z. Shafiq, and C. Troncoso, “Cookiegraph: Understanding and detecting first-party tracking cookies,” in Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, 2023, p. 3490–3504

  12. [12]

    (un) informed consent: Studying gdpr consent notices in the field,

    C. Utz, M. Degeling, S. Fahl, F. Schaub, and T. Holz, “(un) informed consent: Studying gdpr consent notices in the field,” in Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, 2019, pp. 973–990

  13. [13]

    Freely given consent? studying consent notice of third-party tracking and its violations of gdpr in android apps,

    T. T. Nguyen, M. Backes, and B. Stock, “Freely given consent? studying consent notice of third-party tracking and its violations of gdpr in android apps,” in Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, 2022, pp. 2369–2383

  14. [14]

    Ai-powered attacks rise as cisos prioritize ai security risks,

    E. Geller, “Ai-powered attacks rise as cisos prioritize ai security risks,” Cybersecurity Dive, 2025, accessed: 2025-11-25. [Online]. Available: https://www.cybersecuritydive.com/news/ai-security-risks-agents-report/753345/

  15. [15]

    Deepfake videos impersonating real doctors push false medical advice and treatments,

    A. Clark, “Deepfake videos impersonating real doctors push false medical advice and treatments,” CBS News, 2025, accessed: 2025-11-

  16. [16]

    Available: https://www.cbsnews.com/news/deepfake-videos-impersonating-real-doctors-push-false-medical-advice-treatments/

    [Online]. Available: https://www.cbsnews.com/news/deepfake-videos-impersonating-real-doctors-push-false-medical-advice-treatments/

  17. [17]

    More ai-generated child sex abuse material is being posted online,

    K. Collier, “More ai-generated child sex abuse material is being posted online,” NBC News, 2024, accessed: 2025-11-25. [Online]. Available: https://www.nbcnews.com/tech/security/ai-generated-child-sex-abuse-material-posted-online-rcna162169

  18. [18]

    Chatbot responses to disinformation-related prompts,

    M. Alyukov, M. Makhortykh, A. Voronovici, and M. Sydorova, “Chatbot responses to disinformation-related prompts,” 2025, accessed: 2025-11-

  19. [19]

    Available: https://doi.org/10.17605/OSF.IO/WVZKJ

    [Online]. Available: https://doi.org/10.17605/OSF.IO/WVZKJ

  20. [20]

    Is russia really ‘grooming’ western ai?

    ——, “Is russia really ‘grooming’ western ai?” Aljazeera, 2025, accessed: 2025-11-25. [Online]. Available: https://www.aljazeera.com/opinions/2025/7/8/is-russia-really-grooming-western

  21. [21]

    Reflection backdoor: A natural backdoor attack on deep neural networks,

    Y. Liu, X. Ma, J. Bailey, and F. Lu, “Reflection backdoor: A natural backdoor attack on deep neural networks,” in European Conference on Computer Vision (ECCV), 2020, pp. 182–199

  22. [22]

    Jailbroken: How does llm safety training fail?

    A. Wei, N. Haghtalab, and J. Steinhardt, “Jailbroken: How does llm safety training fail?” in Advances in Neural Information Processing Systems, 2023, pp. 80079–80110

  23. [23]

    Explaining and harnessing adversarial examples,

    I. J. Goodfellow, J. Shlens, and C. Szegedy, “Explaining and harnessing adversarial examples,” in International Conference on Learning Representations (ICLR), 2014

  24. [24]

    Poisoning attacks against support vector machines,

    B. Biggio, B. Nelson, and P. Laskov, “Poisoning attacks against support vector machines,” in Proceedings of the 29th International Conference on International Conference on Machine Learning, 2012, p. 1467–1474

  25. [25]

    Alphadog: No-box camouflage attacks via alpha channel oversight,

    Q. Xia and Q. Chen, “Alphadog: No-box camouflage attacks via alpha channel oversight,” in The Network and Distributed System Security (NDSS) Symposium 2025, 2025

  26. [26]

    mitmproxy: A free and open source interactive HTTPS proxy,

    A. Cortesi, M. Hils, T. Kriechbaumer, and contributors, “mitmproxy: A free and open source interactive HTTPS proxy,” 2010–, [Version 11.1]. [Online]. Available: https://mitmproxy.org/

  27. [27]

    Adversarial example detection using latent neighborhood graph,

    A. Abusnaina, Y. Wu, S. Arora, Y. Wang, F. Wang, H. Yang, and D. Mohaisen, “Adversarial example detection using latent neighborhood graph,” in Proceedings of the 2021 IEEE/CVF international conference on computer vision, 2021, pp. 7687–7696

  28. [28]

    Detecting adversarial samples from artifacts,

    R. Feinman, R. R. Curtin, S. Shintre, and A. B. Gardner, “Detecting adversarial samples from artifacts,” arXiv preprint arXiv:1703.00410, 2017

  29. [29]

    Sample efficient detection and classification of adversarial attacks via self-supervised embeddings,

    M. Moayeri and S. Feizi, “Sample efficient detection and classification of adversarial attacks via self-supervised embeddings,” in Proceedings of the IEEE/CVF international conference on computer vision, 2021, pp. 7677–7686

  30. [30]

    A baseline for detecting misclassified and out-of-distribution examples in neural networks,

    D. Hendrycks and K. Gimpel, “A baseline for detecting misclassified and out-of-distribution examples in neural networks,” arXiv preprint arXiv:1610.02136, 2016

  31. [31]

    Learning transferable visual models from natural language supervision,

    A. Radford, J. W. Kim, C. Hallacy, A. Ramesh, G. Goh, S. Agarwal, G. Sastry, A. Askell, P. Mishkin, J. Clark, G. Krueger, and I. Sutskever, “Learning transferable visual models from natural language supervision,” in International conference on machine learning, 2021, pp. 8748–8763

  32. [32]

    Efficientnet: Rethinking model scaling for convolutional neural networks,

    M. Tan and Q. Le, “Efficientnet: Rethinking model scaling for convolutional neural networks,” in International Conference on Machine Learning. PMLR, 2019, pp. 6105–6114

  33. [33]

    A simple framework for contrastive learning of visual representations,

    T. Chen, S. Kornblith, M. Norouzi, and G. Hinton, “A simple framework for contrastive learning of visual representations,” in International conference on machine learning. PMLR, 2020, pp. 1597–1607

  34. [34]

    Serper.dev: The world’s fastest and cheapest google search api,

    Serper.dev, “Serper.dev: The world’s fastest and cheapest google search api,” 2025, accessed: 2025-04-19. [Online]. Available: https://serper.dev/

  35. [35]

    Privagent: Agentic-based red-teaming for llm privacy leakage,

    Y. Nie, Z. Wang, Y. Yu, X. Wu, X. Zhao, W. Guo, and D. Song, “Privagent: Agentic-based red-teaming for llm privacy leakage,” arXiv preprint arXiv:2412.05734, 2024

  36. [36]

    Proximal policy optimization algorithms,

    J. Schulman, F. Wolski, P. Dhariwal, A. Radford, and O. Klimov, “Proximal policy optimization algorithms,” arXiv preprint arXiv:1707.06347, 2017

  37. [37]

    Qwq-32b: Embracing the power of reinforcement learning,

    Q. Team, “Qwq-32b: Embracing the power of reinforcement learning,” March 2025. [Online]. Available: https://qwenlm.github.io/blog/qwq-32b/

  38. [38]

    SoK: State of the krawlers – evaluating the effectiveness of crawling algorithms for web security measurements,

    A. Stafeev and G. Pellegrino, “SoK: State of the krawlers – evaluating the effectiveness of crawling algorithms for web security measurements,” in 33rd USENIX Security Symposium (USENIX Security 24). Philadelphia, PA: USENIX Association, Aug. 2024, pp. 719–737. [Online]. Available: https://www.usenix.org/conference/usenixsecurity24/presentation/stafeev

  39. [39]

    Webvoyager: Building an end-to-end web agent with large multimodal models,

    H. He, W. Yao, K. Ma, W. Yu, Y. Dai, H. Zhang, Z. Lan, and D. Yu, “Webvoyager: Building an end-to-end web agent with large multimodal models,” arXiv preprint arXiv:2401.13919, 2024

  40. [40]

    Webpilot: A versatile and autonomous multi-agent system for web task execution with strategic exploration,

    Y. Zhang, Z. Ma, Y. Ma, Z. Han, Y. Wu, and V. Tresp, “Webpilot: A versatile and autonomous multi-agent system for web task execution with strategic exploration,” in Proceedings of the AAAI Conference on Artificial Intelligence, 2025, pp. 23378–23386

  41. [41]

    Ui-tars: Pioneering automated gui interaction with native agents,

    Y. Qin, Y. Ye, J. Fang, H. Wang, S. Liang, S. Tian, J. Zhang, J. Li, Y. Li, S. Huang et al., “Ui-tars: Pioneering automated gui interaction with native agents,” arXiv preprint arXiv:2501.12326, 2025

  42. [42]

    WebUI: A dataset for enhancing visual UI understanding with web semantics,

    J. Wu, S. Wang, S. Shen, Y.-H. Peng, J. Nichols, and J. P. Bigham, “WebUI: A dataset for enhancing visual UI understanding with web semantics,” in Proceedings of the 2023 CHI Conference on Human Factors in Computing Systems, 2023, pp. 1–14

  43. [43]

    Qexplore: An exploration strategy for dynamic web applications using guided search,

    S. Sherin, A. Muqeet, M. U. Khan, and M. Z. Iqbal, “Qexplore: An exploration strategy for dynamic web applications using guided search,” Journal of Systems and Software, vol. 195, p. 111512, 2023

  44. [44]

    Computer-using agent,

    OpenAI, “Computer-using agent,” 2024, accessed: 2025-06-04. [Online]. Available: https://openai.com/index/computer-using-agent/

  45. [45]

    Agents and tools: Computer use,

    Anthropic, “Agents and tools: Computer use,” 2024, accessed: 2025-06-04. [Online]. Available: https://docs.anthropic.com/en/docs/agents-and-tools/computer-use

  46. [46]

    “create a fear of missing out”

    V. Krauß, M. McGill, T. Kosch, Y. M. Thiel, D. Schön, and J. Gugenheimer, ““create a fear of missing out” - chatgpt implements unsolicited deceptive designs in generated websites without warning,” in Proceedings of the 2025 CHI Conference on Human Factors in Computing Systems, 2025. [Online]. Available: https://doi.org/10.1145/3706598.3713083

  47. [47]

    50 shades of deceptive patterns: A unified taxonomy, multimodal detection, and security implications,

    Z. Shi, R. Sun, J. Chen, J. Sun, M. Xue, Y. Gao, F. Liu, and X. Yuan, “50 shades of deceptive patterns: A unified taxonomy, multimodal detection, and security implications,” in Proceedings of the ACM Web Conference 2025 (WWW’25), 2025

  48. [48]

    Dark patterns meet gui agents: Llm agent susceptibility to manipulative interfaces and the role of human oversight,

    J. Tang, C. Chen, J. Li, Z. Zhang, B. Guo, I. Khalilov, S. A. Gebreegziabher, B. Yao, D. Wang, Y. Ye, T. Li, Z. Xiao, Y. Yao, and T. J.-J. Li, “Dark patterns meet gui agents: Llm agent susceptibility to manipulative interfaces and the role of human oversight,” 2025. [Online]. Available: https://arxiv.org/abs/2509.10723

  49. [49]

    The obvious invisible threat: Llm-powered gui agents’ vulnerability to fine-print injections,

    C. Chen, Z. Zhang, B. Guo, S. Ma, I. Khalilov, S. A. Gebreegziabher, Y. Ye, Z. Xiao, Y. Yao, T. Li et al., “The obvious invisible threat: Llm-powered gui agents’ vulnerability to fine-print injections,” arXiv preprint arXiv:2504.11281, 2025

  50. [50]

    (2024, September) Introducing openai o1-preview

    OpenAI. (2024, September) Introducing openai o1-preview. Accessed: 2025-04-19. [Online]. Available: https://openai.com/index/introducing-openai-o1-preview/

  51. [51]

    Deepseek-r1: Incentivizing reasoning capability in llms via reinforcement learning,

    D.-A. Team, “Deepseek-r1: Incentivizing reasoning capability in llms via reinforcement learning,” 2025. [Online]. Available: https://arxiv.org/abs/2501.12948

  52. [52]

    (2025) Claude 3.7 sonnet and claude code

    Anthropic. (2025) Claude 3.7 sonnet and claude code. Accessed: 2025-04-19. [Online]. Available: https://www.anthropic.com/news/claude-3-7-sonnet

  53. [53]

    DeepMind

    G. DeepMind. (2025) Gemini 2.5: Our newest gemini model with thinking. Accessed: 2025-04-19. [Online]. Available: https://blog.google/technology/google-deepmind/gemini-model-thinking-updates-march-2025/#gemini-2-5-thinking

  54. [54]

    Chatbot arena: an open platform for evaluating llms by human preference,

    W.-L. Chiang, L. Zheng, Y. Sheng, A. N. Angelopoulos, T. Li, D. Li, B. Zhu, H. Zhang, M. I. Jordan, J. E. Gonzalez, and I. Stoica, “Chatbot arena: an open platform for evaluating llms by human preference,” in Proceedings of the 41st International Conference on Machine Learning, 2024

  55. [55]

    A protection motivation theory of fear appeals and attitude change1,

    R. W. Rogers, “A protection motivation theory of fear appeals and attitude change1,” The journal of psychology, vol. 91, no. 1, pp. 93–114, 1975

  56. [56]

    Using protection motivation theory in the design of nudges to improve online security behavior,

    R. Van Bavel, N. Rodríguez-Priego, J. Vila, and P. Briggs, “Using protection motivation theory in the design of nudges to improve online security behavior,” International Journal of Human-Computer Studies, vol. 123, pp. 29–39, 2019

  57. [57]

    “secure settings are quick and easy!”

    S. Prange, N. Thiem, M. Fröhlich, and F. Alt, ““secure settings are quick and easy!”–motivating end-users to choose secure smart home configurations,” in Proceedings of the 2022 International Conference on Advanced Visual Interfaces, 2022, pp. 1–9

  58. [58]

    Driving behaviour change with cybersecurity awareness,

    S. Chaudhary, “Driving behaviour change with cybersecurity awareness,” Computers & Security, p. 103858, 2024

  59. [59]

    From awareness to action: exploring end-user empowerment interventions for dark patterns in ux,

    Y . Lu, C. Zhang, Y . Yang, Y . Yao, and T. J.-J. Li, “From awareness to action: exploring end-user empowerment interventions for dark patterns in ux,”Proceedings of the ACM on Human-Computer Interaction, vol. 8, no. CSCW1, pp. 1–41, 2024

  60. [60]

    AidUI: Toward automated recognition of dark patterns in user interfaces,

    S. M. H. Mansur, S. Salma, D. Awofisayo, and K. Moran, “AidUI: Toward automated recognition of dark patterns in user interfaces,” in Proceedings of the 45th International Conference on Software Engi- neering, 2023, pp. 1958–1970

  61. [61]

    Do cookie banners respect my choice? : Measuring legal compliance of banners from iab europe’s transparency and consent framework,

    C. Matte, N. Bielova, and C. Santos, “Do cookie banners respect my choice? : Measuring legal compliance of banners from iab europe’s transparency and consent framework,” in2020 IEEE Symposium on Security and Privacy (SP), 2020

  62. [62]

    Automating cookie consent and GDPR violation detection,

    D. Bollinger, K. Kubicek, C. Cotrini, and D. Basin, “Automating cookie consent and GDPR violation detection,” in31st USENIX Security Symposium (USENIX Security 22). Boston, MA: USENIX Association, 2022, pp. 2893–2910

  63. [63]

    Ad injection at scale: Assessing deceptive advertisement modifications,

    K. Thomas, E. Bursztein, C. Grier, G. Ho, N. Jagpal, A. Kapravelos, D. Mccoy, A. Nappa, V . Paxson, P. Pearce, N. Provos, and M. A. Rajab, “Ad injection at scale: Assessing deceptive advertisement modifications,” in2015 IEEE Symposium on Security and Privacy, 2015, pp. 151–167

  64. [64]

    Where are you taking me?understanding abusive traffic distribution systems,

    J. Szurdi, M. Luo, B. Kondracki, N. Nikiforakis, and N. Christin, “Where are you taking me?understanding abusive traffic distribution systems,” 2021, p. 3613–3624

  65. [65]

    Sunrise to sunset: Analyzing the end-to-end life cycle and effectiveness of phishing attacks at scale,

    A. Oest, P. Zhang, B. Wardman, E. Nunes, J. Burgis, A. Zand, K. Thomas, A. Doup ´e, and G.-J. Ahn, “Sunrise to sunset: Analyzing the end-to-end life cycle and effectiveness of phishing attacks at scale,” in29th USENIX Security Symposium (USENIX Security 20), 2020

  66. [66]

    Inferring phishing intention via webpage appearance and dynamics: A deep vision based approach,

    R. Liu, Y . Lin, X. Yang, S. H. Ng, D. M. Divakaran, and J. S. Dong, “Inferring phishing intention via webpage appearance and dynamics: A deep vision based approach,” in31st USENIX Security Symposium (USENIX Security 22), 2022

  67. [67]

    Dark patterns at scale: Findings from a crawl of 11k shopping websites,

    A. Mathur, G. Acar, M. J. Friedman, E. Lucherini, J. Mayer, M. Chetty, and A. Narayanan, “Dark patterns at scale: Findings from a crawl of 11k shopping websites,”Proceedings of the ACM on Human-Computer Interaction, vol. 3, no. CSCW, pp. 1–32, 2019

  68. [68]

    Clustering of dark patterns in the user interfaces of websites and online trading portals (e-commerce),

    D. Nazarov and Y . Baimukhambetov, “Clustering of dark patterns in the user interfaces of websites and online trading portals (e-commerce),” Mathematics, vol. 10, no. 18, p. 3219, 2022

  69. [69]

    Unveiling the tricks: Automated detection of dark patterns in mobile applications,

    J. Chen, J. Sun, S. Feng, Z. Xing, Q. Lu, X. Xu, and C. Chen, “Unveiling the tricks: Automated detection of dark patterns in mobile applications,” inProceedings of the 36th Annual ACM Symposium on User Interface Software and Technology. New York, NY , USA: Association for Computing Machinery, 2023, pp. 1–20

  70. [70]

    Don’t detect, just correct: Can llms defuse deceptive patterns directly?

    R. Sch ¨afer, P. M. Preuschoff, R. Niewianda, S. Hahn, K. Fiedler, and J. Borchers, “Don’t detect, just correct: Can llms defuse deceptive patterns directly?” inProceedings of the Extended Abstracts of the CHI Conference on Human Factors in Computing Systems. New York, NY , USA: Association for Computing Machinery, 2025. [Online]. Available: https://doi.o...

  71. [71]

    Encrypted dns–¿ privacy? a traffic analysis perspective,

    S. Siby, M. Juarez, C. Diaz, N. Vallina-Rodriguez, and C. Troncoso, “Encrypted dns–¿ privacy? a traffic analysis perspective,” inThe Network and Distributed System Security (NDSS) Symposium 2020, 2020

  72. [72]

    Timeless timing attacks and preload defenses in tor’s DNS cache,

    R. Dahlberg and T. Pulls, “Timeless timing attacks and preload defenses in tor’s DNS cache,” in32nd USENIX Security Symposium (USENIX Security 23), 2023, pp. 2635–2652

  73. [73]

    Connecting the dots in the sky: Website fingerprinting in low earth orbit satellite internet,

    P. Singh, D. Barradas, T. Elahi, and N. Limam, “Connecting the dots in the sky: Website fingerprinting in low earth orbit satellite internet,” in The Network and Distributed System Security (NDSS) Symposium 2024, 2024

  74. [74]

    The discriminative power of cross-layer rtts in fingerprinting proxy traffic,

    D. Xue, R. Stanley, P. Kumar, and R. Ensafi, “The discriminative power of cross-layer rtts in fingerprinting proxy traffic,” inThe Network and Distributed System Security (NDSS) Symposium 2025, 2025

  75. [75]

    Useful agentic ai: A systems outlook,

    M. Pan, Y . Zhu, J. Q. Davis, R. Cogo, L. A. Agrawal, N. Arabzadeh, X. Liu, H. Mao, S. Pallerla, T. Shiet al., “Useful agentic ai: A systems outlook,” 2025

  76. [76]

    Tor Project — Privacy & Freedom Online,

    The Tor Project, “Tor Project — Privacy & Freedom Online,” https: //www.torproject.org/, 2025, accessed: 2025-04-22

  77. [77]

    Brave Browser — Secure, Fast & Private Web Browser,

    Brave Software Inc., “Brave Browser — Secure, Fast & Private Web Browser,” https://brave.com/, 2025, accessed: 2025-04-22

  78. [78]

    Adblock Plus - Surf the web without annoying ads!

    Eyeo GmbH, “Adblock Plus - Surf the web without annoying ads!” https://adblockplus.org/, 2025, accessed: 2025-04-22

  79. [79]

    AdGuard — World’s most advanced ad blocker!

    AdGuard Software Ltd., “AdGuard — World’s most advanced ad blocker!” https://adguard.com/en/welcome.html, 2025, accessed: 2025- 04-22

  80. [80]

    DuckDuckGo – Privacy, simplified

    DuckDuckGo Inc., “DuckDuckGo – Privacy, simplified.” https://duckdu ckgo.com/, 2025, accessed: 2025-04-22

Showing first 80 references.