Pith. sign in

REVIEW 2 major objections 5 minor 87 references

A user-side agent can rewrite sensitive parts of a chatbot prompt so the provider cannot profile you well, while still getting useful answers.

Reviewed by Pith at T0; open to challenge. T0 means a machine referee read the full paper against a public rubric. the ladder, T0–T4 →

T0 review · grok-4.5

2026-07-12 06:00 UTC pith:RGKDPDAD

load-bearing objection Solid systems paper: noise/denoise plus OPRO-style action selection rides the single-action privacy-utility envelope and beats two prior automated baselines; the 3.3×/1.4× numbers rest on a soft IAB-embedding proxy that already admits 17.5% residual recovery. the 2 major comments →

arxiv 2607.02932 v1 pith:RGKDPDAD submitted 2026-07-03 cs.CR cs.AIcs.HCcs.LG

PromptPET: Privacy-Utility Optimized Prompt Obfuscation

classification cs.CR cs.AIcs.HCcs.LG
keywords prompt privacyAI agentsuser profilingobfuscationprivacy-utility tradeoffIAB Audience Taxonomynoising/denoisingrule optimization
verification ladder T0 review T1 audit T2 compute T3 formal T4 reserved

The pith

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

When people talk to AI chatbots they reveal far more than traditional identifiers: interests, health context, location, and other attributes that providers can turn into profiles. PromptPET sits on the user's side and rewrites only the sensitive pieces of each prompt before the query leaves the device. It detects those pieces against a taxonomy of demographic and interest attributes, scores how much each piece matters for a good answer, then chooses among four rewrites—redact, abstract, replace, or a new noise-and-denoise scheme that keeps the real unit and adds decoys that are later filtered from the reply. A learned rule set, refined by an iterative LLM optimizer, decides which rewrite to apply to each unit. On real chat logs the resulting system rides the best privacy–utility frontier that any single rewrite can achieve, and it beats prior automated prompt-obfuscation methods by delivering substantially more privacy for each unit of utility lost.

Core claim

Selective, taxonomy-guided prompt obfuscation that mixes redaction, abstraction, replacement, and a novel noising/denoising action, coordinated by a reinforcement-learning-inspired rule optimizer, matches the best privacy–utility tradeoff of any single action and significantly outperforms prior deployable prompt-obfuscation baselines on real user–AI queries.

What carries the argument

The Noise action plus the rule-optimization loop: Noise keeps a high-importance sensitive unit intact, injects coherent decoys under other taxonomy data types, forces the remote agent to answer real and decoy requests separately, and filters the decoy answers before the user sees them; the rule optimizer then learns which action (Noise, Abstract, Redact, or Replace) to assign to each unit by iterating decision-rule sets against a privacy–utility reward.

Load-bearing premise

The defense is evaluated against a single-prompt, honest-but-curious profiler that is adequately captured by taxonomy-label extraction and embedding similarity; multi-turn de-obfuscation and active elicitation are left out of scope.

What would settle it

On a held-out set of real multi-turn or longitudinal chats, if an adversary that only sees the obfuscated prompts can still recover the original IAB-style profile labels at rates comparable to the unprotected baseline, or if the filtered chatbot answers lose task success under human or task-specific utility metrics, the claimed privacy–utility frontier would not hold.

Watch this falsifier — get emailed when new claim-graph text bears on it.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit.

Referee Report

2 major / 5 minor

Summary. The paper proposes PromptPET, a user-side framework that detects sensitive units in LLM prompts via an IAB Audience Taxonomy, scores their importance for response utility, and applies one of four obfuscation actions (redact, abstract, replace, or a novel noise/denoise scheme that injects decoy units and filters the response). A reinforcement-learning-inspired rule optimizer (OPRO-style) learns a decision rule set that selects the action per unit. On a WildChat-derived test set of real queries, single-action analysis shows Noise dominates the privacy-utility frontier at high privacy; the selective system matches that envelope and outperforms two prior automated baselines (Ngong et al., Zhou et al.) by 3.3 imes privacy per unit utility cost and 1.4 imes absolute privacy under the authors’ embedding-based exposure metric.

Significance. User-side prompt obfuscation that does not rely on provider cooperation is a timely and practically important PET for the emerging class of stateful AI agents that profile users from free-form natural-language input. The systematic isolation of four actions (including a carefully engineered noise/denoise template that preserves high-importance units), the explicit use of a fine-grained taxonomy for both detection and rewriting, the importance-score validation via controlled redaction, and the first application of an OPRO-style rule optimizer to this setting are genuine methodological contributions. If the reported frontier-matching and quantitative gains hold under stronger privacy metrics, the work supplies both a usable client-side tool and a reusable evaluation scaffold for future prompt-privacy research.

major comments (2)
  1. [§5.1.1, Appendix A, §5.6.4, Fig. 8] The central quantitative claims (3.3 imes privacy-per-utility and 1.4 imes absolute privacy over the two baselines, and the assertion that PromptPET rides the single-action envelope) rest entirely on the soft exposure metric of Section 5.1.1 / Appendix A: GPT-4.1 two-stage IAB extraction followed by normalized cosine similarity of mean embeddings of category-matched labels, then PrivacyGain = 1 − Exposure. Section 5.6.4 already records that 17.5 % of τ = 1.0 queries remain privacy-miss (median privacy 0.00) because residual co-occurring context still allows the same profiler to recover the profile. The metric therefore awards credit for semantic deviation rather than hard attribute-inference failure. Because the identical model family also supplies the agent responses and the utility judges, the ranking and the headline ratios may not transfer to an independent or production profiler. A
  2. [§3, §2.1–2.2] The threat model (Section 3) correctly declares cross-prompt longitudinal de-obfuscation and active elicitation out of scope, yet the motivation sections (2.1–2.2) emphasize precisely the stateful, memory-augmented agents that accumulate profiles over sessions. The single-prompt evaluation therefore leaves open whether the learned rule set remains effective once an adversary can correlate multiple obfuscated turns or detect the slotted multi-option template of the Noise action. At minimum the paper should quantify, on a multi-turn subset of WildChat, how quickly residual signals accumulate, or state more prominently that the reported gains are single-turn only and that longitudinal robustness is future work.
minor comments (5)
  1. [Fig. 6] Figure 6 KDE panels omit the lowest-density 5.3 % of queries; a short note on whether those omitted points disproportionately fall into the failure region would help readers interpret the visual claim that failure is rare.
  2. [§4.2.4, Appendix B] The Noise denoiser success rate of 97.6 % is reported only in the main text; the exact rule-based parser (or the few failure modes) should appear in Appendix B alongside the template.
  3. [Table 3] Table 3 credits all tied actions, so row sums exceed 100 %. A parenthetical note that the percentages are not a partition would avoid momentary confusion.
  4. [Eq. (1), §4.3] The length penalty λ = 10^{-5} in Eq. (1) is stated without sensitivity analysis; a one-sentence remark on whether the final rule set changes under λ ∈ {10^{-6}, 10^{-4}} would strengthen the optimizer description.
  5. [Fig. 2, §4.2] Minor typographical inconsistencies appear in the running example (e.g., “therapist/dentist” vs. separate answers) and in the capitalization of action names across figures and text; a light copy-edit pass would improve polish.

Circularity Check

0 steps flagged

No circular derivation: PromptPET's claims are empirical privacy-utility measurements on held-out data under fixed external metrics, not predictions forced by construction.

full rationale

This is an empirical systems paper, not a first-principles derivation. The load-bearing claims (matching the single-action privacy-utility frontier; 3.3× privacy-per-utility and 1.4× privacy vs. Ngong et al. and Zhou et al.) are measured outcomes on a held-out WildChat-derived test set under fixed metrics: IAB-taxonomy profile exposure via embedding cosine (Appendix A) and response utility via embedding cosine plus NLI claim preservation (Section 5.1). The rule optimizer is trained on a disjoint optimization split (797 train / 113 val) and evaluated on a separate test set (Section 5.5); single-action curves and baselines are scored with the same external metrics. There is no equation that reduces a claimed prediction to a fitted parameter by construction, no uniqueness theorem imported from the authors, and no self-citation that carries the central result. The Oracle seed uses importance-binned action frequencies from the single-action analysis, which is a mild methodological choice about initialization, not a circular identification of the reported test metrics with the training objective. PrivacyGain = 1 − Exposure is a metric definition applied uniformly to all methods, not a tautology that forces PromptPET to win. Honest finding: no significant circularity.

Axiom & Free-Parameter Ledger

4 free parameters · 4 axioms · 2 invented entities

The paper rests on a standard honest-but-curious threat model, an external advertising taxonomy chosen as the sensitive scope, LLM-as-judge metrics for both privacy and utility, and several hand-chosen optimization hyperparameters. No new physical entities are postulated; the free parameters are ordinary ML/system knobs.

free parameters (4)
  • alpha (privacy-utility weight) = 0.5 (balanced default)
    Balances the optimization objective; default 0.5, also swept at 0 and 1; directly shapes the final rule set.
  • importance thresholds tau = {0.6, 0.8, 1.0}
    Control which units are offered for obfuscation; chosen from empirical CDF terciles (0.6, 0.8, 1.0).
  • lambda (rule-length penalty) = 1e-5
    Discourages verbose rules in the OPRO objective; set to 1e-5.
  • optimization rounds / mini-batch size = 20 / 50
    Control the rule-optimizer loop; 20 rounds, batch of 50.
axioms (4)
  • domain assumption Adversary is honest-but-curious, processes prompts in the clear, and profiles via an IAB-style taxonomy; cross-prompt longitudinal attacks and active elicitation are out of scope.
    Stated in Section 3; load-bearing for the claim that unit-level obfuscation suffices.
  • domain assumption IAB Audience Taxonomy (Demographics & Interests) is an adequate proxy for the sensitive attributes a real provider would extract.
    Adopted in Section 4.1.1 as the default sensitive taxonomy.
  • domain assumption LLM-based importance scoring and claim-level NLI utility metrics are sufficiently reliable for comparative evaluation.
    Justified by prior literature and a controlled redaction validation (Section 5.3).
  • domain assumption Local user-side LLM (Gemma3:12B) is trusted and does not leak to the adversary.
    Stated in the system model (Section 3).
invented entities (2)
  • Noise/denoise action with slotted multi-option template independent evidence
    purpose: Preserve high-importance units while injecting coherent decoys that can be filtered by a hard-coded parser.
    Novel action introduced in Section 4.2.4; independent evidence is the 97.6 % denoiser success rate on the test set.
  • OPRO-style rule optimizer for per-unit action selection no independent evidence
    purpose: Learn a compact, interpretable decision rule set that coordinates the four actions.
    First application of the OPRO loop to prompt-obfuscation action choice (Section 4.3).

pith-pipeline@v1.1.0-grok45 · 32370 in / 2940 out tokens · 33460 ms · 2026-07-12T06:00:09.842707+00:00 · methodology

0 comments
read the original abstract

Privacy is an important challenge when users interact with AI chatbots, since users may share sensitive information, explicitly or implicitly, and AI chatbots can use this information for user profiling. In this paper, we aim to protect user privacy via a user-side mechanism that transforms sensitive information in a user prompt, while preserving enough information to elicit a useful response from the chatbot. This approach faces an inherent tradeoff between protecting privacy (i.e., avoiding profiling) and preserving utility (i.e., getting personalized and task-specific responses). To that end, we consider, evaluate, and compare four different obfuscation actions, namely redaction, abstraction, replacement, and a novel noising/denoising scheme that we introduce. Additional novel insights include: utilizing a data type taxonomy to both identify and obfuscate sensitive information and explicitly taking into account the utility of chat responses in making the obfuscation decision. First, we systematically optimize and evaluate each obfuscation action independently in terms of the privacy-utility tradeoff it achieves. Second, we propose PROMPTPET, an LLM-based agent that selects the best obfuscation action for each sensitive part of the prompt, using a reinforcement-learning inspired rule optimizer, applied for the first time in this context. Using a real-world chat dataset, we show that PROMPTPET matches the best privacy-utility tradeoff attainable by any single obfuscation action and significantly outperforms prior state-of-the-art approaches.

Figures

Figures reproduced from arXiv: 2607.02932 by Athina Markopoulou, Ke Yang, Olivia Figueira, Umar Iqbal.

Figure 1
Figure 1. Figure 1: PromptPET Overview. A user interacts with an AI agent through a conversational interface. PromptPET sits between the user and the online AI agent, obfuscating sensitive parts of the user prompt (query) so that it subverts user profiling by the provider. See [PITH_FULL_IMAGE:figures/full_fig_p001_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: 4 [PITH_FULL_IMAGE:figures/full_fig_p004_2.png] view at source ↗
Figure 2
Figure 2. Figure 2: Overview of the PromptPET Framework. For a given user query and sensitivity taxonomy, PromptPET detects sensitive units and estimates their importance scores, capturing each unit’s contribution to generating the desired LLM response. A obfuscation action decider relying on a learned decision rule set then chooses one of four actions for each unit: redact, abstract, replace, or noise. After all obfuscation … view at source ↗
Figure 3
Figure 3. Figure 3: Details of the Noise Action. Each sensitive unit as￾signed the Noise action is paired with noise data type drawn from the taxonomy; together these form a noise combination. A local LLM generates a plausible value under each noise data type, and a template combines the generated decoys with the original query. In [PITH_FULL_IMAGE:figures/full_fig_p006_3.png] view at source ↗
Figure 5
Figure 5. Figure 5: CDF of Sensitive Unit Importance Scores. Red dotted [PITH_FULL_IMAGE:figures/full_fig_p007_5.png] view at source ↗
Figure 7
Figure 7. Figure 7: Aggregate Privacy-Utility Tradeoff Curve. Each [PITH_FULL_IMAGE:figures/full_fig_p009_7.png] view at source ↗
Figure 6
Figure 6. Figure 6: Privacy-Utility Distributions. Per-query distribu [PITH_FULL_IMAGE:figures/full_fig_p009_6.png] view at source ↗
Figure 8
Figure 8. Figure 8: PromptPET Privacy-Utility Tradeoff Curve. In￾cludes PromptPET (orange), prior work, and single-action upper bounds. Upper-Abstract and Upper-Noise reproduce the strongest single-action frontiers from [PITH_FULL_IMAGE:figures/full_fig_p011_8.png] view at source ↗

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

87 extracted references · 12 linked inside Pith

  1. [1]

    Martin Abadi, Andy Chu, Ian Goodfellow, H Brendan McMahan, Ilya Mironov, Kunal Talwar, and Li Zhang. 2016. Deep learning with differential privacy. In Proceedings of the 2016 ACM SIGSAC conference on computer and communications security. 308–318

  2. [2]

    AdNauseam Project. 2026. AdNauseam. https://adnauseam.io/ Accessed 2026- 06-12

  3. [3]

    Benjamin Andow, Samin Yaseer Mahmud, Justin Whitaker, William Enck, Bradley Reaves, Kapil Singh, and Serge Egelman. 2020. Actions speak louder than words: {Entity-Sensitive} privacy policy and data flow analysis with {PoliCheck}. In29th USENIX Security Symposium (USENIX Security 20). 985– 1002

  4. [4]

    Anthropic. 2026. Claude. https://claude.ai/ Accessed 2026-05-23

  5. [5]

    Anthropic. 2026. How Long Do You Store My Data? https://privacy.claude.com/ en/articles/10023548-how-long-do-you-store-my-data

  6. [6]

    Anthropic. 2026. Import Memory. https://claude.com/import-memory Accessed 2026-06-05

  7. [7]

    Brown, Benjamin Mann, Nick Ryder, Melanie Subbiah, Jared D

    Tom B. Brown, Benjamin Mann, Nick Ryder, Melanie Subbiah, Jared D. Kaplan, Prafulla Dhariwal, Arvind Neelakantan, Pranav Shyam, Girish Sastry, Amanda Askell, et al. 2020. Language Models are Few-Shot Learners. InAdvances in Neural Information Processing Systems, Vol. 33. 1877–1901

  8. [8]

    Benjamin Bullough, Harrison Lundberg, Chen Hu, and Weihang Xiao. 2024. Predicting entity salience in extremely short documents. InProceedings of the 2024 Conference on Empirical Methods in Natural Language Processing: Industry Track. 50–64

  9. [9]

    Nicholas Carlini, Daphne Ippolito, Matthew Jagielski, Katherine Lee, Florian Tramer, and Chiyuan Zhang. 2022. Quantifying memorization across neural language models. InThe Eleventh International Conference on Learning Represen- tations

  10. [10]

    Nicholas Carlini, Florian Tramer, Eric Wallace, Matthew Jagielski, Ariel Herbert- Voss, Katherine Lee, Adam Roberts, Tom Brown, Dawn Song, Ulfar Erlingsson, et al. 2021. Extracting training data from large language models. In30th USENIX security symposium (USENIX Security 21). 2633–2650

  11. [11]

    Prateek Chhikara, Dev Khant, Saket Aryan, Taranjeet Singh, and Deshraj Ya- dav. 2025. Mem0: Building production-ready ai agents with scalable long-term memory.arXiv preprint arXiv:2504.19413(2025)

  12. [12]

    Chun Jie Chong, Chenxi Hou, Zhihao Yao, and Seyed Mohammadjavad Seyed Talebi. 2024. Casper: Prompt sanitization for protecting user privacy in web- based large language models.arXiv preprint arXiv:2408.07004(2024)

  13. [13]

    Amrita Roy Chowdhury, David Glukhov, Divyam Anshumaan, Prasad Chalasani, Nicolas Papernot, Somesh Jha, and Mihir Bellare. 2025. Pr 𝜖𝜖mpt: Sanitizing Sensitive Prompts for LLMs.arXiv preprint arXiv:2504.05147(2025)

  14. [14]

    Jacob Devlin, Ming-Wei Chang, Kenton Lee, and Kristina Toutanova. 2019. BERT: Pre-training of Deep Bidirectional Transformers for Language Understanding. In Proceedings of the 2019 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies (Volume 1: Long Papers). Association for Computational Li...

  15. [15]

    Dia Browser. 2026. Dia Browser. https://www.diabrowser.com/ Accessed 2026-06-05

  16. [16]

    Tian Dong, Yan Meng, Shaofeng Li, Guoxing Chen, Zhen Liu, and Haojin Zhu

  17. [17]

    In 34th USENIX Security Symposium (USENIX Security 25)

    Depth Gives a False Sense of Privacy: {LLM} Internal States Inversion. In 34th USENIX Security Symposium (USENIX Security 25). 1629–1648

  18. [18]

    Jesse Dunietz and Dan Gillick. 2014. A new entity salience task with millions of training examples. InProceedings of the 14th Conference of the European Chapter of the Association for Computational Linguistics, volume 2: Short Papers. 205–209

  19. [19]

    Steven Englehardt and Arvind Narayanan. 2016. Online tracking: A 1-million-site measurement and analysis. InProceedings of the 2016 ACM SIGSAC conference on computer and communications security. 1388–1401

  20. [20]

    Futurism. 2026. OpenAI Personal Information Meta Google. https://futurism. com/artificial-intelligence/openai-personal-information-meta-google Accessed 2026-06-05

  21. [21]

    Leon Garza, Anantaa Kotal, Aritran Piplai, Lavanya Elluri, Prajit Das, and Aman Chadha. 2025. PRvL: Quantifying the Capabilities and Risks of Large Language Models for PII Redaction.arXiv preprint arXiv:2508.05545(2025)

  22. [22]

    Google. 2026. Gemini. https://gemini.google.com/ Accessed 2026-05-23

  23. [23]

    Google. 2026. Gemini Apps Privacy Hub. https://support.google.com/gemini/ answer/13594961

  24. [24]

    Google. 2026. Google. https://www.google.com/ Accessed 2026-06-05

  25. [25]

    Google. 2026. Import Memory. https://gemini.google/import-memory/ Accessed 2026-06-05

  26. [26]

    Google. 2026. Temporary Chats and New Privacy Controls in Gem- ini. https://blog.google/products-and-platforms/products/gemini/temporary- chats-privacy-controls/ Accessed 2026-06-05

  27. [27]

    Google DeepMind. 2026. Gemma 3. https://deepmind.google/models/gemma/ gemma-3/ Accessed 2026-05-20

  28. [28]

    Ece Gumusel, Yueru Yan, and Ege Otenen. 2026. From Awareness to Practice: A Survey of US Users’ Privacy Perceptions in LLM Chatbots. InUSEC, NDSS Symposium

  29. [29]

    Aniko Hannak, Gary Soeller, David Lazer, Alan Mislove, and Christo Wilson

  30. [30]

    In Proceedings of the 2014 conference on internet measurement conference

    Measuring price discrimination and steering on e-commerce web sites. In Proceedings of the 2014 conference on internet measurement conference. 305–318

  31. [31]

    Meng Hao, Hongwei Li, Hanxiao Chen, Pengzhi Xing, Guowen Xu, and Tian- wei Zhang. 2022. Iron: Private inference on transformers.Advances in neural information processing systems35 (2022), 15718–15731

  32. [32]

    Interactive Advertising Bureau (IAB) Tech Lab. [n. d.]. Audience Taxonomy 1.1 (TSV). https://github.com/InteractiveAdvertisingBureau/Taxonomies

  33. [33]

    Umar Iqbal, Pouneh Nikkhah Bahrami, Rahmadi Trimananda, Hao Cui, Alexan- der Gamero-Garrido, Daniel J Dubois, David Choffnes, Athina Markopoulou, Franziska Roesner, and Zubair Shafiq. 2023. Tracking, profiling, and ad targeting in the alexa echo smart speaker ecosystem. InProceedings of the 2023 ACM on Internet Measurement Conference. 569–583

  34. [34]

    Muhammad Jazlan, Ethan Wang, Yash Vekaria, and Zubair Shafiq. 2026. Tracking Conversations: Measuring Content and Identity Exposure on AI Chatbots.arXiv preprint arXiv:2604.27438(2026)

  35. [35]

    Jinyuan Jia, Ahmed Salem, Michael Backes, Yang Zhang, and Neil Zhenqiang Gong. 2019. Memguard: Defending against black-box membership inference at- tacks via adversarial examples. InProceedings of the 2019 ACM SIGSAC conference on computer and communications security. 259–274

  36. [36]

    Hidetoshi Kido, Yutaka Yanagisawa, and Tetsuji Satoh. 2005. An anonymous communication technique using dummies for location-based services. InICPS’05. Proceedings. International Conference on Pervasive Services, 2005.IEEE, 88–97

  37. [37]

    Eduard Kovacs. 2024. ChatGPT Plugin Vulnerabilities Exposed Data, Accounts. SecurityWeek. https://www.securityweek.com/chatgpt-plugin-vulnerabilities- exposed-data-accounts/

  38. [38]

    Chin-Yew Lin. 2004. ROUGE: A Package for Automatic Evaluation of Summaries. InText Summarization Branches Out: Proceedings of the ACL-04 Workshop. 74–81

  39. [39]

    Shuang Liu, Ruijia Zhang, Ruoyun Ma, Yujia Deng, Lanyi Zhu, Jiayu Li, Ze- long Li, Zhibin Shen, and Mengnan Du. 2026. LLM Agents in Law: Taxonomy, Applications, and Challenges.arXiv preprint arXiv:2601.06216(2026)

  40. [40]

    Célestin Matte, Nataliia Bielova, and Cristiana Santos. 2020. Do cookie banners respect my choice?: Measuring legal compliance of banners from iab europe’s transparency and consent framework. In2020 IEEE Symposium on Security and Privacy (SP). IEEE, 791–809

  41. [41]

    Dasha Metropolitansky and Jonathan Larson. 2025. Towards effective extraction and evaluation of factual claims. InProceedings of the 63rd Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers). 6996–7045

  42. [42]

    Microsoft. 2026. Bing. https://www.bing.com/ Accessed 2026-06-05

  43. [43]

    Niloofar Mireshghallah, Maria Antoniak, Yash More, Yejin Choi, and Golnoosh Farnadi. 2024. Trust no bot: Discovering personal disclosures in human-llm conversations in the wild.arXiv preprint arXiv:2407.11438(2024)

  44. [44]

    Ivoline C Ngong, Swanand Ravindra Kadhe, Hao Wang, Keerthiram Murugesan, Justin D Weisz, Amit Dhurandhar, and Karthikeyan Natesan Ramamurthy. 2025. Protecting users from themselves: Safeguarding contextual privacy in interac- tions with conversational agents. InFindings of the Association for Computational Linguistics: ACL 2025. 26196–26220

  45. [45]

    Ollama. 2026. Gemma 3 (Ollama library). https://ollama.com/library/gemma3 Accessed 2026-05-20

  46. [46]

    Ollama. 2026. Ollama. https://ollama.com/ Accessed 2026-05-20

  47. [47]

    OpenAI. 2025. GPTs Data Privacy FAQ. https://help.openai.com/en/articles/ 8554402-gpts-data-privacy-faq. Accessed May 2026

  48. [48]

    OpenAI. 2025. How We’re Responding to The New York Times’ Data Demands in Order to Protect User Privacy. https://openai.com/index/response-to-nyt- data-demands/

  49. [49]

    OpenAI. 2025. Memory FAQ. https://help.openai.com/en/articles/8590148- memory-faq. Accessed May 2026

  50. [50]

    OpenAI. 2026. Atlas. https://chatgpt.com/atlas/ Accessed 2026-06-05

  51. [51]

    OpenAI. 2026. ChatGPT. https://chatgpt.com/ Accessed 2026-05-23

  52. [52]

    OpenAI. 2026. GPT-4. https://openai.com/index/gpt-4/ Accessed 2026-05-20

  53. [53]

    OpenAI. 2026. GPT-4.1 model documentation (OpenAI Developers). https: //developers.openai.com/api/docs/models/gpt-4.1 Accessed 2026-05-20

  54. [54]

    OpenAI. 2026. Memory and New Controls for ChatGPT. https://openai.com/ index/memory-and-new-controls-for-chatgpt/ Accessed 2026-06-05

  55. [55]

    OpenClaw. 2026. OpenClaw. https://openclaw.ai/ Accessed 2026-06-05

  56. [56]

    Charles Packer, Sarah Wooders, Kevin Lin, Vivian Fang, Shishir G Patil, Ion Stoica, and Joseph E Gonzalez. 2023. MemGPT: Towards LLMs as Operating Systems.arXiv preprint arXiv:2310.08560(2023)

  57. [57]

    David Pape, Sina Mavali, Thorsten Eisenhofer, and Lea Schönherr. 2025. Prompt obfuscation for large language models. In34th USENIX Security Symposium (USENIX Security 25). 2323–2342. 13

  58. [58]

    Joon Sung Park, Joseph O’Brien, Carrie Jun Cai, Meredith Ringel Morris, Percy Liang, and Michael S Bernstein. 2023. Generative agents: Interactive simulacra of human behavior. InProceedings of the 36th annual acm symposium on user interface software and technology. 1–22

  59. [59]

    Synthia Qia Wang, Sai Teja Peddinti, Nina Taft, and Nick Feamster. 2026. Beyond PII: How Users Attempt to Estimate and Mitigate Implicit LLM Inference. In Proceedings of the 2026 CHI Conference on Human Factors in Computing Systems. 1–17

  60. [60]

    Nils Reimers and Iryna Gurevych. 2019. Sentence-BERT: Sentence Embeddings using Siamese BERT-Networks. InProceedings of the 2019 Conference on Empirical Methods in Natural Language Processing and the 9th International Joint Conference on Empirical Methods in Natural Language Processing (EMNLP-IJCNLP). 3982– 3992

  61. [61]

    Alessandro Scirè, Karim Ghonim, and Roberto Navigli. 2024. FENICE: Factuality evaluation of summarization based on natural language inference and claim extraction. InFindings of the Association for Computational Linguistics: ACL 2024. 14148–14161

  62. [62]

    Reza Shokri, Marco Stronati, Congzheng Song, and Vitaly Shmatikov. 2017. Membership inference attacks against machine learning models. In2017 IEEE symposium on security and privacy (SP). IEEE, 3–18

  63. [63]

    Reza Shokri, George Theodorakopoulos, Carmela Troncoso, Jean-Pierre Hubaux, and Jean-Yves Le Boudec. 2012. Protecting location privacy: optimal strategy against localization attacks. InProceedings of the 2012 ACM conference on Com- puter and communications security. 617–627

  64. [64]

    Robin Staab, Mark Vero, Mislav Balunovic, and Martin Vechev. 2024. Beyond memorization: Violating privacy via inference with large language models. In International Conference on Learning Representations, Vol. 2024. 33832–33878

  65. [65]

    Robin Staab, Mark Vero, Mislav Balunović, and Martin Vechev. 2024. Large language models are advanced anonymizers.arXiv preprint arXiv:2402.13846 (2024)

  66. [66]

    The New York Times. 2026. Chatbots, Influencers, Brands, Market- ing. https://www.nytimes.com/2026/02/17/technology/chatbots-influencers- brands-marketing.html

  67. [67]

    Meng Tong, Kejiang Chen, Jie Zhang, Yuang Qi, Weiming Zhang, Nenghai Yu, Tianwei Zhang, and Zhikun Zhang. 2025. Inferdpt: Privacy-preserving inference for black-box large language models.IEEE Transactions on Dependable and Secure Computing(2025)

  68. [68]

    Sarah Tran, Hongfan Lu, Isaac Slaughter, Bernease Herman, Aayushi Dangol, Yue Fu, Lufei Chen, Biniyam Gebreyohannes, Bill Howe, Alexis Hiniker, et al

  69. [69]

    InProceedings of the AAAI/ACM Conference on AI, Ethics, and Society, Vol

    Understanding Privacy Norms Around LLM-Based Chatbots: A Contextual Integrity Perspective. InProceedings of the AAAI/ACM Conference on AI, Ethics, and Society, Vol. 8. 2522–2534

  70. [70]

    Imdad Ullah, Roksana Boreli, and Salil S Kanhere. 2020. Privacy in targeted advertising: A survey.arXiv preprint arXiv:2009.06861(2020)

  71. [71]

    Yash Vekaria, Aurelio Loris Canino, Jonathan Levitsky, Alex Ciechonski, Patricia Callejo, Anna Maria Mandalari, and Zubair Shafiq. 2025. Big Help or Big Brother? Auditing Tracking, Profiling, and Personalization in Generative AI Assistants. arXiv preprint arXiv:2503.16586(2025)

  72. [72]

    Adina Williams, Nikita Nangia, and Samuel Bowman. 2018. A broad-coverage challenge corpus for sentence understanding through inference. InProceedings of the 2018 Conference of the North American Chapter of the Association for Com- putational Linguistics: Human Language Technologies, Volume 1 (Long Papers). 1112–1122

  73. [73]

    Haoqi Wu, Wei Dai, Li Wang, and Qiang Yan. 2025. Cape: Context-aware prompt perturbation mechanism with differential privacy.arXiv preprint arXiv:2505.05922 (2025)

  74. [74]

    Yuhao Wu, Evin Jaff, Ke Yang, Ning Zhang, and Umar Iqbal. 2025. An in-depth investigation of data collection in llm app ecosystems. InProceedings of the 2025 ACM Internet Measurement Conference. 150–170

  75. [75]

    Wujiang Xu, Zujie Liang, Kai Mei, Hang Gao, Juntao Tan, and Yongfeng Zhang

  76. [76]

    A-mem: Agentic memory for llm agents.Advances in Neural Information Processing Systems38 (2026), 17577–17604

  77. [77]

    Chengrun Yang, Xuezhi Wang, Yifeng Lu, Hanxiao Liu, Quoc V Le, Denny Zhou, and Xinyun Chen. 2024. Large language models as optimizers. InInternational Conference on Learning Representations, Vol. 2024. 12028–12068

  78. [78]

    Tianyu Yang, Xiaodan Zhu, and Iryna Gurevych. 2025. Robust utility-preserving text anonymization based on large language models. InProceedings of the 63rd Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers). 28922–28941

  79. [79]

    Hye Sun Yun and Timothy Bickmore. 2025. Online health information–seeking in the era of large language models: cross-sectional web-based survey study. Journal of medical Internet research27 (2025), e68560

  80. [80]

    Jiang Zhang, Konstantinos Psounis, Muhammad Haroon, and Zubair Shafiq

Showing first 80 references.