REVIEW 2 major objections 5 minor 87 references
A user-side agent can rewrite sensitive parts of a chatbot prompt so the provider cannot profile you well, while still getting useful answers.
Reviewed by Pith at T0; open to challenge. T0 means a machine referee read the full paper against a public rubric. the ladder, T0–T4 →
T0 review · grok-4.5
2026-07-12 06:00 UTC pith:RGKDPDAD
load-bearing objection Solid systems paper: noise/denoise plus OPRO-style action selection rides the single-action privacy-utility envelope and beats two prior automated baselines; the 3.3×/1.4× numbers rest on a soft IAB-embedding proxy that already admits 17.5% residual recovery. the 2 major comments →
PromptPET: Privacy-Utility Optimized Prompt Obfuscation
The pith
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
Selective, taxonomy-guided prompt obfuscation that mixes redaction, abstraction, replacement, and a novel noising/denoising action, coordinated by a reinforcement-learning-inspired rule optimizer, matches the best privacy–utility tradeoff of any single action and significantly outperforms prior deployable prompt-obfuscation baselines on real user–AI queries.
What carries the argument
The Noise action plus the rule-optimization loop: Noise keeps a high-importance sensitive unit intact, injects coherent decoys under other taxonomy data types, forces the remote agent to answer real and decoy requests separately, and filters the decoy answers before the user sees them; the rule optimizer then learns which action (Noise, Abstract, Redact, or Replace) to assign to each unit by iterating decision-rule sets against a privacy–utility reward.
Load-bearing premise
The defense is evaluated against a single-prompt, honest-but-curious profiler that is adequately captured by taxonomy-label extraction and embedding similarity; multi-turn de-obfuscation and active elicitation are left out of scope.
What would settle it
On a held-out set of real multi-turn or longitudinal chats, if an adversary that only sees the obfuscated prompts can still recover the original IAB-style profile labels at rates comparable to the unprotected baseline, or if the filtered chatbot answers lose task success under human or task-specific utility metrics, the claimed privacy–utility frontier would not hold.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper proposes PromptPET, a user-side framework that detects sensitive units in LLM prompts via an IAB Audience Taxonomy, scores their importance for response utility, and applies one of four obfuscation actions (redact, abstract, replace, or a novel noise/denoise scheme that injects decoy units and filters the response). A reinforcement-learning-inspired rule optimizer (OPRO-style) learns a decision rule set that selects the action per unit. On a WildChat-derived test set of real queries, single-action analysis shows Noise dominates the privacy-utility frontier at high privacy; the selective system matches that envelope and outperforms two prior automated baselines (Ngong et al., Zhou et al.) by 3.3 imes privacy per unit utility cost and 1.4 imes absolute privacy under the authors’ embedding-based exposure metric.
Significance. User-side prompt obfuscation that does not rely on provider cooperation is a timely and practically important PET for the emerging class of stateful AI agents that profile users from free-form natural-language input. The systematic isolation of four actions (including a carefully engineered noise/denoise template that preserves high-importance units), the explicit use of a fine-grained taxonomy for both detection and rewriting, the importance-score validation via controlled redaction, and the first application of an OPRO-style rule optimizer to this setting are genuine methodological contributions. If the reported frontier-matching and quantitative gains hold under stronger privacy metrics, the work supplies both a usable client-side tool and a reusable evaluation scaffold for future prompt-privacy research.
major comments (2)
- [§5.1.1, Appendix A, §5.6.4, Fig. 8] The central quantitative claims (3.3 imes privacy-per-utility and 1.4 imes absolute privacy over the two baselines, and the assertion that PromptPET rides the single-action envelope) rest entirely on the soft exposure metric of Section 5.1.1 / Appendix A: GPT-4.1 two-stage IAB extraction followed by normalized cosine similarity of mean embeddings of category-matched labels, then PrivacyGain = 1 − Exposure. Section 5.6.4 already records that 17.5 % of τ = 1.0 queries remain privacy-miss (median privacy 0.00) because residual co-occurring context still allows the same profiler to recover the profile. The metric therefore awards credit for semantic deviation rather than hard attribute-inference failure. Because the identical model family also supplies the agent responses and the utility judges, the ranking and the headline ratios may not transfer to an independent or production profiler. A
- [§3, §2.1–2.2] The threat model (Section 3) correctly declares cross-prompt longitudinal de-obfuscation and active elicitation out of scope, yet the motivation sections (2.1–2.2) emphasize precisely the stateful, memory-augmented agents that accumulate profiles over sessions. The single-prompt evaluation therefore leaves open whether the learned rule set remains effective once an adversary can correlate multiple obfuscated turns or detect the slotted multi-option template of the Noise action. At minimum the paper should quantify, on a multi-turn subset of WildChat, how quickly residual signals accumulate, or state more prominently that the reported gains are single-turn only and that longitudinal robustness is future work.
minor comments (5)
- [Fig. 6] Figure 6 KDE panels omit the lowest-density 5.3 % of queries; a short note on whether those omitted points disproportionately fall into the failure region would help readers interpret the visual claim that failure is rare.
- [§4.2.4, Appendix B] The Noise denoiser success rate of 97.6 % is reported only in the main text; the exact rule-based parser (or the few failure modes) should appear in Appendix B alongside the template.
- [Table 3] Table 3 credits all tied actions, so row sums exceed 100 %. A parenthetical note that the percentages are not a partition would avoid momentary confusion.
- [Eq. (1), §4.3] The length penalty λ = 10^{-5} in Eq. (1) is stated without sensitivity analysis; a one-sentence remark on whether the final rule set changes under λ ∈ {10^{-6}, 10^{-4}} would strengthen the optimizer description.
- [Fig. 2, §4.2] Minor typographical inconsistencies appear in the running example (e.g., “therapist/dentist” vs. separate answers) and in the capitalization of action names across figures and text; a light copy-edit pass would improve polish.
Circularity Check
No circular derivation: PromptPET's claims are empirical privacy-utility measurements on held-out data under fixed external metrics, not predictions forced by construction.
full rationale
This is an empirical systems paper, not a first-principles derivation. The load-bearing claims (matching the single-action privacy-utility frontier; 3.3× privacy-per-utility and 1.4× privacy vs. Ngong et al. and Zhou et al.) are measured outcomes on a held-out WildChat-derived test set under fixed metrics: IAB-taxonomy profile exposure via embedding cosine (Appendix A) and response utility via embedding cosine plus NLI claim preservation (Section 5.1). The rule optimizer is trained on a disjoint optimization split (797 train / 113 val) and evaluated on a separate test set (Section 5.5); single-action curves and baselines are scored with the same external metrics. There is no equation that reduces a claimed prediction to a fitted parameter by construction, no uniqueness theorem imported from the authors, and no self-citation that carries the central result. The Oracle seed uses importance-binned action frequencies from the single-action analysis, which is a mild methodological choice about initialization, not a circular identification of the reported test metrics with the training objective. PrivacyGain = 1 − Exposure is a metric definition applied uniformly to all methods, not a tautology that forces PromptPET to win. Honest finding: no significant circularity.
Axiom & Free-Parameter Ledger
free parameters (4)
- alpha (privacy-utility weight) =
0.5 (balanced default)
- importance thresholds tau =
{0.6, 0.8, 1.0}
- lambda (rule-length penalty) =
1e-5
- optimization rounds / mini-batch size =
20 / 50
axioms (4)
- domain assumption Adversary is honest-but-curious, processes prompts in the clear, and profiles via an IAB-style taxonomy; cross-prompt longitudinal attacks and active elicitation are out of scope.
- domain assumption IAB Audience Taxonomy (Demographics & Interests) is an adequate proxy for the sensitive attributes a real provider would extract.
- domain assumption LLM-based importance scoring and claim-level NLI utility metrics are sufficiently reliable for comparative evaluation.
- domain assumption Local user-side LLM (Gemma3:12B) is trusted and does not leak to the adversary.
invented entities (2)
-
Noise/denoise action with slotted multi-option template
independent evidence
-
OPRO-style rule optimizer for per-unit action selection
no independent evidence
read the original abstract
Privacy is an important challenge when users interact with AI chatbots, since users may share sensitive information, explicitly or implicitly, and AI chatbots can use this information for user profiling. In this paper, we aim to protect user privacy via a user-side mechanism that transforms sensitive information in a user prompt, while preserving enough information to elicit a useful response from the chatbot. This approach faces an inherent tradeoff between protecting privacy (i.e., avoiding profiling) and preserving utility (i.e., getting personalized and task-specific responses). To that end, we consider, evaluate, and compare four different obfuscation actions, namely redaction, abstraction, replacement, and a novel noising/denoising scheme that we introduce. Additional novel insights include: utilizing a data type taxonomy to both identify and obfuscate sensitive information and explicitly taking into account the utility of chat responses in making the obfuscation decision. First, we systematically optimize and evaluate each obfuscation action independently in terms of the privacy-utility tradeoff it achieves. Second, we propose PROMPTPET, an LLM-based agent that selects the best obfuscation action for each sensitive part of the prompt, using a reinforcement-learning inspired rule optimizer, applied for the first time in this context. Using a real-world chat dataset, we show that PROMPTPET matches the best privacy-utility tradeoff attainable by any single obfuscation action and significantly outperforms prior state-of-the-art approaches.
Figures
Reference graph
Works this paper leans on
-
[1]
Martin Abadi, Andy Chu, Ian Goodfellow, H Brendan McMahan, Ilya Mironov, Kunal Talwar, and Li Zhang. 2016. Deep learning with differential privacy. In Proceedings of the 2016 ACM SIGSAC conference on computer and communications security. 308–318
2016
-
[2]
AdNauseam Project. 2026. AdNauseam. https://adnauseam.io/ Accessed 2026- 06-12
2026
-
[3]
Benjamin Andow, Samin Yaseer Mahmud, Justin Whitaker, William Enck, Bradley Reaves, Kapil Singh, and Serge Egelman. 2020. Actions speak louder than words: {Entity-Sensitive} privacy policy and data flow analysis with {PoliCheck}. In29th USENIX Security Symposium (USENIX Security 20). 985– 1002
2020
-
[4]
Anthropic. 2026. Claude. https://claude.ai/ Accessed 2026-05-23
2026
-
[5]
Anthropic. 2026. How Long Do You Store My Data? https://privacy.claude.com/ en/articles/10023548-how-long-do-you-store-my-data
arXiv 2026
-
[6]
Anthropic. 2026. Import Memory. https://claude.com/import-memory Accessed 2026-06-05
2026
-
[7]
Brown, Benjamin Mann, Nick Ryder, Melanie Subbiah, Jared D
Tom B. Brown, Benjamin Mann, Nick Ryder, Melanie Subbiah, Jared D. Kaplan, Prafulla Dhariwal, Arvind Neelakantan, Pranav Shyam, Girish Sastry, Amanda Askell, et al. 2020. Language Models are Few-Shot Learners. InAdvances in Neural Information Processing Systems, Vol. 33. 1877–1901
2020
-
[8]
Benjamin Bullough, Harrison Lundberg, Chen Hu, and Weihang Xiao. 2024. Predicting entity salience in extremely short documents. InProceedings of the 2024 Conference on Empirical Methods in Natural Language Processing: Industry Track. 50–64
2024
-
[9]
Nicholas Carlini, Daphne Ippolito, Matthew Jagielski, Katherine Lee, Florian Tramer, and Chiyuan Zhang. 2022. Quantifying memorization across neural language models. InThe Eleventh International Conference on Learning Represen- tations
2022
-
[10]
Nicholas Carlini, Florian Tramer, Eric Wallace, Matthew Jagielski, Ariel Herbert- Voss, Katherine Lee, Adam Roberts, Tom Brown, Dawn Song, Ulfar Erlingsson, et al. 2021. Extracting training data from large language models. In30th USENIX security symposium (USENIX Security 21). 2633–2650
2021
-
[11]
Prateek Chhikara, Dev Khant, Saket Aryan, Taranjeet Singh, and Deshraj Ya- dav. 2025. Mem0: Building production-ready ai agents with scalable long-term memory.arXiv preprint arXiv:2504.19413(2025)
Pith/arXiv arXiv 2025
-
[12]
Chun Jie Chong, Chenxi Hou, Zhihao Yao, and Seyed Mohammadjavad Seyed Talebi. 2024. Casper: Prompt sanitization for protecting user privacy in web- based large language models.arXiv preprint arXiv:2408.07004(2024)
arXiv 2024
-
[13]
Amrita Roy Chowdhury, David Glukhov, Divyam Anshumaan, Prasad Chalasani, Nicolas Papernot, Somesh Jha, and Mihir Bellare. 2025. Pr 𝜖𝜖mpt: Sanitizing Sensitive Prompts for LLMs.arXiv preprint arXiv:2504.05147(2025)
Pith/arXiv arXiv 2025
-
[14]
Jacob Devlin, Ming-Wei Chang, Kenton Lee, and Kristina Toutanova. 2019. BERT: Pre-training of Deep Bidirectional Transformers for Language Understanding. In Proceedings of the 2019 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies (Volume 1: Long Papers). Association for Computational Li...
2019
-
[15]
Dia Browser. 2026. Dia Browser. https://www.diabrowser.com/ Accessed 2026-06-05
2026
-
[16]
Tian Dong, Yan Meng, Shaofeng Li, Guoxing Chen, Zhen Liu, and Haojin Zhu
-
[17]
In 34th USENIX Security Symposium (USENIX Security 25)
Depth Gives a False Sense of Privacy: {LLM} Internal States Inversion. In 34th USENIX Security Symposium (USENIX Security 25). 1629–1648
-
[18]
Jesse Dunietz and Dan Gillick. 2014. A new entity salience task with millions of training examples. InProceedings of the 14th Conference of the European Chapter of the Association for Computational Linguistics, volume 2: Short Papers. 205–209
2014
-
[19]
Steven Englehardt and Arvind Narayanan. 2016. Online tracking: A 1-million-site measurement and analysis. InProceedings of the 2016 ACM SIGSAC conference on computer and communications security. 1388–1401
2016
-
[20]
Futurism. 2026. OpenAI Personal Information Meta Google. https://futurism. com/artificial-intelligence/openai-personal-information-meta-google Accessed 2026-06-05
2026
-
[21]
Leon Garza, Anantaa Kotal, Aritran Piplai, Lavanya Elluri, Prajit Das, and Aman Chadha. 2025. PRvL: Quantifying the Capabilities and Risks of Large Language Models for PII Redaction.arXiv preprint arXiv:2508.05545(2025)
Pith/arXiv arXiv 2025
-
[22]
Google. 2026. Gemini. https://gemini.google.com/ Accessed 2026-05-23
2026
-
[23]
Google. 2026. Gemini Apps Privacy Hub. https://support.google.com/gemini/ answer/13594961
arXiv 2026
-
[24]
Google. 2026. Google. https://www.google.com/ Accessed 2026-06-05
2026
-
[25]
Google. 2026. Import Memory. https://gemini.google/import-memory/ Accessed 2026-06-05
2026
-
[26]
Google. 2026. Temporary Chats and New Privacy Controls in Gem- ini. https://blog.google/products-and-platforms/products/gemini/temporary- chats-privacy-controls/ Accessed 2026-06-05
2026
-
[27]
Google DeepMind. 2026. Gemma 3. https://deepmind.google/models/gemma/ gemma-3/ Accessed 2026-05-20
2026
-
[28]
Ece Gumusel, Yueru Yan, and Ege Otenen. 2026. From Awareness to Practice: A Survey of US Users’ Privacy Perceptions in LLM Chatbots. InUSEC, NDSS Symposium
2026
-
[29]
Aniko Hannak, Gary Soeller, David Lazer, Alan Mislove, and Christo Wilson
-
[30]
In Proceedings of the 2014 conference on internet measurement conference
Measuring price discrimination and steering on e-commerce web sites. In Proceedings of the 2014 conference on internet measurement conference. 305–318
2014
-
[31]
Meng Hao, Hongwei Li, Hanxiao Chen, Pengzhi Xing, Guowen Xu, and Tian- wei Zhang. 2022. Iron: Private inference on transformers.Advances in neural information processing systems35 (2022), 15718–15731
2022
-
[32]
Interactive Advertising Bureau (IAB) Tech Lab. [n. d.]. Audience Taxonomy 1.1 (TSV). https://github.com/InteractiveAdvertisingBureau/Taxonomies
-
[33]
Umar Iqbal, Pouneh Nikkhah Bahrami, Rahmadi Trimananda, Hao Cui, Alexan- der Gamero-Garrido, Daniel J Dubois, David Choffnes, Athina Markopoulou, Franziska Roesner, and Zubair Shafiq. 2023. Tracking, profiling, and ad targeting in the alexa echo smart speaker ecosystem. InProceedings of the 2023 ACM on Internet Measurement Conference. 569–583
2023
-
[34]
Muhammad Jazlan, Ethan Wang, Yash Vekaria, and Zubair Shafiq. 2026. Tracking Conversations: Measuring Content and Identity Exposure on AI Chatbots.arXiv preprint arXiv:2604.27438(2026)
Pith/arXiv arXiv 2026
-
[35]
Jinyuan Jia, Ahmed Salem, Michael Backes, Yang Zhang, and Neil Zhenqiang Gong. 2019. Memguard: Defending against black-box membership inference at- tacks via adversarial examples. InProceedings of the 2019 ACM SIGSAC conference on computer and communications security. 259–274
2019
-
[36]
Hidetoshi Kido, Yutaka Yanagisawa, and Tetsuji Satoh. 2005. An anonymous communication technique using dummies for location-based services. InICPS’05. Proceedings. International Conference on Pervasive Services, 2005.IEEE, 88–97
2005
-
[37]
Eduard Kovacs. 2024. ChatGPT Plugin Vulnerabilities Exposed Data, Accounts. SecurityWeek. https://www.securityweek.com/chatgpt-plugin-vulnerabilities- exposed-data-accounts/
2024
-
[38]
Chin-Yew Lin. 2004. ROUGE: A Package for Automatic Evaluation of Summaries. InText Summarization Branches Out: Proceedings of the ACL-04 Workshop. 74–81
2004
-
[39]
Shuang Liu, Ruijia Zhang, Ruoyun Ma, Yujia Deng, Lanyi Zhu, Jiayu Li, Ze- long Li, Zhibin Shen, and Mengnan Du. 2026. LLM Agents in Law: Taxonomy, Applications, and Challenges.arXiv preprint arXiv:2601.06216(2026)
arXiv 2026
-
[40]
Célestin Matte, Nataliia Bielova, and Cristiana Santos. 2020. Do cookie banners respect my choice?: Measuring legal compliance of banners from iab europe’s transparency and consent framework. In2020 IEEE Symposium on Security and Privacy (SP). IEEE, 791–809
2020
-
[41]
Dasha Metropolitansky and Jonathan Larson. 2025. Towards effective extraction and evaluation of factual claims. InProceedings of the 63rd Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers). 6996–7045
2025
-
[42]
Microsoft. 2026. Bing. https://www.bing.com/ Accessed 2026-06-05
2026
-
[43]
Niloofar Mireshghallah, Maria Antoniak, Yash More, Yejin Choi, and Golnoosh Farnadi. 2024. Trust no bot: Discovering personal disclosures in human-llm conversations in the wild.arXiv preprint arXiv:2407.11438(2024)
Pith/arXiv arXiv 2024
-
[44]
Ivoline C Ngong, Swanand Ravindra Kadhe, Hao Wang, Keerthiram Murugesan, Justin D Weisz, Amit Dhurandhar, and Karthikeyan Natesan Ramamurthy. 2025. Protecting users from themselves: Safeguarding contextual privacy in interac- tions with conversational agents. InFindings of the Association for Computational Linguistics: ACL 2025. 26196–26220
2025
-
[45]
Ollama. 2026. Gemma 3 (Ollama library). https://ollama.com/library/gemma3 Accessed 2026-05-20
2026
-
[46]
Ollama. 2026. Ollama. https://ollama.com/ Accessed 2026-05-20
2026
-
[47]
OpenAI. 2025. GPTs Data Privacy FAQ. https://help.openai.com/en/articles/ 8554402-gpts-data-privacy-faq. Accessed May 2026
2025
-
[48]
OpenAI. 2025. How We’re Responding to The New York Times’ Data Demands in Order to Protect User Privacy. https://openai.com/index/response-to-nyt- data-demands/
2025
-
[49]
OpenAI. 2025. Memory FAQ. https://help.openai.com/en/articles/8590148- memory-faq. Accessed May 2026
arXiv 2025
-
[50]
OpenAI. 2026. Atlas. https://chatgpt.com/atlas/ Accessed 2026-06-05
2026
-
[51]
OpenAI. 2026. ChatGPT. https://chatgpt.com/ Accessed 2026-05-23
2026
-
[52]
OpenAI. 2026. GPT-4. https://openai.com/index/gpt-4/ Accessed 2026-05-20
2026
-
[53]
OpenAI. 2026. GPT-4.1 model documentation (OpenAI Developers). https: //developers.openai.com/api/docs/models/gpt-4.1 Accessed 2026-05-20
2026
-
[54]
OpenAI. 2026. Memory and New Controls for ChatGPT. https://openai.com/ index/memory-and-new-controls-for-chatgpt/ Accessed 2026-06-05
2026
-
[55]
OpenClaw. 2026. OpenClaw. https://openclaw.ai/ Accessed 2026-06-05
2026
-
[56]
Charles Packer, Sarah Wooders, Kevin Lin, Vivian Fang, Shishir G Patil, Ion Stoica, and Joseph E Gonzalez. 2023. MemGPT: Towards LLMs as Operating Systems.arXiv preprint arXiv:2310.08560(2023)
Pith/arXiv arXiv 2023
-
[57]
David Pape, Sina Mavali, Thorsten Eisenhofer, and Lea Schönherr. 2025. Prompt obfuscation for large language models. In34th USENIX Security Symposium (USENIX Security 25). 2323–2342. 13
2025
-
[58]
Joon Sung Park, Joseph O’Brien, Carrie Jun Cai, Meredith Ringel Morris, Percy Liang, and Michael S Bernstein. 2023. Generative agents: Interactive simulacra of human behavior. InProceedings of the 36th annual acm symposium on user interface software and technology. 1–22
2023
-
[59]
Synthia Qia Wang, Sai Teja Peddinti, Nina Taft, and Nick Feamster. 2026. Beyond PII: How Users Attempt to Estimate and Mitigate Implicit LLM Inference. In Proceedings of the 2026 CHI Conference on Human Factors in Computing Systems. 1–17
2026
-
[60]
Nils Reimers and Iryna Gurevych. 2019. Sentence-BERT: Sentence Embeddings using Siamese BERT-Networks. InProceedings of the 2019 Conference on Empirical Methods in Natural Language Processing and the 9th International Joint Conference on Empirical Methods in Natural Language Processing (EMNLP-IJCNLP). 3982– 3992
2019
-
[61]
Alessandro Scirè, Karim Ghonim, and Roberto Navigli. 2024. FENICE: Factuality evaluation of summarization based on natural language inference and claim extraction. InFindings of the Association for Computational Linguistics: ACL 2024. 14148–14161
2024
-
[62]
Reza Shokri, Marco Stronati, Congzheng Song, and Vitaly Shmatikov. 2017. Membership inference attacks against machine learning models. In2017 IEEE symposium on security and privacy (SP). IEEE, 3–18
2017
-
[63]
Reza Shokri, George Theodorakopoulos, Carmela Troncoso, Jean-Pierre Hubaux, and Jean-Yves Le Boudec. 2012. Protecting location privacy: optimal strategy against localization attacks. InProceedings of the 2012 ACM conference on Com- puter and communications security. 617–627
2012
-
[64]
Robin Staab, Mark Vero, Mislav Balunovic, and Martin Vechev. 2024. Beyond memorization: Violating privacy via inference with large language models. In International Conference on Learning Representations, Vol. 2024. 33832–33878
2024
-
[65]
Robin Staab, Mark Vero, Mislav Balunović, and Martin Vechev. 2024. Large language models are advanced anonymizers.arXiv preprint arXiv:2402.13846 (2024)
Pith/arXiv arXiv 2024
-
[66]
The New York Times. 2026. Chatbots, Influencers, Brands, Market- ing. https://www.nytimes.com/2026/02/17/technology/chatbots-influencers- brands-marketing.html
2026
-
[67]
Meng Tong, Kejiang Chen, Jie Zhang, Yuang Qi, Weiming Zhang, Nenghai Yu, Tianwei Zhang, and Zhikun Zhang. 2025. Inferdpt: Privacy-preserving inference for black-box large language models.IEEE Transactions on Dependable and Secure Computing(2025)
2025
-
[68]
Sarah Tran, Hongfan Lu, Isaac Slaughter, Bernease Herman, Aayushi Dangol, Yue Fu, Lufei Chen, Biniyam Gebreyohannes, Bill Howe, Alexis Hiniker, et al
-
[69]
InProceedings of the AAAI/ACM Conference on AI, Ethics, and Society, Vol
Understanding Privacy Norms Around LLM-Based Chatbots: A Contextual Integrity Perspective. InProceedings of the AAAI/ACM Conference on AI, Ethics, and Society, Vol. 8. 2522–2534
-
[70]
Imdad Ullah, Roksana Boreli, and Salil S Kanhere. 2020. Privacy in targeted advertising: A survey.arXiv preprint arXiv:2009.06861(2020)
Pith/arXiv arXiv 2020
-
[71]
Yash Vekaria, Aurelio Loris Canino, Jonathan Levitsky, Alex Ciechonski, Patricia Callejo, Anna Maria Mandalari, and Zubair Shafiq. 2025. Big Help or Big Brother? Auditing Tracking, Profiling, and Personalization in Generative AI Assistants. arXiv preprint arXiv:2503.16586(2025)
Pith/arXiv arXiv 2025
-
[72]
Adina Williams, Nikita Nangia, and Samuel Bowman. 2018. A broad-coverage challenge corpus for sentence understanding through inference. InProceedings of the 2018 Conference of the North American Chapter of the Association for Com- putational Linguistics: Human Language Technologies, Volume 1 (Long Papers). 1112–1122
2018
-
[73]
Haoqi Wu, Wei Dai, Li Wang, and Qiang Yan. 2025. Cape: Context-aware prompt perturbation mechanism with differential privacy.arXiv preprint arXiv:2505.05922 (2025)
Pith/arXiv arXiv 2025
-
[74]
Yuhao Wu, Evin Jaff, Ke Yang, Ning Zhang, and Umar Iqbal. 2025. An in-depth investigation of data collection in llm app ecosystems. InProceedings of the 2025 ACM Internet Measurement Conference. 150–170
2025
-
[75]
Wujiang Xu, Zujie Liang, Kai Mei, Hang Gao, Juntao Tan, and Yongfeng Zhang
-
[76]
A-mem: Agentic memory for llm agents.Advances in Neural Information Processing Systems38 (2026), 17577–17604
2026
-
[77]
Chengrun Yang, Xuezhi Wang, Yifeng Lu, Hanxiao Liu, Quoc V Le, Denny Zhou, and Xinyun Chen. 2024. Large language models as optimizers. InInternational Conference on Learning Representations, Vol. 2024. 12028–12068
2024
-
[78]
Tianyu Yang, Xiaodan Zhu, and Iryna Gurevych. 2025. Robust utility-preserving text anonymization based on large language models. InProceedings of the 63rd Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers). 28922–28941
2025
-
[79]
Hye Sun Yun and Timothy Bickmore. 2025. Online health information–seeking in the era of large language models: cross-sectional web-based survey study. Journal of medical Internet research27 (2025), e68560
2025
-
[80]
Jiang Zhang, Konstantinos Psounis, Muhammad Haroon, and Zubair Shafiq
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.