Beyond Jailbreaking: Auditing Contextual Privacy in LLM Agents

TL;DR

This paper introduces CMPL, a comprehensive auditing framework that stress-tests LLM agents for latent privacy vulnerabilities through multi-turn interactions, revealing risks beyond single-turn defenses.

Contribution

It presents the novel CMPL framework for systematic privacy risk assessment in LLM agents, including an open benchmark and quantifiable metrics for multi-turn vulnerability detection.

Findings

CMPL uncovers privacy risks undetected by single-turn defenses.

The framework reveals temporal dynamics and adaptive strategies of adversaries.

Evaluation across diverse domains demonstrates its broad applicability.

Abstract

LLM agents have begun to appear as personal assistants, customer service bots, and clinical aides. While these applications deliver substantial operational benefits, they also require continuous access to sensitive data, which increases the likelihood of unauthorized disclosures. Moreover, these disclosures go beyond mere explicit disclosure, leaving open avenues for gradual manipulation or sidechannel information leakage. This study proposes an auditing framework for conversational privacy that quantifies an agent's susceptibility to these risks. The proposed Conversational Manipulation for Privacy Leakage (CMPL) framework is designed to stress-test agents that enforce strict privacy directives against an iterative probing strategy. Rather than focusing solely on a single disclosure event or purely explicit leakage, CMPL simulates realistic multi-turn interactions to systematically uncover latent vulnerabilities. Our evaluation on diverse domains, data modalities, and safety configurations demonstrates the auditing framework's ability to reveal privacy risks that are not deterred by existing single-turn defenses, along with an in-depth longitudinal study of the temporal dynamics of leakage, strategies adopted by adaptive adversaries, and the evolution of adversarial beliefs about sensitive targets. In addition to introducing CMPL as a diagnostic tool, the paper delivers (1) an auditing procedure grounded in quantifiable risk metrics and (2) an open benchmark for evaluation of conversational privacy across agent implementations.