Leaky Thoughts: Large Reasoning Models Are Not Private Thinkers

TL;DR

Large reasoning models can unintentionally leak sensitive user data through their internal reasoning traces, especially with increased reasoning steps, highlighting a need for privacy safeguards beyond output monitoring.

Contribution

This paper reveals that reasoning traces in large models can leak private information and that increasing reasoning steps amplifies this risk, challenging assumptions about internal safety.

Findings

Reasoning traces often contain sensitive user data.

More reasoning steps lead to increased privacy leakage.

Enhanced reasoning improves utility but raises privacy risks.

Abstract

We study privacy leakage in the reasoning traces of large reasoning models used as personal agents. Unlike final outputs, reasoning traces are often assumed to be internal and safe. We challenge this assumption by showing that reasoning traces frequently contain sensitive user data, which can be extracted via prompt injections or accidentally leak into outputs. Through probing and agentic evaluations, we demonstrate that test-time compute approaches, particularly increased reasoning steps, amplify such leakage. While increasing the budget of those test-time compute approaches makes models more cautious in their final answers, it also leads them to reason more verbosely and leak more in their own thinking. This reveals a core tension: reasoning improves utility but enlarges the privacy attack surface. We argue that safety efforts must extend to the model's internal thinking, not just its outputs.