Prompt Injection Vulnerability of Consensus Generating Applications in Digital Democracy

TL;DR

This paper investigates the vulnerability of consensus-generating Large Language Models in digital democracy to prompt-injection attacks and proposes a robustness pipeline to mitigate these risks.

Contribution

It identifies specific vulnerabilities of off-the-shelf LLMs in consensus tasks and introduces a defense framework combining detection, structured opinions, and reinforcement learning.

Findings

Default LLMs are highly vulnerable to prompt-injection attacks.

The proposed robustness pipeline significantly reduces consensus shifts caused by attacks.

Vulnerabilities are especially pronounced when opinions are closely balanced.

Abstract

Large Language Models (LLMs) are gaining traction as a method to generate consensus statements and aggregate preferences in digital democracy experiments. Yet, LLMs could introduce critical vulnerabilities in these systems. Here, we examine the vulnerability and robustness of off-the-shelf consensus-generating LLMs to prompt-injection attacks, in which texts are injected to amplify particular viewpoints, erase certain opinions, or divert consensus toward unrelated or irrelevant topics. We construct attack-free and adversarial variants of prompts containing public policy questions and opinion texts, classify opinion and consensus valences with a fine-tuned BERT model, and estimate LLM-human majority agreement rates. Across topics, default LLaMA 3.1 8B Instruct, GPT-4.1 Nano, and Apertus 8B exhibit widespread vulnerability, specially when disagreement and disagreement are finely balanced, for attacks that shift consensus toward positions aligned with GB-unionist conservative manifestos relative to pro-independence left manifestos, and for rational, instruction-like rhetorical strategies. A robustness pipeline combining GPT-OSS-SafeGuard injection detection, structured opinion representations, and GSPO-based reinforcement learning substantially reduces directional failures whenever the underlying consensus has a clear positive or negative valence. These findings advance our understanding of both the vulnerabilities and the potential defenses of consensus-generating LLMs in digital democracy applications.