PIIGuard: Mitigating PII Harvesting under Adversarial Sanitization

TL;DR

PIIGuard is a webpage-level defense that embeds hidden HTML fragments to prevent LLM assistants from leaking contact PII, achieving high success rates while maintaining page utility.

Contribution

The paper introduces PIIGuard, a novel webpage-level method using hidden HTML fragments and rule-based scoring to mitigate PII harvesting by browsing-enabled LLMs.

Findings

PIIGuard achieves at least 97% defense success rate across multiple models.

The method preserves QA utility on benign pages.

Effectiveness varies with browsing interfaces and sanitization prompts.

Abstract

Browsing-enabled LLM assistants can fetch webpages and answer contact-seeking queries, creating a practical channel for scraping contact-style personally identifiable information (PII) from public pages. Many prior defenses are deployed at the model, service, or agent layer rather than at the webpage itself, leaving ordinary page owners with limited deployable options. We present PIIGuard, a webpage-level defense that repurposes indirect prompt injection as a protective mechanism: the page owner embeds optimized hidden HTML fragments that steer the model away from verbatim or reconstructible disclosure of contact PII. PIIGuard searches over fragment text and insertion position using rule-based leakage scoring, evolutionary mutation, and final judge-based recoverability assessment. In direct-HTML evaluation on three target models (GPT-5.4-nano, Claude-haiku-4.5, and DeepSeek-chat(latest v3.2)), PIIGuard achieves at least 97.0% defense success rate under both rule-based and judge-based leakage evaluation, often reaching 100.0%, while preserving benign same-page QA utility. We further evaluate two harder settings: public-URL browsing and attacker-side LLM sanitization of fetched webpage. These results show that page-side defensive fragments can remain effective in deployment for some model-position pairs, but robustness varies substantially across browsing interfaces and sanitizer prompts. Overall, PIIGuard demonstrates that page owners can use page-side fragments as a practical mitigation for web-grounded PII leakage.