Dependency-Aware Privacy for Multi-turn Agents

TL;DR

RootGuard is a novel privacy mechanism for multi-turn LLM agents that ensures privacy of root data points across multiple interactions, outperforming traditional independent noising methods in medical data scenarios.

Contribution

The paper introduces RootGuard, a privacy-preserving approach that guarantees privacy for root data points in multi-turn interactions, reducing privacy degradation and improving utility.

Findings

RootGuard achieves 2.3–3.0× lower target error than independent noising at ε=0.1.

RootGuard's privacy guarantee depends only on initial root sanitization, regardless of number of turns.

More turns increase the total privacy budget, which RootGuard distributes across roots, unlike independent noising.

Abstract

LLM agents release private data across multi-service interactions. Existing prompt sanitizers based on metric differential privacy treat each release independently, so adversaries combining releases across turns can recover private attributes; privacy degrades with every release. This degradation is fundamental: when private attributes are the \emph{roots} of a computation graph, independently noising a derived value amplifies the root's distinguishability by up to the deriving function's Lipschitz constant $L$, which can far exceed the nominal privacy parameter for nonlinear functions in medical and financial workflows. RootGuard sanitizes root values once and computes subsequent releases deterministically from the noised roots. By the post-processing theorem, the privacy guarantee depends only on the initial root sanitization, regardless of the adversary's functions or number of turns, and derived values inherit privacy at zero marginal cost. RootGuard further exploits structural domain knowledge (e.g., BMI from height and weight, or a known target function) to allocate budget across roots, improving the privacy-utility tradeoff. A worst-case adversary forcing $t$ turns increases the total budget $B = t \cdot \varepsilon$. RootGuard distributes this larger budget across roots, while independent noising spends $\varepsilon$ per release and gives the adversary $t$ observations to combine via MAP reconstruction. This yields a \emph{double asymmetry}: more turns aid RootGuard while weakening independent noising. On eight NHANES medical diagnostic templates, RootGuard achieves $2.3$--$3.0\times$ lower target error than independent noising at $\varepsilon = 0.1$ (7.6\% vs.\ 17.1\% wMAPE at $B = (2k{+}1)\varepsilon$). Under MAP reconstruction, more queries strengthen attacks against independent noising while RootGuard remains invariant.