PrivScope: Task-scoped Disclosure Control for Hybrid Agentic Systems

TL;DR

PrivScope is a device-based system that enforces task-specific data disclosure control for hybrid agent systems, reducing unnecessary sensitive information exposure to cloud language models while maintaining task effectiveness.

Contribution

It introduces PrivScope, a novel on-device payload governor that enforces task-scoped disclosure without requiring cloud modifications, improving privacy and utility balance.

Findings

Eliminates profile leakage in medical workflows (0.0% vs. 17.7%)

Halves attacker re-identification rates (23.1% vs. 64.3%)

Maintains high task success and recall across multiple CLMs

Abstract

Hybrid local--cloud agents enrich user requests with context from persistent working state before delegating capability-intensive subtasks to a cloud language model (CLM). While this enrichment can improve task success, it also exposes unnecessary information in the cloud-bound payload, including task-irrelevant context, carryover from prior workflows, and overly specific sensitive details, resulting in \emph{over-disclosure}. Existing solutions either isolate workflows to limit cross-workflow leakage or apply general-purpose sanitization that does not reason over LC-assembled payload scope. We present \textsc{PrivScope}, a trusted on-device payload governor that enforces \emph{task-scoped disclosure} at the local--CLM boundary, without requiring cloud-side changes. Its key idea: sensitive information should reach the cloud only when required for the delegated subtask, and then only in the least revealing form preserving utility. \textsc{PrivScope} extracts disclosure units from the assembled payload and keeps direct identifiers and account-linked values on device. The remaining units pass through cloud-necessity control, which determines what is actually needed; units that must reach the cloud are abstracted to the least-specific representation sufficient for the task. On 100 medical-booking workflows across three commercial CLMs, \textsc{PrivScope} eliminates profile leakage (0.0\% vs.\ 17.7\%), more than halves attacker re-identification (23.1\% vs.\ 64.3\%), and achieves the highest candidate recall on every CLM tested while preserving task success close to the unprotected baseline on GPT-4o-mini and Gemini 2.5 Flash. Gains hold across five local backbones and add only seconds of on-device latency on commodity hardware.