AI · Mar 12, 2025

AgentDAM: Privacy Leakage Evaluation for Autonomous Web Agents

arXiv:2503.09780v3 · 51 citations · h-index: 11
Originality: Incremental advance
AI Analysis

This work addresses privacy risks for users of AI web agents, but it is incremental because it builds on existing agent frameworks, adding a new benchmark and a defense.

The paper tackles the problem of privacy leakage in autonomous web agents by introducing AgentDAM, a benchmark that evaluates whether agents follow data minimization principles. It shows that agents built on GPT-4, Llama-3, and Claude inadvertently use unnecessary sensitive information, and proposes a prompting-based defense that reduces leakage.

Autonomous AI agents that can follow instructions and perform complex multi-step tasks have tremendous potential to boost human productivity. However, to perform many of these tasks, the agents need access to personal information from their users, raising the question of whether they are capable of using it appropriately. In this work, we introduce a new benchmark AgentDAM that measures if AI web-navigation agents follow the privacy principle of "data minimization". For the purposes of our benchmark, data minimization means that the agent uses a piece of potentially sensitive information only if it is "necessary" to complete a particular task. Our benchmark simulates realistic web interaction scenarios end-to-end and is adaptable to all existing web navigation agents. We use AgentDAM to evaluate how well AI agents built on top of GPT-4, Llama-3 and Claude can limit processing of potentially private information, and show that they are prone to inadvertent use of unnecessary sensitive information. We also propose a prompting-based defense that reduces information leakage, and demonstrate that our end-to-end benchmarking provides a more realistic measure than probing LLMs about privacy. Our results highlight that further research is needed to develop AI agents that can prioritize data minimization at inference time.

Code Implementations: 1 repo