CRAI Aug 27, 2025

Network-Level Prompt and Trait Leakage in Local Research Agents

arXiv:2508.20282v2, 2 citations, h-index: 14
Originality: Incremental advance
AI Analysis

The work addresses privacy risks for organizations and individuals deploying local WRAs. It reveals a novel attack vector, though the advance is incremental: it extends existing inference methods to this specific domain.

The paper demonstrates that Web and Research Agents (WRAs) are vulnerable to network-level inference attacks, where passive adversaries can recover over 73% of functional and domain knowledge from user prompts and up to 19 of 32 latent traits with high accuracy, based on timing correlations from visiting 70-140 domains.

We show that Web and Research Agents (WRAs) -- language model-based systems that investigate complex topics on the Internet -- are vulnerable to inference attacks by passive network adversaries such as ISPs. These agents could be deployed locally by organizations and individuals for privacy, legal, or financial purposes. Unlike sporadic web browsing by humans, WRAs visit $70{-}140$ domains with distinguishable timing correlations, enabling unique fingerprinting attacks. Specifically, we demonstrate a novel prompt and user trait leakage attack against WRAs that only leverages their network-level metadata (i.e., visited IP addresses and their timings). We start by building a new dataset of WRA traces based on user search queries and queries generated by synthetic personas. We define a behavioral metric (called OBELS) to comprehensively assess similarity between original and inferred prompts, showing that our attack recovers over 73% of the functional and domain knowledge of user prompts. Extending to a multi-session setting, we recover up to 19 of 32 latent traits with high accuracy. Our attack remains effective under partial observability and noisy conditions. Finally, we discuss mitigation strategies that constrain domain diversity or obfuscate traces, showing negligible utility impact while reducing attack effectiveness by an average of 29%.
