CIPL: A Target-Independent Framework for Channel-Inversion Privacy Leakage in Agents
This work addresses privacy risks in AI agents for developers and users, though it is incremental by extending existing attack formulations to a more general framework.
The paper tackles the problem of privacy leakage in LLM agents beyond memory, showing that sensitive information can be exposed through internal channels, and introduces CIPL as a target-independent framework for studying such attacks, enabling cross-target comparison.
Large language model (LLM) agents may expose sensitive information through more than their final textual responses. Whenever private content is internally selected, assembled, and reused inside an agent pipeline, an attacker may attempt to turn that hidden dependence into an observable output signal. Existing evidence of this risk is strongest for memory leakage, but current attack formulations remain largely tied to specific systems and output surfaces. In this paper, we formulate privacy leakage in agentic systems as a \emph{channel inversion} problem and present CIPL (Channel Inversion for Privacy Leakage), a target-independent framework for studying such attacks. CIPL represents a target system through a common signature consisting of a sensitive source, selection, assembly, execution, observation, and extraction stages, and instantiates attacks through a reusable attack language built from a locator, an aligner, and a diversification policy. As a unified evaluation framework, CIPL supports cross-target comparison while preserving target-specific execution semantics. Our results provide initial evidence that privacy leakage is not confined to memory alone; instead, it depends on how sensitive content is routed into attacker-visible observation channels. These findings suggest that privacy evaluation for agentic systems should move beyond single-surface attack analysis toward a channel-oriented view of information exposure.