AgentDAM: Privacy Leakage Evaluation for Autonomous Web Agents

TL;DR

AgentDAM presents an end-to-end privacy benchmark for autonomous web agents to assess data minimization in action. It employs realistic, multimodal WebArena/VisualWebArena environments to measure task utility and privacy leakage, revealing substantial leakage for current GPT-based agents while showing that privacy-aware CoT prompting can reduce leaks with modest task-cost. The study demonstrates that probing privacy in isolation overestimates safety, emphasizes the need for end-to-end evaluation, and highlights directions for robust mitigations and broader benchmarking. Overall, AgentDAM provides a realistic framework to quantify and mitigate inference-time privacy leakage in autonomous web agents, guiding future improvements in data-minimization strategies and agent design.

Abstract

Autonomous AI agents that can follow instructions and perform complex multi-step tasks have tremendous potential to boost human productivity. However, to perform many of these tasks, the agents need access to personal information from their users, raising the question of whether they are capable of using it appropriately. In this work, we introduce a new benchmark AgentDAM that measures if AI web-navigation agents follow the privacy principle of ``data minimization''. For the purposes of our benchmark, data minimization means that the agent uses a piece of potentially sensitive information only if it is ``necessary'' to complete a particular task. Our benchmark simulates realistic web interaction scenarios end-to-end and is adaptable to all existing web navigation agents. We use AgentDAM to evaluate how well AI agents built on top of GPT-4, Llama-3 and Claude can limit processing of potentially private information, and show that they are prone to inadvertent use of unnecessary sensitive information. We also propose a prompting-based defense that reduces information leakage, and demonstrate that our end-to-end benchmarking provides a more realistic measure than probing LLMs about privacy. Our results highlight that further research is needed to develop AI agents that can prioritize data minimization at inference time.

Figures (6)

• Figure 1: Our benchmark's workflow involves an agentic model (e.g., Llama) processing observation $o_t$: user_data and user_instruction, along with the representation of the current webpage (e.g. screenshot). The model generates the next action $a_t$, which the environment executes, altering its state. The action is also judged by our evaluator for leakages in user_data. We self-host fully functional replicas of websites.
• Figure 2: Example of the task (top row) with the corresponding trace generated by the web agent. We show the agentic reasoning text (middle row) and the state of the environment (screenshot) at several selected time steps.
• Figure 3: Dataset generation pipeline: Human annotators select a task and create user_instruction based on it. Next, they create the Data Seed , consisting of plot and sensitive_data (as referenced in \ref{['t:sensitive-data']}), which is used to generate the actual user_data via prompting LLM. Data Seed includes irrelevant piece of information, sensitive_data, that should NOT be revealed by the agent (highlighted in red).
• Figure 4: Examples of website representations: accessibility tree (left, taken from zhou2023webarena), SOM (right).
• Figure 5: Dependence of privacy leakage rate on varying number of sampling repetitions used to generate user_data. Namely, 1 sampling repetition means each data seed was used only once to generate user_data and so on.