GAMA: A General Anonymizing Multi-Agent System for Privacy Preservation Enhanced by Domain Rules and Disproof Mechanism

TL;DR

The paper tackles privacy risks in LLM-based multi-agent systems by introducing GAMA, a General Anonymizing Multi-Agent framework that partitions agent workspaces into private and public spaces and anonymizes data before exposure to web-based LLMs. It combines an anonymizing mechanism (AMPP) with two enhancement modules—Domain-Rule-based Knowledge Enhancement (DRKE) and Disproof-based Logic Enhancement (DLE)—to preserve semantic and logical integrity under privacy constraints. Empirical results on general QA datasets and privacy-specific QA benchmarks show that GAMA achieves higher task accuracy and lower privacy leakage than baselines, while also exhibiting strong privacy-identification and resilience to re-identification attacks. The approach offers a practical path to safer deployment of LLM-powered MAS in privacy-sensitive domains, with room for autonomous privacy-rule learning and multimodal extensions in future work.

Abstract

With the rapid advancement of Large Language Models (LLMs), LLM-based agents exhibit exceptional abilities in understanding and generating natural language, enabling human-like collaboration and information transmission in LLM-based Multi-Agent Systems (MAS). High-performance LLMs are often hosted on web servers in public cloud environments. When tasks involve private data, MAS cannot securely utilize these LLMs without implementing the agentic privacy-preserving mechanism. To address this challenge, we propose a General Anonymizing Multi-Agent System (GAMA), which divides the agents' workspace into private and public spaces, ensuring privacy through a structured anonymization mechanism. In the private space, agents handle sensitive data, while in the public web space, only anonymized data is utilized. GAMA incorporates two key modules to mitigate semantic loss caused by anonymization: Domain-Rule-based Knowledge Enhancement (DRKE) and Disproof-based Logic Enhancement (DLE). We evaluate GAMA on two general question-answering datasets, a public privacy leakage benchmark, and two customized question-answering datasets related to privacy. The results demonstrate that GAMA outperforms existing baselines on the evaluated datasets in terms of both task accuracy and privacy preservation metrics.

Figures (6)

• Figure 1: Structure of GAMA, it has three key parts, including Anonymizing Mechanism for Privacy Preservation (AMPP), Domain-Rule-based Knowledge Enhancement (DRKE) and Disproof-based Logic Enhancement (DLE). The Private Space holds privacy-sensitive data and is restricted to entities with high-level permissions, whereas the Public Space remains accessible to all agents under the web environment. The Assistant Agent iteratively generates logical contradictions, while the Expert Agent continuously revises the answer until no further contradictions can be identified.
• Figure 2: Domain analysis and disproof-based inference, (a) is to analyze the domains of the task for DRKE in Section \ref{['sec:drke']}, (b) is the disproof process for DLE in Section \ref{['sec:dle']}.
• Figure 3: Privacy named entity number distribution of PQA-K and PQA-L. (a) is the privacy named entity distribution of each sample. (b) is the statistics of privacy-named entities from different categories.
• Figure 4: Domain rules and disproof iteration.
• Figure 5: The performance comparison of privacy identification.