MultiPriv: Benchmarking Individual-Level Privacy Reasoning in Vision-Language Models

Xiongtao Sun, Hui Li, Jiaming Zhang, Yujie Yang, Kaili Liu, Ruxin Feng, Wen Jun Tan, Wei Yang Bryan Lim

TL;DR

MultiPriv introduces the Privacy Perception and Reasoning (PPR) framework and the first bilingual, synthetic dataset to benchmark individual-level privacy reasoning in Vision-Language Models. It demonstrates nine multimodal tasks spanning perception and reasoning, linked to 36 privacy attributes across 40 synthetic identities, enabling robust cross-language evaluation. Across 50+ models, the study reveals significant reasoning-based privacy risks that are not predicted by perception metrics, with open-source models and multilingual setups presenting pronounced leakage. The work highlights inconsistencies in safety alignment, emphasizes cross-language vulnerabilities, and provides a principled pathway toward privacy-preserving VLMs and safer multimodal AI systems.

Abstract

Modern Vision-Language Models (VLMs) demonstrate sophisticated reasoning, escalating privacy risks beyond simple attribute perception to individual-level linkage. Current privacy benchmarks are structurally insufficient for this new threat, as they primarily evaluate privacy perception while failing to address the more critical risk of privacy reasoning: a VLM's ability to infer and link distributed information to construct individual profiles. To address this critical gap, we propose MultiPriv, the first benchmark designed to systematically evaluate individual-level privacy reasoning in VLMs. We introduce the Privacy Perception and Reasoning (PPR) framework and construct a novel, bilingual multimodal dataset to support it. The dataset uniquely features a core component of synthetic individual profiles where identifiers (e.g., faces, names) are meticulously linked to sensitive attributes. This design enables nine challenging tasks evaluating the full PPR spectrum, from attribute detection to cross-image re-identification and chained inference. We conduct a large-scale evaluation of over 50 foundational and commercial VLMs. Our analysis reveals: (1) Many VLMs possess significant, unmeasured reasoning-based privacy risks. (2) Perception-level metrics are poor predictors of these reasoning risks, revealing a critical evaluation gap. (3) Existing safety alignments are inconsistent and ineffective against such reasoning-based attacks. MultiPriv exposes systemic vulnerabilities and provides the necessary framework for developing robust, privacy-preserving VLMs.

Paper Structure

This paper contains 63 sections, 6 equations, 14 figures, 13 tables.

Figures (14)

  • Figure 1: Individual-level privacy leakage. Modern VLMs elevate privacy risks from attribute-level to individual-level by leveraging their cross-modal reasoning capabilities to construct comprehensive personal privacy profiles. These models can associate direct identifiers (e.g., names, IDs) with various privacy attributes across multiple images.
  • Figure 2: MultiPriv task overview. The MultiPriv benchmark decomposes privacy perception and reasoning into nine subtasks, with representative VQA examples for each category shown in the figure. The dataset includes 36 privacy attributes across 40 individual profiles, 719 images, and 7,414 manually designed VQA pairs. Additional examples are provided in the appendix.
  • Figure 3: Privacy Taxonomy and Definition. MultiPriv defines a comprehensive privacy taxonomy, covering 36 fine-grained privacy attributes grouped into 7 major categories: Biometric, Identity Document, Medical Health, Financial Account, Location Trajectory, Property Identity, and Social Attributes.
  • Figure 4: MultiPriv VLMs refusal distribution. Panels (a) and (b) show the top 3 and bottom 3 models in terms of refusal rates on privacy perception and reasoning tasks, respectively. Panels (c) and (d) depict refusal distributions across different MultiPriv tasks and privacy categories.
  • Figure 5: MultiPriv privacy alignment boundaries across languages. Panel (a) shows the privacy alignment boundaries of different implicit attributes in Chinese and English, while panel (b) shows the privacy alignment boundaries of different models in both languages.
  • ...and 9 more figures