Are LLMs Good Safety Agents or a Propaganda Engine?
Neemesh Yadav, Francesco Ortu, Jiarui Liu, Joeun Yook, Bernhard Schölkopf, Rada Mihalcea, Alberto Cazzaniga, Zhijing Jin
TL;DR
This work tackles the challenge of distinguishing safety-driven refusals from political censorship in large language models by introducing the Politically Sensitive Prompts (PSP) dataset. It combines data-driven and representation-level de-politicization methods, and examines vulnerability to prompt injection attacks to understand how refusals manifest in political contexts. Key findings show evidence of censorship-like refusals in several models, varying susceptibility across architectures, and that de-politicization shifts refusals, while cognitive hacking can amplify partial refusals, revealing a nuanced gray zone. The study highlights the need for systematic auditing of political bias in LLM safety mechanisms and suggests directions for improving transparency and robustness in the governance of refusals across diverse geopolitical contexts.
Abstract
Large Language Models (LLMs) are trained to refuse to respond to harmful content. However, systematic analyses of whether this behavior truly reflects their safety policies or indicates political censorship, which is practiced globally by countries, are lacking. Differentiating between safety-influenced refusals and politically motivated censorship is hard and unclear. For this purpose, we introduce PSP, a dataset built specifically to probe the refusal behaviors of LLMs in an explicitly political context. PSP is built by formatting existing censored content from two data sources openly available on the internet: sensitive prompts in China generalized to multiple countries, and tweets that have been censored in various countries. We study: 1) the impact of political sensitivity in seven LLMs through data-driven (making PSP implicit) and representation-level (erasing the concept of politics) approaches; and 2) the vulnerability of models on PSP to prompt injection attacks (PIAs). Associating censorship with refusals on content with masked implicit intent, we find that most LLMs perform some form of censorship. We conclude by summarizing the major attributes that can cause a shift in refusal distributions across models and contexts of different countries.
