Table of Contents
Fetching ...

HearSay Benchmark: Do Audio LLMs Leak What They Hear?

Jin Wang, Liang Lin, Kaiwen Luo, Weiliu Wang, Yitian Chen, Moayad Aloqaily, Xuehai Tang, Zhenhong Zhou, Kun Wang, Li Sun, Qingsong Wen

TL;DR

We investigate whether Audio LLMs leak private attributes through voiceprints by introducing HearSay, a benchmark with $22{,}064$ real-world audio clips annotated for eight privacy attributes. The evaluation spans $13$ advanced ALLMs using metrics $IAR$ (inference accuracy rate), $ARR$ (answer refusal rate), and $BBR$ (blind bias rate), revealing significant privacy leakage (e.g., average Gender $IAR$ of $92.89\%$) and widespread safety gaps, while chain-of-thought reasoning can amplify risks for capable models. Results show that many models leverage genuine acoustic evidence to override priors, underscoring substantive privacy threats rather than mere data priors. The study calls for native acoustic safety alignment, such as encoder-level de-identification, and provides the HearSay dataset and code at the project GitHub for ongoing safety evaluation and defense development.

Abstract

While Audio Large Language Models (ALLMs) have achieved remarkable progress in understanding and generation, their potential privacy implications remain largely unexplored. This paper takes the first step to investigate whether ALLMs inadvertently leak user privacy solely through acoustic voiceprints and introduces $\textit{HearSay}$, a comprehensive benchmark constructed from over 22,000 real-world audio clips. To ensure data quality, the benchmark is meticulously curated through a rigorous pipeline involving automated profiling and human verification, guaranteeing that all privacy labels are grounded in factual records. Extensive experiments on $\textit{HearSay}$ yield three critical findings: $\textbf{Significant Privacy Leakage}$: ALLMs inherently extract private attributes from voiceprints, reaching 92.89% accuracy on gender and effectively profiling social attributes. $\textbf{Insufficient Safety Mechanisms}$: Alarmingly, existing safeguards are severely inadequate; most models fail to refuse privacy-intruding requests, exhibiting near-zero refusal rates for physiological traits. $\textbf{Reasoning Amplifies Risk}$: Chain-of-Thought (CoT) reasoning exacerbates privacy risks in capable models by uncovering deeper acoustic correlations. These findings expose critical vulnerabilities in ALLMs, underscoring the urgent need for targeted privacy alignment. The codes and dataset are available at https://github.com/JinWang79/HearSay_Benchmark

HearSay Benchmark: Do Audio LLMs Leak What They Hear?

TL;DR

We investigate whether Audio LLMs leak private attributes through voiceprints by introducing HearSay, a benchmark with real-world audio clips annotated for eight privacy attributes. The evaluation spans advanced ALLMs using metrics (inference accuracy rate), (answer refusal rate), and (blind bias rate), revealing significant privacy leakage (e.g., average Gender of ) and widespread safety gaps, while chain-of-thought reasoning can amplify risks for capable models. Results show that many models leverage genuine acoustic evidence to override priors, underscoring substantive privacy threats rather than mere data priors. The study calls for native acoustic safety alignment, such as encoder-level de-identification, and provides the HearSay dataset and code at the project GitHub for ongoing safety evaluation and defense development.

Abstract

While Audio Large Language Models (ALLMs) have achieved remarkable progress in understanding and generation, their potential privacy implications remain largely unexplored. This paper takes the first step to investigate whether ALLMs inadvertently leak user privacy solely through acoustic voiceprints and introduces , a comprehensive benchmark constructed from over 22,000 real-world audio clips. To ensure data quality, the benchmark is meticulously curated through a rigorous pipeline involving automated profiling and human verification, guaranteeing that all privacy labels are grounded in factual records. Extensive experiments on yield three critical findings: : ALLMs inherently extract private attributes from voiceprints, reaching 92.89% accuracy on gender and effectively profiling social attributes. : Alarmingly, existing safeguards are severely inadequate; most models fail to refuse privacy-intruding requests, exhibiting near-zero refusal rates for physiological traits. : Chain-of-Thought (CoT) reasoning exacerbates privacy risks in capable models by uncovering deeper acoustic correlations. These findings expose critical vulnerabilities in ALLMs, underscoring the urgent need for targeted privacy alignment. The codes and dataset are available at https://github.com/JinWang79/HearSay_Benchmark
Paper Structure (26 sections, 6 equations, 35 figures, 2 tables)

This paper contains 26 sections, 6 equations, 35 figures, 2 tables.

Figures (35)

  • Figure 1: A framework of our HearSay Benchmark for evaluating Audio-LLM privacy leakage across eight private personal attributes. Note: The portraits depicted are synthetically generated and do not correspond to real individuals.
  • Figure 2: The distribution of privacy attributes in our HearSay dataset.
  • Figure 3: Comparisons across three settings. (1) With-Audio setting: The highest IAR achieved among all evaluated models given raw audio input. (2) Random Guessing Baseline: Theoretical accuracy of random selection. (3) Transcribed-Text setting: The highest IAR achieved given only ASR transcripts.
  • Figure 4: Impact of CoT prompting on privacy inference accuracy across different models.
  • Figure 5: Model-level analysis of acoustic evidence versus statistical priors, where a larger vertical coordinate indicates a larger radius.
  • ...and 30 more figures