Table of Contents
Fetching ...

Improving User Privacy in Personalized Generation: Client-Side Retrieval-Augmented Modification of Server-Side Generated Speculations

Alireza Salemi, Hamed Zamani

TL;DR

This paper tackles privacy concerns in personalized generation by removing the need for private user profiles to leave the client. It introduces P^3, an interactive framework in which a server-side LLM drafts tokens that are selectively verified or edited by a small client-side model with access to a retrieved personal context, applying PII filtering and refusal when necessary. Empirical evaluation on LaMP-QA shows P^3 yields $7.4 ext{\%}$–$9 ext{\%}$ improvements over strong baselines and retains $90.3 ext{\%}$–$95.7 ext{\%}$ of the utility of the insecure upper bound, while incurring only $1.5 ext{\%}$–$3.5 ext{\%}$ additional privacy leakage beyond a query-only baseline. The client-side contribution is small ($9.2 ext{\%}$ of final tokens), with most computation on the server, demonstrating a practical trade-off between utility, privacy, and efficiency; the authors also release open-source code for broader impact.

Abstract

Personalization is crucial for aligning Large Language Model (LLM) outputs with individual user preferences and background knowledge. State-of-the-art solutions are based on retrieval augmentation, where relevant context from a user profile is retrieved for LLM consumption. These methods deal with a trade-off between exposing retrieved private data to cloud providers and relying on less capable local models. We introduce $P^3$, an interactive framework for high-quality personalization without revealing private profiles to server-side LLMs. In $P^3$, a large server-side model generates a sequence of $k$ draft tokens based solely on the user query, while a small client-side model, with retrieval access to the user's private profile, evaluates and modifies these drafts to better reflect user preferences. This process repeats until an end token is generated. Experiments on LaMP-QA, a recent benchmark consisting of three personalized question answering datasets, show that $P^3$ consistently outperforms both non-personalized server-side and personalized client-side baselines, achieving statistically significant improvements of $7.4%$ to $9%$ on average. Importantly, $P^3$ recovers $90.3%$ to $95.7%$ of the utility of a ``leaky'' upper-bound scenario in which the full profile is exposed to the large server-side model. Privacy analyses, including linkability and attribute inference attacks, indicate that $P^3$ preserves the privacy of a non-personalized server-side model, introducing only marginal additional leakage ($1.5%$--$3.5%$) compared to submitting a query without any personal context. Additionally, the framework is efficient for edge deployment, with the client-side model generating only $9.2%$ of the total tokens. These results demonstrate that $P^3$ provides a practical, effective solution for personalized generation with improved privacy.

Improving User Privacy in Personalized Generation: Client-Side Retrieval-Augmented Modification of Server-Side Generated Speculations

TL;DR

This paper tackles privacy concerns in personalized generation by removing the need for private user profiles to leave the client. It introduces P^3, an interactive framework in which a server-side LLM drafts tokens that are selectively verified or edited by a small client-side model with access to a retrieved personal context, applying PII filtering and refusal when necessary. Empirical evaluation on LaMP-QA shows P^3 yields improvements over strong baselines and retains of the utility of the insecure upper bound, while incurring only additional privacy leakage beyond a query-only baseline. The client-side contribution is small ( of final tokens), with most computation on the server, demonstrating a practical trade-off between utility, privacy, and efficiency; the authors also release open-source code for broader impact.

Abstract

Personalization is crucial for aligning Large Language Model (LLM) outputs with individual user preferences and background knowledge. State-of-the-art solutions are based on retrieval augmentation, where relevant context from a user profile is retrieved for LLM consumption. These methods deal with a trade-off between exposing retrieved private data to cloud providers and relying on less capable local models. We introduce , an interactive framework for high-quality personalization without revealing private profiles to server-side LLMs. In , a large server-side model generates a sequence of draft tokens based solely on the user query, while a small client-side model, with retrieval access to the user's private profile, evaluates and modifies these drafts to better reflect user preferences. This process repeats until an end token is generated. Experiments on LaMP-QA, a recent benchmark consisting of three personalized question answering datasets, show that consistently outperforms both non-personalized server-side and personalized client-side baselines, achieving statistically significant improvements of to on average. Importantly, recovers to of the utility of a ``leaky'' upper-bound scenario in which the full profile is exposed to the large server-side model. Privacy analyses, including linkability and attribute inference attacks, indicate that preserves the privacy of a non-personalized server-side model, introducing only marginal additional leakage (--) compared to submitting a query without any personal context. Additionally, the framework is efficient for edge deployment, with the client-side model generating only of the total tokens. These results demonstrate that provides a practical, effective solution for personalized generation with improved privacy.
Paper Structure (10 sections, 9 figures, 1 table, 1 algorithm)

This paper contains 10 sections, 9 figures, 1 table, 1 algorithm.

Figures (9)

  • Figure 1: An overview of the $P^3$ framework.
  • Figure 2: Prompts used with the server-side and user-side LLMs in the $P^3$ framework and the baselines.
  • Figure 3: Prompt used for the linkability attack with GPT-4.2.
  • Figure 4: Prompts used for the attribute extraction (top) and attribute inference attack (bottom) with GPT-4.2.
  • Figure 5: Effectiveness of privacy attacks on different methods (lower is better). (A) Linkability attack, in which the cloud LLM provider uses information collected during response generation to identify the true user profile among five candidates. (B) Attribute inference attack, in which the cloud LLM provider uses information collected during response generation to infer user attributes from five possible options per attribute. Experiments are conducted using the Qwen-2.5 family as the backbone models (3B as the client-side and 14B as the server-side LLM) for the evaluated methods and GPT-4.2 as the attacker model.
  • ...and 4 more figures