Table of Contents
Fetching ...

GUIGuard: Toward a General Framework for Privacy-Preserving GUI Agents

Yanxi Wang, Zhiling Zhang, Wenbo Zhou, Weiming Zhang, Jie Zhang, Qiannan Zhu, Yu Shi, Shuxin Zheng, Jiyan He

TL;DR

This work addresses the privacy risks inherent in end-to-end GUI agents by introducing GUIGuard, a three-stage framework that performs on-device privacy recognition, privacy protection, and task execution under a Trustworthy Local–Remote Hybrid Service. It introduces GUIGuard-Bench, a cross-platform dataset with 630 trajectories and 13,830 screenshots annotated for region-level privacy grounding, risk levels, categories, and task necessity, enabling end-to-end evaluation of privacy perception, protection fidelity, and downstream planning. The study reveals that privacy recognition remains a major bottleneck for current models, with end-to-end accuracy well below practical levels, while protection strategies can preserve task solvability to varying degrees depending on strategy and platform. Case studies and graded protection experiments demonstrate the trade-offs between privacy leakage and task performance, underscoring the need for improved detectors, trajectory-aware protection, and task-necessity driven policies to enable practical privacy-preserving GUI agents with robust real-world impact.

Abstract

GUI agents enable end-to-end automation through direct perception of and interaction with on-screen interfaces. However, these agents frequently access interfaces containing sensitive personal information, and screenshots are often transmitted to remote models, creating substantial privacy risks. These risks are particularly severe in GUI workflows: GUIs expose richer, more accessible private information, and privacy risks depend on interaction trajectories across sequential scenes. We propose GUIGuard, a three-stage framework for privacy-preserving GUI agents: (1) privacy recognition, (2) privacy protection, and (3) task execution under protection. We further construct GUIGuard-Bench, a cross-platform benchmark with 630 trajectories and 13,830 screenshots, annotated with region-level privacy grounding and fine-grained labels of risk level, privacy category, and task necessity. Evaluations reveal that existing agents exhibit limited privacy recognition, with state-of-the-art models achieving only 13.3% accuracy on Android and 1.4% on PC. Under privacy protection, task-planning semantics can still be maintained, with closed-source models showing stronger semantic consistency than open-source ones. Case studies on MobileWorld show that carefully designed protection strategies achieve higher task accuracy while preserving privacy. Our results highlight privacy recognition as a critical bottleneck for practical GUI agents. Project: https://futuresis.github.io/GUIGuard-page/

GUIGuard: Toward a General Framework for Privacy-Preserving GUI Agents

TL;DR

This work addresses the privacy risks inherent in end-to-end GUI agents by introducing GUIGuard, a three-stage framework that performs on-device privacy recognition, privacy protection, and task execution under a Trustworthy Local–Remote Hybrid Service. It introduces GUIGuard-Bench, a cross-platform dataset with 630 trajectories and 13,830 screenshots annotated for region-level privacy grounding, risk levels, categories, and task necessity, enabling end-to-end evaluation of privacy perception, protection fidelity, and downstream planning. The study reveals that privacy recognition remains a major bottleneck for current models, with end-to-end accuracy well below practical levels, while protection strategies can preserve task solvability to varying degrees depending on strategy and platform. Case studies and graded protection experiments demonstrate the trade-offs between privacy leakage and task performance, underscoring the need for improved detectors, trajectory-aware protection, and task-necessity driven policies to enable practical privacy-preserving GUI agents with robust real-world impact.

Abstract

GUI agents enable end-to-end automation through direct perception of and interaction with on-screen interfaces. However, these agents frequently access interfaces containing sensitive personal information, and screenshots are often transmitted to remote models, creating substantial privacy risks. These risks are particularly severe in GUI workflows: GUIs expose richer, more accessible private information, and privacy risks depend on interaction trajectories across sequential scenes. We propose GUIGuard, a three-stage framework for privacy-preserving GUI agents: (1) privacy recognition, (2) privacy protection, and (3) task execution under protection. We further construct GUIGuard-Bench, a cross-platform benchmark with 630 trajectories and 13,830 screenshots, annotated with region-level privacy grounding and fine-grained labels of risk level, privacy category, and task necessity. Evaluations reveal that existing agents exhibit limited privacy recognition, with state-of-the-art models achieving only 13.3% accuracy on Android and 1.4% on PC. Under privacy protection, task-planning semantics can still be maintained, with closed-source models showing stronger semantic consistency than open-source ones. Case studies on MobileWorld show that carefully designed protection strategies achieve higher task accuracy while preserving privacy. Our results highlight privacy recognition as a critical bottleneck for practical GUI agents. Project: https://futuresis.github.io/GUIGuard-page/
Paper Structure (59 sections, 8 equations, 10 figures, 4 tables)

This paper contains 59 sections, 8 equations, 10 figures, 4 tables.

Figures (10)

  • Figure 1: Overview of the GUIGuard Framework and Benchmark. The top section shows GUIGuard’s three-phase pipeline: (1) Privacy Recognition localizes sensitive elements; (2) Privacy Protection sanitizes them (e.g., masking, semantic replacement, latent perturbation); and (3) Task Execution uses a remote agent to act on protected screenshots. In contrast, conventional GUI agents typically include only Phase (3), directly sending raw screenshots to the cloud. The bottom section illustrates GUIGuard-Bench construction, where collected trajectories are human-annotated with grounding boxes, risk grades, and categories to evaluate all phases.
  • Figure 2: (a) OSWorld benchmark results (accuracy %), comparing representative closed-source and open-source agents. (b) Illustration of the Trustworthy Remote Service. (c) Illustration of the Trustworthy Local–Remote Hybrid Service.
  • Figure 3: The dataset structure is illustrated in the figure. It consists of 240 trajectories (4,080 screenshots) collected from real-world terminal platform scenarios and 390 trajectories (8,587 screenshots) generated using image generation models. Each screenshot is accompanied by textual records of the agent’s interactions. Privacy-related regions are annotated on the screenshots, with privacy information categorized into three risk levels and six semantic categories, while task-required privacy is explicitly marked.
  • Figure 4: Privacy recognition results on GUIGuard Bench for both PC (blue) and Android (red) devices: (left) Binary privacy detection accuracy, whether a screenshot contains any privacy sensitive content; (middle) Privacy recall rate, how many ground truth private elements are retrieved; (right) Overall, end to end accuracy requiring correct detection and all fine grained labels (risk level, category, and task necessity) to be correct.
  • Figure 5: Fine-grained privacy label recognition on GUIGuard-Bench. For private elements that pass text matching and are correctly localized (IoU $\ge$ 0.6), we report the accuracy of predicting risk level, privacy category, and task necessity across VLMs on PC (blue) and Android (red).
  • ...and 5 more figures