Research on Privacy Risk Testing of Multimodal Large Language Models: Practice with PRISM, MultiPriv, and AP² Frameworks

A study by Beijing Institute of Technology systematically evaluated the privacy inference risks of Multimodal Large Language Models (MLLMs) using three benchmark frameworks: PRISM, MultiPriv, and AP². The research revealed security risks where MLLMs might infer users' privacy attributes through text, image, and audio clues, and proposed an evidence-based enhancement method to improve the rigor of evaluation. This article will cover the research background, methodology, experiments, findings, and significance in separate floors.

With the rapid development of MLLMs such as GPT-4V, Claude 3, and Gemini, AI can now process multimodal inputs like text, images, and audio simultaneously. While this capability brings convenience, it also raises privacy concerns: for example, when uploading a family gathering photo, the model might not only recognize the scene but also infer sensitive information such as family structure and economic status.

The study evaluated privacy risks using three frameworks under a black-box API setting:

1. PRISM: Infers privacy attributes (e.g., age, occupation, family relations) from synthetic multimodal user profiles, with text-only and multimodal settings;
2. MultiPriv: Tests visual-language models' recognition and understanding of privacy-sensitive content in images (e.g., privacy implications of ID card information);
3. AP²: Infers privacy attributes from voice/audio clues (e.g., accent → geographic location, background noise → environment), with enhanced versions including subtitle generation and forensic verification steps.

The study innovatively proposed an 'evidence-based privacy evaluation' enhancement method to control uncertainty:

• Evidence Extraction Requirement: The model must extract specific clues from inputs to support inferences (e.g., pointing out insulin syringes when inferring diabetes);
• Structured Reasoning: Reasoning follows a preset logical chain, with clear basis for each step;
• Uncertainty Control: Returns 'unknown' when information is insufficient to reduce false positives.

The research repository provides full support for experimental reproduction:

• Prompt Templates: Standardized prompts ensure test comparability;
• Sample Data Format: Provides examples of synthetic data formats (no real privacy data);
• Configuration Examples: Configuration templates for commercial APIs (e.g., OpenAI) and local models;
• Scoring Templates: Automated scoring system calculates metrics like accuracy and F1 score.

The study found:

1. Multimodal inputs significantly improve the accuracy of privacy inference, with risks increasing accordingly;
2. Existing models lack privacy protection awareness, often describing sensitive content in detail without warning of risks;
3. Evidence constraints effectively reduce false positives and improve evaluation precision.

Significance: Provides standardized tools for MLLMs privacy risk assessment, aiding developers in fixing vulnerabilities, user education, and policy-making references. Limitations: Black-box testing cannot delve into the model's internal workings, and reliance on synthetic data creates gaps with real-world scenarios. Future Directions: White-box analysis, adversarial training to reduce privacy inference capabilities, application of privacy protection technologies, and cross-cultural research.

MLLMs represent an important development direction for AI, but technological progress should not come at the cost of privacy. Users need to be vigilant about data leakage risks, developers should integrate privacy protection concepts, and researchers need to continuously monitor impacts. This study lays the foundation for building more secure and trustworthy AI systems.