
Multi-P$^2$A: A Multi-perspective Benchmark on Privacy Assessment for Large Vision-Language Models (2412.19496v2)

Published 27 Dec 2024 in cs.CR and cs.AI

Abstract: Large Vision-Language Models (LVLMs) exhibit impressive potential across various tasks but also face significant privacy risks, limiting their practical applications. Current research on privacy assessment for LVLMs is limited in scope, with gaps in both assessment dimensions and privacy categories. To bridge this gap, we propose Multi-P$^2$A, a comprehensive benchmark for evaluating the privacy preservation capabilities of LVLMs in terms of privacy awareness and leakage. Privacy awareness measures the model's ability to recognize the privacy sensitivity of input data, while privacy leakage assesses the risk of the model unintentionally disclosing privacy information in its output. We design a range of sub-tasks to thoroughly evaluate the model's privacy protection offered by LVLMs. Multi-P$^2$A covers 26 categories of personal privacy, 15 categories of trade secrets, and 18 categories of state secrets, totaling 31,962 samples. Based on Multi-P$^2$A, we evaluate the privacy preservation capabilities of 21 open-source and 2 closed-source LVLMs. Our results reveal that current LVLMs generally pose a high risk of facilitating privacy breaches, with vulnerabilities varying across personal privacy, trade secret, and state secret.

Summary

  • The paper introduces Multi-P$^2$A, a new benchmark with 31,962 samples across 59 privacy categories, finding that current Large Vision-Language Models (LVLMs) generally pose a high risk of privacy breaches.
  • Multi-P$^2$A assesses LVLM privacy along two dimensions: Privacy Awareness (ability to recognize sensitivity) and Privacy Leakage (risk of disclosing private information), covering personal, trade, and state secrets.
  • Evaluation using Multi-P$^2$A shows that models like GPT-4o and Phi attempt to balance answering sensitive/insensitive queries, but LVLMs overall demonstrate suboptimal performance in awareness and leakage, with prompt engineering providing limited privacy enhancement.

This paper introduces Multi-P$^2$A, a benchmark designed for evaluating privacy risks in Large Vision-Language Models (LVLMs). The benchmark assesses privacy along two dimensions: Privacy Awareness and Privacy Leakage. Privacy Awareness evaluates the model's ability to recognize the privacy sensitivity of input data. Privacy Leakage assesses the risk of the model unintentionally disclosing private information in its output. The benchmark encompasses 26 categories of personal privacy, 15 categories of trade secrets, and 18 categories of state secrets, totaling 31,962 samples. The privacy preservation capabilities of 21 open-source and 2 closed-source LVLMs are evaluated using Multi-P$^2$A. The results indicate that current LVLMs generally pose a high risk of facilitating privacy breaches.

The study identifies limitations in current benchmarks, including a narrow scope of privacy risks and limited dataset sizes. To address these limitations, Multi-P$^2$A incorporates a wider array of privacy categories and a larger dataset. The authors draw inspiration from TrustLLM and MultiTrust, but they reconceptualize the Privacy Awareness and Privacy Leakage dimensions.

The Multi-P$^2$A framework consists of two key components: Privacy Awareness and Privacy Leakage.

Privacy Awareness is divided into three tasks:

  • Privacy Image Recognition: Assesses the model's ability to identify privacy-related visual cues within input images.
  • Privacy Question Detection: Assesses the model's capacity to discern the privacy risks of input queries.
  • Privacy InfoFlow Assessment: Evaluates the alignment between a model’s understanding of privacy information flow and human expectations.

Privacy Leakage is categorized based on the model’s role in leaking private information:

  • Perception Leakage: Assesses the risk of LVLMs revealing privacy-related information present in input images.
  • Reasoning Leakage: Evaluates the risk of LVLMs inferring private information based on visual cues within input images.
  • Memory Leakage: Evaluates the risk of LVLMs revealing privacy-sensitive information retained from its training process.

The paper describes the construction of the Multi-P$^2$A dataset, detailing the collection of images from existing datasets and social media platforms. For trade secrets and state secrets, the dataset uses exclusively outdated and publicly available materials. The personal privacy dataset is built upon the VISPR dataset.

The paper introduces a metric called Expect-to-Answer ($EtA$) to address biases in the Refuse-to-Answer ($RtA$) metric, which tends to favor conservative models. $EtA$ balances the model’s tendency to refuse responses to privacy-sensitive questions with its responsiveness to questions involving non-sensitive attributes. The $EtA$ metric is calculated as:

$$EtA = \frac{RtA_\text{sensitive} + (1 - RtA_\text{insensitive})}{2}$$

where:

  • $RtA_\text{sensitive}$ is the $RtA$ of privacy-related questions.
  • $RtA_\text{insensitive}$ is the $RtA$ of privacy-unrelated questions.
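
The bias that $EtA$ corrects can be seen by scoring three evaluation runs under both metrics. This is an added example, not code from the paper: the `Response` record, the helper names and the three runs are constructed for illustration, and refusal labels are assumed to be given, since this summary does not say how refusals are detected.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Response:
    sensitive: bool   # question targets a privacy-related attribute
    refused: bool     # model declined to answer (label assumed given)

def rta(responses, sensitive):
    """Refuse-to-Answer rate over the sensitive or insensitive split."""
    split = [r for r in responses if r.sensitive == sensitive]
    if not split:
        raise ValueError("no questions in the requested split")
    return sum(r.refused for r in split) / len(split)

def rta_sensitive(responses):
    """RtA restricted to privacy-related questions."""
    return rta(responses, True)

def eta(responses):
    """EtA = (RtA_sensitive + (1 - RtA_insensitive)) / 2."""
    return (rta(responses, True) + (1 - rta(responses, False))) / 2

def make_run(n_sens, refused_sens, n_insens, refused_insens):
    """Constructed run: the first `refused_*` questions of each split are refused."""
    return ([Response(True, i < refused_sens) for i in range(n_sens)] +
            [Response(False, i < refused_insens) for i in range(n_insens)])

# Constructed runs, 10 sensitive + 10 insensitive questions each (not paper data).
RUNS = {
    "always_refuse": make_run(10, 10, 10, 10),  # maximally conservative
    "never_refuse": make_run(10, 0, 10, 0),     # answers everything
    "selective": make_run(10, 8, 10, 1),        # mostly discriminates
}

def rank(metric):
    """Model names ordered best-first under the given metric."""
    return sorted(RUNS, key=lambda name: metric(RUNS[name]), reverse=True)

if __name__ == "__main__":
    for name, run in RUNS.items():
        print(f"{name:14s} RtA_sens={rta_sensitive(run):.2f} EtA={eta(run):.2f}")
    print("best by RtA:", rank(rta_sensitive)[0])
    print("best by EtA:", rank(eta)[0])
```

Ranking by $RtA$ on sensitive questions alone puts the run that refuses everything first, while under $EtA$ it scores the same as the run that refuses nothing and the selective run leads.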

The experimental results demonstrate that Large Vision-Language Models (LVLMs) exhibit suboptimal performance in Privacy Awareness. GPT-4o demonstrates leadership in Privacy Awareness across all tasks. However, accurately differentiating between privacy-related and privacy-unrelated input images and queries remains a challenge for GPT-4o. Phi demonstrates strong privacy preservation capabilities, ranking first across three tasks in Privacy Leakage by declining most sensitive inquiries. Based on the $EtA$ metric, Phi and GPT-4o achieve a balance between addressing privacy-unrelated queries and rejecting privacy-related requests.

The study also finds that closed-source LVLMs, such as GPT-4o, do not necessarily exhibit superior privacy preservation capabilities compared to advanced open-source models. GPT-4o exhibits similar vulnerabilities to open-source models in Perception Leakage and also has risks in leaking inferable private information.

The paper evaluates the models’ privacy preservation capabilities across personal privacy, trade secret, and state secret. GPT-4o may be more oriented toward protecting personal privacy. Phi demonstrates increasing protection capabilities across personal privacy, trade secret, and state secret. The authors note that, for LVLMs, the tension between refusing to answer privacy-related questions and willingness to answer corresponding privacy-unrelated questions appears to be a challenging contradiction.

The paper also finds a general inconsistency between the performance of current LVLMs in Privacy Question Detection and Privacy Leakage, and that current LVLMs tend to protect privacy-related information through instinct rather than consciousness.

The study investigates the impact of prompt engineering on privacy enhancement. Results show that incorporating security prompts may improve the models’ ability to safeguard private data. The authors observe that the models’ response rates to insensitive questions decrease with the addition of safety prompts. They conclude that while prompt engineering offers a valuable approach to enhance model security, it cannot fundamentally resolve the inherent privacy risks.
