Papers
Topics
Authors
Recent
Search
2000 character limit reached

Comprehensive Privacy Risk Scoring (CPRS)

Updated 6 July 2026
  • CPRS is a multifactor privacy quantification approach that aggregates various exposures into a single numerical risk estimate.
  • It spans multiple domains including social networks, cyber-physical systems, Android apps, visual media, and recommender systems to capture heterogeneous risks.
  • Mathematical models in CPRS use weighted sums, products, and continuous scoring to provide nuanced assessments adapted to diverse contexts.

Searching arXiv for the cited CPRS-related papers to ground the article in current records. Comprehensive Privacy Risk Scoring (CPRS) denotes a class of privacy quantification approaches that aggregate multiple sources of exposure into a single numerical assessment rather than treating privacy as a one-dimensional property. Across recent work, CPRS has been instantiated for online social networks, cyber-physical systems, Android devices and applications, visual content, and recommender systems, with component signals including profile attributes, visibility, social-graph structure, text entities, vulnerability profiles, compositional visual cues, and membership-inference evidence (Alam et al., 20 Jul 2025, Bhattacharjee et al., 2021, Tsaprazlis et al., 23 Mar 2026, He et al., 24 Jul 2025). A common premise is that privacy risk is heterogeneous: identical nominal disclosures can have different consequences depending on detail level, topology, context, exploitability, or inferential composition.

1. Conceptual basis and scope

A recurring definition in this literature is that a privacy score is a numerical estimate of privacy violation risk. In the LinkedIn-based thesis on online social networks, higher scores mean a user is more exposed or more likely to suffer privacy leakage, and risk is tied to the type of data shared and the audience with which it is shared (Kilic, 2021). In the cyber-physical systems setting, the same general idea is reformulated as system-aware vulnerability characterization followed by privacy quantification, with the central claim that privacy protection should not be uniform across nodes because nodes differ in attack exposure, privacy loss, and user preference (Bhattacharjee et al., 2021).

The term “comprehensive” is used because prior methods often isolate a single axis of exposure. In social-network work, one line of methods measures “what items are shared,” another measures “where the user sits” in the network, and a later extension argues that neither captures “how richly it is shared” (Kilic, 2021). In the unified social-network CPRS framework, the same concern is restated at larger scale: profile attributes, graph structure, and user-generated content are all privacy-relevant, and focusing on only one of them misses inference, de-anonymization, profiling, social engineering, and cross-referencing across data sources (Alam et al., 20 Jul 2025). In visual privacy, the analogous critique is that binary “private versus non-private” labeling neglects composition, even though benign attributes in isolation may jointly create severe privacy violations (Tsaprazlis et al., 23 Mar 2026).

This suggests that CPRS is less a single standardized formula than a modeling stance. The shared stance is that privacy risk emerges from multiple attack surfaces and must be estimated from observed technical evidence, structural position, or inferential composition rather than from a single count, a single permission, or a single visible identifier.

2. Mathematical patterns and score semantics

Despite domain differences, CPRS methods repeatedly adopt decomposable scoring functions. In the social-network framework, the global score is a weighted sum of three components,

CPRS=w1APRS+w2SGPRS+w3CBPRS,CPRS = w_1 \cdot APRS + w_2 \cdot SGPRS + w_3 \cdot CBPRS,

where APRSAPRS is attribute-based risk, SGPRSSGPRS is social-graph risk, and CBPRSCBPRS is content-based risk (Alam et al., 20 Jul 2025). In the cyber-physical systems formulation, the main privacy-risk equation is

R=PLM×FPLE,R = PLM \times FPLE,

so risk is the product of privacy loss magnitude and frequency of privacy loss events (Bhattacharjee et al., 2021). In the Android pre-installed-app framework, the device-level score begins from

Risk=Probability×Cost,Risk = Probability \times Cost,

operationalized as per-finding normalized counts multiplied by exploitability, user awareness, and impact, then summed and normalized to a $0$–$100$ device score where higher values mean worse privacy/security risk (Ozbay et al., 2022).

Other variants expose important semantic differences. The Android app framework based on permissions and API methods computes permission and method subscores, combines them equally, normalizes, and then reverses the direction: Sfinal=100round(100SP+SM200),S_{\text{final}} = 100 - \operatorname{round}\left(100 \cdot \frac{S_P + S_M}{200}\right), so higher values mean the app is more private rather than riskier (Marono et al., 2023). In recommender systems, the score is not a weighted sum of features but an attack-grounded indistinguishability quantity: ϵ^(u,i)=ln(TPRFPR),\hat{\epsilon}_{(u,i)} = \ln\left(\frac{TPR}{FPR}\right), with user-level risk taken as the mean of interaction-level risks (He et al., 24 Jul 2025). In visual privacy, the score is explicitly continuous on APRSAPRS0, with lexicographic dominance weights APRSAPRS1 and calibrated severity bands APRSAPRS2, APRSAPRS3, APRSAPRS4, and APRSAPRS5 (Tsaprazlis et al., 23 Mar 2026).

A common misconception is that CPRS always produces a directly comparable “risk score.” The literature does not support that claim. Some frameworks output higher-is-riskier scores, some output higher-is-more-private scores, some use APRSAPRS6, and others use APRSAPRS7–APRSAPRS8 or record-specific APRSAPRS9-like quantities. A plausible implication is that CPRS is comparable within a framework, but not automatically across frameworks without attention to direction, normalization, and threat model.

3. Social-network CPRS: attributes, graph structure, content, and granularity

In online social networks, CPRS has evolved from privacy-policy scoring toward multidimensional exposure modeling. The LinkedIn thesis profiled 5,389 distinct users collected from May 2018 to August 2018, using a Python crawler with Selenium, a breadth-first crawl from a seed account up to second-degree connections, and dual storage in MySQL and Neo4j (Kilic, 2021). It critiques policy-based methods such as PSN and PSI for ignoring granularity and critiques network-based methods such as PSC and PSNA for ignoring profile-content detail. Its main conceptual contribution is that risk depends on three dimensions: the sensitivity of the shared item, the user’s network position or centrality, and the granularity of the shared data.

Granularity is represented through a Granularity Matrix, from which a Privacy Policy Matrix and a Granularity Level Matrix are derived. The levels are Zero Granularity, Low Granularity, Medium Granularity, and High Granularity, assigned by 1-dimensional clustering with dynamic programming. The general granularity-based score is

SGPRSSGPRS0

with

SGPRSSGPRS1

The thesis then defines two variants: PSGN, a naïve granularity model based on frequency and independence assumptions, and PSGI, an IRT-based model using the Graded Response Model and implemented in R with the LTM package (Kilic, 2021). The empirical findings are that granularity varies substantially across items; education, work experience, and about show much larger standard deviations than birthday or phone number; and PSGI fits the observed data better than PSGN, just as PSI fits policy data better than PSN.

The later social-network CPRS framework generalizes multidimensional scoring to three explicit components: attribute-based, graph-based, and content-based risk (Alam et al., 20 Jul 2025). For profile attributes such as mobile, email, gender, pronoun, date of birth, relationship status, from location, lives in location, school, and workplace, sensitivity is defined as

SGPRSSGPRS2

visibility is

SGPRSSGPRS3

and attribute risk is SGPRSSGPRS4. Graph risk uses SimRank-based structural similarity and PageRank-based importance; content risk uses SpaCy to extract 18 entity types, then sums entity sensitivity and multiplies by post visibility, with comments inheriting the parent post’s visibility. Validated on the SNAP Facebook Ego Network and the Koo dataset, the framework reports mean component risks of SGPRSSGPRS5 for APRS, SGPRSSGPRS6 for SGPRS, and SGPRSSGPRS7 for CBPRS, with overall CPRS values of SGPRSSGPRS8 under equal weighting, SGPRSSGPRS9 for a content-focused scenario, and CBPRSCBPRS0 for a graph-focused scenario (Alam et al., 20 Jul 2025).

Taken together, these works establish two distinct but related social-network claims. First, privacy exposure is not exhausted by visibility settings or graph centrality alone. Second, apparently similar disclosures can differ in risk because of detail level, structural embedding, or entity-rich textual disclosure.

4. Cyber-physical systems: vulnerability characterization and personalized privacy

In cyber-physical systems, CPRS is organized around the sequence vulnerability score CBPRSCBPRS1 privacy preference CBPRSCBPRS2 privacy budget CBPRSCBPRS3 CBPRSCBPRS4 Laplace noise CBPRSCBPRS5 risk/utility outcome (Bhattacharjee et al., 2021). The graph of the system is modeled as CBPRSCBPRS6, with adjacency matrix CBPRSCBPRS7 and Laplacian CBPRSCBPRS8. The key profiling object is the Standard Vulnerability Profiling Library (SVPL), which ranks nodes by privacy loss severity using an attribute-based attack graph, topological information, prior attack incidents, risk sources, privacy weaknesses, feared events, and privacy harms.

The Vulnerability Assessment Attack Graph is defined as

CBPRSCBPRS9

and the paper explicitly decomposes risk as

R=PLM×FPLE,R = PLM \times FPLE,0

Here, R=PLM×FPLE,R = PLM \times FPLE,1 measures privacy loss magnitude and R=PLM×FPLE,R = PLM \times FPLE,2 is the frequency of privacy loss events. The associated Vulnerability Profile Generation algorithm takes node vulnerability set R=PLM×FPLE,R = PLM \times FPLE,3, attack incidents R=PLM×FPLE,R = PLM \times FPLE,4, and new nodes R=PLM×FPLE,R = PLM \times FPLE,5, checks whether attack incidents exist, creates attack nodes R=PLM×FPLE,R = PLM \times FPLE,6, expands the compromised node set R=PLM×FPLE,R = PLM \times FPLE,7, adds edges R=PLM×FPLE,R = PLM \times FPLE,8, updates R=PLM×FPLE,R = PLM \times FPLE,9, and matches compromised nodes against Risk=Probability×Cost,Risk = Probability \times Cost,0 to profile vulnerabilities (Bhattacharjee et al., 2021).

The second component is Personalized Differential Privacy (PDP). Instead of assigning a uniform privacy budget, the framework maps node type, access frequency, attacker exposure, communication medium, operational complexity, and distance in the network to privacy preferences such as high, medium, and low. The paper gives a preference-to-Risk=Probability×Cost,Risk = Probability \times Cost,1 mapping function, though it appears typographically incomplete, and applies sequential composition with cumulative privacy loss Risk=Probability×Cost,Risk = Probability \times Cost,2. The privacy-preserving release uses the Laplace mechanism,

Risk=Probability×Cost,Risk = Probability \times Cost,3

Utility loss is evaluated using mean absolute error,

Risk=Probability×Cost,Risk = Probability \times Cost,4

and normalized deviation Risk=Probability×Cost,Risk = Probability \times Cost,5 (Bhattacharjee et al., 2021).

Experiments use a micro-grid dataset of 443 homes from the UMASS Repository, with homes treated as edge nodes and fog and cloud as aggregation layers. Uniform Differential Privacy applies the same Risk=Probability×Cost,Risk = Probability \times Cost,6 to all nodes, whereas PDP uses different Risk=Probability×Cost,Risk = Probability \times Cost,7 values based on privacy preference. The reported conclusion is that SVPL enables comprehensive vulnerability characterization, PDP enables personalized privacy quantification and protection, and the combined framework improves privacy while preserving utility and reducing disclosure risk better than uniform differential privacy (Bhattacharjee et al., 2021).

5. Android devices and applications: heterogeneous evidence aggregation

In Android ecosystems, CPRS appears in two related but distinct forms: device-level trust scoring for pre-installed applications and app-level privacy scoring from static code and manifest analysis.

The device-level framework for pre-installed software scores each smartphone by consolidating ten findings derived from tracker SDKs, manifest files, cloud-service weaknesses, and findings adapted from earlier research (Ozbay et al., 2022). The scored entities are devices rather than apps, using a public dataset built from firmware partitions collected by the authors’ Android app, Pre-App Collector, across 22 OEMs, 98 devices, and 14,178 APK files extracted from 143,862 firmware files. The ten findings are privileged pre-installed applications, applications with allowBackup enabled, applications not signed by the manufacturer or vendor, applications not updated for more than two years, applications with usesClearTextTraffic enabled, applications with debuggable enabled, trackers excluding crash reporters, vulnerabilities in cloud services, exported application components not requiring permissions, and dangerous permissions. Per-finding risk is

Risk=Probability×Cost,Risk = Probability \times Cost,8

and the final device score is

Risk=Probability×Cost,Risk = Probability \times Cost,9

The weighting scheme sets trackers as the most severe privacy factor, with $0$0, $0$1, and $0$2, while cloud-service findings are also treated seriously. The framework reports that Sony Xperia Z1 has the highest score in the dataset, that 7 of the top 10 highest-scoring phones are Samsung devices, and that the relationship between device score and number of pre-installed apps shows a weak negative Pearson correlation $0$3, indicating the score is not simply an app count (Ozbay et al., 2022).

The app-level framework instead analyzes individual Android applications through static extraction of AndroidManifest.xml permissions and decompiled public Android API methods obtained with JADX (Marono et al., 2023). It maps permissions and methods to PII categories and assigns five privacy levels: Sensitive $0$4, Personal $0$5, Confidential $0$6, Public $0$7, and Non-personal $0$8. Privacy-relevant methods are included once even if found multiple times, and methods identified without corresponding manifest permissions are given weight $0$9 in the experiments. The method score and permission score are each normalized to $100$0–$100$1, combined equally, and then reversed so that higher final values mean more privacy rather than more risk. On four evaluated apps, Shein receives $100$2, Reface $100$3, Gmail $100$4, and a synthetic “Dangerous App” with all sensitive permissions and no privacy-related methods receives $100$5 (Marono et al., 2023).

These two Android lines clarify a frequent ambiguity in CPRS. “Comprehensive” does not imply a common unit of analysis. One framework scores devices from aggregated app findings; the other scores apps from code-level evidence. Nor does comprehensiveness eliminate subjectivity: the pre-installed-app paper explicitly notes that coefficients are expert-driven and subjective, while the app-level paper notes that its privacy-method and permission mappings need refinement (Ozbay et al., 2022, Marono et al., 2023).

6. Visual privacy: compositional severity and continuous scoring

In visual privacy, CPRS is formulated as compositional severity assessment rather than attribute counting alone (Tsaprazlis et al., 23 Mar 2026). The framework introduces the Compositional Privacy Risk Taxonomy (CPRT), a regulation-aware taxonomy aligned with GDPR, HIPAA, CCPA/CPRA, and the EU AI Act. An image $100$6 is modeled as containing a subset of privacy-relevant attributes $100$7, and privacy severity depends both on the severity of visible attributes and on their capacity to become harmful when combined with auxiliary information.

CPRT has four ordered levels. Level 1 contains unique identifiers such as recognizable face, fingerprint, passport number, SSN, driver’s license number, and unique body markings. Level 2 contains linkage-based identifiers such as full legal name, medical information, financial information, beliefs, nudity, disability, emotional or mental-health inference, race or ethnicity, and non-unique identifiers. Level 3 contains aggregation-based identifiers such as age, gender, location cues, activities, and lifestyle cues. Level 4 contains benign contextual information such as property or assets, documents, metadata, and background individuals or crowds. Assignment is done by a deterministic four-question decision tree, where the first “yes” determines the level (Tsaprazlis et al., 23 Mar 2026).

The score maps level-wise attribute counts $100$8 to a continuous value in $100$9. Lexicographic dominance is enforced with weights Sfinal=100round(100SP+SM200),S_{\text{final}} = 100 - \operatorname{round}\left(100 \cdot \frac{S_P + S_M}{200}\right),0, chosen so that one attribute at a higher level outweighs all possible lower-level combinations. Score intervals are calibrated from learned attribute embeddings using ordinal triplet loss plus inverse distance weighting, producing bands Sfinal=100round(100SP+SM200),S_{\text{final}} = 100 - \operatorname{round}\left(100 \cdot \frac{S_P + S_M}{200}\right),1, Sfinal=100round(100SP+SM200),S_{\text{final}} = 100 - \operatorname{round}\left(100 \cdot \frac{S_P + S_M}{200}\right),2, Sfinal=100round(100SP+SM200),S_{\text{final}} = 100 - \operatorname{round}\left(100 \cdot \frac{S_P + S_M}{200}\right),3, and Sfinal=100round(100SP+SM200),S_{\text{final}} = 100 - \operatorname{round}\left(100 \cdot \frac{S_P + S_M}{200}\right),4 (Tsaprazlis et al., 23 Mar 2026).

The dataset contains 6,736 images aligned with 22 privacy attributes, with level distribution L1: 2,860 images, L2: 1,025, L3: 1,363, and L4: 1,488. Evaluations of VLMs show that frontier models align much better with compositional severity under taxonomy-guided prompting than open-weight models do. Under taxonomy guidance, Gemini 3 Flash reaches Pearson Sfinal=100round(100SP+SM200),S_{\text{final}} = 100 - \operatorname{round}\left(100 \cdot \frac{S_P + S_M}{200}\right),5, Spearman Sfinal=100round(100SP+SM200),S_{\text{final}} = 100 - \operatorname{round}\left(100 \cdot \frac{S_P + S_M}{200}\right),6, MAE Sfinal=100round(100SP+SM200),S_{\text{final}} = 100 - \operatorname{round}\left(100 \cdot \frac{S_P + S_M}{200}\right),7, and Bias Sfinal=100round(100SP+SM200),S_{\text{final}} = 100 - \operatorname{round}\left(100 \cdot \frac{S_P + S_M}{200}\right),8, while GPT-5.2 reaches Pearson Sfinal=100round(100SP+SM200),S_{\text{final}} = 100 - \operatorname{round}\left(100 \cdot \frac{S_P + S_M}{200}\right),9, Spearman ϵ^(u,i)=ln(TPRFPR),\hat{\epsilon}_{(u,i)} = \ln\left(\frac{TPR}{FPR}\right),0, MAE ϵ^(u,i)=ln(TPRFPR),\hat{\epsilon}_{(u,i)} = \ln\left(\frac{TPR}{FPR}\right),1, and Bias ϵ^(u,i)=ln(TPRFPR),\hat{\epsilon}_{(u,i)} = \ln\left(\frac{TPR}{FPR}\right),2. By contrast, smaller open-weight models exhibit systematic negative bias, especially on L3 and L4 cases where privacy arises from aggregation or context rather than a direct identifier. The paper therefore emphasizes a specific failure mode: models often recognize sensitive cues verbally yet still assign near-zero scores when no explicit identity linkage is visible (Tsaprazlis et al., 23 Mar 2026).

This work broadens CPRS beyond disclosure counting. It treats privacy risk as a calibrated severity manifold over compositional evidence, with strict cross-level dominance and within-level monotonicity.

7. Recommender systems, interpretation pitfalls, and recurring limitations

In recommender systems, CPRS becomes model-centric and attack-based. RecPS scores privacy risk at the level of user-item interactions and users by exploiting membership inference capability (He et al., 24 Jul 2025). For an interaction ϵ^(u,i)=ln(TPRFPR),\hat{\epsilon}_{(u,i)} = \ln\left(\frac{TPR}{FPR}\right),3, the framework defines a record-specific privacy quantity

ϵ^(u,i)=ln(TPRFPR),\hat{\epsilon}_{(u,i)} = \ln\left(\frac{TPR}{FPR}\right),4

motivated by the differential privacy indistinguishability view. The practical estimator is built by RecLiRA, which adapts LiRA to probabilistic recommenders through shadow models, confidence-gap transformation ϵ^(u,i)=ln(TPRFPR),\hat{\epsilon}_{(u,i)} = \ln\left(\frac{TPR}{FPR}\right),5, a logit transform ϵ^(u,i)=ln(TPRFPR),\hat{\epsilon}_{(u,i)} = \ln\left(\frac{TPR}{FPR}\right),6, Gaussian OUT calibration, and threshold search maximizing ϵ^(u,i)=ln(TPRFPR),\hat{\epsilon}_{(u,i)} = \ln\left(\frac{TPR}{FPR}\right),7. User-level risk is not the sum but the mean of interaction-level risks,

ϵ^(u,i)=ln(TPRFPR),\hat{\epsilon}_{(u,i)} = \ln\left(\frac{TPR}{FPR}\right),8

to avoid automatically penalizing users with long histories (He et al., 24 Jul 2025).

Experiments use MovieLens-1M, Amazon Digital Music, and Amazon Beauty with NCF and LightGCN. RecLiRA substantially outperforms MINER in AUC and especially in the low-FPR region; for example, on Amazon Digital Music, RecLiRA-LGCN reaches ϵ^(u,i)=ln(TPRFPR),\hat{\epsilon}_{(u,i)} = \ln\left(\frac{TPR}{FPR}\right),9 AUC and RecLiRA-NCF APRSAPRS00, versus APRSAPRS01 and APRSAPRS02 for MINER variants. The framework also shows that score-guided removal of only the most sensitive interactions preserves utility better than removing entire high-risk users. On Amazon Digital Music, removing the top 70% sensitive interactions of the top 5% users reduces their scores below the cutoff while reducing performance by APRSAPRS03 for NCF and APRSAPRS04 for LGCN, compared with much larger degradation under full user removal (He et al., 24 Jul 2025).

Across the CPRS literature, several interpretation pitfalls recur. First, score direction is not uniform: higher means worse risk in the social-network, cyber-physical-system, device, visual-severity, and recommender-system settings, but higher means more privacy in the app-level Android framework (Alam et al., 20 Jul 2025, Bhattacharjee et al., 2021, Ozbay et al., 2022, Tsaprazlis et al., 23 Mar 2026, He et al., 24 Jul 2025, Marono et al., 2023). Second, comprehensiveness does not imply runtime completeness. The Android app framework is static-analysis only and does not include network traffic inspection, dynamic tainting, or privacy-policy text in its final formula; the pre-installed-app study also relies on static analysis and notes that reflection, dynamic code loading, native libraries, obfuscation, and encryption may hide behaviors (Marono et al., 2023, Ozbay et al., 2022). Third, some frameworks depend on synthetic or scenario-specific inputs: the social-network CPRS paper generates synthetic profile attributes and visibility settings for the SNAP Facebook Ego Network because the dataset lacks actual profile attributes (Alam et al., 20 Jul 2025). Fourth, benchmarking remains incomplete in places: the same paper explicitly states that it has not yet benchmarked CPRS against simpler baselines like visibility-only models and has not empirically validated correlation with actual attacks (Alam et al., 20 Jul 2025).

A plausible implication is that CPRS is best understood as a family of rigorous but domain-bound risk formalisms. Its central contribution across domains is not a universal scalar, but a repeatable way to combine heterogeneous evidence into a privacy estimate that is more faithful than single-factor scoring.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Comprehensive Privacy Risk Scoring (CPRS).