MemPrivacy: Edge-Cloud Memory Privacy
- MemPrivacy is a privacy-preserving framework for edge-cloud LLM agents that replaces sensitive spans with type-aware placeholders to retain semantic context.
- It employs a three-stage closed-loop pipeline including on-device detection, cloud-side processing of sanitized data, and local restoration of original values.
- Empirical results demonstrate higher F1 scores and reduced latency compared to baselines, while maintaining a favorable balance between privacy protection and memory utility.
MemPrivacy is a privacy-preserving personalized memory management framework for edge-cloud LLM agents that is designed for persistent memory settings in which user interactions originate on device but memory extraction, consolidation, and retrieval are cloud-assisted. Its central mechanism is to identify privacy-sensitive spans on edge devices, replace them with semantically structured type-aware placeholders for cloud-side memory processing, and restore the original values locally when needed. The framework is motivated by the claim that aggressive masking removes task-relevant semantics and degrades memory utility, whereas typed placeholders can minimize sensitive data exposure while retaining the information required for effective memory formation and retrieval (Chen et al., 10 May 2026).
1. Edge-cloud personalized memory as a privacy problem
MemPrivacy is situated in edge-cloud agent deployments where personalized memory enables long-term adaptation and user-centric interaction, but cloud-assisted memory management broadens the privacy attack surface. In this setting, raw user messages may contain PII, health, financial, location, and credential data; once transmitted to cloud logs, vector stores, or memory modules, those data can persist across sessions and become vulnerable to extraction or indirect prompt-injection attacks. The framework therefore treats personalized memory not as a one-shot inference problem but as a repeated storage, retrieval, and reasoning pipeline with persistent exposure risk (Chen et al., 10 May 2026).
The paper argues that the main difficulty is not merely hiding values. Memory systems must preserve the semantic roles of those values so that the cloud can still write, retrieve, and reason over preferences, relationships, and temporal facts. Full masking or redaction protects privacy but destroys information needed by the memory system. This leads to a constrained privacy-utility objective:
Here privacy risk is the probability that an attacker can recover any sensitive item from sanitized inputs, sanitized outputs, and sanitized memory state, while utility loss is the gap between ideal and restored response quality:
2. Closed-loop reversible pseudonymization
The architecture is a closed-loop reversible pseudonymization pipeline with three stages. First, an on-device MemPrivacy model detects privacy spans in each user utterance and produces structured annotations
where is the span text, the privacy level, and the privacy type. If a span’s level meets the user-configured masking threshold , the device replaces it before transmission.
The replacement is not a generic mask. MemPrivacy uses semantically structured type-aware placeholders such as <EMAIL_1>, <PHONE_2>, and <PASSWORD_1>. This preserves the semantic category of the missing field and also distinguishes multiple values of the same type. The device stores a secure local mapping table containing the placeholder-to-original-span relation together with privacy level and privacy type. If the same sensitive item reappears later, the same placeholder is reused, enabling consistent cross-session reference (Chen et al., 10 May 2026).
Second, the cloud receives only sanitized text and sanitized memory:
Because placeholders retain type information, the cloud can still process memory-relevant structure more accurately than under plain masking.
Third, the edge device restores raw values locally after the cloud response is returned. The device scans the response for placeholders and replaces each placeholder using the local mapping database, yielding the restored output 0. The resulting trust boundary is asymmetric: the cloud operates only on sanitized inputs and sanitized memory states, while the original sensitive spans remain local (Chen et al., 10 May 2026).
3. Privacy taxonomy and configurable policy
MemPrivacy introduces a four-level privacy taxonomy that is used both for annotation and for configurable protection policy. The levels separate low-risk personalization signals from directly exploitable secrets.
| Level | Scope | Default policy |
|---|---|---|
| PL1 | low-sensitivity personalization | minimize and allow with revocability |
| PL2 | identifiable personal information | controlled storage only if necessary |
| PL3 | highly sensitive personal information | strictly controlled and not stored by default |
| PL4 | confidential / immediately exploitable information | zero retention / immediate block |
PL1 covers preferences, habits, style, and related low-risk cues. PL2 includes names, phone numbers, email, addresses, usernames, device IDs, IP addresses, relationship info, and company-plus-title combinations. PL3 covers IDs, financial records, medical history, precise location, biometrics, raw chat logs, and sensitive attributes. PL4 is reserved for passwords, verification codes, session tokens, API keys, private keys, seed phrases, database credentials, and other immediately exploitable internal details. The paper also gives policy guidance: PL1 is mainly “minimize and allow with revocability,” PL2 is “controlled storage only if necessary,” PL3 is “strictly controlled and not stored by default,” and PL4 is “zero retention / immediate block” (Chen et al., 10 May 2026).
A recurrent misconception in memory privacy is that all sanitization policies are functionally equivalent once the raw value is removed. MemPrivacy explicitly rejects that equivalence. Irreversible masking, untyped placeholders, and typed placeholders are treated as materially different interventions because they preserve different amounts of semantic structure, and the utility results are reported accordingly (Chen et al., 10 May 2026).
4. MemPrivacy-Bench and training methodology
MemPrivacy-Bench is constructed specifically for long-term memory privacy rather than generic PII detection. It contains 200 synthetic user profiles derived from PersonaHub seeds, is balanced 50% Chinese and 50% English, and uses dialogue scenarios spanning 7 high-level categories and 23 subcategories. The categories are Drafting/Polishing, Financial Data Analysis, Consultation/Planning, Tech Support/Simulation, Emotional/Social, Contextual Inference, and Preference Change. For each user, 6–10 subcategories are sampled to generate multi-turn conversations (Chen et al., 10 May 2026).
The paper reports the following split statistics. The training split contains 160 users, 26,016 turns, 52,032 messages, 42,159 messages with privacy, 125,776 privacy instances, and 7,811,374 tokens. The test split contains 40 users, 6,337 turns, 12,674 messages, 10,234 messages with privacy, 29,967 privacy instances, and 1,872,220 tokens. Annotation uses preliminary labels from Gemini-3.1-Pro and GPT-5.2, a two-stage refinement process, and final human verification by six annotators. An item is counted correct only if original span text, privacy level, and privacy type are all correct; final verification accuracy for the evaluation sets reaches 98.08% (Chen et al., 10 May 2026).
The evaluation suite includes 615 QA pairs in six categories: basic memory, temporal reasoning, adversarial questioning, dynamic updating, implicit inference, and information aggregation. The paper also derives an evaluation split from PersonaMem-v2 with 20 users, 2,521 turns, 5,041 messages, 2,378 privacy instances, and 563 questions (Chen et al., 10 May 2026).
Model training combines supervised fine-tuning and reinforcement learning. The SFT objective is standard cross-entropy,
1
and the RL stage uses Group Relative Policy Optimization, with extraction-level F1 as reward. In the RL configuration, the paper sets 2, 3, uses 8 sampled generations per prompt, and maximum input and completion lengths of 4096 and 1536 respectively (Chen et al., 10 May 2026).
5. Empirical results: extraction quality, latency, and memory utility
On privacy information extraction, MemPrivacy models outperform the reported general-purpose baselines on both MemPrivacy-Bench and PersonaMem-v2. On MemPrivacy-Bench, the best general-model result is Gemini-3.1-Pro with F1 78.41, Precision 78.66, Recall 81.22, and Time 32.87s, whereas MemPrivacy-4B-RL reaches F1 85.97, Precision 86.86, Recall 87.15, and Time 2.05s. On PersonaMem-v2, the best general-model F1 is 92.18 from DeepSeek-V3.2-Think, while MemPrivacy-4B-RL reaches 94.48 with 0.44s latency. The paper summarizes the benchmark deltas as +7.56 F1 on MemPrivacy-Bench and +2.30 F1 on PersonaMem-v2 (Chen et al., 10 May 2026).
Latency is a separate result rather than a by-product of the F1 gains. MemPrivacy models on MemPrivacy-Bench run in roughly 1.6–2.6 s, and on PersonaMem-v2 in roughly 0.4–0.7 s. By contrast, Gemini-3.1-Pro is reported at 32.87s on MemPrivacy-Bench and 29.21s on PersonaMem-v2, while DeepSeek-V3.2-Think takes 96.14s and 39.60s respectively. The paper therefore characterizes the MemPrivacy models as typically one to two orders of magnitude faster than the largest reasoning models (Chen et al., 10 May 2026).
The utility claim is tested across three memory systems: LangMem, Mem0, and Memobase. Across all systems, when PL2+PL3+PL4 are protected, accuracy drops are only about 0.71%–1.60%; when only PL4 is protected, the drops are below 0.89%. In LangMem, no protection yields 65.37 on MemPrivacy-Bench and 50.98 on PersonaMem-v2, irreversible masking yields 38.70 and 38.01, untyped placeholder masking yields 58.70 and 48.31, MemPrivacy with PL2-PL4 yields 64.07 and 49.38, and MemPrivacy with PL4 only yields 65.28 and 50.80. Comparable trends appear in Mem0 and Memobase, where typed placeholders preserve much more utility than irreversible masking and also improve on untyped placeholder masking (Chen et al., 10 May 2026).
The paper also reports BLEU-1, BLEU-2, METEOR, and ROUGE-L. In LangMem, for example, no protection yields BLEU-1 20.92, irreversible masking 11.85, untyped placeholders 18.75, MemPrivacy with PL2-PL4 18.64, and PL4-only 22.25, with ROUGE-L 29.35. The same directional pattern is reported for Mem0 and Memobase. The stated interpretation is that typed placeholders preserve semantic utility substantially better than aggressive masking because they maintain category information needed for cloud-side reasoning (Chen et al., 10 May 2026).
6. Position within the privacy literature and recognized limits
MemPrivacy belongs to a runtime memory-management line of work rather than to post-training model editing. This distinction is important. "Proactive Privacy Amnesia" forgets key tokens associated with memorized PII and then performs memory implanting with substitute sequences; it is evaluated as a post-training defense for fine-tuned LLMs and reports 100% reduction in phone number exposure and 9.8%–87.6% reduction in physical address exposure (Kuo et al., 24 Feb 2025). "Private Memorization Editing" instead edits Feed Forward blocks so that memorized prompt-target pairs map to privacy-preserving dummy targets, and it reports a 96.03% average decrease in memorization-attack accuracy (Ruzzetti et al., 9 Jun 2025). MemPrivacy does not edit model parameters to remove memorized training content; it sanitizes user interactions before cloud-side memory processing (Chen et al., 10 May 2026).
It also differs from earlier privacy frameworks that target communication streams or exposed internal state. PAS-MC combines local differential privacy via randomized response with anonymous upload through function secret sharing for mobile stream analytics (Joy et al., 2016). Pan-private algorithms protect streaming computation even when internal memory is exposed during execution, emphasizing that privacy must survive a memory snapshot rather than only the final output (Mir et al., 2010). A plausible implication is that MemPrivacy can be read as bringing a related memory-exposure concern into the edge-cloud agent setting, but doing so through reversible placeholder substitution rather than through noise addition or anonymous aggregation (Chen et al., 10 May 2026).
Theoretical privacy lenses also differ. "Information Density Bounds for Privacy" introduces pointwise maximal cost as an operational interpretation of lower bounds on information density and links such guarantees to adversaries minimizing nonnegative cost functions (Saeidian et al., 2024). This suggests a possible analytical lens for MemPrivacy-style releases, since the framework explicitly defines privacy risk as recoverability from sanitized inputs, outputs, and memory state, but the paper itself does not claim a pointwise maximal cost guarantee (Chen et al., 10 May 2026).
The limitations are explicit. MemPrivacy relies on accurate local detection; poor extraction harms both privacy and utility. It assumes the user’s device can run a lightweight on-device privacy extractor and can securely maintain the local mapping database. The approach is tailored to memory-bearing edge-cloud agents rather than to all privacy problems in model training or offline corpora. Its guarantees are operational rather than cryptographic, and if the local device or mapping store is compromised, protection weakens. The paper therefore characterizes the method not as eliminating privacy risk globally, but as shifting the trust boundary so that the cloud never sees raw sensitive spans while still preserving enough semantics for effective memory use (Chen et al., 10 May 2026).