Papers
Topics
Authors
Recent
Search
2000 character limit reached

Privacy Profiles Overview

Updated 6 July 2026
  • Privacy profiles are diverse representations capturing user preferences and operational data for decision-making in systems like recommendation and access control.
  • They operate on both user-facing and system-facing levels, enabling explicit disclosure control and secure, personalized profiling without direct data leakage.
  • Research highlights trade-offs between utility and stringent privacy guarantees, emphasizing challenges in inference, leakage prevention, and formal differential privacy.

In the research literature, “privacy profiles” does not denote a single formal object but a family of representations used to capture privacy preferences, isolate behavioral traces, support personalization under disclosure constraints, or quantify privacy leakage itself. These representations range from compact semantic questionnaires and natural-language instructions, to latent recommender vectors, isolated browser identities, hashed mobile-advertising profiles, and formal functions such as δM(ϵ)\delta_{\mathcal M}(\epsilon). Taken together, these works suggest that privacy profiles are best understood as operational intermediaries between raw personal data and the decisions made by software systems, whether the goal is recommendation, access control, ad delivery, or privacy accounting (Ruscio et al., 2022, Ramírez et al., 7 Jul 2025, Koskela et al., 2024).

1. Conceptual scope and principal meanings

Across the literature, the term is used in several distinct but related senses. In some works, a privacy profile is an explicit statement of disclosure preferences. In others, it is a latent or operational representation of the user that software acts upon. In a third line of work, it is a formal privacy curve or ranked loss function used to analyze mechanisms rather than people.

Use of the term Representation Representative papers
Preference specification Natural language instructions stating what should and should not be revealed (Ramírez et al., 7 Jul 2025)
User characterization for privacy choices Compact set of semantic-driven questions about domain-independent privacy preferences (Ruscio et al., 2022)
Personalization state Low-dimension vector called a profile in matrix factorization (Benhamouda et al., 2018)
Operational isolation boundary Isolated browser profiles with separate cookies and storage namespaces (Akhavani et al., 3 Jan 2025)
Formal privacy function δM(ϵ)\delta_{\mathcal M}(\epsilon) as privacy profile of a mechanism (Koskela et al., 2024)

A corresponding distinction runs between user-facing and system-facing profiles. User-facing profiles express preferences, permissions, or privacy constraints; system-facing profiles are the internal objects used for matching, recommendation, access control, or accounting. A further distinction separates descriptive profiles, which summarize behavior or interests, from normative profiles, which specify what a system is allowed to reveal or infer. This suggests that the literature treats privacy profiles less as a single datatype than as a design pattern for mediating between personal data and computational decisions (Wang et al., 2018, Leithardt et al., 2019, LeBlond et al., 2023).

2. Preference-centered profiles and user-directed disclosure

One major line of work treats privacy profiles as explicit expressions of what a person wants disclosed. In the fitness-domain study "Leveraging Privacy Profiles to Empower Users in the Digital Society" (Ruscio et al., 2022), the central finding is that “a compact set of semantic-driven questions (about domain-independent privacy preferences) helps distinguish users better than a complex domain-dependent one,” and that this “confirms the study's hypothesis that moral attitudes are the relevant piece of information to collect.” On that basis, the authors implement “a recommender system to provide users with suitable recommendations related to privacy choices” and report “high accuracy” (Ruscio et al., 2022).

In LLM mediation, "Controlling What You Share: Assessing LLM Adherence to Privacy Preferences" defines privacy profiles as “natural language instructions that explicitly state user-specified constraints on information sharing” and as “privacy profiles – natural language privacy specifications that enable users to interact with external LLMs while safeguarding their private information” (Ramírez et al., 7 Jul 2025). The architecture is two-tier: a local trusted model MLM_L and an external untrusted model MEM_E. The local model runs a Rejector, a Paraphraser that produces a Privacy-Compliant Query q~=f(q,S)\tilde q = f(q,S), and an Aggregator that reconstructs the final answer from the original query, the rewritten query, and the external answer (Ramírez et al., 7 Jul 2025).

The same work makes the preference vocabulary explicit by distinguishing protected from authorised information, and by evaluating both utility and leakage. For the best local model in the main setup, the reported pipeline success rate is $0.518$, with LeakPRO=0.095LeakPRO = 0.095 and LeakAUT=0.297LeakAUT = 0.297 (Ramírez et al., 7 Jul 2025). The error analysis is equally important: the paraphraser can remove non-sensitive information, remove task specifications, or leak protected data, and the best setup still leaks protected attributes in about one tenth of cases (Ramírez et al., 7 Jul 2025). The paper also reports that hard PII such as URL, email, passport number, phone, and name is easier to protect than soft or contextual attributes such as has children, languages, gender, habits, and health (Ramírez et al., 7 Jul 2025). A plausible implication is that preference-centered privacy profiles are easiest to operationalize when the protected attributes are explicit and lexically local, and hardest when they are inferential or context-bound.

3. Profiles as operational state for personalization, access control, and isolation

A second line of work uses privacy profiles as system state that enables personalization while attempting to keep the state itself private. In matrix-factorization recommender systems, "How to Profile Privacy-Conscious Users in Recommender Systems" defines user and item profiles as latent vectors uiRd\vec u_i \in \mathbb R^d and vjRd\vec v_j \in \mathbb R^d, with prediction δM(ϵ)\delta_{\mathcal M}(\epsilon)0 (Benhamouda et al., 2018). The paper’s contribution is a protocol that lets a new user learn her profile by rating items, while the analyst learns neither the ratings, nor the rated items, nor the resulting profile. In this formulation, the privacy profile is a latent representation that remains local to the user and is used through cryptographic protocols rather than by disclosure to the service provider (Benhamouda et al., 2018).

"VirtualIdentity: Privacy-Preserving User Profiling" extends this idea to multimodal classification from user-generated content (Wang et al., 2018). It computes age, gender, and the Big Five traits using secure multi-party cryptographic protocols, while keeping both the user’s raw data and the provider’s trained SVM models hidden. The system uses 136 facial landmark features for images and 43 psycholinguistic and stylistic text features, evaluates linear SVMs securely, and reports a privacy-preserving runtime of about 14–16 seconds versus about 5 seconds for the non-private version (Wang et al., 2018). Here the “profile” is the output label set, but the technically significant point is that the computation of that profile is itself privacy-preserving.

Operational profiles also appear as isolation boundaries rather than latent vectors. "PriveShield: Enhancing User Privacy Using Automatic Isolated Profiles in Browsers" defines a browser profile as a profile id and name, a set of related websites, and per-profile storage namespaces for cookies, localStorage, sessionStorage, cache, and application cache (Akhavani et al., 3 Jan 2025). Profiles are created automatically from browsing history, interactions with websites, and time spent on websites, and the extension’s evaluation over 54 real-world scenarios reports effectiveness in preventing retargeted ads in δM(ϵ)\delta_{\mathcal M}(\epsilon)1 of scenarios (Akhavani et al., 3 Jan 2025). This is a different use of the term: the profile is not an inferred trait vector but a containment boundary for state.

A comparable pattern appears in IoT. "A Solution for Controlling and Managing User Profiles based on Data Privacy for IoT Applications" implements PRIPRO inside the UbiPri middleware and defines five profile levels—Bloqueado, Convidado, Básico, Avançado, Administrador—that can be raised, reduced, or blocked according to the user’s frequency in a given environment (Leithardt et al., 2019). The frequency measures are

δM(ϵ)\delta_{\mathcal M}(\epsilon)2

and

δM(ϵ)\delta_{\mathcal M}(\epsilon)3

In this setting, the privacy profile is an environment-specific, dynamically evolving authorization label rather than a descriptive behavior model (Leithardt et al., 2019).

A further operational variant is the blockchain-based mobile-advertising framework, where the cleartext interest profile remains inside the device-side Miner and only a hashed version δM(ϵ)\delta_{\mathcal M}(\epsilon)4 is uploaded, while ads are matched to hashed interests and encrypted off-device (Ullah et al., 2020). This suggests a general systems pattern: privacy profiles often function as restricted representations that preserve enough structure for service delivery while suppressing raw personal semantics.

4. Profiles as inference targets, attack surfaces, and objects of obfuscation

A third body of work treats privacy profiles as precisely what adversaries attempt to reconstruct. In "Profile Matching Across Online Social Networks", a profile in OSN δM(ϵ)\delta_{\mathcal M}(\epsilon)5 is

δM(ϵ)\delta_{\mathcal M}(\epsilon)6

with user name, location, gender, profile photo, freetext, activity patterns, interests, sentiment profile, and graph connectivity pattern (Halimi et al., 2020). The framework combines attribute similarities through supervised learning and then uses the Hungarian algorithm to produce one-to-one cross-platform matches. With all attributes, the reported precision and recall are δM(ϵ)\delta_{\mathcal M}(\epsilon)7 on Twitter–Foursquare and δM(ϵ)\delta_{\mathcal M}(\epsilon)8 on Google+–Twitter in the global attack setting; with graph connectivity alone on Flickr, accuracy reaches δM(ϵ)\delta_{\mathcal M}(\epsilon)9 for MLM_L0 (Halimi et al., 2020). The core implication is that privacy profiles are compositional: weak identifiers become powerful when aggregated.

"Online Privacy as a Collective Phenomenon" extends the argument from users to non-users through shadow profiles (Sarigol et al., 2014). Partial shadow profiles enrich the data of existing users with personal information they did not share, while full shadow profiles are inferred for non-users from uploaded contact lists and network structure. The paper formalizes the privacy leak factor as the regression coefficient MLM_L1 in

MLM_L2

where MLM_L3 is either the disclosure rate MLM_L4 or the fraction of the population that has joined the OSN MLM_L5, and MLM_L6 is Cohen’s Kappa for sensitive-attribute prediction (Sarigol et al., 2014). This directly frames privacy profiles as collective artifacts: a person’s inferability depends on other people’s disclosure decisions and on the assortativity of the graph.

The multimodal extension of this idea appears in "MultiPriv: Benchmarking Individual-Level Privacy Reasoning in Vision-LLMs" (Sun et al., 21 Nov 2025). The paper treats privacy risk as the exposure of sensitive information that can be associated with a specific individual and constructs synthetic individual profiles linking identifiers to medical, financial, location, property, and social attributes. It introduces the Privacy Perception and Reasoning framework, with tasks ranging from direct identifier recognition to re-identification and chained reasoning (Sun et al., 21 Nov 2025). A central empirical result is that perception-level metrics are poor predictors of reasoning risk: models such as Qwen3-VL-32B-Thinking have perception around MLM_L7 but reasoning overall MLM_L8, while Gemini-2.5-Flash has perception MLM_L9 and reasoning MEM_E0 (Sun et al., 21 Nov 2025). Existing safety alignments are reported as inconsistent and ineffective against such reasoning-based attacks (Sun et al., 21 Nov 2025).

Obfuscation turns the same logic against the platform. "MetaPriv: Acting in Favor of Privacy on Social Media Platforms" splits a Facebook profile into real attributes MEM_E1 and noise attributes MEM_E2, with effective privacy

MEM_E3

The privacy condition is MEM_E4 or MEM_E5 (Cantaragiu et al., 2022). By simulating likes, video watching, and ad clicks on noise topics, the authors report that users can achieve a higher degree of privacy “in just a couple of weeks” and that for one real account MEM_E6, very close to the stated privacy criterion (Cantaragiu et al., 2022). This suggests that privacy profiles are not only inferred objects but also manipulable targets.

5. Formal privacy profiles in differential privacy and privacy accounting

In differential privacy, the term has a fully formal meaning. "Privacy Profiles for Private Selection" defines the privacy profile of a mechanism MEM_E7 as

MEM_E8

where MEM_E9 is the hockey-stick divergence (Koskela et al., 2024). The paper’s central contribution is a recipe that bounds the privacy profiles of Report Noisy Max and PrivateTuning directly in profile space rather than via Rényi DP, and it reports improvements over RDP-based accounting “in all regimes of interest” (Koskela et al., 2024). In this sense, a privacy profile is not a user representation at all, but the full q~=f(q,S)\tilde q = f(q,S)0-tradeoff curve of a randomized mechanism.

A distinct but related formalization appears in "Probing the Transition to Dataset-Level Privacy in ML Models Using an Output-Specific and Data-Resolved Privacy Profile" (LeBlond et al., 2023). There, coverage of a specific model q~=f(q,S)\tilde q = f(q,S)1 under neighboring dataset q~=f(q,S)\tilde q = f(q,S)2 is

q~=f(q,S)\tilde q = f(q,S)3

and the model- and data-specific privacy loss is

q~=f(q,S)\tilde q = f(q,S)4

The privacy profile of q~=f(q,S)\tilde q = f(q,S)5 is then the ranked absolute values q~=f(q,S)\tilde q = f(q,S)6 across neighboring datasets (LeBlond et al., 2023). This output-specific and data-resolved construction is used to study a transition to indistinguishability as q~=f(q,S)\tilde q = f(q,S)7 decreases and to guide the practical choice of q~=f(q,S)\tilde q = f(q,S)8 (LeBlond et al., 2023).

"Dual Protection Ring: User Profiling Via Differential Privacy and Service Dissemination Through Private Information Retrieval" combines these formal notions with operational profiling (Ullah et al., 16 Jun 2025). The inner ring builds a time-evolving interest profile q~=f(q,S)\tilde q = f(q,S)9, converts it into an “equivalent profile based on differential privacy,” and monitors entropy

$0.518$0

with privacy loss

$0.518$1

If entropy falls too low, the system invokes “data evaporation” or destroys private profiling attributes; the outer ring retrieves personalized services via PIR (Ullah et al., 16 Jun 2025). The proof-of-concept reports processing delays with different PIR schemes similar to current advertising systems (Ullah et al., 16 Jun 2025). Here privacy profiles bridge formal DP guarantees, entropy-based state management, and query privacy.

6. Persistent tensions, limitations, and research directions

The literature converges on the importance of privacy profiles but not on a single threat model or deployment assumption. Some systems assume semi-honest adversaries or a trusted initializer, as in secure profiling with MPC (Wang et al., 2018) and privacy-preserving recommender profiling (Benhamouda et al., 2018). Some isolate browser state effectively against cookie-based retargeting but explicitly do not address fingerprinting (Akhavani et al., 3 Jan 2025). Some rely on local trusted components and empirical adherence rather than formal guarantees, as in profile-aware query rewriting for LLMs, where even the best setup still leaks protected attributes at non-negligible rates (Ramírez et al., 7 Jul 2025).

A second persistent tension concerns inference beyond explicit disclosure. Weak identifiers, graph structure, uploaded contacts, and multimodal reasoning all make profiles reconstructible even when direct identifiers are withheld (Halimi et al., 2020, Sarigol et al., 2014, Sun et al., 21 Nov 2025). This supports the claim that privacy is not reducible to a field-level access-control problem. The collective and relational character of privacy is especially clear in shadow-profile work, where non-users acquire inferable profiles because other people joined, disclosed, or shared contacts (Sarigol et al., 2014).

A third tension concerns utility. Compact semantic questionnaires can improve privacy-choice recommendation (Ruscio et al., 2022), local-plus-external LLM pipelines can improve answer quality relative to purely local models (Ramírez et al., 7 Jul 2025), differentially private profiles can preserve most of the targeted-ad distribution (Ullah et al., 16 Jun 2025), and cryptographic profiling can remain practical (Wang et al., 2018). Yet these gains are bounded by representational ambiguity, cumulative inference, and the fact that powerful models can reason over partial signals much better than classical privacy perception benchmarks would imply (Sun et al., 21 Nov 2025). This suggests that future work will need to align three layers simultaneously: how privacy profiles are represented, how inference over them is constrained, and how those constraints are enforced in deployment.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Privacy Profiles.