WebPerson: Personalized Agents & Datasets
- WebPerson is an emerging term describing both adaptive web agents that tailor interactions to user history and large-scale person-centric datasets for image-text research.
- It integrates methodologies from user behavior modeling, personalized ranking, and privacy-aware data access to enhance web personalization and secure interactions.
- Empirical evaluations highlight modest retrieval improvements with history-enabled agents and robust persona inference from behavioral and encrypted web data.
to=functions.exec_command 天天中彩票提现 全民彩票={"cmd":"python - <<'PY'\nprint('test')\nPY"} WebPerson is an emerging but non-uniform term in recent arXiv literature. In one usage, it denotes a broader vision for web agents that adapt to a particular user’s history, habits, and latent preferences, with personalization treated as a core capability rather than an auxiliary feature. In another, it names a large-scale person-centric image-text dataset derived from web data for CLIP-style person retrieval. Across these usages, the common technical object is the representation of persons in web-scale systems: as users whose interests must be modeled, as browsing behaviors that can be inferred from traffic metadata, as privacy subjects exposed by agent interface access, or as humans depicted in image-text corpora (Kim et al., 19 Feb 2026, Zhang et al., 15 Sep 2025, Zheng et al., 11 Sep 2025).
1. Terminological scope and research landscape
Recent work uses the term heterogeneously. One line centers on personalized web interaction, where agents must infer unstated constraints from historical behavior. Another centers on person-centric vision-language pretraining, where “WebPerson” is the name of a web-sourced corpus. A third, adjacent line studies the inferability of user identity or persona from browsing traces and encrypted metadata. This suggests that “WebPerson” functions less as a single standardized framework than as a family of person-representation problems on the web (Kim et al., 19 Feb 2026, Song et al., 15 May 2026).
| Usage in the literature | Representative formulation |
|---|---|
| Personalized web agents | “WebPerson” vision instantiated by Persona2Web |
| Web-agent privacy protection | WebPerson / web-agent context in PrivWeb |
| Persona inference from traffic | Persona fingerprinting on modern websites |
| User profiling from web behavior | Profiling from web transactions |
| Person-centric vision-language data | WebPerson dataset for person retrieval |
The personalized-agent usage is explicit in Persona2Web, which presents itself as the first benchmark for personalized web agents on the real open web and states that it is motivated by a broader “WebPerson” vision in which web agents adapt to user history, habits, and latent preferences. PrivWeb adopts the same framing when describing privacy protection for the WebPerson / web-agent context. By contrast, the paper titled “Gradient-Attention Guided Dual-Masking Synergetic Framework for Robust Text-based Person Retrieval” uses WebPerson as the proper name of a large-scale dataset constructed from COYO-700M for person-centric image-text pretraining (Kim et al., 19 Feb 2026, Zhang et al., 15 Sep 2025, Zheng et al., 11 Sep 2025).
2. Foundations in web user modeling and personalization
A foundational precursor is the multidimensional user data model for web personalization, whose purpose is “to identify, index and prioritize the keywords that are relevant or important to a particular user.” The model combines explicit preferences, online behavior, and offline activity, and organizes profiling around three modules—Crawler, Analyzer, and Ranker—so that standard search results can be re-ranked according to inferred user interests (Anil et al., 2013).
The online profile is constructed from browser-derived signals including websites visited, searches conducted, web-based e-mail, bookmarks, downloads, cookies, autosuggestion, keystrokes and click patterns, and URL visit types and navigation paths. For Chrome, the model uses the browser’s SQLite history database, specifically the urls and visits tables. Offline profiling inspects file names, textual content of documents and text files, metadata for other formats, and top visited websites via domain and URL-path parsing. The system emphasizes recency through the Window of Observation (WOB): if the history database grows beyond 100 MB, a new WOB is created, while older WOBs are retained with reduced weight so that long-term interests are not discarded (Anil et al., 2013).
The representation is built from four concept types: Keywords, Topics, URLs, and clusters. Keywords are the basic indexed units; search queries themselves are treated as important keywords. Topics are higher-level abstractions formed from groups of related keywords and organized as rooted trees and graph nodes with weighted similarity edges. URL profiling uses frequency of visits, visit duration, typed-versus-clicked status, and freshness via last-modified time. The URL grade is computed as
and topic weighting combines recency and persistence through
where the current WOB is weighted more heavily than Old_WOB (Anil et al., 2013).
Personalized ranking is then performed over a search bank of the first 100 Google results. For each result, the system extracts the URL, topic, keywords, and web rank, matches them against the user profile, and computes
with . The reported experiments, conducted on the user models of two computer science teachers, do not alter the underlying search engine’s precision and recall curves, but they do report that “the utility of the first page and user satisfaction has improved much when personalization is applied,” with the most relevant results moved to earlier positions and “marginal improvement in utility” (Anil et al., 2013).
3. Personalized web agents and the clarify-to-personalize principle
Persona2Web operationalizes the WebPerson vision as a benchmark for personalized web agents on the real open web. Its central principle is “clarify-to-personalize”: the agent must resolve ambiguity not by asking for more information, but by retrieving and reasoning over the user’s implicit context. The benchmark therefore masks query details at three levels. Level 0 retains website and preference constraints; Level 1 hides the website but leaves preferences explicit; Level 2 hides both website and preference cues and is the primary setting for evaluating personalized behavior (Kim et al., 19 Feb 2026).
The benchmark constructs 50 synthetic user profiles with demographic information and domain preferences across 21 domains. Preferences are not exposed directly. Instead, they are rendered into browsing histories through profile generation, event-seed generation, action decomposition, and history rendering. Roughly 2,000 history entries are generated per user across a year, with approximately 10% cancellations or modifications injected to mimic real-world inconsistency. The final set comprises 105 accessible websites filtered from 144 sites used in prior benchmarks to remove CAPTCHAs, regional restrictions, and outdated content (Kim et al., 19 Feb 2026).
Evaluation is reasoning-aware rather than purely outcome-based. Using GPT-5-mini as an LLM judge over full trajectories, the framework scores website personalization, preference personalization, and intent satisfaction. Website and preference personalization are each decomposed into retrieval accuracy and utilization accuracy, and success rate requires perfect scores on both personalization and intent satisfaction. This design targets a recurring failure mode in personalized agents: retrieving relevant history but failing to use it correctly in planning or execution (Kim et al., 19 Feb 2026).
The agent stack augments AgentOccam and Browser-Use with a personalization module consisting of a Planner, a Retriever, and a Generator. The retriever uses Stella V5 1.5B with FAISS and inner product search, indexing history entries by concatenating type and object while storing the full entry as value. Three history-access schemes are evaluated—No-history, On-demand, and Pre-execution—across five backbone models: o3, GPT-4.1, Gemini-2.5-Flash, Qwen3-80B-Instruct, and Llama-3.3-70B-Instruct (Kim et al., 19 Feb 2026).
The main result is that, on ambiguous Level 2 queries, all agents without user history fail completely, with 0% success rate. With history access, performance improves but remains in the low double digits at best. Browser-Use generally outperforms AgentOccam when history is available; proprietary models outperform open-source models; GPT-4.1 tends to do better with on-demand history access, whereas Qwen3-80B-Instruct and Llama-3.3-70B often do relatively better with pre-execution access; and performance drops sharply as ambiguity increases from Level 0 to Level 2. The error taxonomy identifies redundant history access, personalization hallucination, history retrieval failure, and history utilization failure, with retrieval failure reported as the most common (Kim et al., 19 Feb 2026).
4. Behavioral inference from web activity and traffic metadata
A distinct but related WebPerson line studies whether a person can be inferred from web behavior even when the system is not explicitly designed for personalization. “Profiling Users by Modeling Web Transactions” defines a web transaction as a sequence of HTTP requests and responses to a single URL and profiles users from transaction windows rather than coarse flow records. Each transaction is encoded into an 843-dimensional feature vector derived from HTTP-action, uri-scheme, public/private destination flag, reputation, category, media type split into super-type and sub-type, and application type. Transactions are aggregated into sliding windows of duration and shift , with binary features combined by logical OR and numeric features averaged (Tomsu et al., 2017).
Per-user models are trained with one-class classification, specifically One-Class SVM and Support Vector Data Description. On a six-month enterprise dataset with 9,450,474 web transactions, 36 users, and 35 devices—reduced to 25 users for evaluation after removing users with fewer than 1,500 transactions—the selected global windowing parameters are seconds and seconds. For OC-SVM at these settings, the paper reports , , and 0; SVDD yields 1, 2, and 3. Classification time is under 100 microseconds per window, and the method can identify active users from single 1-minute windows in a shared-device setting (Tomsu et al., 2017).
PersonaFingerprint extends this inferential perspective to encrypted traffic metadata on modern websites. The attacker is a passive network adversary observing only packet lengths with direction and inter-arrival times on channels such as Tor or VPNs, without payloads, URLs, HTTP headers, cookies, browser fingerprints, or client-side identifiers. The observation window is formalized as
4
with 5 packets. The paper defines closed-set and open-world persona classification over 15 canonical personas plus an open-world class, and studies both per-site and mixed-site settings across 10 real websites: Amazon, CNN, Yelp, YouTube, Reddit, Bilibili, eBay, Yahoo, Zhihu, and LinkedIn (Song et al., 15 May 2026).
To generate labeled data, the paper builds an LLM-driven multi-agent browsing framework with a persona-conditioned decision agent and a computer-use agent that executes DOM-level actions in a real browser. Offline segmentation produces non-overlapping windows of 1,000 consecutive packets, yielding approximately 6 labeled windows. A shared 1D CNN encoder supports both site and persona classification, and the paper introduces a joint objective
7
Across mixed-site traffic, persona inference achieves about 84% accuracy; the closed-set variant is about 82%, and the open-world variant about 80%. Open-world metrics are weaker—OW precision 65.7%, OW recall 65.6%, OW F1 65.6%, MisAttr@OW 34.4%, and Top-3 Share 58.7%—but the site-only website fingerprinting baseline remains strong at about 93% on the original five English-language sites. Probing shows that persona information is already latent in standard WFP representations: frozen site-only encoders outperform random encoders by roughly 20 to 30 percentage points absolute on persona classification. This indicates that web telemetry can reveal not only which site is being visited, but also how a user browses and, in behavioral terms, who is browsing (Song et al., 15 May 2026).
5. Privacy protection for WebPerson-style agents
The WebPerson framing also exposes a reciprocal problem: if agents personalize by accessing interface-level context, they inherit direct privacy risk. PrivWeb addresses this by inserting a trusted add-on or system service between the browser and the web agent. Its design premise is that web agents access rendered screenshots, DOM trees, form fields and values, accessibility labels and placeholders, and other interface text that may contain sensitive personal information, while users want awareness and control without persistent micromanagement (Zhang et al., 15 Sep 2025).
The architecture has three parts: browser-side interception and parsing, localized LLM privacy detection, and a user-facing privacy UI. When the agent requests page information, PrivWeb intercepts access, extracts text-containing elements such as <div>, <span>, <a>, <input>, <textarea>, and <select>, assigns each element-information pair a unique ID, sends the extracted content to a local Qwen3-8b model via Ollama, and receives a list of detected PIIs with privacy classes and IDs. Using those IDs, the system maps detections back to the page and either removes elements from the DOM before the agent sees them or re-renders screenshots without them. Sensitive elements are highlighted in situ for about 3 seconds, a side panel shows detected items ranked by sensitivity, and the task is paused for explicit Allow or Deny decisions only when highly sensitive information is detected (Zhang et al., 15 Sep 2025).
PrivWeb distinguishes a two-tier control logic and a three-level sensitivity ranking. Highly sensitive information—financial information, ID, online identity, and email—triggers explicit control and interruptive notification. Medium sensitive information includes name, address, phone number, demographic attribute, and health information. Low sensitive information includes affiliation, educational record, time, and geo-location. The panel uses red, orange, and yellow to encode these levels and is ordered from most sensitive to least sensitive. Lower-sensitivity information is anonymized by default under a privacy-by-default policy, while manual clicking in the UI acts as a persistent override if the classifier misses an item (Zhang et al., 15 Sep 2025).
On a synthetic but realistic benchmark of 100 tasks, 107 sessions, 2,041 steps, and 2,189 unique sensitive information instances spanning entertainment, work, travel, shopping, and information retrieval, Qwen3-8b achieves 75.4% average detection accuracy. Address, geo-location, demographic attribute, health information, and financial information each reach 100%; online identity, educational record, and affiliation are harder categories. Average per-DOM latency is 6.42 seconds for qwen3-8b, compared with 8.52 seconds for deepseek-7b, 4.05 seconds for qwen3-4b, and 2.86 seconds for qwen3-1.7b (Zhang et al., 15 Sep 2025).
The within-subjects user study with 14 participants compares PrivWeb against notification-only and neither-notification-nor-control baselines. There are no significant differences across most NASA-TLX dimensions, but Frustration shows a significant effect 8, with the notification-only condition producing more frustration. Trust is significantly affected 9, and privacy outcomes improve strongly: unnecessary information protection 0, personal information protection 1, and reduced concern 2. No significant differences are found for perceived control, UMUX-Lite user experience, or willingness to use. In the WebPerson context, this establishes that privacy protection can be content-aware, in-situ, and comparatively low-burden rather than purely reactive or purely declarative (Zhang et al., 15 Sep 2025).
6. WebPerson as a web-sourced person-centric dataset for retrieval
In vision-language research, WebPerson denotes a large-scale person-centric image-text dataset built to address the scarcity of large-scale annotated vision-language data focused on person-centric images and the semantic noise of web-scale captions or MLLM-generated descriptions. The corpus is derived from COYO-700M and filtered with YOLOv11 for human detection and YOLOv11-Pose for pose verification. An image is kept only if the shorter side is larger than 90 pixels, the aspect ratio is between 1:2 and 1:4, human detection confidence exceeds 85%, and pose quality includes at least eight visible keypoints, including at least one hip keypoint and two head keypoints. This yields 5 million high-quality human-centric images; the appendix statistics table reports 5,002,723 images, 10,005,446 descriptions, a vocabulary size of 96,623, and MLLM-based labeling (Zheng et al., 11 Sep 2025).
Caption construction is template-driven and noise-resistant. Existing captions from CUHK-PEDES, ICFG-PEDES, and RSTPReid are transformed by Qwen2.5-72B-Instruct into structured templates with standardized placeholders such as “[colored top]” and “[hairstyle].” Template texts are embedded with OPENCLIP ViT-bigG/14 and clustered with k-means; from each cluster, the most representative template and five random templates are retained; Qwen2.5-72B-Instruct then synthesizes additional templates; and the final set is manually reviewed to remove biases and stereotypes, resulting in 1,000 curated templates. Each image is assigned a random template, and Qwen2.5-VL-7B-Instruct or Qwen2.5-VL-32B-Instruct generates a caption conditioned on that template, with vLLM used to speed up large-scale inference (Zheng et al., 11 Sep 2025).
The associated model, GA-DMS, introduces the Gradient-Attention Guided Dual-Masking Synergetic framework. It computes a token-wise importance score, the Gradient-Attention Similarity Score (GASS), by combining gradient information and attention information from the text encoder, then uses dual masking to suppress likely noise tokens and reconstruct informative tokens. The total objective is
3
with appendix values 4, 5, and 6 reported as the best masking ceilings. Conceptually, the first branch attenuates hallucinated or irrelevant text, while the second compels the model to recover informative fine-grained attributes such as clothing patterns, accessories, and body-part descriptors (Zheng et al., 11 Sep 2025).
The experimental results are reported on CUHK-PEDES, ICFG-PEDES, and RSTPReid with Rank-1/5/10 and mAP. Using 1.0M pretraining samples, GA-DMS reaches 77.02 Rank-1 / 69.65 mAP on CUHK-PEDES, 69.07 / 41.91 on ICFG-PEDES, and 70.30 / 54.89 on RSTPReid. With the full 5.0M WebPerson, it improves to 77.60 / 69.82, 69.51 / 42.30, and 71.25 / 55.43, respectively. Compared with NAM, Rank-1 gains are reported as 0.2%, 2.02%, and 1.8% on the three benchmarks; fine-tuning with IRRA yields a 10.10% Rank-1 and 7.72% mAP improvement on RSTPReid over the IRRA baseline. Although this usage is distinct from the personalized-web-agent sense of WebPerson, both share an emphasis on large-scale person representation under noisy web-derived data (Zheng et al., 11 Sep 2025).
7. Synthesis, limitations, and unresolved questions
Across these literatures, the central technical challenge is not merely accessing more web data, but representing the person at the right level of abstraction. Early personalization models emphasize keywords, topics, URLs, clusters, and recency-aware weighting; personalized web agents require long-horizon retrieval and utilization of implicit preferences; transaction and encrypted-traffic studies show that user identity or persona can be inferred from behavioral traces even without explicit personalization; privacy systems must therefore mediate what an agent can observe at the interface; and the vision-language WebPerson corpus addresses an orthogonal but structurally similar problem of extracting person-centric signal from noisy web-scale supervision (Anil et al., 2013, Kim et al., 19 Feb 2026, Song et al., 15 May 2026, Zhang et al., 15 Sep 2025, Zheng et al., 11 Sep 2025).
The limitations are also recurring. Persona2Web uses synthetic user histories, and its results show that retrieval is not enough: utilization remains a major bottleneck. PersonaFingerprint relies on LLM-generated browsing traces, and its open-world setting still exhibits substantial misattribution, with MisAttr@OW at 34.4%. The earlier multidimensional personalization model reports only simple experiments on two users, and the web-transaction profiling work, although strong on its enterprise dataset, still reports nontrivial false acceptance. In PrivWeb, local detection remains imperfect at 75.4% average accuracy, and in the WebPerson dataset work, caption noise is sufficiently serious to motivate specialized masking and reconstruction mechanisms (Kim et al., 19 Feb 2026, Song et al., 15 May 2026, Anil et al., 2013, Tomsu et al., 2017, Zhang et al., 15 Sep 2025, Zheng et al., 11 Sep 2025).
A plausible implication is that future WebPerson systems will need to treat personalization, privacy, and inference risk as coupled design variables rather than separate modules. The literature already points in that direction: the same historical and behavioral signals that make contextual reasoning possible can also leak persona information through network traces or interface access. Conversely, systems designed only to protect access may degrade the very context needed for personalization unless their controls are content-aware and selectively applied. In that sense, WebPerson has become a useful umbrella for a broader research program: modeling persons on the web with enough fidelity to support adaptation, while constraining the channels through which those persons can be inferred, exposed, or misrepresented (Kim et al., 19 Feb 2026, Song et al., 15 May 2026, Zhang et al., 15 Sep 2025).