What is LLM-based deanonymization?

LLM-based deanonymization uses large language models to identify real individuals from anonymous or pseudonymous online posts. Unlike traditional methods that fail at scale, LLMs can combine writing style analysis (stylometry), stated facts, temporal patterns, and contextual reasoning to match anonymous profiles to real identities. Research shows up to 68% accuracy at 90% precision, compared to near 0% for classical methods.

How accurate is LLM deanonymization?

Research demonstrates alarming accuracy levels: 68% recall at 90% precision for Hacker News to LinkedIn matching, 67% for Reddit temporal analysis (same user over time), 35% at internet-scale (1M+ candidates). For attribute inference, GPT-4 achieves 85% top-1 accuracy inferring personal attributes like location, income, age, and occupation from Reddit posts alone.

What is the ESRC framework?

ESRC (Extract-Search-Reason-Calibrate) is a four-step LLM deanonymization framework: (1) Extract - LLM extracts identifying facts from anonymous posts using NLP, (2) Search - queries public databases like LinkedIn using extracted facts and semantic embeddings, (3) Reason - LLM reasons about candidate matches analyzing consistency, (4) Calibrate - confidence scoring to minimize false positives while maximizing true matches.

How much does LLM deanonymization cost?

Research shows LLM-based deanonymization costs $1-$4 per profile, making mass deanonymization economically feasible. For defensive anonymization, costs are under $0.035 per comment using GPT-4. This low cost enables state actors, corporations, stalkers, and malicious individuals to perform large-scale privacy attacks.

What types of PII can LLMs extract from text?

LLMs excel at extracting: email addresses (100% accuracy with GPT-4), phone numbers (98%), mailing addresses, and names. They can also infer non-explicit PII: location, income level, age, sex, occupation, education, relationship status, and place of birth from subtle textual cues and writing patterns.

What is a membership inference attack (MIA)?

Membership inference attacks determine whether specific data was used to train an AI model. For LLMs, this reveals if your personal information was in the training dataset. Research shows email addresses and phone numbers are particularly vulnerable. New attack vectors include tokenizer-based inference and attention signal analysis (AttenMIA).

How do prompt injection attacks leak personal data?

Prompt injection manipulates LLM agents to leak personal data observed during task execution. In banking agent scenarios, attacks achieve ~20% success rate at exfiltrating personal data, with 15-50% utility degradation under attack. While safety alignments prevent password leakage, other personal data remains vulnerable.

How can anonym.legal help protect against LLM privacy attacks?

anonym.legal provides true anonymization through: (1) PII Detection - 285+ entity types including names, locations, dates, writing patterns, (2) Replacement - substitutes real PII with format-valid alternatives, (3) Redaction - completely removes sensitive information, (4) Reversible Encryption - AES-256-GCM for authorized access. Unlike pseudonymization which LLMs defeat, true anonymization removes the signals LLMs use for deanonymization.

By George Curta · Last updated 2026-04-072026-04-07

Sikkerhetsforskning

LLM-privatlivsatforskning

12 fagfellevurderte forskningsartikler som viser hvorfor pseudonymitet mislykkes mot AI.

Deanonymisering, PII-utvinning, medlemskapsslutning, prompt-injeksjonsangrep — og hvordan du beskytter deg.

Les utvalgt studie Last ned PDF

68%

Deanonymiseringsnøyaktighet

$1-$4

Kostnad per profil

Forskningsartikler

85%

Attributtslutning

100%

E-postavinning (GPT-4)

5×

PII-utvinningsøkning

Privatlivskategorigrupperangrep

Deanonymisering

LLM-er matcher anonyme innlegg til ekte identiteter ved hjelp av skrivstil, fakta og tidsmønster. 68% nøyaktighet for $1-$4/profil.

Attributtslutning

LLM-er utstyrer personlige egenskaper (sted, inntekt, alder) fra tekst selv når de ikke er oppgitt. GPT-4 oppnår 85% top-1-nøyaktighet.

PII-utvinning

Utvinning av personlig informasjon fra treningsdata eller prompts. 100% e-postavinningsnøyaktighet med GPT-4. 5× økning med avanserte angrep.

Prompt-injeksjon

Manipulering av LLM-agenter for å lekke personlig data under oppgavekjøring. ~20% angrepssuksessrate i bankscenarier.

VALGTarXiv:2602.16800

Large-scale online deanonymization with LLMs

Simon Lermen (MATS), Daniel Paleka (ETH Zurich), Joshua Swanson (ETH Zurich), Michael Aerni (ETH Zurich), Nicholas Carlini (Anthropic), Florian Tramèr (ETH Zurich)

Published: February 18, 2026

Nøkkelfunn

68% recall at 90% precision for deanonymization using ESRC framework

Angrepsomkostning: $1-$4 per profile

Metodologi

Designed attacks for closed-world setting with scalable attack pipeline using LLMs to: (1) extract identity-relevant features, (2) search for candidate matches via semantic embeddings, (3) reason over top candidates to verify matches and reduce false positives.

ESRC-rammeverk

ETrekk ut

LLM trekker ut identifiserende fakta fra anonyme innlegg

SSøk

Bruker fakta til å søke offentlige databaser (LinkedIn osv.)

RResonnement

LLM resonnerer om kandidattreff

CKalibrering

Tillitspoenggiving for å minimere falske positiver

Eksperimentelle resultater

Datasett	Gjenkall @ 90% presisjon	Merknader
Hacker News → LinkedIn	68%	vs near 0% for classical methods
Reddit cross-community	8.5%	Multiple subreddits
Reddit temporal split	67%	Same user over time
Internet-scale (extrapolated)	35%	At 1M candidates

Implikasjoner

Practical obscurity protecting pseudonymous users online no longer holds. Classical methods achieve near 0% recall under same conditions.

Vis på arXiv PDF Last ned lokal kopi

Alle forskningsartikler

11 ytterligere fagfellevurderte studier om LLM-privatlivsangrep

arXiv:2310.07298ICLR 2024

Beyond Memorization: Violating Privacy via Inference with Large Language Models

Robin Staab, Mark Vero, Mislav Balunović, et al. (ETH Zurich)

85% top-1 accuracy inferring personal attributes from Reddit posts

First comprehensive study on LLM capabilities to infer personal attributes from text. GPT-4 achieved highest accuracy among 9 tested models.

Nøkkelfunn

•85% top-1 accuracy, 95% top-3 accuracy at inferring personal attributes
•100× cheaper and 240× faster than human annotators
•Tested 9 state-of-the-art LLMs including GPT-4, Claude 2, Llama 2
•Infers location, income, age, sex, profession from subtle text cues

arXiv PDF

arXiv:2505.12402May 2025

AutoProfiler: Automated Profile Inference with Language Model Agents

Yuntao Du, Zitao Li, Bolin Ding, et al. (Virginia Tech, Alibaba, Purdue University)

85-92% accuracy for automated profiling at scale using four specialized LLM agents

Framework using specialized LLM agents (Strategist, Extractor, Retriever, Summarizer) for automated profile inference from pseudonymous platforms.

Nøkkelfunn

•Four specialized agents: Strategist, Extractor, Retriever, Summarizer
•Iterative workflow enables sequential scraping, analysis, and inference
•Outperforms baseline FTI across all attributes and LLM backbones
•Short-term memory for Extractor/Retriever, long-term memory for Strategist/Summarizer

arXiv PDF

arXiv:2402.13846ICLR 2025

Large Language Models are Advanced Anonymizers

Robin Staab, Mark Vero, Mislav Balunović, et al. (ETH Zurich SRI Lab)

Adversarial anonymization reduces attribute inference from 66.3% to 45.3% after 3 iterations

LLMs can be used defensively in adversarial framework to anonymize text. Outperforms commercial anonymizers in both privacy and utility.

Nøkkelfunn

•Adversarial feedback enables anonymization of significantly finer details
•Attribute inference accuracy drops from 66.3% to 45.3% after 3 iterations
•Evaluated 13 LLMs on real-world and synthetic online texts
•Human study (n=50) showed strong preference for LLM-anonymized texts

arXiv PDF

arXiv:2503.09780March 2025 (revised October 2025)

AgentDAM: Privacy Leakage Evaluation for Autonomous Web Agents

Arman Zharmagambetov, Chuan Guo, Ivan Evtimov, et al. (Meta AI, CMU)

GPT-4, Llama-3, and Claude web agents are prone to inadvertent use of unnecessary sensitive information

Benchmark measuring if AI web agents follow data minimization principle. Simulates realistic web interactions across GitLab, Shopping, and Reddit.

Nøkkelfunn

•Evaluates GPT-4, Llama-3, Claude-powered web navigation agents
•Measures data minimization compliance: use PII only if 'necessary' for task
•Agents often leak sensitive information when unnecessary
•Three test environments: GitLab, Shopping, Reddit web apps

arXiv PDF

arXiv:2506.12699ACM AsiaCCS 2025

SoK: The Privacy Paradox in Large Language Models

Various researchers

Systematization of 5 distinct privacy incident categories beyond memorization

Comprehensive survey categorizing privacy risks: training data leakage, chat leakage, context leakage, attribute inference, and attribute aggregation.

Nøkkelfunn

•Five privacy incident categories identified:
•1. Training data leakage via regurgitation
•2. Direct chat leakage through provider breaches
•3. Indirect context leakage via agents and prompt injection

arXiv PDF

arXiv:2410.06704October 2024

PII-Scope: A Comprehensive Study on Training Data PII Extraction Attacks in LLMs

Krishna Kanth Nakka, Ahmed Frikha, Ricardo Mendes, et al. (Various)

PII extraction rates increase up to 5× with sophisticated adversarial capabilities and limited query budget

Comprehensive benchmark for PII extraction attacks. Reveals notable underestimation of PII leakage in existing single-query attacks.

Nøkkelfunn

•PII extraction rates can increase up to 5× with sophisticated attacks
•Existing single-query attacks notably underestimate PII leakage
•Taxonomy: Black-box (True-prefix, ICL, PII Compass) and White-box (SPT) attacks
•Hyperparameters like demonstration selection crucial to attack effectiveness

arXiv PDF

arXiv:2408.07291USENIX Security 2025

Evaluating LLM-based Personal Information Extraction and Countermeasures

Yupei Liu, Yuqi Jia, Jinyuan Jia, et al. (Penn State, Duke University)

GPT-4 achieves 100% accuracy extracting emails and 98% for phone numbers from synthetic profiles

Systematic measurement study benchmarking LLM-based personal information extraction (PIE). Proposes prompt injection as novel defense.

Nøkkelfunn

•GPT-4: 100% email extraction, 98% phone number extraction on synthetic data
•Larger LLMs more successful: vicuna-7b achieves 65%/95% vs GPT-4's 100%/98%
•LLMs better at: emails, phone numbers, addresses, names
•LLMs worse at: work experience, education, affiliation, occupation

arXiv PDF

arXiv:2408.05212TMLR 2025 (submitted August 2024)

Preserving Privacy in Large Language Models: A Survey on Current Threats and Solutions

Michele Miranda, Elena Sofia Ruzzetti, Andrea Santilli, et al. (Various)

Comprehensive taxonomy of privacy attacks: training data extraction, membership inference, model inversion

Survey examining privacy threats from LLM memorization. Proposes solutions from dataset anonymization to differential privacy and machine unlearning.

Nøkkelfunn

•Privacy attacks covered: Training data extraction, Membership inference, Model inversion
•Training data extraction: non-adversarial and adversarial prompting
•Membership inference: shadow models and threshold-based approaches
•Model inversion: output inversion and gradient inversion

arXiv PDF

arXiv:2509.14278September 2025

Beyond Data Privacy: New Privacy Risks for Large Language Models

Various researchers

LLM autonomous capabilities create new vulnerabilities for inadvertent data leakage and malicious exfiltration

Explores privacy vulnerabilities from LLM integration into applications and weaponization of autonomous abilities.

Nøkkelfunn

•LLM integration creates new privacy vulnerabilities beyond traditional risks
•Opportunities for both inadvertent leakage and malicious exfiltration
•Adversaries can exploit systems for sophisticated large-scale privacy attacks
•Autonomous LLM abilities can be weaponized for data exfiltration

arXiv PDF

arXiv:2506.01055June 2025

Simple Prompt Injection Attacks Can Leak Personal Data Observed by LLM Agents

Various researchers

15-50% utility drop under attack with ~20% average attack success rate for personal data leakage

Examines prompt injection causing tool-calling agents to leak personal data during task execution. Uses fictitious banking agent scenario.

Nøkkelfunn

•16 user tasks from AgentDojo benchmark evaluated
•15-50 percentage point drop in LLM utility under attack
•~20% average attack success rate across LLMs
•Most LLMs avoid leaking passwords due to safety alignments

arXiv PDF

arXiv:2503.19338March 2025

Membership Inference Attacks on Large-Scale Models: A Survey

Various researchers

First comprehensive review of MIAs targeting LLMs and LMMs across pre-training, fine-tuning, alignment, and RAG stages

Survey analyzing membership inference attacks by model type, adversarial knowledge, strategy, and pipeline stage.

Nøkkelfunn

•Analyzes MIAs across: pre-training, fine-tuning, alignment, RAG stages
•Strong MIAs require training multiple reference models (computationally expensive)
•Weaker attacks often perform no better than random guessing
•Tokenizers identified as new attack vector for membership inference

arXiv PDF

Forsvarsstrategier fra forskning

Hva som ikke fungerer

✗Pseudonymisering — LLM-er besejrer brukernavn, handles, visningsnavn
✗Tekst-til-bilder konvertering — Bare liten reduksjon mot multimodale LLM-er
✗Modelljustering alene — For tiden ineffektiv på å forhindre slutning
✗Enkel tekstanonymisering — Utilstrekkelig mot LLM-resonnement

Hva som fungerer

✓Antagonistisk anonymisering — Reduserer slutning 66,3% → 45,3%
✓Differensiell personvern — Reduserer PII-presisjon 33,86% → 9,37%
✓Forsvar mot prompt-injeksjon — Mest effektiv mot LLM-basert PIE
✓Ekte PII-fjerning/erstatting — Fjerner signaler LLM-er bruker

Hvorfor denne forskningen betyr noe

Disse 12 forskningsartiklene demonstrerer et grunnleggende skifte i privatlivstrusler. Tradisjonelle anonymiseringsmetoder som pseudonymer, brukernavn og handle-endringer er ikke lenger tilstrekkelig beskyttelse mot bestemte motstandere med tilgang til LLM-er.

Viktige trusselmål

68% deanonymiseringsnøyaktighet ved 90% presisjon (Hacker News → LinkedIn)
85% attributslutningsnøyaktighet for sted, inntekt, alder, yrke
100% e-postavinning og 98% telefonnummeravinning (GPT-4)
5× økning i PII-lekkasje med sofistikerte multi-spørsmål angrep
$1-$4 kostnad per profil gjør masseangreb økonomisk gjennomførbar

Hvem er i risiko

Varsler og aktivister: Anonyme innlegg kan knyttes til virkelige identiteter
Fagfolk: Reddit-aktivitet knyttet til LinkedIn-profiler
Helsepasienter: Medlemskapsslutning avslører om data var i trening
Hvem som helst med historiske innlegg: År med data kan retroaktivt deanonymiseres

Hvordan anonym.legal håndterer disse truslene

anonym.legal gir ekte anonymisering som fjerner signalene LLM-er bruker:

285+ enhetstyper: Navn, steder, datoer, tidsstempel, identifikatorer
Skrivemønsterforstyrring: Erstatter tekst som avslører stilometriske fingeravtrykk
Reversibel kryptering: AES-256-GCM for tilfeller som krever autorisert tilgang
Flere operatorer: Erstatt, Rediger, Hash, Krypter, Maskering, Tilpasset

Utforsk funksjoner Sikkerhetsstudier

Ofte stilte spørsmål

Hva er LLM-basert deanonymisering?

LLM-basert deanonymisering bruker store språkmodeller for å identifisere virkelige personer fra anonyme eller pseudonyme nettinnlegg. I motsetning til tradisjonelle metoder som mislykkes i stor skala, kan LLM-er kombinere skrivstilanalyse (stilometri), oppgitte fakta, tidsmønster og kontekstuelt resonnement for å matche anonyme profiler til virkelige identiteter. Forskning viser opptil 68% nøyaktighet ved 90% presisjon, sammenlignet med nærmest 0% for klassiske metoder.

Hvor nøyaktig er LLM-deanonymisering?

Forskning demonstrerer alarmerende nøyaktighetsnivåer: 68% gjenkall ved 90% presisjon for Hacker News til LinkedIn-matching, 67% for Reddit tidsmessig analyse (samme bruker over tid), 35% ved internetskala (1M+ kandidater). For attributtslutning oppnår GPT-4 85% top-1-nøyaktighet ved å slutte personlige egenskaper som sted, inntekt, alder og yrke fra Reddit-innlegg alene.

Hva er ESRC-rammeverket?

ESRC (Extract-Search-Reason-Calibrate) er et fire-trinns LLM-deanonymiseringsrammeverk: (1) Trekk ut - LLM trekker ut identifiserende fakta fra anonyme innlegg ved hjelp av NLP, (2) Søk - søker offentlige databaser som LinkedIn ved bruk av uttrakte fakta og semantiske innlegginger, (3) Resonnement - LLM resonnerer om kandidattreff ved å analysere konsistens, (4) Kalibrering - tillitspoenggiving for å minimere falske positiver samtidig som det maksimerer sanne treff.

Hvor mye koster LLM-deanonymisering?

Forskning viser at LLM-basert deanonymisering koster $1-$4 per profil, noe som gjør massdeanonymisering økonomisk gjennomførbar. For defensiv anonymisering koster det under $0,035 per kommentar ved bruk av GPT-4. Denne lave kostnaden gjør det mulig for statlige aktører, selskaper, stalker og ondskapsfulle personer å utføre storskalale privatlivs angrep.

Hvilke typer PII kan LLM-er trekke ut fra tekst?

LLM-er er dyktige til å trekke ut: e-postadresser (100% nøyaktighet med GPT-4), telefonnummer (98%), postadresser og navn. De kan også slutte ikke-eksplisitt PII: sted, inntektsnivå, alder, kjønn, yrke, utdanning, sivilstand og fødselssted fra subtile tekstuelle signaler og skrivemønster.

Hva er et medlemskapsslutningsangrep (MIA)?

Medlemskapsslutningsangrep bestemmer om spesifikke data ble brukt til å trene en AI-modell. For LLM-er avslører dette om dine personlige opplysninger var i treningsdatasettet. Forskning viser at e-postadresser og telefonnummer er spesielt sårbare. Nye angrepsvektorer inkluderer tokenizer-basert slutning og analyse av oppmerksomhetssignaler (AttenMIA).

Hvordan lekker prompt-injeksjonsangrep personlig data?

Prompt-injeksjon manipulerer LLM-agenter for å lekke personlig data observert under oppgavekjøring. I bankagentscenarier oppnår angrep ~20% suksessrate på å eksfiltrere personlig data, med 15-50% brukerverdiforringelse under angrep. Mens sikkerhetsjustering forhindrer passordlekkasje, forblir annen personlig data sårbar.

Hvordan kan anonym.legal beskytte mot LLM-privatlivsangrep?

anonym.legal gir ekte anonymisering gjennom: (1) PII-deteksjon - 285+ enhetstyper inkludert navn, steder, datoer, skrivemønster, (2) Erstatning - erstatter ekte PII med formatlydige alternativer, (3) Redigering - fjerner helt følsom informasjon, (4) Reversibel kryptering - AES-256-GCM for autorisert tilgang. I motsetning til pseudonymisering som LLM-er besejrer, fjerner ekte anonymisering signalene som LLM-er bruker for deanonymisering.

Beskytt mot LLM-privatlivsangrep

Stol ikke på pseudonymitet. Bruk ekte anonymisering til å beskytte følsomme dokumenter, brukerdata og kommunikasjon mot AI-drevne identifikasjonsangrep.

Start anonymisering Se dokumentasjon

About this page

We update this page when our platform or the law changes.

Read our founder note for how we work.

Each change shows up in the timestamp at the top.

We follow these rules

GDPR (EU 2016/679).
ISO/IEC 27001:2022.
NIS2 (EU 2022/2555).
HIPAA safe harbor under 45 CFR § 164.514(b)(2).

Our promise

We do not sell your data.

We do not train models on your text.

We store your files in Germany.

You can delete your account at any time.

You own your work.

Where we run

Our servers live in Falkenstein, Germany.

We use Hetzner. They hold ISO 27001 certification.

All data stays in the EU.

Backups run every day.

Need help?

Email support@anonym.legal.

We reply within one business day.

How we test

We run a full check suite on every release.

Each surface gets its own sweep script and report.

Human reviewers spot-check the output each week.

We track recall and precision on a labelled set.

Bad runs block the deploy.

What we never do

We never sell your information to third parties.
We never train models on what you upload.
We never keep your work after you delete it.
We never share keys with any outside firm.
We never run ads inside the product.

Plans in plain words

We sell credits, not seats.

One credit covers one short job.

Long jobs use a few credits each.

You can top up at any time.

Unused credits roll over each month.

Read the plans page for current rates.

Who built this

A small team of engineers and lawyers built this.

We ship from Europe and work in the open.

Our founder note spells out why we started.

Where to start

How the parts fit

A browser add-on cleans text inside Chrome.

A Word plug-in handles drafts in Office.

A small desktop tool works on whole folders.

An agent protocol link feeds large models safely.

All four share one core engine and one rule set.

Words from our team

We started this work after a lunch about cookies.

One friend kept getting odd ads on her phone.

We asked why a court file leaked through a draft.

We sketched the first build on a napkin that week.

By month three we had a tiny demo for a friend.

She used it on her first case the next day.

Common questions we hear

Can the tool read scanned PDFs? Yes, with OCR.

Does it work on long files? Yes, in small chunks.

Can I roll my own rule set? Yes, save it as a preset.

Does it run offline? The desktop build runs offline.

Do you keep my files? No, the cloud build wipes after each run.

Will it learn from my work? No, we never train on inputs.

A short tour of the workflow

Upload a file or paste a snippet of prose.

Pick the entities you want gone from the draft.

Choose a method: replace, mask, hash, encrypt, or redact.

Press run and watch the side panel show each hit.

Skim the result and tweak any rule that misfired.

Save the cleaned file or send it to a teammate.

LLM-privatlivsatforskning

Privatlivskategorigrupperangrep

Deanonymisering

Attributtslutning

PII-utvinning

Prompt-injeksjon

Large-scale online deanonymization with LLMs

Nøkkelfunn

Metodologi

ESRC-rammeverk

Eksperimentelle resultater

Implikasjoner

Alle forskningsartikler

Beyond Memorization: Violating Privacy via Inference with Large Language Models

Nøkkelfunn

AutoProfiler: Automated Profile Inference with Language Model Agents

Nøkkelfunn

Large Language Models are Advanced Anonymizers

Nøkkelfunn

AgentDAM: Privacy Leakage Evaluation for Autonomous Web Agents

Nøkkelfunn

SoK: The Privacy Paradox in Large Language Models

Nøkkelfunn

PII-Scope: A Comprehensive Study on Training Data PII Extraction Attacks in LLMs

Nøkkelfunn

Evaluating LLM-based Personal Information Extraction and Countermeasures

Nøkkelfunn

Preserving Privacy in Large Language Models: A Survey on Current Threats and Solutions

Nøkkelfunn

Beyond Data Privacy: New Privacy Risks for Large Language Models

Nøkkelfunn

Simple Prompt Injection Attacks Can Leak Personal Data Observed by LLM Agents

Nøkkelfunn

Membership Inference Attacks on Large-Scale Models: A Survey

Nøkkelfunn

Forsvarsstrategier fra forskning

Hva som ikke fungerer

Hva som fungerer

Hvorfor denne forskningen betyr noe

Viktige trusselmål

Hvem er i risiko

Hvordan anonym.legal håndterer disse truslene

Ofte stilte spørsmål

Hva er LLM-basert deanonymisering?

Hvor nøyaktig er LLM-deanonymisering?

Hva er ESRC-rammeverket?

Hvor mye koster LLM-deanonymisering?

Hvilke typer PII kan LLM-er trekke ut fra tekst?

Hva er et medlemskapsslutningsangrep (MIA)?

Hvordan lekker prompt-injeksjonsangrep personlig data?

Hvordan kan anonym.legal beskytte mot LLM-privatlivsangrep?

Beskytt mot LLM-privatlivsangrep

About this page

Related reading

We follow these rules

Our promise

Where we run

Need help?

How we test

What we never do

Plans in plain words

Who built this

Where to start

How the parts fit

Words from our team

Common questions we hear

A short tour of the workflow