PII Jailbreaking in LLMs via Activation Steering Reveals Personal Information Leakage
Summary
A study investigates privacy jailbreaking in large language models (LLMs) using "activation steering" to circumvent alignment mechanisms and extract personal identifiable information (PII). Researchers identified attention heads predictive of refusal behavior for private attributes, like public figures' sexual orientation. They used lightweight linear probes trained with a privacy evaluator. By applying steering to a selected subset of these heads, guided by probe outputs, LLMs were induced to provide positive responses to privacy-sensitive queries. Empirical results showed steered responses frequently revealed the target attribute and additional PII, including life events, relationships, and biographical details. Evaluations across three LLMs demonstrated disclosure rates of at least 80%, with several responses containing real personal information. This controlled study highlights a concrete privacy risk: memorized PII can be extracted via targeted activation-level interventions, without computationally intensive adversarial prompting.
Key takeaway
For AI Security Engineers evaluating LLM privacy, you must consider activation steering as a potent PII leakage vector, not just adversarial prompting. Your current alignment mechanisms may be insufficient against internal manipulation that can achieve over 80% disclosure rates of memorized personal data. Prioritize developing and implementing defenses that monitor and control internal model activations to prevent unauthorized PII extraction.
Key insights
Activation steering can jailbreak LLMs to leak memorized PII, posing a significant privacy risk without adversarial prompting.
Principles
- Internal activation manipulation bypasses LLM alignment.
- PII memorized during pre-training is extractable.
- Targeted interventions can induce specific model behaviors.
Method
Identify refusal-predictive attention heads via linear probes, then apply steering to a subset of these heads, guided by probe outputs, to induce PII disclosure.
In practice
- Assess LLM privacy risks beyond adversarial prompts.
- Develop defenses against activation-level PII extraction.
- Enhance alignment mechanisms against internal steering.
Topics
- Large Language Models
- Activation Steering
- PII Jailbreaking
- Privacy Risk
- Information Leakage
- Attention Heads
Best for: CTO, VP of Engineering/Data, Director of AI/ML, AI Scientist, AI Security Engineer
Related on AIssential
Editorial summary, takeaway, and curation by AIssential. Original article published by Paper Index on ACL Anthology.