Where Privacy Risk Lives in English-Source Multilingual RAG: A Stage-Decomposed Audit Across Five Query Languages

· Source: Paper Index on ACL Anthology · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy, Data Science & Analytics · Depth: Expert, medium

Summary

The paper "Where Privacy Risk Lives in English-Source Multilingual RAG: A Stage-Decomposed Audit Across Five Query Languages" by Li, Fan, and Zhuang investigates privacy risks in multilingual Retrieval-Augmented Generation (RAG) systems. It challenges the common assumption that non-English languages make RAG systems more vulnerable to personal information attacks. Using an English-source synthetic-PII corpus with five query languages and a two-stage defense (LLM input judge + regex output filter), the study found that English queries exhibited the highest unstructured-PII leak rate at the output stage. While English-vs-Swahili showed a clean separation in leak rates, adding an input judge still left residual leaks for Arabic and Swahili in a Qwen-mediated pipeline, which back-translating queries did not resolve. The authors note this is pipeline-conditional, not a causal language ranking, as translator, judge, and generator share one model family. An oracle diagnostic showed that attaching the gold corpus document to the input judge blocked 15/17 residual cells for adversarial queries, suggesting a future research direction.

Key takeaway

For AI Security Engineers deploying multilingual RAG systems, you should re-evaluate assumptions about non-English languages reducing PII leak risks. Your English query interfaces might be more vulnerable to unstructured PII leaks than expected. Implement robust, multi-stage defenses, including LLM input judges, and specifically audit for residual leaks in languages like Arabic and Swahili. Consider advanced input judge mechanisms, such as document attachment, to enhance privacy protection against adversarial queries.

Key insights

Multilingual RAG systems may leak more PII in English queries than non-English, challenging common assumptions.

Principles

Method

The study audited multilingual RAG privacy risk using an English-source synthetic-PII corpus, five query languages, and a two-stage defense: an LLM input judge and a regex output filter.

In practice

Topics

Best for: Research Scientist, CTO, VP of Engineering/Data, AI Scientist, NLP Engineer, AI Security Engineer

Related on AIssential

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by Paper Index on ACL Anthology.