Where Privacy Risk Lives in English-Source Multilingual RAG: A Stage-Decomposed Audit Across Five Query Languages
Summary
The paper "Where Privacy Risk Lives in English-Source Multilingual RAG: A Stage-Decomposed Audit Across Five Query Languages" by Li, Fan, and Zhuang investigates privacy risks in multilingual Retrieval-Augmented Generation (RAG) systems. It challenges the common assumption that non-English languages make RAG systems more vulnerable to personal information attacks. Using an English-source synthetic-PII corpus with five query languages and a two-stage defense (LLM input judge + regex output filter), the study found that English queries exhibited the highest unstructured-PII leak rate at the output stage. While English-vs-Swahili showed a clean separation in leak rates, adding an input judge still left residual leaks for Arabic and Swahili in a Qwen-mediated pipeline, which back-translating queries did not resolve. The authors note this is pipeline-conditional, not a causal language ranking, as translator, judge, and generator share one model family. An oracle diagnostic showed that attaching the gold corpus document to the input judge blocked 15/17 residual cells for adversarial queries, suggesting a future research direction.
Key takeaway
For AI Security Engineers deploying multilingual RAG systems, you should re-evaluate assumptions about non-English languages reducing PII leak risks. Your English query interfaces might be more vulnerable to unstructured PII leaks than expected. Implement robust, multi-stage defenses, including LLM input judges, and specifically audit for residual leaks in languages like Arabic and Swahili. Consider advanced input judge mechanisms, such as document attachment, to enhance privacy protection against adversarial queries.
Key insights
Multilingual RAG systems may leak more PII in English queries than non-English, challenging common assumptions.
Principles
- PII leak rates are pipeline-conditional, not language-inherent.
- Input judges reduce PII leaks but may leave residual vulnerabilities.
- Back-translation does not always mitigate cross-lingual PII leaks.
Method
The study audited multilingual RAG privacy risk using an English-source synthetic-PII corpus, five query languages, and a two-stage defense: an LLM input judge and a regex output filter.
In practice
- Audit RAG systems for PII leaks across query languages.
- Implement multi-stage defenses including input judges.
- Consider document attachment for input judge enhancement.
Topics
- Multilingual RAG
- Privacy Risk
- Personal Information Leakage
- LLM Input Judge
- Qwen Pipeline
- Adversarial Queries
Best for: Research Scientist, CTO, VP of Engineering/Data, AI Scientist, NLP Engineer, AI Security Engineer
Related on AIssential
Editorial summary, takeaway, and curation by AIssential. Original article published by Paper Index on ACL Anthology.