LLM-driven autonomous web agents risk unnecessary processing of sensitive personal information during routine task execution, leading to privacy violations. Method: We propose a systematic assessment and mitigation framework grounded in the data minimization principle. We introduce AgentDAM—the first privacy leakage evaluation benchmark for web agents—defining and quantifying agents’ access to and use of non-essential sensitive data during dynamic web interactions. We develop a task-adaptive, generalizable privacy leakage quantification framework and curate a privacy-sensitive web task suite. Using GPT-4, Llama-3, and Claude-based agents, we empirically validate prompt engineering’s efficacy in enforcing data minimization. Contribution/Results: Experiments reveal pervasive redundant processing of sensitive information across mainstream agents. Our approach significantly reduces privacy leakage rates, demonstrating that data minimization can be effectively enforced via lightweight, instruction-based prompting—without architectural modifications or fine-tuning.

LLM-powered AI agents are an emerging frontier with tremendous potential to increase human productivity. However, empowering AI agents to take action on their user's behalf in day-to-day tasks involves giving them access to potentially sensitive and private information, which leads to a possible risk of inadvertent privacy leakage when the agent malfunctions. In this work, we propose one way to address that potential risk, by training AI agents to better satisfy the privacy principle of data minimization. For the purposes of this benchmark, by"data minimization"we mean instances where private information is shared only when it is necessary to fulfill a specific task-relevant purpose. We develop a benchmark called AgentDAM to evaluate how well existing and future AI agents can limit processing of potentially private information that we designate"necessary"to fulfill the task. Our benchmark simulates realistic web interaction scenarios and is adaptable to all existing web navigation agents. We use AgentDAM to evaluate how well AI agents built on top of GPT-4, Llama-3 and Claude can limit processing of potentially private information when unnecessary, and show that these agents are often prone to inadvertent use of unnecessary sensitive information. We finally propose a prompting-based approach that reduces this.