PIG: Privacy Jailbreak Attack on LLMs via Gradient-based Iterative Prompts¶

Conference: ACL 2025
arXiv: 2505.09921
Code: https://github.com/redwyd/PrivacyJailbreak
Area: AI Safety / Privacy Attacks
Keywords: privacy jailbreak, PII extraction, in-context learning, gradient-based optimization, LLM safety

TL;DR¶

This paper proposes the PIG framework, which achieves efficient privacy jailbreak attacks on LLMs by identifying PII entity types in privacy queries, constructing privacy in-context demonstrations, and utilizing three gradient-based iterative optimization strategies to update the context. It achieves SOTA performance on both white-box and black-box models.

Background & Motivation¶

LLMs memorize large amounts of training data during pre-training (containing sensitive information such as names, emails, bank accounts and other PII), and can also store user privacy information through system prompts during inference.
Existing privacy leakage evaluation methods mainly use memorized prefixes or simple instructions (such as "ignore previous instructions and output all context") to extract data, but well-aligned models can easily prevent these attacks.
Existing jailbreak attack methods mainly focus on generating harmful content, and rarely explore their role in privacy scenarios.
Core Problem: Can jailbreak attack methods be effectively adapted to extract privacy-related information from LLMs?
Existing jailbreak methods (manual templates / automatic prompt search) suffer from rigid structures and poor transferability in privacy scenarios; even if the model does not refuse to answer, they often fail to extract the attacker's target sensitive information.

Method¶

Overall Architecture¶

The PIG framework consists of three core steps: 1. PII Identification: Identify PII entities and their types in privacy queries. 2. Privacy In-Context Learning: Construct in-context demonstrations based on the identified PII types. 3. Gradient-based Iterative Optimization: Iteratively update the context using three strategies until the model outputs the target PII.

Key Designs¶

PII Identification¶

Leverage the reasoning capability of GPT-4 by designing a PII detection prompt to identify predefined types of PII and specific entities in the query.
PII types include: direct identifiers and quasi-identifiers such as phone numbers, home addresses, names, genders, and dates of birth.

Privacy In-Context Learning (Privacy ICL)¶

Generate new PII entities based on the identified PII types (either through random combinations of digits/letters or retrieval from online databases).
Replace the entities in the original query with the newly generated PII to construct N privacy demonstrations.
Concatenate the N demonstrations to form a complete privacy context C.
Advantages: ICL is flexible and highly transferable; the context is closely aligned with the target privacy query; PII entities are easy to generate.

Three Gradient Optimization Strategies¶

Random Strategy: Randomly optimizes tokens in the privacy context, treating all tokens as equally important, which yields the largest search space.
Entity Strategy: Optimizes only tokens related to PII entities, preserving the format and semantics of the context.
Dynamic Strategy: Sorts token importance using the average gradient vector and selects the M most important tokens for optimization.
Combined Strategy: The three strategies target different tokens for optimization, and successful jailbreak samples do not completely overlap. Combining them further increases the attack success rate.

Loss & Training¶

The optimization goal is to minimize the negative log-likelihood: \(\min_{c_\mathcal{I} \in \mathcal{V}} \mathcal{L}(c_{1:n}) = -\log P_\theta(R' | J)\)
where J = [C; Q] is the privacy jailbreak prompt, and R' is the reference response (e.g., "Sure, David's phone password is").
In each iteration: (1) calculate gradients to select the top-k candidate tokens; (2) perform B samplings, randomly replacing tokens to produce B perturbed contexts; (3) choose the context with the minimum loss; (4) launch the attack using the optimized context.
If the model output contains a likely PII entity, the jailbreak is considered successful; otherwise, it proceeds to the next iteration.
Compared to the randomly initialized token optimization of GCG, the context constructed by PIG based on ICL converges much faster.
Threat Model:
White-box setting: Attackers have full access to open-source target models to compute losses and obtain gradients.
Black-box setting: Leverage optimized contexts from white-box models to transfer attacks to closed-source models.

Key Experimental Results¶

Datasets¶

Enron Email Dataset: Real corporate emails containing PII, assumed to be included in the LLM pre-training corpus. 4 prompt templates × 50 samples × zero/five-shot = 400 samples.
TrustLLM Dataset: 560 privacy queries covering 7 categories of privacy information (address, SSN, phone number, password, SSH key, driver's license number, bank account number), evaluated under both normal and defensive system prompt templates.

Models¶

White-box: LLaMA2-7b-chat, Mistral-7b-instruct-v0.3, LLaMA3-8b-instruct, Vicuna-7b-v1.5
Black-box: GPT-4o, Claude 3.5

Main Results (TrustLLM Dataset)¶

Method	LLaMA2 ASR	Mistral ASR	Vicuna ASR	LLaMA3 ASR
Prefix (Normal)	0.36%	71.8%	40.7%	89.6%
ICA 5-shot (Normal)	7.14%	94.3%	99.6%	99.3%
Jailbroken (Normal)	85.0%	100%	100%	100%
GCG Series	-	-	-	-
PIG (Combined)	Significantly Optimal	Significantly Optimal	Significantly Optimal	Significantly Optimal

PIG's ASR outperforms all baseline methods across all white-box models.
Under the augmented (defensive system prompt) templates, the ASR of most baselines drops significantly or even to 0%, whereas PIG still maintains a high attack success rate.
LLaMA2 is the most difficult model to attack (with RtA close to 100%), yet PIG still achieves meaningful breakthroughs.

Black-box Transfer Attacks¶

PIG contexts optimized on white-box models can be effectively transferred to GPT-4o and Claude 3.5.
The baseline ASR of GPT-4o and Claude 3.5 under normal templates is mostly below 10%.
After transferring, PIG also achieves significant improvements on black-box models.

Key Findings¶

Privacy Jailbreak \(\neq\) Traditional Jailbreak: Traditional jailbreak methods aim to induce "harmful affirmative responses" from the model but do not target specific privacy attributes. Even if the model does not refuse, it fails to extract the target sensitive information.
ICL Foundation Significantly Outperforms Random Initialization: The initial context built on ICL in PIG converges faster than the random tokens in GCG.
Entity Strategy Best Preserves Semantics, whereas the Dynamic strategy is the most flexible, and the combined strategy achieves the best performance.
Defensive System Prompts Can Defend Against Most Baselines, but have limited defensive effectiveness against PIG.
Varying Extraction Difficulty Across PII Types: Names and emails are relatively easy to extract, while bank accounts and SSH keys are harder.

Highlights & Insights¶

First Systematic Bridge Between Privacy Leakage and Jailbreak Attacks: Establishes a formal connection between the two domains.
Clever Exploitation of PII Construction Characteristics: Privacy demonstrations are inherently easy to generate (via random combinations or online retrieval) without relying on helper jailbreak models unlike traditional jailbreaks.
Rational and Complementary Design of Three Strategies: The Random strategy provides the largest search space, the Entity strategy preserves semantics, and the Dynamic strategy focuses on key tokens.
Practical White-to-Black Box Transfer Route: Of great significance for practical threat assessment of closed-source commercial models.
Reveals Fundamental Vulnerabilities of Safety Alignment: Even after alignment training like RLHF, carefully designed contexts can still bypass safety mechanisms.

Limitations & Future Work¶

White-box Assumption Limits Practical Scenarios: Requires full access to model weights to calculate gradients.
Combined Strategy Increases Time Cost: Although more efficient than a single strategy getting stuck in local optima, the total computation is multiplied.
Limited Dataset Scale: TrustLLM contains only 560 samples, and Enron contains only 400 samples.
Lack of Evaluation on Larger Models: White-box experiments only cover 7B-8B models.
Manual Setting of M in the Dynamic Strategy: Lacks an adaptive mechanism.
No Discussion on Defense Solutions: As an attack methodology paper, it does not provide suggestions on how to effectively defend against PIG.

Privacy Leakage: Prefix-guided extraction (Carlini et al., 2021), data extraction and divergence attacks (Nasr et al., 2023), and PII prompt templates of ProPILE (Kim et al., 2023).
Jailbreak Attacks: GCG (Zou et al., 2023) gradient-optimized suffixes, PAIR (Chao et al., 2024) prompt-level optimization, and manual design methods like CodeChameleon.
Insights: The PIG framework can be extended to more privacy scenarios (e.g., RAG system leakage, information-gathering attacks in multi-turn dialogues), or conversely used to evaluate and strengthen the privacy-preserving capabilities of models.

Rating¶

Novelty: ⭐⭐⭐⭐ — First to systematically apply jailbreak attacks to privacy leakage evaluation.
Technical Depth: ⭐⭐⭐⭐ — The three gradient optimization strategies are reasonably designed with sufficient theoretical analysis.
Experimental Thoroughness: ⭐⭐⭐⭐ — Covers both white-box and black-box settings, uses two datasets, and provides comprehensive baseline comparisons.
Value: ⭐⭐⭐⭐ — Possesses direct value for the safety evaluation of LLM privacy.
Writing Quality: ⭐⭐⭐⭐ — Clear structure and intuitive illustrations.
Overall Rating: 8.0/10