AI agents designed to automate tasks online, from booking flights to filling forms, pose significant privacy risks by inadvertently oversharing user data. While promising a powerful digital assistant experience, these agents can expose sensitive information users expect to remain private. Brave's research project, SPILLAGE, investigates how these agents handle data when interacting with live websites, raising questions about whether privacy is a fundamental requirement or an afterthought in agent design.
Web agents, powered by Large Language Models (LLMs), fulfill a desire for digital assistants that can plan and execute actions autonomously. The internet is their primary operational environment, transforming manual browsing into intelligent automation. However, to function, these agents require access to personal resources like emails, calendars, and credentials, creating a broad attack surface.
When agents interact with third-party websites on a user's behalf, sensitive data is not only shared with the agent but potentially exposed to every external party involved. This aggregation and rapid transmission of personal data, at a scale far exceeding manual browsing, concentrates privacy risks. Users naturally expect their information to remain protected, an expectation often unmet, as seen in cases where agents copy conversation histories directly into search interfaces.
Unlike controlled chatbot environments, web agents operate "in the wild," leaving observable traces of their actions. Every query, click, and page visit can be seen by external services, potentially disclosing information beyond what's necessary for the task. Brave terms this phenomenon "Natural Agentic Oversharing," extending the concept of human online oversharing to autonomous agents.
The SPILLAGE framework categorizes this oversharing into explicit/implicit disclosure and content/behavior channels. This allows for a comprehensive analysis of how agents might violate user privacy. For example, an agent searching for medical supplies might inadvertently reveal a user's divorce status through form entries or observed browsing behaviors.
Brave's evaluation of commercial agents across e-commerce sites like Amazon and eBay revealed that oversharing is pervasive, with behavioral leakage being more common than content leakage. Crucially, simply instructing agents to be privacy-conscious via prompts proved insufficient, with the problem persisting or worsening even with mitigation attempts. This highlights the depth and breadth of the agentic oversharing privacy risks.
Contrary to the common assumption that privacy and utility are in conflict, Brave's research found the opposite. Manually removing task-irrelevant information from agent inputs actually improved task success rates by up to 17.9%. This suggests that reducing data leakage enhances agent performance. Brave is actively working on privacy-aware agents, and an early version is available in the Brave Nightly Leo AI assistant.
