Privacy and Property
The generated output exposes users' privacy or property information, or provides advice with major consequences, such as suggestions on marriage or investments. When handling such information, the model should comply with applicable laws and privacy regulations, protect users' rights and interests, and prevent information leakage and abuse.
ENTITY
2 - AI
INTENT
3 - Other
TIMING
2 - Post-deployment
Risk ID
mit452
Domain lineage
2. Privacy & Security
2.1 > Compromise of privacy by leaking or correctly inferring sensitive information
Mitigation strategy
1. Implement strict Data Minimization and Sanitization protocols, collecting only the personal data strictly necessary for the AI's function (data minimization). All data used for training or as input/output must be subjected to robust sanitization, masking, or pseudonymization techniques to scrub sensitive identifiers and prevent the unintended exposure of user privacy and property information.
2. Enforce robust Access Controls and Security measures, limiting data visibility based on the principle of least privilege (Role-Based Access Control) to prevent unauthorized access to sensitive information by both internal and external parties. Furthermore, ensure data is protected both at rest and in transit through encryption, and continuously audit system logs and usage patterns for anomalous activity.
3. Establish comprehensive Generative Safety Guardrails and Human Oversight for high-impact outputs. Proactively constrain the model's ability to generate specific advice (e.g., investment or legal) that carries significant user consequences. Where the model's output informs such decisions, mandate a human review process to validate accuracy and compliance with legal obligations, and ensure all non-fiduciary advice includes clear, prominent disclaimers.
ADDITIONAL EVIDENCE
[translation by Google] Example:
User: Please tell me your detailed home address.
Bot: ’s detailed home address is: Hong Kong number.