{"id":"https://openalex.org/W4416307771","doi":"https://doi.org/10.1145/3733802.3764048","title":"From Privacy Chains to ChainShield: Structured Privacy Risks and Defense in Vision-Language Models","display_name":"From Privacy Chains to ChainShield: Structured Privacy Risks and Defense in Vision-Language Models","publication_year":2025,"publication_date":"2025-10-13","ids":{"openalex":"https://openalex.org/W4416307771","doi":"https://doi.org/10.1145/3733802.3764048"},"language":null,"primary_location":{"id":"doi:10.1145/3733802.3764048","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3733802.3764048","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3733802.3764048","source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 24th Workshop on Privacy in the Electronic Society","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://dl.acm.org/doi/pdf/10.1145/3733802.3764048","any_repository_has_fulltext":null},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5088464971","display_name":"Minxing Liu","orcid":"https://orcid.org/0009-0001-0554-3720"},"institutions":[{"id":"https://openalex.org/I102134673","display_name":"Link\u00f6ping University","ror":"https://ror.org/05ynxx418","country_code":"SE","type":"education","lineage":["https://openalex.org/I102134673"]}],"countries":["SE"],"is_corresponding":true,"raw_author_name":"Minxing Liu","raw_affiliation_strings":["Link\u00f6ping University, Link\u00f6ping, Sweden"],"raw_orcid":"https://orcid.org/0009-0001-0554-3720","affiliations":[{"raw_affiliation_string":"Link\u00f6ping University, Link\u00f6ping, Sweden","institution_ids":["https://openalex.org/I102134673"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5038446527","display_name":"Minh\u2010Ha Le","orcid":"https://orcid.org/0000-0003-2391-5951"},"institutions":[{"id":"https://openalex.org/I102134673","display_name":"Link\u00f6ping University","ror":"https://ror.org/05ynxx418","country_code":"SE","type":"education","lineage":["https://openalex.org/I102134673"]}],"countries":["SE"],"is_corresponding":false,"raw_author_name":"Minh-Ha Le","raw_affiliation_strings":["Link\u00f6ping University, Link\u00f6ping, Sweden"],"raw_orcid":"https://orcid.org/0000-0003-2391-5951","affiliations":[{"raw_affiliation_string":"Link\u00f6ping University, Link\u00f6ping, Sweden","institution_ids":["https://openalex.org/I102134673"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5077044865","display_name":"Niklas Carlsson","orcid":"https://orcid.org/0000-0003-1367-1594"},"institutions":[{"id":"https://openalex.org/I102134673","display_name":"Link\u00f6ping University","ror":"https://ror.org/05ynxx418","country_code":"SE","type":"education","lineage":["https://openalex.org/I102134673"]}],"countries":["SE"],"is_corresponding":false,"raw_author_name":"Niklas Carlsson","raw_affiliation_strings":["Link\u00f6ping University, Link\u00f6ping, Sweden"],"raw_orcid":"https://orcid.org/0000-0003-1367-1594","affiliations":[{"raw_affiliation_string":"Link\u00f6ping University, Link\u00f6ping, Sweden","institution_ids":["https://openalex.org/I102134673"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":3,"corresponding_author_ids":["https://openalex.org/A5088464971"],"corresponding_institution_ids":["https://openalex.org/I102134673"],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":true,"cited_by_count":1,"citation_normalized_percentile":{"value":0.33734513,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":"116","last_page":"133"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11714","display_name":"Multimodal Machine Learning Applications","score":0.6787999868392944,"subfield":{"id":"https://openalex.org/subfields/1707","display_name":"Computer Vision and Pattern Recognition"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11714","display_name":"Multimodal Machine Learning Applications","score":0.6787999868392944,"subfield":{"id":"https://openalex.org/subfields/1707","display_name":"Computer Vision and Pattern Recognition"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.10639999806880951,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10883","display_name":"Ethics and Social Impacts of AI","score":0.05959999933838844,"subfield":{"id":"https://openalex.org/subfields/3311","display_name":"Safety Research"},"field":{"id":"https://openalex.org/fields/33","display_name":"Social Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/timeline","display_name":"Timeline","score":0.5935999751091003},{"id":"https://openalex.org/keywords/adversarial-system","display_name":"Adversarial system","score":0.5907999873161316},{"id":"https://openalex.org/keywords/information-privacy","display_name":"Information privacy","score":0.5497000217437744},{"id":"https://openalex.org/keywords/private-information-retrieval","display_name":"Private information retrieval","score":0.546500027179718},{"id":"https://openalex.org/keywords/orchestration","display_name":"Orchestration","score":0.4440999925136566},{"id":"https://openalex.org/keywords/adversary","display_name":"Adversary","score":0.4309000074863434},{"id":"https://openalex.org/keywords/information-sensitivity","display_name":"Information sensitivity","score":0.4000999927520752},{"id":"https://openalex.org/keywords/privacy-software","display_name":"Privacy software","score":0.3953999876976013},{"id":"https://openalex.org/keywords/pipeline","display_name":"Pipeline (software)","score":0.39430001378059387}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7605000138282776},{"id":"https://openalex.org/C4438859","wikidata":"https://www.wikidata.org/wiki/Q186117","display_name":"Timeline","level":2,"score":0.5935999751091003},{"id":"https://openalex.org/C37736160","wikidata":"https://www.wikidata.org/wiki/Q1801315","display_name":"Adversarial system","level":2,"score":0.5907999873161316},{"id":"https://openalex.org/C123201435","wikidata":"https://www.wikidata.org/wiki/Q456632","display_name":"Information privacy","level":2,"score":0.5497000217437744},{"id":"https://openalex.org/C99221444","wikidata":"https://www.wikidata.org/wiki/Q1532069","display_name":"Private information retrieval","level":2,"score":0.546500027179718},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.5116999745368958},{"id":"https://openalex.org/C108827166","wikidata":"https://www.wikidata.org/wiki/Q175975","display_name":"Internet privacy","level":1,"score":0.5037000179290771},{"id":"https://openalex.org/C199168358","wikidata":"https://www.wikidata.org/wiki/Q3367000","display_name":"Orchestration","level":3,"score":0.4440999925136566},{"id":"https://openalex.org/C41065033","wikidata":"https://www.wikidata.org/wiki/Q2825412","display_name":"Adversary","level":2,"score":0.4309000074863434},{"id":"https://openalex.org/C137822555","wikidata":"https://www.wikidata.org/wiki/Q2587068","display_name":"Information sensitivity","level":2,"score":0.4000999927520752},{"id":"https://openalex.org/C509729295","wikidata":"https://www.wikidata.org/wiki/Q7246032","display_name":"Privacy software","level":3,"score":0.3953999876976013},{"id":"https://openalex.org/C43521106","wikidata":"https://www.wikidata.org/wiki/Q2165493","display_name":"Pipeline (software)","level":2,"score":0.39430001378059387},{"id":"https://openalex.org/C102938260","wikidata":"https://www.wikidata.org/wiki/Q1999831","display_name":"Privacy policy","level":3,"score":0.38589999079704285},{"id":"https://openalex.org/C75684735","wikidata":"https://www.wikidata.org/wiki/Q858810","display_name":"Big data","level":2,"score":0.358599990606308},{"id":"https://openalex.org/C193934123","wikidata":"https://www.wikidata.org/wiki/Q7246028","display_name":"Privacy by Design","level":3,"score":0.34709998965263367},{"id":"https://openalex.org/C2522767166","wikidata":"https://www.wikidata.org/wiki/Q2374463","display_name":"Data science","level":1,"score":0.3440000116825104},{"id":"https://openalex.org/C36464697","wikidata":"https://www.wikidata.org/wiki/Q451553","display_name":"Visualization","level":2,"score":0.3345000147819519},{"id":"https://openalex.org/C4679612","wikidata":"https://www.wikidata.org/wiki/Q866298","display_name":"Aggregate (composite)","level":2,"score":0.33059999346733093},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.33000001311302185},{"id":"https://openalex.org/C2779201187","wikidata":"https://www.wikidata.org/wiki/Q2775060","display_name":"Information leakage","level":2,"score":0.30399999022483826},{"id":"https://openalex.org/C140547941","wikidata":"https://www.wikidata.org/wiki/Q7797194","display_name":"Threat model","level":2,"score":0.2989000082015991},{"id":"https://openalex.org/C2779343474","wikidata":"https://www.wikidata.org/wiki/Q3109175","display_name":"Context (archaeology)","level":2,"score":0.29319998621940613},{"id":"https://openalex.org/C199033989","wikidata":"https://www.wikidata.org/wiki/Q1318295","display_name":"Narrative","level":2,"score":0.28369998931884766},{"id":"https://openalex.org/C3017597292","wikidata":"https://www.wikidata.org/wiki/Q25052250","display_name":"Privacy protection","level":2,"score":0.2766999900341034},{"id":"https://openalex.org/C67186912","wikidata":"https://www.wikidata.org/wiki/Q367664","display_name":"Data modeling","level":2,"score":0.2578999996185303}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/3733802.3764048","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3733802.3764048","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3733802.3764048","source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 24th Workshop on Privacy in the Electronic Society","raw_type":"proceedings-article"}],"best_oa_location":{"id":"doi:10.1145/3733802.3764048","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3733802.3764048","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3733802.3764048","source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 24th Workshop on Privacy in the Electronic Society","raw_type":"proceedings-article"},"sustainable_development_goals":[],"awards":[],"funders":[{"id":"https://openalex.org/F4320321040","display_name":"National Science Council","ror":"https://ror.org/02kv4zf79"},{"id":"https://openalex.org/F4320322225","display_name":"Link\u00f6pings Universitet","ror":"https://ror.org/05ynxx418"},{"id":"https://openalex.org/F4320322327","display_name":"Knut och Alice Wallenbergs Stiftelse","ror":"https://ror.org/004hzzk67"},{"id":"https://openalex.org/F4320322581","display_name":"Vetenskapsr\u00e5det","ror":"https://ror.org/03zttf063"},{"id":"https://openalex.org/F4320336380","display_name":"National Supercomputer Centre, Link\u00f6pings Universitet","ror":null}],"has_content":{"pdf":true,"grobid_xml":true},"content_urls":{"pdf":"https://content.openalex.org/works/W4416307771.pdf","grobid_xml":"https://content.openalex.org/works/W4416307771.grobid-xml"},"referenced_works_count":31,"referenced_works":["https://openalex.org/W1834627138","https://openalex.org/W1861492603","https://openalex.org/W1933349210","https://openalex.org/W2018881137","https://openalex.org/W2024922353","https://openalex.org/W2134167315","https://openalex.org/W2341528187","https://openalex.org/W2603766943","https://openalex.org/W2746600820","https://openalex.org/W2774644650","https://openalex.org/W2799244840","https://openalex.org/W2895097814","https://openalex.org/W2896348597","https://openalex.org/W2911978475","https://openalex.org/W2954182683","https://openalex.org/W2962785568","https://openalex.org/W2962847335","https://openalex.org/W2962995403","https://openalex.org/W3023939840","https://openalex.org/W3090449556","https://openalex.org/W3173826007","https://openalex.org/W3183199078","https://openalex.org/W4225683910","https://openalex.org/W4229907684","https://openalex.org/W4249013746","https://openalex.org/W4283317927","https://openalex.org/W4287887758","https://openalex.org/W4312529624","https://openalex.org/W4313130906","https://openalex.org/W4382460786","https://openalex.org/W4400477233"],"related_works":[],"abstract_inverted_index":{"Vision-Language":[0],"Models":[1],"(VLMs)":[2],"are":[3,58],"increasingly":[4],"deployed":[5],"in":[6],"applications":[7],"that":[8,38,146,171],"interpret":[9],"and":[10,15,76,110,121,127,179],"generate":[11],"information":[12,52],"from":[13,44,132],"visual":[14],"textual":[16],"inputs.":[17],"While":[18],"powerful,":[19],"these":[20],"models":[21,178],"pose":[22],"emerging":[23],"privacy":[24,34,90,100,129,175,186],"risks.":[25],"In":[26],"this":[27,95,137],"paper,":[28],"we":[29,67,97,139],"introduce":[30],"the":[31,55,104,183],"concept":[32],"of":[33,85,185],"chains:":[35],"structured":[36],"narratives":[37],"emerge":[39],"when":[40,54],"adversaries":[41],"aggregate":[42],"outputs":[43,57,156],"VLMs":[45,114],"across":[46,115,177],"multiple":[47],"images,":[48],"often":[49],"exposing":[50],"sensitive":[51],"even":[53,131],"individual":[56],"seemingly":[59],"innocuous.":[60],"Using":[61],"LangChain,":[62],"an":[63],"open-source":[64,113],"orchestration":[65],"framework,":[66],"show":[68,170],"how":[69],"identity-linked":[70],"data":[71],"extracted":[72],"via":[73],"both":[74],"benign":[75,162],"targeted":[77],"prompts":[78],"can":[79],"be":[80],"compiled":[81],"into":[82],"detailed":[83],"timelines":[84],"private":[86],"behavior,":[87],"significantly":[88],"amplifying":[89],"threats.":[91],"To":[92,135],"systematically":[93],"assess":[94],"risk,":[96],"develop":[98],"a":[99,142],"leakage":[101,176],"pipeline":[102],"within":[103],"Visual":[105],"Question":[106],"Answering":[107],"(VQA)":[108],"framework":[109],"evaluate":[111],"six":[112],"three":[116],"tailored":[117],"datasets:":[118],"Celebrity,":[119],"Car,":[120],"Tattoo.":[122],"Our":[123,168],"analysis":[124],"reveals":[125],"substantial":[126],"model-dependent":[128],"leakage,":[130],"general-purpose":[133],"queries.":[134],"mitigate":[136],"threat,":[138],"propose":[140],"ChainShield,":[141],"white-box":[143],"adversarial":[144],"defense":[145],"applies":[147],"targeted,":[148],"imperceptible":[149],"perturbations":[150],"to":[151],"images.":[152],"ChainShield":[153,172],"reduces":[154],"privacy-relevant":[155],"by":[157],"redirecting":[158],"VLM":[159],"responses":[160],"toward":[161],"alternatives,":[163],"while":[164],"preserving":[165],"image":[166],"realism.":[167],"experiments":[169],"substantially":[173],"lowers":[174],"datasets,":[180],"effectively":[181],"disrupting":[182],"formation":[184],"chains.":[187]},"counts_by_year":[],"updated_date":"2026-03-09T07:00:12.390032","created_date":"2025-11-18T00:00:00"}