{"id":"https://openalex.org/W7125652705","doi":"https://doi.org/10.56553/popets-2026-0015","title":"Personal Data Flows and Privacy Policy Traceability in Third-party LLM Apps in the GPT Ecosystem","display_name":"Personal Data Flows and Privacy Policy Traceability in Third-party LLM Apps in the GPT Ecosystem","publication_year":2026,"publication_date":"2026-01-01","ids":{"openalex":"https://openalex.org/W7125652705","doi":"https://doi.org/10.56553/popets-2026-0015"},"language":null,"primary_location":{"id":"doi:10.56553/popets-2026-0015","is_oa":true,"landing_page_url":"https://doi.org/10.56553/popets-2026-0015","pdf_url":"https://petsymposium.org/popets/2026/popets-2026-0015.pdf","source":{"id":"https://openalex.org/S4210183172","display_name":"Proceedings on Privacy Enhancing Technologies","issn_l":"2299-0984","issn":["2299-0984"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310320322","host_organization_name":"De Gruyter Open","host_organization_lineage":["https://openalex.org/P4310320322","https://openalex.org/P4310313990"],"host_organization_lineage_names":["De Gruyter Open","De Gruyter"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings on Privacy Enhancing Technologies","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"hybrid","oa_url":"https://petsymposium.org/popets/2026/popets-2026-0015.pdf","any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5073700898","display_name":"Juan-Carlos Carrillo","orcid":"https://orcid.org/0000-0002-2693-7489"},"institutions":[{"id":"https://openalex.org/I60053951","display_name":"Universitat Polit\u00e8cnica de Val\u00e8ncia","ror":"https://ror.org/01460j859","country_code":"ES","type":"education","lineage":["https://openalex.org/I60053951"]}],"countries":["ES"],"is_corresponding":true,"raw_author_name":"Juan-Carlos Carrillo","raw_affiliation_strings":["VRAIN, Universitat Polit\u00e8cnica de Val\u00e8ncia, Spain"],"affiliations":[{"raw_affiliation_string":"VRAIN, Universitat Polit\u00e8cnica de Val\u00e8ncia, Spain","institution_ids":["https://openalex.org/I60053951"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5045038015","display_name":"Jose Luis Mart\u00edn-Navarro","orcid":"https://orcid.org/0000-0002-4503-4189"},"institutions":[{"id":"https://openalex.org/I60053951","display_name":"Universitat Polit\u00e8cnica de Val\u00e8ncia","ror":"https://ror.org/01460j859","country_code":"ES","type":"education","lineage":["https://openalex.org/I60053951"]}],"countries":["ES"],"is_corresponding":false,"raw_author_name":"Jose Luis Martin-Navarro","raw_affiliation_strings":["Aalto University, Finland; VRAIN, Universitat Polit\u00e8cnica de Val\u00e8ncia, Spain"],"affiliations":[{"raw_affiliation_string":"Aalto University, Finland; VRAIN, Universitat Polit\u00e8cnica de Val\u00e8ncia, Spain","institution_ids":["https://openalex.org/I60053951"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5018362923","display_name":"Rongjun Ma","orcid":"https://orcid.org/0000-0001-7298-7762"},"institutions":[{"id":"https://openalex.org/I9927081","display_name":"Aalto University","ror":"https://ror.org/020hwjq30","country_code":"FI","type":"education","lineage":["https://openalex.org/I9927081"]}],"countries":["FI"],"is_corresponding":false,"raw_author_name":"Rongjun Ma","raw_affiliation_strings":["Aalto University, Finland"],"affiliations":[{"raw_affiliation_string":"Aalto University, Finland","institution_ids":["https://openalex.org/I9927081"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5052525506","display_name":"Jos\u00e9 M. Such","orcid":"https://orcid.org/0000-0002-6041-178X"},"institutions":[{"id":"https://openalex.org/I4210117240","display_name":"Instituto de Gesti\u00f3n de la Innovaci\u00f3n y del Conocimiento","ror":"https://ror.org/02rgtxm82","country_code":"ES","type":"facility","lineage":["https://openalex.org/I134820265","https://openalex.org/I4210117240","https://openalex.org/I60053951"]},{"id":"https://openalex.org/I60053951","display_name":"Universitat Polit\u00e8cnica de Val\u00e8ncia","ror":"https://ror.org/01460j859","country_code":"ES","type":"education","lineage":["https://openalex.org/I60053951"]}],"countries":["ES"],"is_corresponding":false,"raw_author_name":"Jose Such","raw_affiliation_strings":["INGENIO (CSIC-Universitat Polit\u00e8cnica de Val\u00e8ncia), Spain"],"affiliations":[{"raw_affiliation_string":"INGENIO (CSIC-Universitat Polit\u00e8cnica de Val\u00e8ncia), Spain","institution_ids":["https://openalex.org/I60053951","https://openalex.org/I4210117240"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":4,"corresponding_author_ids":["https://openalex.org/A5073700898"],"corresponding_institution_ids":["https://openalex.org/I60053951"],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":true,"cited_by_count":0,"citation_normalized_percentile":{"value":0.23475713,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":"2026","issue":"1","first_page":"273","last_page":"295"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10883","display_name":"Ethics and Social Impacts of AI","score":0.10899999737739563,"subfield":{"id":"https://openalex.org/subfields/3311","display_name":"Safety Research"},"field":{"id":"https://openalex.org/fields/33","display_name":"Social Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}},"topics":[{"id":"https://openalex.org/T10883","display_name":"Ethics and Social Impacts of AI","score":0.10899999737739563,"subfield":{"id":"https://openalex.org/subfields/3311","display_name":"Safety Research"},"field":{"id":"https://openalex.org/fields/33","display_name":"Social Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}},{"id":"https://openalex.org/T11986","display_name":"Scientific Computing and Data Management","score":0.10559999942779541,"subfield":{"id":"https://openalex.org/subfields/1802","display_name":"Information Systems and Management"},"field":{"id":"https://openalex.org/fields/18","display_name":"Decision Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}},{"id":"https://openalex.org/T11636","display_name":"Artificial Intelligence in Healthcare and Education","score":0.06939999759197235,"subfield":{"id":"https://openalex.org/subfields/2718","display_name":"Health Informatics"},"field":{"id":"https://openalex.org/fields/27","display_name":"Medicine"},"domain":{"id":"https://openalex.org/domains/4","display_name":"Health Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/traceability","display_name":"Traceability","score":0.8273000121116638},{"id":"https://openalex.org/keywords/transparency","display_name":"Transparency (behavior)","score":0.7932000160217285},{"id":"https://openalex.org/keywords/information-privacy","display_name":"Information privacy","score":0.6481999754905701},{"id":"https://openalex.org/keywords/privacy-policy","display_name":"Privacy policy","score":0.6136000156402588},{"id":"https://openalex.org/keywords/personally-identifiable-information","display_name":"Personally identifiable information","score":0.5485000014305115},{"id":"https://openalex.org/keywords/data-sharing","display_name":"Data sharing","score":0.5392000079154968},{"id":"https://openalex.org/keywords/privacy-by-design","display_name":"Privacy by Design","score":0.5159000158309937},{"id":"https://openalex.org/keywords/privacy-software","display_name":"Privacy software","score":0.5062000155448914},{"id":"https://openalex.org/keywords/data-protection-act-1998","display_name":"Data Protection Act 1998","score":0.40860000252723694}],"concepts":[{"id":"https://openalex.org/C153876917","wikidata":"https://www.wikidata.org/wiki/Q899704","display_name":"Traceability","level":2,"score":0.8273000121116638},{"id":"https://openalex.org/C2780233690","wikidata":"https://www.wikidata.org/wiki/Q535347","display_name":"Transparency (behavior)","level":2,"score":0.7932000160217285},{"id":"https://openalex.org/C108827166","wikidata":"https://www.wikidata.org/wiki/Q175975","display_name":"Internet privacy","level":1,"score":0.6740000247955322},{"id":"https://openalex.org/C123201435","wikidata":"https://www.wikidata.org/wiki/Q456632","display_name":"Information privacy","level":2,"score":0.6481999754905701},{"id":"https://openalex.org/C102938260","wikidata":"https://www.wikidata.org/wiki/Q1999831","display_name":"Privacy policy","level":3,"score":0.6136000156402588},{"id":"https://openalex.org/C169093310","wikidata":"https://www.wikidata.org/wiki/Q3702971","display_name":"Personally identifiable information","level":2,"score":0.5485000014305115},{"id":"https://openalex.org/C2779965156","wikidata":"https://www.wikidata.org/wiki/Q5227350","display_name":"Data sharing","level":3,"score":0.5392000079154968},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.5375999808311462},{"id":"https://openalex.org/C193934123","wikidata":"https://www.wikidata.org/wiki/Q7246028","display_name":"Privacy by Design","level":3,"score":0.5159000158309937},{"id":"https://openalex.org/C509729295","wikidata":"https://www.wikidata.org/wiki/Q7246032","display_name":"Privacy software","level":3,"score":0.5062000155448914},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.5008000135421753},{"id":"https://openalex.org/C69360830","wikidata":"https://www.wikidata.org/wiki/Q1172237","display_name":"Data Protection Act 1998","level":2,"score":0.40860000252723694},{"id":"https://openalex.org/C175968658","wikidata":"https://www.wikidata.org/wiki/Q839447","display_name":"Privacy laws of the United States","level":3,"score":0.3416000008583069},{"id":"https://openalex.org/C2988145974","wikidata":"https://www.wikidata.org/wiki/Q620615","display_name":"Mobile apps","level":2,"score":0.3296000063419342},{"id":"https://openalex.org/C144133560","wikidata":"https://www.wikidata.org/wiki/Q4830453","display_name":"Business","level":0,"score":0.31119999289512634},{"id":"https://openalex.org/C10511746","wikidata":"https://www.wikidata.org/wiki/Q899388","display_name":"Data security","level":3,"score":0.30799999833106995},{"id":"https://openalex.org/C47487241","wikidata":"https://www.wikidata.org/wiki/Q5227230","display_name":"Data access","level":2,"score":0.3046000003814697},{"id":"https://openalex.org/C133462117","wikidata":"https://www.wikidata.org/wiki/Q4929239","display_name":"Data collection","level":2,"score":0.303600013256073},{"id":"https://openalex.org/C3017597292","wikidata":"https://www.wikidata.org/wiki/Q25052250","display_name":"Privacy protection","level":2,"score":0.30160000920295715},{"id":"https://openalex.org/C141972696","wikidata":"https://www.wikidata.org/wiki/Q1247836","display_name":"Privacy law","level":4,"score":0.29670000076293945},{"id":"https://openalex.org/C154908896","wikidata":"https://www.wikidata.org/wiki/Q2167404","display_name":"Security policy","level":2,"score":0.2824000120162964},{"id":"https://openalex.org/C17231256","wikidata":"https://www.wikidata.org/wiki/Q5156540","display_name":"Completeness (order theory)","level":2,"score":0.2782999873161316},{"id":"https://openalex.org/C33762810","wikidata":"https://www.wikidata.org/wiki/Q461671","display_name":"Data integrity","level":2,"score":0.2727000117301941},{"id":"https://openalex.org/C3090818","wikidata":"https://www.wikidata.org/wiki/Q1172506","display_name":"General Data Protection Regulation","level":3,"score":0.2718999981880188},{"id":"https://openalex.org/C2522767166","wikidata":"https://www.wikidata.org/wiki/Q2374463","display_name":"Data science","level":1,"score":0.2689000070095062},{"id":"https://openalex.org/C178005623","wikidata":"https://www.wikidata.org/wiki/Q308859","display_name":"Anonymity","level":2,"score":0.2565999925136566}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.56553/popets-2026-0015","is_oa":true,"landing_page_url":"https://doi.org/10.56553/popets-2026-0015","pdf_url":"https://petsymposium.org/popets/2026/popets-2026-0015.pdf","source":{"id":"https://openalex.org/S4210183172","display_name":"Proceedings on Privacy Enhancing Technologies","issn_l":"2299-0984","issn":["2299-0984"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310320322","host_organization_name":"De Gruyter Open","host_organization_lineage":["https://openalex.org/P4310320322","https://openalex.org/P4310313990"],"host_organization_lineage_names":["De Gruyter Open","De Gruyter"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings on Privacy Enhancing Technologies","raw_type":"journal-article"}],"best_oa_location":{"id":"doi:10.56553/popets-2026-0015","is_oa":true,"landing_page_url":"https://doi.org/10.56553/popets-2026-0015","pdf_url":"https://petsymposium.org/popets/2026/popets-2026-0015.pdf","source":{"id":"https://openalex.org/S4210183172","display_name":"Proceedings on Privacy Enhancing Technologies","issn_l":"2299-0984","issn":["2299-0984"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310320322","host_organization_name":"De Gruyter Open","host_organization_lineage":["https://openalex.org/P4310320322","https://openalex.org/P4310313990"],"host_organization_lineage_names":["De Gruyter Open","De Gruyter"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings on Privacy Enhancing Technologies","raw_type":"journal-article"},"sustainable_development_goals":[],"awards":[{"id":"https://openalex.org/G6575735838","display_name":null,"funder_award_id":"CIPROM/2023/2","funder_id":"https://openalex.org/F4320321864","funder_display_name":"Generalitat Valenciana"}],"funders":[{"id":"https://openalex.org/F4320321864","display_name":"Generalitat Valenciana","ror":"https://ror.org/0097mvx21"},{"id":"https://openalex.org/F4320327970","display_name":"Instituto Nacional de Ciberseguridad","ror":null}],"has_content":{"pdf":true,"grobid_xml":true},"content_urls":{"pdf":"https://content.openalex.org/works/W7125652705.pdf","grobid_xml":"https://content.openalex.org/works/W7125652705.grobid-xml"},"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"The":[0],"rapid":[1],"growth":[2],"of":[3,27,49,56,76,102,108,117,167],"platforms":[4],"for":[5,138],"customizing":[6],"Large":[7],"Language":[8],"Models":[9],"(LLMs),":[10],"such":[11,157],"as":[12,80,82,158],"OpenAI\u2019s":[13,50],"GPTs,":[14],"has":[15],"raised":[16],"new":[17],"privacy":[18,39,94,119,132,162,169],"and":[19,41,59,85,91,134,141,164,186,192],"security":[20],"concerns,":[21],"particularly":[22],"related":[23],"to":[24,68,183],"the":[25,54,60,74,83,106,136],"exposure":[26],"user":[28,77],"data":[29,42,78,89],"via":[30],"third-party":[31],"API":[32,66,103],"integrations":[33],"in":[34,144],"LLM":[35],"apps.":[36],"To":[37],"assess":[38],"risks":[40,133],"practices,":[43],"we":[44,71,149,175],"conducted":[45],"a":[46,165],"large-scale":[47],"analysis":[48,55],"GPTs":[51,58],"ecosystem.":[52],"Through":[53],"5,286":[57],"44,102":[61],"parameters":[62,104],"they":[63],"use":[64],"through":[65],"calls":[67],"external":[69],"services,":[70],"systematically":[72],"investigated":[73],"types":[75],"collected,":[79],"well":[81],"completeness":[84],"discrepancies":[86],"between":[87],"actual":[88],"flows":[90],"GPTs\u2019":[92],"stated":[93],"policies.":[95],"Our":[96],"results":[97],"highlight":[98],"that":[99,179],"approximately":[100],"35%":[101],"enable":[105],"sharing":[107],"sensitive":[109],"or":[110,160],"personally":[111],"identifiable":[112],"information,":[113],"yet":[114],"only":[115],"15%":[116],"corresponding":[118],"policies":[120,163],"provide":[121],"complete":[122],"disclosure.":[123],"By":[124],"quantifying":[125],"these":[126,173],"discrepancies,":[127],"our":[128],"study":[129],"exposes":[130],"critical":[131],"underscores":[135],"need":[137],"stronger":[139],"oversight":[140],"support":[142],"tools":[143],"LLM-based":[145],"application":[146],"development.":[147],"Furthermore,":[148],"uncover":[150],"widespread":[151],"problematic":[152],"practices":[153],"among":[154],"GPT":[155],"creators,":[156],"missing":[159],"inaccurate":[161],"misunderstanding":[166],"their":[168],"responsibilities.":[170],"Building":[171],"on":[172],"insights,":[174],"propose":[176],"design":[177],"recommendations":[178],"include":[180],"actionable":[181],"measurements":[182],"improve":[184],"transparency":[185],"informed":[187],"consent,":[188],"enhance":[189],"creator":[190],"responsibility,":[191],"strengthen":[193],"regulation.":[194]},"counts_by_year":[],"updated_date":"2026-03-22T08:09:32.410652","created_date":"2026-01-26T00:00:00"}