
A cross‑institutional team from MemTensor (Shanghai), HONOR Device and Tongji University has proposed MemPrivacy, an edge-cloud architecture that keeps raw personal values off cloud memory systems while preserving those memories' usefulness for downstream reasoning. The authors released the work as an arXiv preprint and position MemPrivacy for production LLM agent deployments, where persistent cloud memory widens the exposure window for anything a user has ever said. The goal is to let cloud agents form and reuse contextual memories without ever holding the actual identifiers or sensitive values.
MemPrivacy implements local reversible pseudonymization: a lightweight on‑device component detects privacy‑sensitive spans in user text, classifies each span by type and sensitivity, and substitutes the original value with a structured, typed placeholder before any uplink. The device stores the original→placeholder mappings securely and persistently so the same original maps to the same placeholder across sessions, enabling consistent references without revealing raw values to cloud infrastructure.
The design runs as a three‑stage pipeline. Stage 1, Uplink Desensitization, performs on‑device span detection and substitution and produces sanitized text for transmission. Stage 2, Cloud Processing, sends that sanitized text with placeholders to cloud agents and memory systems so memory formation, retrieval, and indexing retain semantic structure while never containing raw PII. Stage 3, Downlink Restoration, returns sanitized outputs to the device and replaces placeholders with the original values via a local lookup and string replacement, adding only minimal latency to responses.
The paper contrasts MemPrivacy with simpler or heavier countermeasures. Naive masking (for example replacing values with ***) strips semantics and prevents useful cloud reasoning. Differential privacy and cryptographic protections can be difficult to integrate into interactive memory pipelines and often degrade response quality. The authors also cite prior attack studies that demonstrate multi‑turn memory and leakage attacks with reported success rates up to about 69% and 75%, underscoring practical exposure risks in current persistent‑memory setups.
For implementers, MemPrivacy changes integration points: teams must run a span detection and classification model on‑device, maintain a secure local mapping store, and design placeholders that carry sufficient type semantics for retrieval and indexing in vector databases and external memory systems. The approach aims to keep cloud logs, vector stores, and external memories free of raw identifiers while enabling personalized and coherent responses after local restoration.
To guide protection levels, the researchers propose a four‑level privacy taxonomy (PL1 to PL4). PL1 covers non‑identifying preferences and low‑risk stylistic data; PL2 covers identifiable PII such as names, emails, phone numbers and usernames; PL3 covers highly sensitive items like government IDs, financial and health records, biometrics and precise trajectories; PL4 is the highest protection tier. Full technical details and evaluations are available in the authors' arXiv preprint.
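The three‑stage pipeline (on‑device substitution, cloud processing of placeholder text, local restoration), the integration points listed for implementers, and the PL taxonomy can be exercised end to end in a few dozen lines. The following Python is an added illustration written for this article; it is not code from the preprint or from the MemPrivacy authors. It assumes a regex detector in place of the paper's on‑device span model, a JSON file in place of a platform keystore for the mapping store, a placeholder format of `[TYPE_n]`, and a policy (not stated in the text) that PL1 data passes through in the clear while PL2 and above are substituted; the user turns and the cloud reply are constructed samples. It also shows two things the article only implies: overlap resolution when a looser pattern (phone) matches a stricter one (government ID), and what to do with a placeholder the cloud invents that has no local mapping.

```python
import json
import os
import re
import tempfile
from pathlib import Path

# Hypothetical regex detector standing in for the on-device span detection and
# classification model; the preprint's actual detector is not reproduced here.
PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "PHONE": re.compile(r"\+?\b\d[\d -]{7,}\d\b"),
    "NAME": re.compile(r"\b(?:Mr|Ms|Dr)\.? [A-Z][a-z]+\b"),
}
# Protection level per span type, following the PL1-PL4 taxonomy in the article.
PROTECTION_LEVEL = {"NAME": 2, "EMAIL": 2, "PHONE": 2, "SSN": 3}
# Assumption (not stated in the text): PL1 stays in the clear, PL2+ is substituted.
MIN_LEVEL_TO_SUBSTITUTE = 2
PLACEHOLDER = re.compile(r"\[(?P<type>[A-Z]+)_(?P<n>\d+)\]")


class MappingStore:
    """On-device original -> placeholder map, persisted so the same value gets the
    same placeholder across sessions. JSON file here; assumption: a deployment
    would keep this in the platform keystore. It must never leave the device."""

    def __init__(self, path):
        self.path = Path(path)
        self.reverse = json.loads(self.path.read_text()) if self.path.exists() else {}
        self.forward = {(PLACEHOLDER.match(p)["type"], v): p for p, v in self.reverse.items()}

    def placeholder_for(self, span_type, value):
        key = (span_type, value)
        if key not in self.forward:
            n = sum(1 for t, _ in self.forward if t == span_type) + 1
            ph = f"[{span_type}_{n}]"
            self.forward[key] = ph
            self.reverse[ph] = value
            self.path.write_text(json.dumps(self.reverse))
        return self.forward[key]

    def value_for(self, placeholder):
        return self.reverse.get(placeholder)


def detect_spans(text):
    """Stage 1a: find candidate spans and resolve overlaps by start position,
    then higher PL, then length, so an SSN is not swallowed by the looser
    PHONE pattern. Returns (start, end, type, value) tuples in text order."""
    cands = [(m.start(), -PROTECTION_LEVEL[t], -(m.end() - m.start()), t, m.group())
             for t, pat in PATTERNS.items() for m in pat.finditer(text)]
    chosen, cursor = [], 0
    for start, neg_level, neg_len, t, val in sorted(cands):
        if start < cursor:
            continue  # overlaps a span already accepted
        if -neg_level >= MIN_LEVEL_TO_SUBSTITUTE:
            chosen.append((start, start - neg_len, t, val))
            cursor = start - neg_len
    return chosen


def desensitize(text, store):
    """Stage 1b (uplink desensitization): substitute typed placeholders on-device."""
    out, pos = [], 0
    for start, end, t, val in detect_spans(text):
        out.append(text[pos:start])
        out.append(store.placeholder_for(t, val))
        pos = end
    out.append(text[pos:])
    return "".join(out)


def restore(text, store):
    """Stage 3 (downlink restoration): local lookup and string replacement.
    Placeholders the cloud invented, with no mapping, are left as-is, not guessed."""
    return PLACEHOLDER.sub(lambda m: store.value_for(m.group()) or m.group(), text)


def leaks_raw_value(sanitized, store):
    """Uplink check: text bound for the cloud must contain none of the stored originals."""
    return any(v in sanitized for v in store.reverse.values())


def run_demo(store_path=None):
    """Two sessions against the same persisted store, then a cloud reply restored locally."""
    if store_path is None:
        store_path = os.path.join(tempfile.mkdtemp(), "memprivacy_map.json")
    # Constructed sample turns; Stage 2 (cloud side) only ever sees uplink1/uplink2.
    turn1 = "Email Dr. Alice at alice@example.com or call +1 415 555 0100. Her SSN is 123-45-6789."
    turn2 = "Remind me to email alice@example.com tomorrow."
    cloud_reply = "Sure, I will remind you to email [EMAIL_1] tomorrow; [EMAIL_2] is unknown to me."
    uplink1 = desensitize(turn1, MappingStore(store_path))  # session 1
    store2 = MappingStore(store_path)                        # session 2 reloads the map
    uplink2 = desensitize(turn2, store2)
    return {
        "uplink1": uplink1,
        "uplink2": uplink2,
        "leak": leaks_raw_value(uplink1, store2) or leaks_raw_value(uplink2, store2),
        "downlink": restore(cloud_reply, store2),
    }


if __name__ == "__main__":
    print(run_demo())
```

The second session reuses `[EMAIL_1]` for the same address because the store is reloaded from disk, which is what lets cloud-side retrieval link the two turns without seeing the address. The `leaks_raw_value` check is the kind of guard a team would wire into the uplink path during testing, since a detector miss is the failure mode that puts a raw value into a vector store permanently.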