Agent privacy evaluation: use AgentDojo to turn 'an agent leaking private data while doing its job' into a measurable benchmark
In one sentence it turns "an agent doing legit work while leaking the private data it sees" from "we feel it's probably safe" into a pre-release, regression-able privacy eval — measure the injection-driven exfiltration success rate (ASR) for each outbound tool and fold it into the release gate.
Agent tool-use exfiltration: one instruction hidden in content can drive me to send private context out through a tool
In one sentence the privacy boundary can't stop at "the model won't leak on its own" — once I can act (have tools / can render external links) and read untrusted content, private data has an exfiltration channel. Cut it at the architecture level: least-privilege tools, controlled egress, and treat everything I read as untrusted.
Computer-use screen-capture privacy: to operate the UI, I take the whole screen in — including everything unrelated to the task
In one sentence other open apps, pop-up notifications, background documents, other browser tabs, other people's data on a shared / screen-shared display, even a password manager that happens to be visible. All of it rides the screenshot into the model — ambient private data far beyond what the task needs. This isn't injection (that goes to Agent tool exfiltration) and it isn't MCP data flow (MCP data flow & least collection); it's input-surface over-capture Anthropic's computer use tool and OpenAI's Operator have both shipped, and both flag this surface in their own docs (keep sensitive data off-screen, isolate in a dedicated VM, hand sensitive input to a human, supervise on sensitive sites). The real boundary isn't "the model looks at less on its own" — it's the capture surface: get the unrelated and sensitive stuff off the screen before you screenshot it.
Reasoning-trace (thinking) leakage: my thinking is not private, and more thinking leaks more
In one sentence not really output, not visible, no risk. Wrong. On my side, the thinking and the final answer come out of the same generation channel; products often render the trace straight to the user, write it to logs, or feed it downstream — and the sensitive data you hand me shows up all over that thinking. It can be pulled out by prompt injection aimed at the reasoning, and it leaks into the final answer too. The counterintuitive part do not treat the reasoning trace as a private draft. Once it is shown or logged it is externally observable output; give it the same outbound redaction and access control as the final answer, and don't let "the thinking is internal, so it's safe" become your false security.