[Paper] Agentic LLMs as Powerful Deanonymizers: Re-identification of Participants in the Anthropic Interviewer Dataset

Published: January 9, 2026 at 11:32 AM EST
4 min read
Source: arXiv - 2601.05918v1

Overview

A recent study demonstrates that today’s large language models (LLMs) equipped with web‑search and “agentic” capabilities can de‑anonymize participants in publicly released interview datasets. Using only off‑the‑shelf tools and a handful of natural‑language prompts, the author re‑identified six scientists from the Anthropic Interviewer dataset, linking their interview excerpts to specific publications and, in some cases, pinpointing the exact individual. The work highlights a new, low‑effort privacy risk that emerges as LLM‑driven agents become commonplace.

Key Contributions

  • Proof‑of‑concept deanonymization: Shows that generic LLM agents can match interview excerpts to real‑world scholarly works, achieving a 25 % success rate on a small scientist subset.
  • Low‑effort attack pipeline: Describes a step‑by‑step, prompt‑driven workflow that requires no custom model training or specialized tooling.
  • Threat model for qualitative datasets: Extends privacy‑risk discussions from static text releases to dynamic, LLM‑accessible data assets.
  • Mitigation recommendations: Proposes practical safeguards (e.g., structured redaction, differential privacy, controlled API access) tailored to the capabilities of modern LLM agents.
  • Open research agenda: Identifies gaps in current anonymization standards and calls for systematic evaluation of agentic LLMs as adversarial actors.

Methodology

  1. Dataset selection: Focused on the 125‑interview “scientist” slice of Anthropic’s public interview corpus (1,250 total interviews).
  2. Prompt engineering: Crafted concise natural‑language prompts that ask an LLM agent (e.g., GPT‑4o with web‑search) to extract identifiable clues (research topics, project names, affiliations) from each interview.
  3. Web search & cross‑referencing: The agent automatically runs search queries, parses result snippets, and builds candidate matches to known publications or author profiles.
  4. Scoring & ranking: Simple heuristics (keyword overlap, date consistency, co‑author networks) are used to rank candidate matches.
  5. Manual verification: The top‑ranked candidates are inspected by the researcher to confirm whether the match is plausible or unique.

The entire pipeline runs in under an hour on a standard laptop with API access to a commercial LLM, illustrating that sophisticated privacy attacks no longer require deep expertise.

Results & Findings

  • Successful re‑identifications: 6 out of 24 examined scientist interviews (25 %) were linked to specific papers, revealing the interviewee’s name and institution.
  • High confidence matches: In 3 cases the evidence (unique project titles, specific grant numbers) made the identification unambiguous.
  • Low false‑positive rate: Manual review showed that the majority of top‑ranked candidates were either correct or clearly unrelated, indicating the approach’s precision.
  • Bypassing safeguards: Existing anonymization (removing explicit names) was insufficient because the LLM could piece together indirect cues (e.g., “our work on X‑ray crystallography at Y‑University”).

These findings suggest that the barrier to deanonymizing qualitative data has dropped dramatically with the rise of agentic LLMs.

Practical Implications

  • Data publishers must rethink release policies: Simply stripping names is no longer enough; developers should consider limiting web‑search capabilities or providing “sandboxed” LLM access for downstream users.
  • API design for privacy‑sensitive corpora: Platforms that expose LLM agents (e.g., Anthropic’s Interviewer) may need to enforce query‑rate limits, content‑filtering, or provenance tracking to detect suspicious probing.
  • Compliance and legal risk: Organizations releasing interview data could inadvertently violate GDPR or CCPA if re‑identification becomes feasible, exposing them to fines and reputational damage.
  • Tooling for developers: The attack can be replicated with publicly available SDKs, meaning security teams should incorporate LLM‑agent threat modeling into their privacy‑by‑design workflows.
  • Opportunity for defensive AI: The same agentic capabilities can be repurposed to automatically audit datasets for residual identifiers before publication.
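The two defensive recommendations above, structured redaction (from the Key Contributions list) and auditing a dataset for residual identifiers before publication, can be approximated with a deterministic pre-release scanner. The following is an added example, not code from the paper or from Anthropic: it looks for the kinds of cues the summary names as linkable (institution names, grant numbers, unique project titles, and a specific topic tied to an institution, as in "our work on X‑ray crystallography at Y‑University"), scores each excerpt, and emits a copy with structured placeholders. The regex shapes, institution keywords, weights, thresholds and sample excerpts are all constructed assumptions for illustration; a real audit would pair rules like these with a maintained institution gazetteer and a human review of anything flagged.

```python
"""Pre-publication audit of interview excerpts for residual quasi-identifiers.

Added example, not code from the paper or from Anthropic. It approximates the
"structured redaction" and "audit for residual identifiers" recommendations
with deterministic rules. Every pattern, keyword, weight and sample excerpt
below is a constructed assumption for illustration only.
"""
import re
from dataclasses import dataclass

# Cue types treated as linkable. Institution detection is case-sensitive and
# keyword-based (assumption); a real audit would use a maintained gazetteer.
INSTITUTION_RE = re.compile(
    r"\b(?:University of (?:[A-Z][\w'-]*\s?){1,3}"
    r"|(?:[A-Z][\w'-]*\s+){0,3}(?:University|Institute|Laboratory|College)"
    r"(?: (?:for|of) (?:[A-Z][\w'-]*\s?){1,3})?)"
)
# Funding identifier after the word "grant"/"award" (constructed shape).
GRANT_RE = re.compile(
    r"\b(?:grant|award)\s+(?:no\.?\s*|number\s+|#\s*)?([A-Z]{1,3}-?\d{5,}[A-Z0-9-]*)\b",
    re.IGNORECASE,
)
# A quoted phrase of title length is treated as a possible unique project title.
TITLE_RE = re.compile(r'["“]([^"”]{8,100})["”]')
# "work on <topic> at <Institution>": the topic+affiliation pairing the paper
# describes as enough to re-identify someone even with names stripped.
TOPIC_AT_RE = re.compile(
    r"\b(?:work|research|project|experiments?)\s+on\s+([\w -]{3,60}?)\s+at\s+(?=[A-Z])"
)

WEIGHTS = {"INSTITUTION": 3, "GRANT_ID": 5, "PROJECT_TITLE": 4, "TOPIC_AT_INSTITUTION": 3}
REDACT_KINDS = {"INSTITUTION", "GRANT_ID", "PROJECT_TITLE"}  # topic itself is kept


@dataclass(frozen=True)
class Finding:
    kind: str
    text: str
    start: int
    end: int


@dataclass
class AuditResult:
    findings: list
    risk: int
    level: str      # "none" | "review" | "redact"
    redacted: str


def find_quasi_identifiers(text: str) -> list:
    """Return all cue spans found in one excerpt, sorted by position."""
    found = []
    for m in INSTITUTION_RE.finditer(text):
        hit = m.group(0).rstrip()  # drop whitespace the pattern may trail with
        found.append(Finding("INSTITUTION", hit, m.start(), m.start() + len(hit)))
    for m in GRANT_RE.finditer(text):
        found.append(Finding("GRANT_ID", m.group(1), m.start(1), m.end(1)))
    for m in TITLE_RE.finditer(text):
        found.append(Finding("PROJECT_TITLE", m.group(1), m.start(1), m.end(1)))
    for m in TOPIC_AT_RE.finditer(text):
        found.append(Finding("TOPIC_AT_INSTITUTION", m.group(1), m.start(1), m.end(1)))
    return sorted(found, key=lambda f: f.start)


def risk_score(findings) -> int:
    return sum(WEIGHTS[f.kind] for f in findings)


def risk_level(score: int) -> str:
    """Constructed thresholds: 0 -> none, 1-3 -> human review, 4+ -> redact."""
    if score == 0:
        return "none"
    return "review" if score < 4 else "redact"


def redact(text: str, findings) -> str:
    """Replace redactable spans with [KIND] placeholders, right to left so
    earlier offsets stay valid; overlapping spans are skipped."""
    out = text
    cursor = len(text)
    for f in sorted(findings, key=lambda f: f.start, reverse=True):
        if f.kind not in REDACT_KINDS or f.end > cursor:
            continue
        out = out[:f.start] + f"[{f.kind}]" + out[f.end:]
        cursor = f.start
    return out


def audit(text: str) -> AuditResult:
    findings = find_quasi_identifiers(text)
    score = risk_score(findings)
    return AuditResult(findings, score, risk_level(score), redact(text, findings))


def audit_corpus(excerpts) -> list:
    return [audit(t) for t in excerpts]


# Constructed sample excerpts (not from the real dataset).
SAMPLE_EXCERPTS = [
    'Our work on X-ray crystallography at Northbridge University was funded by '
    'grant no. AB-123456, and we published it as "Lattice Defects in Synthetic '
    'Zeolites" last year.',
    "I mostly spend my time writing code and mentoring students; the experiments "
    "are fairly routine.",
    "I joined the Institute for Coastal Modeling in 2019 to work on sediment transport.",
]

if __name__ == "__main__":
    for i, r in enumerate(audit_corpus(SAMPLE_EXCERPTS)):
        print(f"excerpt {i}: risk={r.risk} level={r.level}")
        for f in r.findings:
            print(f"  {f.kind:<22} {f.text!r}")
        print(f"  redacted: {r.redacted}")
```

The combination finding deliberately adds weight without redacting the topic: the research subject is the data's value, while the affiliation, funding id and title are what turn it into a searchable fingerprint. Anything at the "review" level is a judgment call a human should make, which mirrors the manual verification step the paper itself needed on the attacking side.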

Limitations & Future Work

  • Small sample size: The study examined only 24 scientist interviews; broader evaluation across diverse domains (e.g., medical, legal) is needed to gauge generalizability.
  • Reliance on current LLM APIs: Results may vary with different model providers or future updates that improve factual grounding or privacy filters.
  • Manual verification step: While the automated pipeline is low‑effort, final confirmation still required human judgment; fully autonomous attacks remain an open challenge.
  • Mitigation effectiveness not empirically tested: Proposed safeguards are conceptual; systematic experiments are required to measure their impact on both privacy and data utility.

Future research directions include building benchmark suites for deanonymization resistance, exploring adversarial training of LLM agents to recognize privacy‑sensitive queries, and developing standards for “agent‑aware” data publishing.

Authors

  • Tianshi Li

Paper Information

  • arXiv ID: 2601.05918v1
  • Categories: cs.CR, cs.AI, cs.CY
  • Published: January 9, 2026
  • PDF: Download PDF