{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,26]],"date-time":"2026-01-26T05:35:03Z","timestamp":1769405703065,"version":"3.49.0"},"reference-count":0,"publisher":"Privacy Enhancing Technologies Symposium Advisory Board","issue":"1","license":[{"start":{"date-parts":[[2026,1,1]],"date-time":"2026-01-01T00:00:00Z","timestamp":1767225600000},"content-version":"unspecified","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["PoPETs"],"abstract":"<jats:p>Large language models have shown considerable abilities across many tasks, but their capacity to detect sensitive user information from text raises significant privacy concerns. While recent approaches have explored sanitizing text to hide private features, a deeper challenge remains: distinguishing true privacy preservation from deceptive transformations. In this paper, we investigate whether LLM-based sanitization reduces private feature leakage without misleading an adversary into confidently predicting incorrect labels. Using LLM as both sanitizer and adversary, we measure leakage using two entropy-based metrics: Empirical Average Objective Leakage (E-AOL) and Empirical Average Confidence Boost (E-ACB). These allow us to quantify not only how accurate adversarial predictions are, but also how confident they remain post-sanitization. We posit that deception, while reducing adversarial accuracy, will also increase confidence in incorrect inferences, and hence reduced accuracy alone should not be interpreted as true privacy. We show that while current LLMs can hide private features, their transformations sometimes cause deception. Finally, we evaluate the semantic utility of sanitized outputs using sentence embeddings, LLM-based similarity judgments, and standard metrics like BLEU and ROUGE. Our findings emphasize the importance of explicitly distinguishing between privacy and deception in LLM-based sanitization and provide a framework for evaluating this distinction under realistic adversarial conditions.<\/jats:p>","DOI":"10.56553\/popets-2026-0009","type":"journal-article","created":{"date-parts":[[2026,1,25]],"date-time":"2026-01-25T18:59:00Z","timestamp":1769367540000},"page":"154-174","source":"Crossref","is-referenced-by-count":0,"title":["Sanitization or Deception? Rethinking Privacy Protection in Large Language Models"],"prefix":"10.56553","volume":"2026","author":[{"given":"Bipin","family":"Paudel","sequence":"first","affiliation":[{"name":"Kansas State University"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Bishwas","family":"Mandal","sequence":"additional","affiliation":[{"name":"Kansas State University"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"George","family":"Amariucai","sequence":"additional","affiliation":[{"name":"Kansas State University"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Shuangqing","family":"Wei","sequence":"additional","affiliation":[{"name":"Louisiana State University"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"35752","published-online":{"date-parts":[[2026,1]]},"container-title":["Proceedings on Privacy Enhancing Technologies"],"original-title":[],"deposited":{"date-parts":[[2026,1,25]],"date-time":"2026-01-25T18:59:03Z","timestamp":1769367543000},"score":1,"resource":{"primary":{"URL":"https:\/\/petsymposium.org\/popets\/2026\/popets-2026-0009.php"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,1]]},"references-count":0,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2026,1]]}},"alternative-id":["10.56553\/popets-2026-0009"],"URL":"https:\/\/doi.org\/10.56553\/popets-2026-0009","relation":{},"ISSN":["2299-0984"],"issn-type":[{"value":"2299-0984","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,1]]}}}