Log in Sign up

Rethinking Visual Privacy: A Compositional Privacy Risk Framework for Severity Assessment with VLMs

cs.CV Efthymios Tsaprazlis, Tiantian Feng, Anil Ramakrishna, Sai Praneeth Karimireddy, Rahul Gupta, Shrikanth Narayanan · Mar 23, 2026
Local to this browser
arXiv PDF
What it does
Existing visual privacy benchmarks treat privacy as a binary property, but this work argues that privacy is fundamentally compositional: benign attributes in isolation can combine to create severe violations. The authors introduce the...
Why it matters
The authors introduce the Compositional Privacy Risk Taxonomy (CPRT), a four-level framework aligned with regulations like GDPR and HIPAA that assigns continuous severity scores based on attribute interactions. They construct a dataset of...
Main concern
The paper presents a well-motivated and formally grounded framework for compositional privacy risk assessment. The CPRT taxonomy and lexicographic scoring function provide a principled alternative to binary classification, backed by legal...
Community signal
0
0 up · 0 down
Sign in to vote with arrows
AI Review AI reviewed
Plain-language introduction

Existing visual privacy benchmarks treat privacy as a binary property, but this work argues that privacy is fundamentally compositional: benign attributes in isolation can combine to create severe violations. The authors introduce the Compositional Privacy Risk Taxonomy (CPRT), a four-level framework aligned with regulations like GDPR and HIPAA that assigns continuous severity scores based on attribute interactions. They construct a dataset of 6,736 images annotated for 22 privacy attributes and evaluate frontier vision-language models, finding that while structured taxonomic guidance improves alignment, models systematically underestimate composition-driven risks.

Critical review
Verdict
Bottom line

The paper presents a well-motivated and formally grounded framework for compositional privacy risk assessment. The CPRT taxonomy and lexicographic scoring function provide a principled alternative to binary classification, backed by legal alignment and mathematical properties like strict dominance. However, the reliance on automated model-based annotation for ground-truth generation—validated on only 65 images—introduces concerns about circular evaluation and ground-truth fidelity that limit the strength of its empirical conclusions.

“Human inter-annotator agreement reaches 87.4% (Cohen's κ=0.652), indicating moderate to high agreement.”
paper · Section 4.1
What holds up

The taxonomy structure is well-articulated and legally grounded, mapping cleanly to GDPR Articles 4 and 9, HIPAA, and the EU AI Act. The decision tree for attribute classification (Q1–Q4) offers clear operational criteria. The scoring function satisfies provable properties including lexicographic dominance—where $w=(330,30,5,1)$ ensures any Level 1 attribute outweighs all combinations of lower levels—and complete coverage of the $[0,1]$ interval. The experimental design comparing zero-shot, intuition, and taxonomy-guided prompting effectively isolates the impact of structural scaffolding on model performance.

“weights w=(330,30,5,1) satisfy the lexicographic constraint, ensuring any Li attribute outweighs all Lj>i combinations”
paper · Section 3.3
“Higher levels correspond to categories explicitly recognized as high-risk. For example, GDPR Art. 9 (special categories of personal data) maps directly to the upper levels of our taxonomy”
paper · Section 3.4
Main concerns

The primary limitation is the circularity risk in using frontier models (GPT-5.1 and Gemini 3 Flash) to generate ground-truth annotations, then evaluating these same models against that ground truth. Human validation covers only 65 images (17 participants), leaving the vast majority of the 6,736-image dataset unverified by human judgment. The scoring function assumes uniform atomic contribution within levels, which the authors acknowledge may not reflect reality where certain attribute combinations exhibit stronger synergistic effects. Additionally, the dataset derives from VISPR, potentially inheriting its biases and limiting demographic diversity.

“we conduct a human validation study on 65 randomly sampled images, with 2–3 annotators per image”
paper · Section 4.1
“Our scoring mechanism assumes uniform contribution among attributes within the same severity level. In practice, attributes within a level may differ substantially in identifying power, and certain combinations may exhibit stronger synergistic effects than others.”
paper · Section 6
Evidence and comparison

The comparison to prior work correctly identifies that benchmarks like VISPR and PrivBench rely on binary labels or maximum-attribute heuristics that ignore compositional effects. The evidence supports the claim that frontier models (Gemini 3 Flash, GPT-5.2) achieve strong alignment under taxonomy-guided prompting ($\rho=0.872$, $r=0.884$ for Gemini). However, the narrative that smaller models "struggle" is somewhat undermined by their own result showing an 8B SFT model approaches frontier performance, suggesting the capability gap is surmountable with modest computational resources rather than requiring massive scale.

“Gemini 3 Flash: Spearman 0.872, Pearson 0.884 under Taxonomy prompting”
paper · Table 3
“an 8B-parameter model (Qwen3-VL) approaches frontier-level performance under taxonomy prompting, suggesting that compositional privacy reasoning can be distilled for edge deployment”
paper · Section 5.4
Reproducibility

The paper provides concrete hyperparameters for SFT (LoRA rank 64, batch size 128, learning rate $[10^{-5}, 2\times 10^{-5}]$, 5 epochs) and specifies inference settings (temperature 0, vLLM for open models). However, explicit commitments to release the annotated dataset, code, or model weights are absent from the text, which would block independent reproduction. The reliance on proprietary APIs (GPT-5.2, Gemini 3 Flash) for both annotation and evaluation creates a dependency on external services whose versions and availability may change. The boundary extraction method using ordinal triplet loss and Inverse Distance Weighting is described in sufficient detail to replicate.

“All models are fine-tuned using low-rank adaptation (LoRA) with rank 64 and batch size 128. The learning rate is set in the range $[10^{-5},2\times 10^{-5}]$”
paper · Appendix E
“temperature fixed to 0 for deterministic generation”
paper · Section 4.3
Abstract

Existing visual privacy benchmarks largely treat privacy as a binary property, labeling images as private or non-private based on visible sensitive content. We argue that privacy is fundamentally compositional. Attributes that are benign in isolation may combine to produce severe privacy violations. We introduce the Compositional Privacy Risk Taxonomy (CPRT), a regulation-aware framework that organizes visual attributes according to standalone identifiability and compositional harm potential. CPRT defines four graded severity levels and is paired with an interpretable scoring function that assigns continuous privacy severity scores. We further construct a taxonomy-aligned dataset of 6.7K images and derive ground-truth compositional risk scores. By evaluating frontier and open-weight VLMs we find that frontier models align well with compositional severity when provided structured guidance, but systematically underestimate composition-driven risks. Smaller models struggle to internalize graded privacy reasoning. To bridge this gap, we introduce a deployable 8B supervised fine-tuned (SFT) model that closely matches frontier-level performance on compositional privacy assessment.

Challenge the Review

Pick a starting point or write your own. Challenges run in the background, so you can keep reading while the AI investigates.

Log in to challenge Create account

No challenges yet. Disagree with the review? Ask the AI to revisit a specific claim.