The Good and The Bad: Exploring Privacy Issues in Retrieval-Augmented Generation (RAG)
About
Retrieval-augmented generation (RAG) is a powerful technique to facilitate language model with proprietary and private data, where data privacy is a pivotal concern. Whereas extensive research has demonstrated the privacy risks of large language models (LLMs), the RAG technique could potentially reshape the inherent behaviors of LLM generation, posing new privacy issues that are currently under-explored. In this work, we conduct extensive empirical studies with novel attack methods, which demonstrate the vulnerability of RAG systems on leaking the private retrieval database. Despite the new risk brought by RAG on the retrieval data, we further reveal that RAG can mitigate the leakage of the LLMs' training data. Overall, we provide new insights in this paper for privacy protection of retrieval-augmented LLMs, which benefit both LLMs and RAG systems builders. Our code is available at https://github.com/phycholosogy/RAG-privacy.
Related benchmarks
| Task | Dataset | Result | Rank | |
|---|---|---|---|---|
| Subgraph Reconstruction Attack | ENRON | Precision19.8 | 56 | |
| Subgraph Reconstruction Attack | HCM | Precision9.7 | 56 | |
| Data Extraction Attack | EHRAgent | Equality (EQ)14 | 20 | |
| Data Extraction Attack | ReAct | EQ13 | 20 | |
| Data Extraction Attack | RAP | Equality (EQ)12 | 20 | |
| Importance-based Node Leakage | Agriculture | Leakage (Degree)53.8 | 10 | |
| Graph Extraction Attack | M-GraphRAG Medical 1.0 (test) | Leak (Nodes)67.84 | 10 | |
| Importance-based Node Leakage | medical | Leakage (Deg)83.9 | 10 | |
| Graph Extraction Attack | Agriculture LightRAG 1.0 (test) | Leakage (N)37.49 | 5 | |
| Knowledge Base Extraction | ChatDoctor Pirates attack | CRR95 | 5 |