PIIGuard: Webpage-Level Defense Against PII Harvesting by LLM Assistants
A new protective system called PIIGuard has been created by researchers to safeguard personally identifiable information (PII) from being extracted by browsing-capable LLM assistants. Unlike earlier protective measures that functioned at the model, service, or agent levels, PIIGuard works directly at the webpage level by utilizing indirect prompt injection. Website owners can insert specially designed hidden HTML fragments that prevent LLMs from revealing or reconstructing contact PII. The mechanism assesses leakage through rule-based scoring, evolutionary mutation, and a final recoverability evaluation. In tests involving three models—GPT-5.4-nano, Claude-haiku-4.5, and DeepSeek-chat (latest v3.2)—PIIGuard demonstrated a defense success rate of at least 97.0%. This solution provides a practical way for website owners to protect against PII harvesting without altering LLM or service frameworks.
Key facts
- PIIGuard is a webpage-level defense against PII harvesting by LLM assistants.
- It repurposes indirect prompt injection as a protective mechanism.
- Page owners embed optimized hidden HTML fragments to steer LLMs away from disclosing contact PII.
- The system uses rule-based leakage scoring, evolutionary mutation, and judge-based recoverability assessment.
- Evaluated on GPT-5.4-nano, Claude-haiku-4.5, and DeepSeek-chat (latest v3.2).
- Achieved at least 97.0% defense success in direct-HTML evaluation.
- Prior defenses are deployed at model, service, or agent layer, not at the webpage.
- PIIGuard is designed for ordinary page owners with limited deployable options.
Entities
—