URANIA: Differentially Private Insights into AI Use

Thank you for your review and recognition of our contribution. We address your feedback below:

Keyword Generation Challenges: We agree that improving keyword generation methods represents a key point for enhancing utility. The multi-stage pipeline complexity you mention is also inherent to achieving formal end-to-end privacy guarantees, but we acknowledge this creates optimization challenges that warrant further research. A particularly promising direction for future work would be developing more practical approaches that eliminate the dependency on keyword extraction altogether.

However, we note that our work prioritizes establishing rigorous privacy protections over pipeline efficiency optimization. While computational efficiency is important for practical deployment, our primary contribution is demonstrating that meaningful insights can be extracted from LLM conversations while maintaining formal differential privacy guarantees. Future work could focus on optimizing the computational aspects of our framework, potentially through more efficient DP algorithms or pipeline restructuring, once the fundamental privacy-utility tradeoffs are well-understood.

User-Level vs. Conversation-Level Privacy: This is an important distinction. Our current conversation-level approach assumes independence between conversations, which may not reflect real usage patterns. A straightforward extension to user-level DP would involve limiting the number of conversations per user and applying group privacy. While our current high-privacy regimes show significant utility degradation, making the additional privacy cost of group privacy challenging, we believe this limitation becomes more manageable at scale. When working with larger datasets, we can incorporate user-level methods (such as limiting conversations per user) with a proportionally smaller effect on utility. This represents a meaningful direction for future work that requires careful consideration of the privacy-utility tradeoffs.

Human Evaluation: We agree that human evaluation would strengthen our assessment. We will try to conduct small-scale human studies comparing purely LLM-based summary quality in future work.

Writing Improvements: We will combine Tables 1 and 2 as suggested and better integrate the metric descriptions with the results presentation. Thank you for the suggestion.

Hello Reviewer! The authors have posted a response to your review. Please respond, at least to let us know whether or not your views or score have changed. This will really help the ACs and PCs when we try to assess the paper and your review.

Thank you for your thoughtful review and recommendation for acceptance. We address your concerns below:

Topic Coverage Analysis: You correctly point out the need for stronger evidence regarding our interpretation of reduced topic coverage. In Table 1, while the number of private summaries decreases from 3,700 to 3,300 (first two rows), the topic coverage drops more dramatically from 0.723 to 0.461. But this statistic alone can not conclude that rare topics are influenced more. We will revise this discussion to be more precise about what our data actually shows.

For example; we would like to replace Line 315 - 317 by the following discussion: “Examining the transition from very low privacy (εc = 10.0) to low privacy (εc = 8.0) in Table 1, while the number of private summaries decreases modestly from 3,700 to 3,300 (an 11% reduction), topic coverage drops more dramatically from 0.723 to 0.461 (a 36% reduction). This disproportionate decline suggests that the DP clustering algorithm may systematically exclude certain conversation types even at this early privacy transition, though our current evaluation cannot determine which specific topics are affected. This sharp threshold effect raises important research questions about how different topic types respond to privacy constraints and whether alternative DP approaches might exhibit more gradual degradation."

Formal Privacy Guarantees vs. Practical Risks: We appreciate this broader perspective on privacy risks. You're correct that formal guarantees don't address all privacy concerns (e.g., centralized data collection, third-party model processing). However, we believe formal DP guarantees provide valuable complementary protection for the specific risk of information leakage through released summaries. While our empirical evaluation in Appendix E may seem limited, it conceptually demonstrates that even simple attacks may extract meaningful information from non-private pipelines. We view formal guarantees as one layer in a comprehensive privacy strategy, not a complete solution. We will add the discussion on other privacy concerns in our Discussion and Future Work Section.

Hello Reviewer! The authors have posted a response to your review. Please respond, at least to let us know whether or not your views or score have changed. This will really help the ACs and PCs when we try to assess the paper and your review.

We thank you for your thorough review and constructive feedback. We address your questions below:

1. Concrete Examples of Generated Summaries: Thank you for this valuable suggestion. We will include concrete examples comparing URANIA and SIMPLE-CLIO outputs in the revised manuscript. To illustrate the current limitations, consider these examples from our evaluation:

• Text: "The user is asking how to extract the last character of a file in BASH and convert it to hexadecimal."

  • Public summary: "Scripting and Command-Line Task Automation Requests"
  • Private summary: "Software Development, Version Control, and Educational Resources"

• Text: "The assistant explains the key differences between reinforcement learning and unsupervised learning, focusing on feedback and goals."

  • Public summary: "Deep Learning, Training, and Applications Explanation"
  • Private summary: "AI Model Training, Deployment, and Management Considerations"

• Text: "The user is asking if the assistant speaks Russian and the assistant confirms and offers help."

  • Public summary: "Russian Language Support and Communication"
  • Private summary: "AI-Powered Applications and Open Source Technology"

As these examples demonstrate, public summaries tend to be more specific and directly relevant, while private summaries are often broader and sometimes miss key contextual details. This limitation stems from the privacy constraints that prevent fine-grained keyword extraction—for instance, in the last example case, language-specific terms like "Russian" may not appear in our keyword sets.

2. Multimodal Conversations: This is an excellent direction for future work. We envision a two-stage approach: first extracting text summaries from multimodal content (e.g., image captions, audio transcriptions), then applying our existing pipeline. However, we agree that establishing a strong non-private baseline for multimodal cases should precede developing the DP version. We will add this in our concluding remarks.

3. Empirical Privacy Evaluation: We acknowledge that our current attack is relatively simple. As noted in Section 6, attacks against clustering-based algorithms remain underexplored compared to other ML paradigms. Developing more sophisticated attacks to better demonstrate vulnerability is an important area for future research.

4. Table Placement: Thank you for catching this. We will move Table 2 to the main text in our revision.

5. Topic Coverage Degradation: You raise an important point about potential solutions. We plan to explore alternative DP clustering approaches and hyperparameter tuning of the DP-k-means implementation to address this limitation.

Hello Reviewer! The authors have posted a response to your review. Please respond, at least to let us know whether or not your views or score have changed. This will really help the ACs and PCs when we try to assess the paper and your review.