How a 0.6B Model Beats GPT‑5.2 at Agent Privacy – Introducing MemPrivacy

The article analyzes the long‑standing privacy dilemma of cloud‑based agents, presents MemPrivacy’s three‑stage de‑identification framework and four‑level privacy taxonomy, details its two‑phase training with the MemPrivacy‑Bench dataset, and shows benchmark results where a 0.6B model outperforms GPT‑5.2 while keeping latency under 0.5 seconds.

PaperAgent

01 The Privacy Dilemma of Edge‑Cloud Agents

Early agents simply transmitted raw user input to the cloud, exposing personal data such as phone numbers and addresses. Later, a brute‑force masking approach replaced sensitive tokens with "***", which protected privacy but rendered the agent "stupid" because it lost contextual information.

These two extremes forced a trade‑off: either sacrifice privacy for utility or sacrifice utility for privacy.

02 MemPrivacy’s Three‑Stage Closed‑Loop Design

The core idea is to keep raw privacy data off the cloud while still allowing the model to understand the type of each piece of information.

Stage 1 – Local De‑identification: A lightweight on‑device model scans the user request, tags sensitive items (e.g., phone numbers, names, verification codes) with privacy levels PL1‑PL4, and replaces them with typed placeholders such as <NAME_1>, <PHONE_1>, <VERIFICATION_CODE_1>. The mapping between placeholders and original values is stored securely on the device.

Stage 2 – Cloud Processing: The placeholder‑filled request is sent to the cloud. Because the placeholders retain type information, the LLM can still perform accurate understanding and reasoning. All memory stored in the cloud (vector databases, long‑term memory modules) contains only placeholders, so any breach yields meaningless tokens.

Stage 3 – Local Restoration: The cloud returns a response containing placeholders. The device looks up the local mapping and restores the original values, delivering a fully personalized answer without the user noticing any privacy handling.

03 Four‑Level Privacy Tiering

PL1 (Low Sensitivity): Hobbies, expression habits, non‑diagnostic emotions – allowed for personalization with minimal storage.

PL2 (Identifiable Information): Names, phone numbers, emails, detailed addresses, account IDs – not uploaded by default but optionally shareable.

PL3 (High Sensitivity): ID numbers, bank cards, medical records, precise location, biometric data – protected by default.

PL4 (Highest Confidentiality): Passwords, verification codes, API keys, private keys, session tokens – absolutely prohibited from upload; intercepted immediately.
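As an added illustration of the three stages and the tier rules above (not code from the MemPrivacy project), the Python sketch below uses constructed regex detectors in place of the on‑device model, a constructed sample request, and a stand‑in cloud function; the placeholder names follow the article's <NAME_1>/<PHONE_1>/<VERIFICATION_CODE_1> convention, and the PL2 sharing switch and the pre‑upload PL4 gate are assumptions about how the tier policy would be enforced.

```python
import re
from dataclasses import dataclass, field

# Privacy level per placeholder type (the article's PL1-PL4; PL1 gets no placeholder).
# Constructed regexes stand in for the on-device model.
LEVELS = {"VERIFICATION_CODE": 4, "ID_NUMBER": 3, "NAME": 2, "PHONE": 2}
PATTERNS = {
    "VERIFICATION_CODE": re.compile(r"(?<=code )\d{6}\b"),
    "ID_NUMBER": re.compile(r"(?<=ID )\d{9}\b"),
    "NAME": re.compile(r"(?<=for )[A-Z][a-z]+ [A-Z][a-z]+"),
    "PHONE": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
}

@dataclass
class LocalVault:
    """Stages 1 and 3 run here; the placeholder mapping never leaves the device."""
    mapping: dict = field(default_factory=dict)   # "<PHONE_1>" -> "555-123-4567"

    def deidentify(self, text, share_pl2=False):
        """Stage 1: swap PL2-PL4 items for typed placeholders (PL2 only if not shared)."""
        for typ, pat in PATTERNS.items():
            if LEVELS[typ] == 2 and share_pl2:
                continue                           # user opted to share PL2 data
            text = pat.sub(lambda m, t=typ: self._placeholder(t, m[0]), text)
        return text

    def _placeholder(self, typ, value):
        n = 1 + sum(k.startswith(f"<{typ}_") for k in self.mapping)
        self.mapping[f"<{typ}_{n}>"] = value       # original value stays local
        return f"<{typ}_{n}>"

    def restore(self, response):
        """Stage 3: put the original values back into the cloud's placeholder reply."""
        return re.sub(r"<[A-Z_]+_\d+>", lambda m: self.mapping.get(m[0], m[0]), response)

def assert_upload_safe(text):
    """Final gate before the network call: a raw PL4 value must never leave the device."""
    for typ, pat in PATTERNS.items():
        if LEVELS[typ] == 4 and pat.search(text):
            raise ValueError(f"raw {typ} in outbound request; intercepted")

def cloud_process(request, cloud_memory):
    """Stage 2 stand-in for the cloud LLM: it sees and stores placeholders only."""
    cloud_memory.append(request)                   # memory store holds no raw PII
    name = re.search(r"<NAME_\d+>", request)[0]
    phone = re.search(r"<PHONE_\d+>", request)[0]
    return f"Table booked for {name}; we will text {phone}."

# Constructed sample request, not from the paper's dataset.
SAMPLE = "Book a table for Alice Chen, call 555-123-4567 and use code 482913 to confirm."
```

A breach of `cloud_memory` exposes only the typed placeholders, while the restored reply the user sees is fully personalized.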

04 Training Method – Two‑Stage Fine‑Tuning

MemPrivacy was trained on three model sizes (0.6B, 1.7B, 4B). First, a supervised fine‑tuning (SFT) stage used 26k high‑quality multi‑turn dialogues to teach Qwen‑3 series models (minimum 0.6B) to recognize privacy‑related tokens (learning rate 1e‑5, one epoch).

Second, a reinforcement learning stage employed GRPO (Group‑Relative Policy Optimization) on 1k instances. For each input, the model generated eight candidates; an F1‑based reward ranked them, guiding the model toward better privacy‑aware outputs without training a separate critic.

To evaluate, the team built MemPrivacy‑Bench, a benchmark containing 200 synthetic users and over 52k privacy instances across 7 major scenarios and 23 sub‑scenarios.
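An added illustration of the F1‑based ranking step in the GRPO stage, not the paper's own code: each candidate's detections are modelled as (placeholder type, original value) pairs, the reward is micro F1 against a reference set, and the group‑relative normalization is the standard GRPO form, which the article does not spell out. The reference and the eight candidates are constructed.

```python
from statistics import mean, pstdev

# A detection is a (placeholder type, original value) pair. The exact span
# matching used by the paper is not given in the article; exact-pair matching
# is an assumption made here.

def f1_reward(pred, gold):
    """Micro F1 between a candidate's detections and the reference set."""
    pred, gold = set(pred), set(gold)
    if not pred and not gold:
        return 1.0                      # nothing to find and nothing tagged
    tp = len(pred & gold)
    if tp == 0:
        return 0.0                      # avoids division by zero below
    precision, recall = tp / len(pred), tp / len(gold)
    return 2 * precision * recall / (precision + recall)

def group_relative_advantages(rewards):
    """GRPO-style advantage: each reward normalized by the group's own mean and
    standard deviation, which is why no separate critic model is needed."""
    mu, sigma = mean(rewards), pstdev(rewards)
    if sigma == 0:
        return [0.0] * len(rewards)     # all candidates equal: no learning signal
    return [(r - mu) / sigma for r in rewards]

def rank_candidates(candidates, gold):
    """Score one group of candidates; return (index, F1, advantage) best first."""
    rewards = [f1_reward(c, gold) for c in candidates]
    advs = group_relative_advantages(rewards)
    return sorted(zip(range(len(candidates)), rewards, advs), key=lambda t: -t[1])

# Constructed reference and candidate detections for one dialogue turn
# (eight candidates per input, as in the article's GRPO setup).
GOLD = {("NAME", "Alice Chen"), ("PHONE", "555-123-4567"), ("VERIFICATION_CODE", "482913")}
CANDIDATES = [
    GOLD,                                                   # perfect
    {("NAME", "Alice Chen"), ("PHONE", "555-123-4567")},    # misses the PL4 code
    GOLD | {("NAME", "Italian food")},                      # over-tags a PL1 hobby
    {("PHONE", "482913")},                                  # wrong type for the code
    set(),                                                  # tags nothing
    {("NAME", "Alice Chen")},
    {("VERIFICATION_CODE", "482913")},
    GOLD | {("PHONE", "482913")},                           # correct plus a spurious tag
]
```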

Paper: https://arxiv.org/pdf/2605.09530v2
Code: https://github.com/MemTensor/MemPrivacy
Model weights: https://huggingface.co/collections/IAAR-Shanghai/memprivacy

05 Experimental Results

Privacy Identification: On MemPrivacy‑Bench, MemPrivacy‑4B‑RL achieved 85.97% F1, surpassing GPT‑5.2 (68.99%) and Gemini‑3.1‑Pro (78.41%). OpenAI’s privacy‑filter (1.5B) reached only 35.50%.

Latency on a real‑world PersonaMem‑v2 workload stayed below 0.5 seconds per message, whereas Gemini‑3.1‑Pro required nearly 30 seconds.

Impact on Memory System Utility: Protecting PL2‑PL4 caused at most a 1.60% drop in QA accuracy across LangMem, Mem0, and Memobase. Protecting only PL4 reduced the drop to 0.33% (Mem0) and below 0.1% on the other systems.

Traditional irreversible masking ("***") caused accuracy to plunge to 26.67%–41.87% on the same systems.

Privacy‑Dense Scenarios: When conversations contained a high proportion of privacy‑related queries, conventional methods’ performance collapsed, while MemPrivacy remained stable, highlighting its suitability for medical, financial, or legal assistants.

Conclusion

MemPrivacy demonstrates that a modest‑size, purpose‑built model can provide strong privacy protection without sacrificing agent utility or incurring prohibitive latency, offering a practical path forward for privacy‑conscious edge‑cloud AI agents.
