Doxing via the Lens: Revealing Location-related Privacy Leakage on Multi-modal Large Reasoning Models

This paper reveals that multi-modal large reasoning models pose a significant privacy risk by outperforming humans in inferring sensitive geolocation information from user images, a vulnerability driven by their advanced reasoning capabilities and lack of privacy safeguards, which the authors evaluate using a new framework, dataset, and attack strategy.

The Gist

Imagine you just posted a selfie on social media. You're happy with your new haircut, and the background is just a blurry coffee shop or your living room. You think, "No one can tell where I live from this."

But according to this new research paper, you might be wrong.

The paper, titled "Doxing via the Lens," reveals that the newest, super-smart AI models (called Multi-modal Large Reasoning Models or MLRMs) have become like digital Sherlock Holmes. They don't just "see" a picture; they "think" about it. They can look at a photo of your backyard, notice the specific type of brick, the way the sun hits the fence, and the style of the mailbox, and then cross-reference that with their massive internal knowledge of the world to guess your exact home address.

Here is a breakdown of the paper's findings using simple analogies:

1. The Problem: The "Super-Sleuth" AI

In the past, if you asked an AI, "Where is this?" it might guess "Maybe a city?" or "Maybe a park?"

But the new generation of AI (like OpenAI's O3 or Google's Gemini) has a superpower: Reasoning.

• The Analogy: Imagine a detective who doesn't just look at a fingerprint but also knows the brand of the shoe, the type of dirt on the sole, the local weather patterns, and the specific architecture of the neighborhood.
• The Reality: These AIs can look at a casual photo and deduce: "That specific style of streetlamp is only found in this neighborhood. That house number font is unique to this city. Therefore, this photo was taken at 123 Maple Street."

2. The New Danger Zone: "Privacy Spaces"

The researchers created a new way to measure how dangerous a photo is. They call it a Three-Level Risk Framework:

• Level 1 (Low Risk): A photo of a tourist spot or a busy street. (Everyone knows where this is).
• Level 2 (Medium Risk): A photo of your house or backyard, but without you in it. (It reveals your home address).
• Level 3 (High Risk): A selfie taken in your own home or backyard. (It reveals who lives there and exactly where they live).

The scary part: The AI is actually better at guessing your location from these "private" photos than a regular human expert is.

3. The Tools: "ClueMiner" and "GeoMiner"

To prove how this works, the researchers built two tools:

• ClueMiner (The Detective's Notebook): This tool asks the AI, "What clues did you use to guess the location?"

  • Result: The AI admits it looks at things like license plate styles, trash can colors, specific tree types, and street signs. It treats these as "clues" to solve the puzzle. The problem? The AI has no "privacy filter" to stop itself from using these clues. It just wants to solve the puzzle.

• GeoMiner (The Team-Up Attack): This simulates a hacker working with the AI.

  • The Analogy: Imagine a human detective who is bad at geography but good at spotting details. They point at a photo and say, "Hey, look at that weird fence!" They hand that clue to the AI, which then says, "Ah! That fence is only in this specific neighborhood!"
  • Result: When humans help the AI by pointing out clues, the AI's accuracy skyrockets. It makes it incredibly easy for non-experts to find your address.

4. The "Mirror" Effect

The paper also found that AIs are getting scary good at looking at reflections.

• The Analogy: If you take a selfie in front of a car, the reflection in the car window might show the street behind you.
• The Reality: The AI can read the reflection, even if it's upside down or blurry, and figure out where you are. This is like a stalker looking at a reflection in a window to find a house number.

5. Why Can't We Just "Blur" the Photo?

The researchers tried common defenses, like blurring the background or adding "noise" (static) to the image, similar to how we blur license plates.

• The Result: It didn't work well.
• The Analogy: It's like trying to hide a face by putting a smudge of paint on a photo. The AI is so smart that it can look at the shape of the smudge, the color of the wall behind it, or the angle of the light to figure out what's underneath. If you blur the street sign, the AI just looks at the type of trash can or the style of the sidewalk instead.

The Big Takeaway

We are entering an era where every photo you take is a potential puzzle for an AI to solve.

• The Good News: We now know this is happening.
• The Bad News: The current "safety guards" on these AIs are blind to this specific type of privacy leak. They are trained to be helpful, so if you ask "Where is this?", they will happily tell you, even if it's your own home.

What should you do?
Think twice before posting photos with unique backgrounds. Remember that in the eyes of a super-smart AI, your "cozy living room" isn't just a room; it's a collection of clues that can lead someone straight to your front door.

Technical Summary

1. Problem Statement

The paper addresses a critical and underexplored privacy vulnerability in Multi-Modal Large Reasoning Models (MLRMs) (e.g., OpenAI O3, Claude 4, Gemini 2.5 Pro). While these models excel at complex visual reasoning, they possess the capability to infer sensitive geolocation information (such as home addresses or neighborhoods) from casual, user-generated images (e.g., selfies, lifestyle photos).

Unlike traditional geolocation tasks that rely on prominent landmarks, MLRMs can deduce precise locations from subtle visual clues (e.g., architectural styles, vegetation, license plates, street signs) even when the image contains no explicit metadata. This creates two distinct privacy risks:

• Individual Risk (Transient): Revealing a person's current location or routine, compromising safety.
• Household Risk (Persistent): Revealing a private residence (e.g., home address) regardless of human presence, exposing family routines and violating spatial privacy expectations.

Existing benchmarks fail to capture this risk because they rely on "benign" datasets (public landmarks) or low-resolution street view images, underestimating the models' ability to infer locations from private, high-resolution user content.

2. Methodology

A. Benchmark Construction: DOXBENCH

The authors constructed DOXBENCH, the first dataset specifically designed to evaluate location-related privacy leakage in MLRMs.

• Data Collection: 500 high-resolution images captured in California using iPhone devices, covering diverse urban and suburban environments.
• Privacy Risk Framework: Images are categorized into three levels based on Privacy Space (Home/Private vs. Public) and Personal Imagery (Selfie/Identifiable vs. Non-identifiable):
  • Level 1 (Low Risk): Personal imagery in public spaces (Transient risk).
  • Level 2 (Medium Risk): Privacy space without individuals (Persistent risk, e.g., a house exterior).
  • Level 3 (High Risk): Personal imagery in privacy space (Combined risk, e.g., a selfie taken inside a home).
• Special Category: Includes a "Mirror" category where location clues are inferred from reflections (e.g., car windows, eyes), simulating real-world indirect leakage.
• Prompting: Models are tested with a minimal prompt: "Where is it?" to simulate a non-expert attacker.

B. Evaluation Metrics

The paper introduces GLARE (Geolocation Leakage And Risk Estimate), an information-theoretic metric (measured in bits) that unifies:

1. Verifiable Response Rate (VRR): How often the model attempts an answer.
2. Accuracy: Median and Mean Error Distances.
3. Risk: The reduction in the adversary's uncertainty space.

• CCPA Accuracy: The frequency of predictions falling within the "precise geolocation" threshold defined by the California Consumer Privacy Act (1,850 ft / 563.88 m).

C. Analysis Tools

• CLUEMINER: A tool to analyze what visual clues models use. It extracts reasoning chains (Chain-of-Thought) and categorizes them into 102 distinct clue types (e.g., "Architectural Styles," "License Plate Patterns").
• GEOMINER: A collaborative attack framework simulating a human-expert interaction. It uses a Detector model to extract clues from an image and an Analyzer model to reason about them, demonstrating how non-experts can amplify leakage by providing context.

3. Key Contributions

1. DOXBENCH Dataset: A curated, high-resolution dataset of 500 images with three-tiered privacy risk annotations, filling a gap in existing privacy research.
2. GLARE Metric: A novel, unified metric that quantifies both the likelihood of leakage and the precision of the inference, overcoming limitations of simple error-distance metrics.
3. Root Cause Analysis: Identification of two primary factors driving the vulnerability:
   • Clue-Based Reasoning: MLRMs effectively combine visual clues with internal world knowledge to infer locations.
   • Lack of Privacy Alignment: Models lack mechanisms to suppress the use of sensitive visual clues (like house numbers or license plates) during inference.
4. GEOMINER Framework: Demonstrates that providing models with extracted clues (simulating an expert assistant) significantly boosts geolocation accuracy, lowering the barrier for non-expert attackers.

4. Experimental Results

• Superiority over Humans: Across 13 advanced MLRMs/MLLMs, the models significantly outperformed non-expert human baselines (Amazon MTurk) in geolocation inference.
  • CCPA Accuracy: MLRMs achieved an average of 11.61% (Top-1) and 14.95% (Top-3) accuracy in predicting precise geolocation, compared to 6.01% for humans.
  • GLARE: Models achieved mean GLARE scores of 1,418.97 bits (Top-1) and 1,711.90 bits (Top-3), far exceeding the human baseline of 1,309.73 bits.
• Model Performance:
  • GEMINI 2.5 PRO and OPENAI O3 showed the highest leakage risks, with GEMINI 2.5 PRO reaching 1,987.16 bits (Top-3) and 21.97% CCPA accuracy.
  • Even open-source models like LLAMA 4 MAVERICK demonstrated significant leakage capabilities.
• Impact of Clues:
  • Using CLUEMINER, the study found models heavily rely on sensitive clues like "License Plate Patterns," "Street Sign Text," and "Waste Management Infrastructure."
  • GEOMINER experiments showed that providing prior clues to an Analyzer model increased CCPA accuracy by an average of 6.43% (Top-1) and GLARE by 194.31 bits.
• Defense Failure: The paper evaluated five defense strategies (LLAMA Guard, Blurring, Adversarial Noise, Prompt-based, Gaussian Noise). All proved ineffective or impractical:
  • Guardrails (e.g., LLAMA Guard 4) failed to detect the leakage, labeling risky inputs as "safe."
  • Blurring and Noise degraded image utility (OCR/QA performance) and often failed to stop inference, as models could switch to alternative reasoning pathways.

5. Significance and Implications

• Lowered Attack Barrier: The research demonstrates that sophisticated geolocation inference is no longer limited to experts; non-experts can leverage MLRMs to dox individuals from casual photos.
• Inadequacy of Current Defenses: Standard safety alignment and simple image perturbation techniques are insufficient against the sophisticated, multi-path reasoning capabilities of modern MLRMs.
• Urgent Need for New Protections: The findings highlight a critical gap in current AI safety research. Protecting user privacy requires rethinking inference-time mechanisms, potentially moving beyond simple refusal to developing models that can reason about visual content without utilizing sensitive geospatial clues.
• Legal Compliance: The study underscores the potential for MLRMs to violate regulations like GDPR and CCPA by inadvertently processing "sensitive personal information" (precise geolocation) from user inputs.

In conclusion, the paper establishes that MLRMs pose a severe, immediate threat to location privacy through their ability to perform "doxing via the lens," necessitating a fundamental reassessment of how these models are trained, aligned, and deployed.