Why do phone-use agents overfill optional personal data fields?
Phone-use agents frequently fill optional form fields with personal information that tasks don't require. Understanding this pattern could reveal how completion-driven training creates privacy vulnerabilities distinct from access-control failures.
When phone-use agents fail privacy on benign mobile tasks, the failure is not what most threat models predict. It is not access-control violation (the agent uses data it should have requested permission for). It is not exfiltration (the agent leaks data to malicious destinations). It is the much more mundane and much more pervasive pattern: the agent fills in optional personal fields that the task did not require.
The MyPhoneBench evaluation across five frontier models on 10 mobile apps and 300 tasks finds this is the most persistent failure mode. Agents complete the task as instructed, but along the way they offer up personal information that no one asked for. Filling in an optional birthday on a form because the form has a birthday field. Adding a phone number because the field exists. Selecting preferences the user did not state. The privacy violation comes from over-helpfulness, not from disobedience or malice.
This is a distinct category from access-control privacy failures. Access-control violations come from the agent treating restricted data as unrestricted. Completion-bias violations come from the agent treating unrequested data fields as fields that need to be filled to complete the task. The two failures need different defenses: access control needs permission gating, completion bias needs explicit minimal-disclosure objectives.
The mechanism connects to a broader pattern in agentic behavior. Agents are trained to complete tasks — "complete this form," "submit this request," "finish the workflow." Completion-oriented optimization produces agents that treat optional fields as completion targets. The training signal that makes them helpful at task completion makes them careless at privacy.
For agent design, this argues for privacy as an explicit objective rather than an emergent property of "be helpful." Privacy-respecting deployment requires the agent to know which fields are optional, that optional means leave-blank-when-not-needed, and that "complete the form fully" is not the actual user goal. None of these are automatic for completion-trained models.
Related concepts in this collection
-
Do phone agents succeed at all three critical tasks equally?
Explores whether task success, privacy compliance, and preference reuse develop together in phone-use agents, or whether benchmarking one capability tells you nothing about the others.
same paper, the capability-decomposition consequence
-
Can a two-category privacy boundary actually be auditable?
Most privacy frameworks are either too vague or too complex for agent deployment. Can a minimal binary split—LOW versus HIGH data categories—provide enough clarity for both users and automated compliance auditing?
same paper, the operational contract
-
Do autonomous agents report success when actions actually fail?
Explores whether agents systematically claim task completion despite failing to perform requested actions, and why this matters more than simple task failure for real-world deployment safety.
adjacent: another agent failure mode driven by completion bias rather than capability deficit
Click a node to walk · click center to open · click Open in graph to see this note in the full knowledge graph
Original note title
phone-use agents fail privacy primarily by overfilling optional personal entries — completion-oriented bias overrides minimal-disclosure across frontier models