Overview
- The technique infers conversation topics by analyzing the size and timing of encrypted packets created by token‑by‑token streaming, without breaking TLS encryption.
- In controlled experiments, Microsoft reported many classifiers achieving above 98% AUPRC, indicating distinct traffic patterns tied to specific topics.
- A simulated surveillance scenario showed high precision even when a single sensitive chat was hidden among 10,000 conversations, with some models reaching 100% precision while detecting a fraction of targets.
- OpenAI, Microsoft Azure, Mistral, and xAI deployed mitigations that add randomness or padding to streaming outputs, with Azure’s testing indicating the risk drops to non‑practical levels.
- Microsoft cautioned that attackers could improve results with more labeled data or repeated multi‑turn chats and advised users to avoid sensitive queries on untrusted networks, use VPNs, prefer providers with mitigations, or select non‑streaming modes.