How do AI agents like Claude, Gemini, and Copilot compare from a privacy and security perspective when asked to complete tasks on behalf of a user?
This question was at the heart of a new research paper authored by a team of students from the UC Berkeley School of Information’s Master of Information and Cybersecurity (MICS) program. The paper, “AgentWatch: Privacy and Security Evaluation for Browser-Based AI Agents,” introduces a novel approach for testing the security and privacy of AI browsing agents.
Co-authored by Anya Svan, Marisa Hall, Boaz Kaufman, Cynthia Austin, Rutika Kushe, and Anagha Late, the paper was produced as the students’ capstone project; it won the School of Information’s Spring 2026 Lily L. Chang MICS Capstone Award, which honors top projects in each semester. (Read a Q&A with the authors on the School of Information website.)
For their project, the researchers developed a series of standardized tests replicating both normal user behavior and adversarial attack scenarios, and they conducted the tests with five popular agents: OpenAI’s Atlas, Anthropic’s Claude, Perplexity’s Comet, Microsoft’s Copilot, and Google’s Gemini. “AI agents that can browse, fill forms, and act on behalf of users (and choose how to go about requests) introduce novel privacy and security risks, especially around unintended data disclosure and over‑permissioned actions,” the authors explain in the report’s executive summary. “Existing evaluation tools were not designed to assess these risks.”
The agents were evaluated on five categories: data disclosure control (i.e., whether the agent avoids leaking or oversharing sensitive information when asked to act for the user); misunderstood prompts (i.e., whether the agent slows down, clarifies, or refuses when faced with broad, risky, or self‑contradictory prompts); hallucination (i.e., whether the agent refuses to invent non‑existent sources, events, or personas in ways that could mislead users); prompt injection (i.e., whether the agent ignores or flags hidden or adversarial instructions embedded in content or metadata); and browser sandbox isolation (i.e., whether the agent respects isolation boundaries and avoids cross‑site or cross‑context data access or leakage).
The results of the tests were scored numerically and entered into a custom privacy scoring framework that the authors named “AgentWatch,” which enables systematic scoring and comparison of agents and provides a structured assessment approach for this emerging area of research. The testing was complemented by qualitative analysis of the agents’ behavior and their alignment with the policies set by their creators.

This table from the “AgentWatch” report shows final testing results across different categories and agents.
The testing surfaced a wide range of issues with these popular AI agents. The authors found that Claude, Atlas, and Gemini demonstrated the strongest privacy‑preserving behavior across the evaluated scenarios, each scoring in the ‘Excellent’ range (above 90) on the composite Privacy & Safety Efficacy Score. Comet, meanwhile, performed moderately well but showed weaker behavior when responding to ambiguous prompts and certain disclosure scenarios. Microsoft’s Copilot received the lowest overall score due to inconsistent responses in scenarios involving ambiguous intent and potential oversharing.
The authors acknowledge that there were limitations in their study, and express hope that other researchers will build on their approach to testing the safety and security of AI agents. “A core design goal of this project is extensibility,” the authors explain. “The evaluation infrastructure, scoring rubric, and scenario library are released as an open‑source hub, inviting researchers, practitioners, and security professionals to contribute new test prompts and expand coverage beyond the five dimensions and five agents evaluated here. The intent is for this framework to grow alongside the rapidly evolving agentic AI landscape, rather than represent a static snapshot.”