In (single-server) Private Information Retrieval (PIR), a server holds a large database DB of size n, and a client holds an index i ∈ [n] and wishes to retrieve DB[i] without revealing i to the server. It is well known that information theoretic privacy even against an "honest but curious" server requires Ω(n) communication complexity. This is true even if quantum communication is allowed and is due to the ability of such an adversarial server to execute the protocol on a superposition of databases instead of on a specific database ("input purification attack"). Nevertheless, there have been some proposals of protocols that achieve sub-linear communication and appear to provide some notion of privacy. Most notably, a protocol due to Le Gall (ToC 2012) with communication complexity O( √ n), and a protocol by Kerenidis et al. (QIC 2016) with communication complexity O(log(n)), and O(n) shared entanglement.We show that, in a sense, input purification is the only potent adversarial strategy, and protocols such as the two protocols above are secure in a restricted variant of the quantum honest but curious (a.k.a specious) model. More explicitly, we propose a restricted privacy notion called anchored privacy, where the adversary is forced to execute on a classical database (i.e. the execution is anchored to a classical database). We show that for measurement-free protocols, anchored security against honest adversarial servers implies anchored privacy even against specious adversaries.Finally, we prove that even with (unlimited) pre-shared entanglement it is impossible to achieve security in the standard specious model with sub-linear communication, thus further substantiating the necessity of our relaxation. This lower bound may be of independent interest (in particular recalling that PIR is a special case of Fully Homomorphic Encryption).containing n binary entries 1 , and a client who wishes to retrieve the ith element of the database but without revealing the index i. Privacy can be defined using standard cryptographic notions such as indistinguishability or simulation (see [Gol04]). The simplicity of this primitive is since there is no privacy requirement for the database (i.e. we allow sending more information than necessary) and that the server is not required to produce any output in the end of the interaction, so functionality and privacy are one sided.Clearly PIR is achievable by sending all of DB to the client. This will have communication complexity n and will be perfectly private under any plausible definition since the client sends no information. The absolute optimal result one could hope for is a protocol with logarithmic communication, matching the most communication efficient protocol without privacy constraints, in which the client sends the index i to the server and receives DB[i] in response.Alas, [CGKS95] proved that linear (in n) communication complexity is necessary for PIR, and that this is the case even in the presence of arbitrary setup information. 2 Despite its pessimistic outlook, this low...