Source: ndstudio.gov

Rampart: 14.7MB model for privacy by redacting personal information

Rampart, a 14.7MB on-device personal information filtering system, was open-sourced to redact PII before it leaves a user's device. It combines deterministic rules and a MiniLM model to catch structured data like SSNs and unstructured data like names, addressing privacy concerns with remote servers and large models. The system runs entirely in the browser, ensuring sensitive information never reaches external servers.

Published Jun 29, 2026 · 4 min read

When you type into a chatbot, you might reveal more about yourself than you intend. A request to clean up an email carries your name and your coworker's; a question about a medical bill carries your address and account number; a vented frustration carries who you are and where you live. And whatever you type doesn't stay with you — it travels to a remote server you have no way to inspect.

Our core design principle is that the only personal information you can be sure is private is the information that never leaves your device.

Today, we open source Rampart — a first-generation on-device personal information filtering system that is a strong first line of defense in ensuring your personal information never leaves your device. Rampart is a combination of a deterministic layer, based on regular expressions to catch SSNs and ID numbers, and MiniLM to catch names and street addresses.

Why we built Rampart

Oftentimes, PII removal means either trusting a remote server or downloading binaries to the client, which presents a few key challenges:

  1. AI privacy guarantees are almost impossible to verify. From first principles, it is impossible to verify the privacy and security claims of AI vendors. A newly deployed version of an AI runtime may accidentally begin logging sensitive user information, and services carry unknown internal security risks such as zero-day vulnerabilities and insider threats.
  2. Most models for PII removal are gigantic, narrowing the group of users that can benefit from them. For example, OpenAI Privacy Filter is ~2.8GB, which would take approximately 38 minutes to download to a browser on a relatively poor connection (10 Mbps).

How it works

Everything happens in the browser, in the moment between typing a message and sending it; there is no server in the loop.

Before the message goes anywhere, two readers look at it on your device.

The first is a set of rules. Regular expressions paired with real validations handle the information that has structure: Social Security numbers, credit cards, phone numbers, routing and account numbers, emails, IP addresses, government IDs. It is deterministic and fast.

The second is a small language model. Rules can't anticipate every name or street address, so MiniLM reads the sentence for the personal information with a deeper understanding of the context of the sentence, then redacts information it finds within a specific category.

For example, say you type a sentence full of personal information into chat:

Rampart redacts PII on-device so it doesn't have to leave your device:

Original: My name is Maria Garcia, my Social Security number is 123-45-6789, and I make $1,950 a month. Can you help me find affordable housing?

After redaction: My name is [GIVEN_NAME] [SURNAME], my Social Security number is [SSN], and I make $1,950 a month. Can you help me find affordable housing?

The browser stores relevant PII temporarily on your device to fill in the blanks:

Hi Maria,

Here are affordable housing options in New York.

  • The Eliza: Inwood, Manhattan | Affordable homes
  • Sendero Verde: East Harlem, Manhattan | Affordable homes
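The first reader described above (regular expressions paired with validations), together with the local placeholder map used to fill in the blanks, sketched as an added JavaScript example. It is not Rampart's code: the patterns, validators, function names and the [LABEL_n] placeholder format are assumptions made for illustration.

```javascript
// Added sketch, not Rampart's code; patterns and [LABEL_n] tags are assumptions.

// Luhn checksum: filters out 13-19 digit strings that are not card numbers.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// SSA never issues area 000, 666 or 900-999, group 00, or serial 0000.
function ssnValid(s) {
  const [area, group, serial] = s.split("-");
  return area !== "000" && area !== "666" && area[0] !== "9" &&
    group !== "00" && serial !== "0000";
}

const RULES = [
  { label: "SSN", re: /\b\d{3}-\d{2}-\d{4}\b/g, ok: ssnValid },
  { label: "CREDIT_CARD", re: /\b\d(?:[ -]?\d){12,18}\b/g,
    ok: (m) => luhnValid(m.replace(/[ -]/g, "")) },
];

// Returns the redacted text plus a placeholder->value map that stays local.
function redact(text) {
  const vault = new Map();
  for (const { label, re, ok } of RULES) {
    let n = 0;
    text = text.replace(re, (m) => {
      if (!ok(m)) return m; // pattern matched, validation failed: leave as-is
      const tag = `[${label}_${++n}]`;
      vault.set(tag, m);
      return tag;
    });
  }
  return { text, vault };
}

// Restores original values in a reply, using only the local map.
function reveal(reply, vault) {
  for (const [tag, value] of vault) reply = reply.split(tag).join(value);
  return reply;
}
// Constructed sample: the order number fails Luhn; 000-... is not a valid SSN.
const SAMPLE = "SSN 123-45-6789, card 4111 1111 1111 1111, " +
  "order 1234 5678 9012 3456, bad SSN 000-12-3456.";
```

Running `redact(SAMPLE)` replaces only the valid SSN and the Luhn-valid card number; the order number and the `000-` SSN match the patterns but fail validation, which is the false-positive case that pairing regexes with validators is meant to avoid.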

Benchmarks

We trained Rampart on AI4Privacy's OpenPII 1.5M dataset and a synthetic generator that reinforces all 17 entity types with deliberately messy chat-style input. The headline numbers below come from a 30,000-row held-out OpenPII slice spanning seven Latin-script languages, scored end-to-end by the shipped pipeline.

[Chart: private-term recall on a 30,000-row held-out OpenPII test set across seven supported languages; higher is better. Comparison model: OpenAI Privacy Filter (~2.8 GB).]

Limitations

Rampart is an alpha product intended to be the first line of defense in a more thorough effort to manage personally identifiable information for AI chat experiences. It currently supports English, Spanish, French, German, Italian, Portuguese, and Dutch.

Get started

Download the model on HuggingFace, install the NPM library, or read the whitepaper.

If the work of building elegant and useful tools for Americans speaks to you, consider joining NDS.

```ts
import { createGuard } from "@nationaldesignstudio/rampart";

const guard = await createGuard();

const safe = await guard.protect(
  "My name is John Wick. I live at 88 Cedar Lane, Brookvale, CT 06482.",
);

console.log(safe.text);
// "My name is [GIVEN_NAME_1]. I live at [BUILDING_NUMBER_1] [STREET_NAME_1], Brookvale, CT 06482."

const reply = await llm(safe.text);

console.log(guard.reveal(reply));
// "Thanks John Wick, Brookvale CT 06482 works for eligibility."

async function llm(text: string): Promise<string> {
  return "Thanks [GIVEN_NAME_1], Brookvale CT 06482 works for eligibility.";
}
```