
The AI Will Read Your Data. The Only Question That Matters Is Who Else Can.

Zee
21 June 2026 · 9 min read

A few days ago I read Meredith Whittaker's warning about agentic AI and privacy. It's worth your time.

What struck me wasn't that I disagreed with the president of Signal. It was how exactly her critique described the threat model we'd already spent the last three months building Brianni-AI around.

Her argument is straightforward: modern AI assistants demand extraordinary access to your life — messages, calendars, contacts, browser, payment details, documents. To do something as ordinary as buy a concert ticket, the "magic genie bot" needs your card, your calendar, and permission to message your siblings on your behalf. Once an AI can see all of that, traditional privacy guarantees begin to collapse. An agent that reads your messages before they're encrypted — or after they're decrypted — renders the encryption irrelevant.

She's right. And her article didn't inspire our architecture; the architecture already existed. Her article articulated, better than we had, why it matters.

This isn't a rebuttal. It's a description of what falls out when you treat her critique as a build spec.


The agent was never the problem

The agent — the thing that books the ticket, files the expense, drafts the reply — is not where the privacy fight lives. The agent is an actuator: your computer taking actions for you instead of you clicking through fourteen screens. That capability is coming, it's useful, and no privacy argument is going to stop it. Nor should it.

The fight lives one layer down. An agent is only as smart as the model that drives it, and that model is far too big to run on your phone. Until on-device models are good enough to be your operating system — a day that's coming, but isn't here — your content has to leave your device and reach a frontier model that one of a handful of labs operates.

That crossing is the irreducible privacy event. Everything else is plumbing.

So let's be honest about the part most AI privacy pitches skip: the AI will read your data. Not because anyone was careless, not because encryption failed, but because most useful AI tasks are impossible without it. A model cannot summarise a document, analyse a spreadsheet, or draft a reply to an email it never receives. No privacy architecture changes that.

The industry keeps asking whether AI should read your data. For most use cases, that's already settled. The question that actually matters is the one Whittaker is pointing at:

Once the AI reads your data, who else can?


The wrong threat model

Most discussions about AI privacy fixate on content. Can the company read my conversations? Can its employees see my files? Will my prompts train the next model? Those questions matter — but they miss the larger one.

Imagine two systems.

In the first, a company holds your name, email, payment details, contacts, location history, and every conversation you've ever had with its AI.

In the second, the company can see the content being processed but has no reliable way to connect that content back to your identity.

The content can be identical. The privacy properties are not.

The real power of surveillance doesn't come from knowing what was said. It comes from knowing who said it. Identity plus content. Name plus activity. That's where profiling begins, and where targeting begins. The most dangerous thing an AI system can hold is not your content — it's your content welded to your identity.


No single party should ever hold both halves

Long before Whittaker's remarks — in fact, from the day I started Brianni — we'd reached one conclusion that became the foundation of Brianni-AI:

No single party should ever hold both your identity and your content.

Most privacy systems protect content. Most compliance regimes protect identity. Very few recognise that surveillance emerges from the join of the two. Breaking that join is the entire design.

So we split the pair across parties that are structurally blind to one another:

  • Our servers know who you are — they handle your sign-in and billing — but they only ever store ciphertext they cannot read. You hold the keys; we never had them. It's the same zero-knowledge architecture the rest of Brianni is built on: breach our infrastructure and you get encrypted bytes, not readable data.
  • The model provider sees what was asked — with personal identifiers already stripped out on your device before it left — but has no idea who asked. Every request leaves under one shared key, so to the provider, every Brianni-AI user looks like the same anonymous account.
  • Between them sits a sealed enclave that decrypts the request, calls the model, re-encrypts the answer, and zeroes its own memory. It's the airgap that guarantees the two halves never meet — not even we, the operator, can reach inside it.

The "database of your entire digital life" that Whittaker warns will become "a prime target" does not exist in readable form in this design. Breach our infrastructure and you get ciphertext, not content. There's no honeypot, because there's no honey.
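To make the three-party split concrete, here is an added toy simulation of it in Python. It is illustrative code written for this post, not Brianni's implementation: the party classes, the regex-based identifier stripping, the contact-list name matching and the HMAC-SHA256 keystream cipher (a labelled stand-in for a real AEAD such as AES-GCM) are all my own assumptions. The point it demonstrates is which party ends up holding what: the operator holds an account record and opaque bytes, the provider holds a de-identified prompt with no account field, and only the enclave ever sees the clear request, which it zeroes before returning.

```python
"""Toy model of the identity/content split: the operator sees identity plus
ciphertext, the provider sees de-identified content with no identity, and
only the enclave briefly holds the clear request. Stdlib only; the
HMAC-SHA256 keystream cipher is a stand-in for a real AEAD."""
import hashlib, hmac, re, secrets

# --- toy authenticated encryption (stand-in for AES-GCM or ChaCha20-Poly1305) ---
def _keystream(key, nonce, n):
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def open_sealed(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

# --- on-device redaction of high-confidence identifiers (constructed patterns) ---
_CARD = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
_EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
_PHONE = re.compile(r"\+?\d[\d\s().-]{7,}\d")

def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def strip_identifiers(text: str, known_names) -> str:
    # cards first, so the looser phone pattern cannot swallow a card number
    text = _CARD.sub(lambda m: "[CARD]" if luhn_ok(re.sub(r"\D", "", m.group())) else m.group(), text)
    text = _EMAIL.sub("[EMAIL]", text)
    text = _PHONE.sub("[PHONE]", text)
    for name in known_names:                     # names come from the device's own contact list
        text = re.sub(re.escape(name), "[NAME]", text)
    return text

class OperatorServer:
    """Knows who you are; holds only ciphertext it has no key for."""
    def __init__(self):
        self.accounts, self.blobs = {}, {}
    def register(self, account_id, email):
        self.accounts[account_id] = {"email": email}
        self.blobs[account_id] = []
    def store(self, account_id, blob):
        self.blobs[account_id].append(blob)

class ModelProvider:
    """Sees de-identified content and nothing about who sent it."""
    def __init__(self):
        self.seen = []
    def complete(self, request: dict) -> str:
        self.seen.append(request)                # record exactly what crossed the boundary
        return "Drafted reply for: " + request["prompt"]

class Enclave:
    """Holds the shared request key; the only place the clear request exists."""
    def __init__(self, shared_key, provider):
        self._key, self._provider = shared_key, provider
    def handle(self, envelope: bytes) -> bytes:
        clear = bytearray(open_sealed(self._key, envelope))
        try:
            return seal(self._key, self._provider.complete({"prompt": clear.decode()}).encode())
        finally:
            clear[:] = b"\x00" * len(clear)      # zero the clear request before returning

class ClientDevice:
    def __init__(self, account_id, contacts, shared_key, server):
        self.account_id, self.contacts, self._server = account_id, contacts, server
        self._shared_key = shared_key            # same for every user: the provider sees one account
        self._vault_key = secrets.token_bytes(32)  # per-user history key; never leaves the device
    def ask(self, enclave, user_text: str) -> str:
        envelope = seal(self._shared_key, strip_identifiers(user_text, self.contacts).encode())
        reply = open_sealed(self._shared_key, enclave.handle(envelope)).decode()
        # the operator receives history only as ciphertext under the device-held vault key
        self._server.store(self.account_id, seal(self._vault_key, (user_text + "\n" + reply).encode()))
        return reply

def run_demo():
    shared_key = secrets.token_bytes(32)         # constructed; provisioned to the enclave in practice
    server, provider = OperatorServer(), ModelProvider()
    server.register("acct-1042", "zee@example.com")   # constructed sample account
    device = ClientDevice("acct-1042", ["Priya Shah"], shared_key, server)
    reply = device.ask(Enclave(shared_key, provider),
                       "Draft a reply to Priya Shah (priya@example.com, +44 7700 900123) "
                       "confirming I'll pay with card 4111 1111 1111 1111.")
    return {"reply": reply, "provider_saw": provider.seen,
            "server_identity": server.accounts["acct-1042"], "server_blob": server.blobs["acct-1042"][0]}
```

Running `run_demo()` shows the provider's log containing only `Draft a reply to [NAME] ([EMAIL], [PHONE]) confirming I'll pay with card [CARD].` with no account field, while the operator's record holds the e-mail address and an unreadable blob. One design note: the toy encrypts the reply under the same shared key as the request; a real deployment would bind a per-session key to the attested channel so one user's reply cannot be opened by another.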


Verifiable, not "trust us"

There's still one moment where content must be processed in the clear: the model has to do its job. This is the part most AI privacy stories hand-wave. We don't.

Instead of sending your request into a conventional server an operator fully controls, Brianni-AI processes it inside a hardware-backed Trusted Execution Environment. The enclave doesn't hide your content from the model — it can't; the model must read the request to answer it. What it does is make every privacy-relevant step auditable.

The enclave's code is open-source and reproducibly built, and your device verifies its cryptographic measurement before every single session. If the running code doesn't match the published, audited code — to the byte — the session fails closed. There is no silent fallback to a weaker mode.

So when I say the request that reaches the model carries no account ID, no user tag, no per-user cache key — nothing that ties it back to you — you don't have to take my word for it. The build is reproducible and the measurement is public: you can verify it yourself. "We de-identify before the model ever sees your request" stops being a line in a privacy policy and becomes a property you can check.

That's the difference between a privacy policy and a privacy architecture. One asks for your trust. The other removes the need for it.
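The fail-closed attestation check described above, as an added example rather than Brianni's client code: the evidence format, the `AttestingEnclave` stand-in for the hardware, and the HMAC in place of the vendor-rooted report signature are all my assumptions. What it shows is the shape of the gate: the client computes the expected measurement itself from the published image (the reproducible-build property), demands a fresh nonce so a recorded report cannot be replayed, and raises rather than degrading when the signature, the nonce or the measurement does not match.

```python
"""Client-side attestation gate: open a session only if the enclave reports a
signed, fresh measurement equal to the one the client derived from the audited
image; otherwise refuse. There is deliberately no fallback path."""
import hashlib, hmac, json, secrets

class SessionRefused(Exception):
    """Raised when attestation fails; there is no weaker mode to fall back to."""

def measure(enclave_image: bytes) -> str:
    # Measurement = hash of the enclave image. A real TEE's measurement covers
    # more (memory layout, launch config), but the comparison logic is the same.
    return hashlib.sha256(enclave_image).hexdigest()

class AttestingEnclave:
    """Stand-in for the hardware: reports a signed measurement of what is running."""
    def __init__(self, running_image: bytes, vendor_key: bytes):
        self._image, self._vendor_key = running_image, vendor_key
    def attest(self, nonce: bytes) -> dict:
        report = {"measurement": measure(self._image), "nonce": nonce.hex()}
        body = json.dumps(report, sort_keys=True).encode()
        # HMAC stands in for the vendor-rooted signature on a real attestation report
        return {"report": report, "sig": hmac.new(self._vendor_key, body, hashlib.sha256).hexdigest()}

class ReplayingEnclave:
    """Returns a previously recorded report regardless of the challenge nonce."""
    def __init__(self, cached_evidence: dict):
        self._cached = cached_evidence
    def attest(self, nonce: bytes) -> dict:
        return self._cached

class Client:
    def __init__(self, vendor_key: bytes, audited_image: bytes):
        self._vendor_key = vendor_key
        # Reproducible build: the client derives the expected measurement from the
        # published image itself instead of trusting a value the operator sends.
        self.expected = measure(audited_image)
    def open_session(self, enclave) -> str:
        nonce = secrets.token_bytes(16)
        evidence = enclave.attest(nonce)
        body = json.dumps(evidence["report"], sort_keys=True).encode()
        want = hmac.new(self._vendor_key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(evidence["sig"], want):
            raise SessionRefused("attestation signature invalid")
        if evidence["report"]["nonce"] != nonce.hex():
            raise SessionRefused("stale attestation (replayed)")
        if not hmac.compare_digest(evidence["report"]["measurement"], self.expected):
            raise SessionRefused("enclave code does not match the audited build")
        return "session-" + evidence["report"]["measurement"][:12]

def run_checks() -> dict:
    vendor_key = secrets.token_bytes(32)                        # constructed
    audited = b"enclave image v1 (constructed placeholder bytes)"  # constructed
    client = Client(vendor_key, audited)
    out = {"audited": client.open_session(AttestingEnclave(audited, vendor_key))}
    for label, enclave in [
        ("tampered", AttestingEnclave(audited + b"\x90", vendor_key)),
        ("replayed", ReplayingEnclave(AttestingEnclave(audited, vendor_key).attest(b"old-nonce"))),
        ("forged", AttestingEnclave(audited, secrets.token_bytes(32))),
    ]:
        try:
            client.open_session(enclave)
            out[label] = "accepted"
        except SessionRefused as e:
            out[label] = str(e)
    return out
```

`run_checks()` opens a session against the audited image and refuses the other three cases with a distinct reason each. The order of checks matters: signature first, so nothing in an unsigned report is trusted; freshness second; measurement last.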


Her specific points, answered

On "AI chatbots are not your friends." She's right, and we answer it head-on: Brianni-AI has no analytics, no trackers, no ad pixels, no retention. We can't read your conversations, so we can't mine them, profile you, or train on them. We make money the boring way — you pay us. The incentive to hoard your data, the engine behind the suspiciously friendly chatbot, simply isn't wired in.

On Recall-style monitoring and the "backdoor." Brianni-AI is the opposite of an assistant that screenshots your screen or watches your family chats. It doesn't sit beneath your apps with root access. When it reaches an outside service for you — your calendar, say — it does so through a narrow permission you grant, with the access token held encrypted on your device and the call made by your client, not our servers. We don't insert ourselves between you and your other encrypted apps. That's the whole point.

On "pervasive access across applications." We don't take operating-system root. Integrations are scoped per service, default to least privilege, and are capped per task — narrow, revocable doors, not a master key.
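One way the scoped, per-task, revocable grants just described can be enforced on the client, as an added example and not Brianni's own integration code: the `Grant` and `ClientIntegrations` types, the `calendar:read` style scope names and the fake calendar service are all assumptions. The example refuses wildcard scopes at grant time, binds each grant to one task with a call cap and an expiry, and keeps the access token and the outbound call on the client side.

```python
"""Per-task, least-privilege integration grants enforced on the client.
The token stays on the device (at rest it would sit under the device key) and
the outbound call is made by the client, not by the operator's servers."""
import time
from dataclasses import dataclass

class Refused(Exception):
    pass

@dataclass
class Grant:
    service: str
    scopes: frozenset      # e.g. {"calendar:read"}; never a service-wide wildcard
    task_id: str           # bound to one agent task
    max_calls: int         # per-task cap
    expires_at: float
    calls: int = 0
    revoked: bool = False

def _fake_service(service, token, scope, request):
    # Constructed stand-in for the real third-party API call.
    if not token:
        raise Refused("no token for " + service)
    return {"service": service, "scope": scope, "ok": True}

class ClientIntegrations:
    def __init__(self, now=time.time):
        self._grants, self._tokens, self._now, self.audit = {}, {}, now, []
    def connect(self, service, token):
        self._tokens[service] = token
    def grant(self, service, scopes, task_id, max_calls, ttl_s):
        if "*" in scopes or any(s.endswith(":*") for s in scopes):
            raise Refused("wildcard scopes are not grantable")
        g = Grant(service, frozenset(scopes), task_id, max_calls, self._now() + ttl_s)
        self._grants[(service, task_id)] = g
        return g
    def revoke(self, service, task_id):
        self._grants[(service, task_id)].revoked = True
    def call(self, service, task_id, scope, request):
        g = self._grants.get((service, task_id))
        if g is None:
            raise Refused("no grant for this task")
        if g.revoked:
            raise Refused("grant revoked")
        if self._now() > g.expires_at:
            raise Refused("grant expired")
        if scope not in g.scopes:
            raise Refused(scope + " outside granted scopes")
        if g.calls >= g.max_calls:
            raise Refused("per-task call cap reached")
        g.calls += 1
        self.audit.append((service, task_id, scope))
        return _fake_service(service, self._tokens.get(service), scope, request)

def _attempt(fn):
    try:
        return fn()
    except Refused as e:
        return "refused: " + str(e)

def run_demo() -> dict:
    clock = [1000.0]                                   # controllable clock for the expiry case
    ci = ClientIntegrations(now=lambda: clock[0])
    ci.connect("calendar", "tok-constructed-123")      # constructed token
    out = {}
    out["wildcard"] = _attempt(lambda: ci.grant("calendar", {"calendar:*"}, "task-7", 2, 60))
    ci.grant("calendar", {"calendar:read"}, "task-7", max_calls=2, ttl_s=60)
    out["read1"] = _attempt(lambda: ci.call("calendar", "task-7", "calendar:read", {"day": "2026-06-21"}))
    out["write"] = _attempt(lambda: ci.call("calendar", "task-7", "calendar:write", {}))
    out["other_task"] = _attempt(lambda: ci.call("calendar", "task-8", "calendar:read", {}))
    out["read2"] = _attempt(lambda: ci.call("calendar", "task-7", "calendar:read", {}))
    out["read3"] = _attempt(lambda: ci.call("calendar", "task-7", "calendar:read", {}))
    ci.grant("calendar", {"calendar:read"}, "task-9", max_calls=1, ttl_s=60)
    clock[0] += 120                                    # past task-9's expiry
    out["expired"] = _attempt(lambda: ci.call("calendar", "task-9", "calendar:read", {}))
    ci.grant("calendar", {"calendar:read"}, "task-10", max_calls=1, ttl_s=60)
    ci.revoke("calendar", "task-10")
    out["revoked"] = _attempt(lambda: ci.call("calendar", "task-10", "calendar:read", {}))
    out["audit"] = list(ci.audit)
    return out
```

`run_demo()` returns one entry per case: the two permitted reads succeed, while the wildcard grant, the out-of-scope write, the unknown task, the third call, the expired grant and the revoked grant are each refused with a distinct reason. The audit list is the client's own record of which task used which scope, which is what a user reviews when deciding whether to revoke a door.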


What privacy architecture can — and can't — solve

It's important not to overclaim.

Privacy architecture can reduce identity linkage, limit unnecessary exposure, restrict operator visibility, and undercut the business model that turns your data into a product. It cannot guarantee a model never errs, eliminate prompt injection, or settle whether an assistant should feel like a friend. Those are real and important questions — and separate ones.

And there's one honest limit specific to this design: the on-device step strips high-confidence identifiers — emails, phone numbers, card numbers, names — but the substance of a free-form request still reaches the model. We minimise what crosses the boundary; we don't eliminate it. Your trust in the model provider is reduced — to content without identity, in a pool of millions — not erased. Anyone who tells you their cloud AI processes your data with the model somehow not reading it is selling you something.

It's also why the architecture is built to shrink over time: as on-device models improve, more inference runs locally and less crosses the wire. It is the minimal-disclosure version of a crossing that, for now, is unavoidable.


Why this matters

I don't think the future holds less AI. The incentives are too strong, the convenience too compelling, the capabilities advancing too fast. The future holds far more of it.

Which means the challenge was never to stop AI from accessing information. It's to make sure that access doesn't automatically become surveillance.

For years the industry has framed this as a trade-off: useful systems or private systems, pick one. I reject that premise. The model may need to read your request. It does not need to know who you are. That distinction is the whole game — and it's the problem we built Brianni-AI around.

It's why Whittaker's warning resonated. Not because it changed our thinking, but because it described, precisely, the problem we were already trying to solve.

The AI will read your data.

The only question that matters is: who else can?