"Coming soon", "Join the waitlist", etc. generally mean this work isn't ready to be discussed on HN.
Once there's something for people to try out, or at least some substantive information about what it actually is and how it actually works, it will be possible to have a good HN thread about it.
The project is not far from there; we are only weeks away from release.
BlindAI has been around for almost two years and is open source. We are improving on it with recent hardware and AI models, but this is not just a communication stunt.
I apologize for not providing as much content as you would expect, but we will do our best to provide something of value to the AI & privacy community ASAP.
Unless you have the power to define your own information boundaries (eg. via your own security in your own cloud account, or your own network), you can't assume privacy is protected.
Any kind of privacy assurance is only as good as the word of the salesman.
Would you send your medical records to an arbitrary 3rd party? Would you send your production code base to an arbitrary 3rd party?
There are very few entities that people trust for this (e.g. AWS) because they have a long track record, reputation, and audit history to support their claims.
I agree. But there are hardware-based solutions called secure enclaves that enable software companies hosted on AWS (like us) to serve a SaaS without technically being able to see the data. This can be verified remotely, via attestation, even before any data is sent to us.
I don't think that the model they are using is private. You can download it[1] and run it yourself. Looks like it is GPT-NeoX, which was fine-tuned using the open-source LAION OIG dataset[2].
If I can build the Nitro image myself, I would just self-host it.
If this is “self-hosted ML” then that’s great, and it is secure!
…
That obviously isn’t their business model.
(Or is it? Did I totally misunderstand the offering?)
import blindai
blindai.api.Completion.complete("I love AI…
...I dunno, I feel like they'll say something like:
- You have a client side encryption key
- You encrypt the data before you submit it
- The encrypted data is put on the image along with our Magic Sauce
- In the secure enclave, the data is decrypted and processed
- The result is encrypted
- The encrypted result is returned to you
- You decrypt it locally!
The problem with that is there's a whole lot of magical hand-waving about how the secret key, which theoretically never leaves your local side, ends up inside the container image without them having access to it.
The client-side SDK we provide manages the security for you. As the client side is open source, as well as the server, you can verify the claims I am about to make. Behind those few lines of code, the SDK does the following (a rough sketch in code follows this list):
- The enclave uses primitives from AWS that we cannot fake to create a certificate containing a hash of the loaded code, a public key for key exchange, and other security information. This certificate is signed by a key derived from AWS hardware, so we cannot forge such certificates. I mention AWS here, but it can be Intel or AMD depending on the solution you choose.
- You receive the certificate and check locally that it is valid using AWS's public key.
- Once you know, locally on your machine, that we are running a genuine enclave with no backdoor that will handle your data properly (because the certificate is valid and the code hash it contains matches the audited open-source code), you finish setting up the TLS channel using the public key inside the certificate.
- Data is encrypted locally and sent over this TLS channel to the enclave
- Data is decrypted there, where we cannot peek due to isolation
- AI model is applied inside
- Output is encrypted inside enclave
- Output is sent back to you for you to decrypt it
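To make that flow a bit more concrete, here is a minimal Python sketch of the client-side checks. It is not the actual BlindAI SDK: the attestation-document fields ("code_hash", "enclave_public_key") and the function itself are assumptions made for illustration, and the vendor-signature verification is only indicated as a comment.

    import hmac

    def verify_attestation(attestation_doc: dict, expected_code_hash: str) -> bytes:
        """Return the enclave's public key if the attestation matches the audited code."""
        # 1. (Not shown) Verify the vendor's signature over the attestation document
        #    against the hardware root of trust (AWS / Intel / AMD), so the operator
        #    cannot forge the document.
        # 2. Check that the reported code measurement equals the hash of the audited,
        #    open-source enclave image.
        if not hmac.compare_digest(attestation_doc["code_hash"], expected_code_hash):
            raise ValueError("enclave is not running the audited code")
        # 3. Hand back the enclave's public key; the TLS session is then pinned to
        #    this key, so only the attested enclave can decrypt the traffic.
        return attestation_doc["enclave_public_key"]

Only after these checks pass does the client encrypt and send any data, which is why the operator's promises do not have to be taken on faith.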
It's not much of a competitor with this performance. From the OpenChatKit model they claim to be using:
> Write a rhyming poem about ray tracing
OpenChatKit:
The sun is shining
The birds are singing, and the flowers are blooming.
I'm so glad that I'm alive, and I'm so glad that I'm here.
I'm so glad that I'm alive, and I'm so glad that I'm here.
I'm so glad that I'm alive, and I'm so glad that I'm here.
[repeated several more times]
ChatGPT:
In a world of graphics, sharp and bright,
Where realism is the ultimate sight,
There's a technique that takes the lead,
It's called ray tracing, indeed!
Ray tracing is a visual art,
That sets the scene right from the start,
By tracing rays of light in the air,
It creates an image beyond compare.
To me, OpenChatKit is just a first step towards better and better open-source models. Other actors like AWS and Hugging Face are also working on that, and Hugging Face has already proven its ability to train and make available LLMs at huge scale, as with BLOOM.
I think it's just the beginning and the open-source community will provide very competitive LLMs.
> I think it's just the beginning and the open-source community will provide very competitive LLMs.
It is indeed. The way to challenge OpenAI's offerings is with open-source AI models. Even better when they achieve and surpass GPT-4 level capabilities.
They (OpenAI) cannot win the race to the bottom, i.e. to $0. Stable Diffusion (and even the leaked Facebook LLaMA) is already at the finish line, and more alternatives that surpass GPT-3 and GPT-4 will get there too and be released for free in the open.
Eventually, open-source AI models will disrupt closed ones, just like DALL-E 2 was quickly disrupted by Stable Diffusion.
I think one caveat is access to training data. If proprietary models can be trained on useful data from private sources, or worse, if there are successful legal challenges against using public but copyrighted data for training, then it will be difficult for open-source models to compete with proprietary models.
1) In a lot of western countries (EU, UK too I think) the hammer has already come down in favor of using public but copyrighted data.
2) Wouldn’t that cause open source models to be favored? A big company has lawyers that ensure that the internal practices comply with the law while on the other hand, good luck suing some random guy from 4chan who made a model that may or may not incorporate copyrighted data.
Sure there will be "bootleg" models available on BitTorrent or whatever, but generally "open source" refers to legitimately licensed code a big company with lawyers would be ok with incorporating into their own business.
It actually wasn’t that long ago that GPT-based models (including Copilot) frequently got stuck in loops like that; I'm... not taking that as a big negative sign. Yeah, it's behind the closed SOTA. That’s where you expect an open competitor to start.
In pixeled realms where photons race,
A wondrous dance of light's embrace,
Ray tracing weaves its subtle art,
Illuminating shadows' heart.
With every bounce and each reflection,
It births a scene of pure perfection.
A cascade of color, depth, and tone,
In virtual worlds, it carves its throne,
From mirrored glass to shimmering streams,
Ray tracing paints our digital dreams.
A masterstroke in the canvas vast,
Its legacy through ages cast.
"We can’t listen to your queries and no other party can. Privacy is built by design in our solution."
I don't really understand the technical solution behind this statement. Isn't this just E2E encryption up until you decrypt the query to pass to the LLM? ML operating via homomorphic encryption is very far away, and OpenChatKit is just a standard self-hosted LLM. This seems more like "self-host on semi-trusted Azure compute that isn't owned by OpenAI, and the model performance will be far worse than GPT-4"?
> You might find other AI APIs available online. Those companies might put in place encryption in transit or at rest, but the companies running those APIs end up decrypting your data to apply their model.
> This means they eventually see all data you send to them, could leverage it for their interest, or get your data compromised without your knowledge!
> BlindAI API uses cutting-edge encryption mechanisms with secure enclaves so that even our admins cannot see the data sent to our AI models, and therefore cannot compromise our users' data.
Same question, what do they mean by a secure enclave? Homomorphic encryption is the only way that I can think of to really securely do this? Unless maybe they have decryption built into the LLM somehow so it only gets decrypted in RAM? But that still seems like it shouldn't be treated as E2EE.
E2EE means something, it shouldn't be used this lightly if all they mean is that they're promising not to touch the data on a machine.
I feel like I need to see a lot more details before I get excited about this.
More to the point, given the progress happening on LLaMA right now, it's hard to get excited about even homomorphically encrypted models, because I strongly suspect that on-device/on-premise models are going to end up being the better solution for data privacy. This mattered more before it was possible to run an LLM on a high-end laptop.
I see your point. We have been creating content to democratize Confidential Computing, a field leveraging hardware-based solutions (instead of software-based ones like homomorphic encryption) to protect data in use.
I don't necessarily agree with your statement regarding deployment on laptops. Not everyone has the skills/hardware to deploy such models, and providing simple APIs to leverage them, especially if the model is complex, could bring a lot of value to users in our opinion. We have seen hospitals wanting a simple API to do speech-to-text for medical voice notes; they just want an app on their old phones. I hardly see them deploying a 1B-parameter Whisper model for this use case.
Using BlindAI would allow them to have state-of-the-art AI, without having to worry about showing their data to us.
I guess I should say to be fair, getting the user input and model output onto a single set of hardware with even semi-reasonable guarantees that it won't be examined in an unencrypted state is a heck of a lot better than what OpenAI is doing, so I don't necessarily want to say it's a bad business model -- there are lots of services I rely on that make privacy promises to me that aren't based on complete E2EE setups. What you're describing is absolutely an improvement over OpenAI's privacy.
I think my quibble is that (to me) the privacy terms on the homepage feel like they're suggesting something stronger than a secure enclave. My first thought when I saw it was "huh, somebody figured out homomorphic encrypted models." I'm not sure I'd have the same objections if I hadn't gotten that impression to start with.
----
My suspicion with local models is less that they'll run on a cell phone or a low-end laptop, and more that at the point they can run on high-end consumer hardware, they'll also be cheap enough to run that hosting an LLM might become a commodity service. In the same way that a hospital might not want to host its own website or data records, I'm still wondering how the companies involved in that stuff don't eventually just turn into generic hosting companies. And again, to be fair here, if the security model you're talking about holds up, maybe that's a model that can be applied to multiple products or hosting offerings. It does sort of feel like the main thing you're advertising here is the generic enclave, not the AI specifically.
And who knows, maybe I'm just completely wrong about all of it, I'm not an expert. But I sort of suspect that it's going to get progressively easier to host these kinds of models in the future.
The thing is that what they say on the homepage has to be trusted and cannot be verified. At best they put contractual commitments in place, but no one knows what happens behind the scenes.
With attestation of secure enclaves (https://blog.mithrilsecurity.io/confidential-computing-expla..., sorry it's a bit old and not technical enough; we will update it), you can have technical proof that people will respect what they commit to contractually. I don't think OpenAI is using any real Privacy Enhancing Technologies, and even if they did, you have no actual proof they are doing anything (unless they use secure enclaves).
I agree, ideally you would like a purely mathematical solution like homomorphic encryption, but the truth is we might not see that for years or more (public-key cryptography is not known to be fast).
Not everyone has access to high-end consumer hardware, and just maintaining the software/hardware stack on premises is complicated, so imagine having to manage thousands of devices. It is close to impossible unless you are Apple/Google, and even if you are, it's not perfect.
By sending the model to the device, it becomes quite easy to reverse-engineer, so not only can your IP be stolen easily, but people can also start mounting adversarial attacks.
Yes, enclaves are a generic solution. In the end it's a bunch of low-level hardware primitives. But to have something that is truly fast, secure and easy to use, you need to focus on a use case to serve your users. We have chosen to focus on AI because we love AI and think it's a relevant first niche market, especially today.
I am not sure about going more on device / on premise. You can benefit from huge scaling effects by relying on managed services that are easier to maintain, patch, and deploy.
We are not using homomorphic encryption, as it would be too slow. We are working on hosting OpenChatKit inside a secure enclave that benefits from hardware isolation to protect data while it is in the clear for the application of the AI model.
We have developed an attestation system that does not rely on cloud providers, but is closer to the ones provided by hardware providers, for instance Intel. You can find more about our attestation here: https://blindai-preview.mithrilsecurity.io/en/latest/docs/ad...
The goal of our work is to provide a more transparent and privacy-friendly interface for people working in sensitive industries to leverage LLMs. With the attestation mechanism, technical proof can be given that data will not be used for any purpose other than inference.
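Roughly, that proof rests on comparing the code measurement reported in the attestation with a value anyone can recompute from the audited source. Real platforms compute measurements their own way (e.g. Nitro PCRs, SGX's MRENCLAVE), so the plain file hash below is only a hypothetical stand-in to illustrate the idea, assuming a reproducible build of the enclave image.

    import hashlib

    def local_measurement(enclave_image_path: str) -> str:
        """Hash a locally, reproducibly built enclave image.

        Comparing this value with the measurement reported in the attestation
        ties the running service to the audited open-source code. (Real enclave
        measurements are computed by the platform, not by a simple file hash.)
        """
        digest = hashlib.sha384()
        with open(enclave_image_path, "rb") as image:
            for chunk in iter(lambda: image.read(1 << 20), b""):
                digest.update(chunk)
        return digest.hexdigest()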
The scale and capability of LLMs are increasing exponentially... To me, this is a bit like working hard on a privacy-first 80286 when OpenAI and other folks are shipping a Pentium, or maybe an i7 or Apple Silicon next year...
What if, instead of trying to evaluate these models privately, which tends to have a lot of overhead, we mixed lots of user queries and sent them in batches?
We could use enclaves to do the mixing, and while there'd be added latency, we could achieve model outputs that are (by definition) at the current state of the art for LLMs. We would not hide the contents of queries, but we'd at least hide who is making which queries.
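A rough sketch of what that mixing step might look like, assuming it runs inside an enclave. The function and the upstream call are hypothetical, and a real mixer would also need padding, timing defenses, and a cryptographically secure shuffle.

    import random
    from typing import Callable, Dict, List, Tuple

    def mix_and_forward(
        queries: List[Tuple[str, str]],               # (user_id, prompt) pairs
        call_upstream_llm: Callable[[List[str]], List[str]],
    ) -> Dict[str, str]:
        """Shuffle a batch of prompts, send them upstream, and map answers back."""
        order = list(range(len(queries)))
        random.shuffle(order)                          # hides who asked which prompt
        shuffled_prompts = [queries[i][1] for i in order]
        # The upstream provider sees the prompts, but not which user sent which.
        answers = call_upstream_llm(shuffled_prompts)
        results: Dict[str, str] = {}
        for position, original_index in enumerate(order):
            user_id = queries[original_index][0]
            results[user_id] = answers[position]
        return results

The mapping between users and prompts only ever lives inside the mixer, which matches the trade-off above: the provider still sees the contents, just not who sent what.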
This looks to be nothing but a Python library with a waitlist. Is there any sort of playground or ChatGPT-like interface to see what the capabilities are?
Its selling points are the privacy model of its hosting, and that it is using an open-source engine. The engine is OpenChatKit from Together: https://www.together.xyz/blog/openchatkit
I think the relevant legal mechanism would be a trademark, and in order for it to be a legal issue, you would need to be operating in the same business space as an existing registered trademark holder (because then you might cause confusion between yours and their products/services). Copyright generally doesn't apply in the case of a single word.
https://hn.algolia.com/?dateRange=all&page=0&prefix=false&so...