Chutes.ai security/privacy questions

Why would you need a product or 3rd party in between you and something you can do yourself?
The amount of companies created in the past 2 years that are literally ChatGPT in/out thanks to wrapper is quite long.
This is just one more of them with no specific added value and it can go down anytime.

And yeah, also the general vibe + buzzwords + style on Twitter, it’s part of an overall identity trend that startups try to replicate, the Vercel style pretty much.

Why do you need a product for an open source LLM like Qwen or DeepSeek?
Do you need to pay for a product to check the weather? Nah you can search it online yourself or through the window, same here, unnecessary middleman.

What do you mean with this:

Why do you need a product for an open source LLM like Qwen or DeepSeek?

I literally can’t host things like GLM-5 or DeepSeek V3.2 model myself. No normal consumer can because of the amounts of memory and processing power that is needed. Which means I have to rely on some provider. Which led to me searching for providers that have good privacy policies and security practices.

Or do you mean I just simply shouldn’t use AI? That would be totally another discussion and not the one I asked for here.

Or do you mean I should just use Qwen or DeepSeek from the developers themselves and basically give my data to companies heavily associated with the government of the PRC?

So I once again ask: Do you (or anyone else for that matter) have a better recommendation for someone who needs an AI provider with SOTA models?

1 Like

If you don’t have the size/computer/RAM/NPUs for it, use some cloud functions or VPS.
It will be cheaper because less people in the middle.

I know that not all models are hella huge anyway. And bigger doesn’t always mean better too.

Nobody does that if we’re honest.
Moreover, if you want the best, just pay for some ChatGPT.

Paying for an in-between product is having the worst of both worlds.

No. Do it by yourself as much as possible, at home or on a rented VPS/cloud function.

If you don’t have the size/computer/RAM/NPUs for it, use some cloud functions or VPS.

Can you link a VPS that is affordable and has a better design when it comes to privacy protection than Chutes.ai? Even if I rent a VPS from a provider I still need to know they don’t have the ability to snoop otherwise we’re comparing apples to bananas imo.

Well I am. We all should as AI is becoming more important than ever and privacy there is important.

Moreover, if you want the best, just pay for some ChatGPT.

First: ChatGPT being the best is heavily debated, depends on the use case etc.
Second: Did you even read the privacy policy of ChatGPT? I feel like every week I read something about ChatGPT being bad when it comes to privacy. It’s probably one of the worst companies when it comes to privacy and ethics.

I feel when it comes to AI people interested in privacy either turn a blind eye and pretend like ChatGPT is not 100x worse than Google when it comes to the data we feed it or they just pretend it doesn’t exist, hate it or both which of course doesn’t change the fact that AI is becoming increasingly more important in today’s world.

No. In their blog post, Chutes said that verifiability is “the end goal”. In other words, it’s not verifiable at the moment.

Confidential computing has its upsides and downsides. You need two hardware features for it to work:

  • Remote attestation: For example, I give you a software binary, which you can hash and compare with the hash that the hardware produces from the software that it is running.
  • TEE: If being used correctly by software, it can deprive the hardware owners of access to some data. The most popular use case is for “premium content protection”. :upside_down_face:

Connect the two dots and you can roughly understand how confidential computing works.

Out of the four (Chutes, Maple, Tinfoil, and Confer), Tinfoil is the best at transparency by virtue of being open source. I’m pretty sure that none are being audited by third parties. You can read how their remote attestation works here. Their blog is also great if you want to learn more about confidential generative AI. But again, it has fewer LLM models than Chutes, which is unverifiable right now (but may be in the future).

1 Like
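
The check described in the post above (hash the published binary and compare it with the measurement the hardware reports), sketched as an added example that is not part of the original post or any provider's code. The key, the sample images and the function names are constructed for illustration, and an HMAC stands in for the vendor-certified asymmetric signature a real TEE uses.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the key rooted in the hardware. A real TEE signs
# reports with an asymmetric key certified by the CPU vendor, so the verifier
# never holds the signing key; HMAC is used here only to stay stdlib-only.
HARDWARE_KEY = b"constructed-demo-hardware-key"


def measure(binary: bytes) -> str:
    """Hash of a software image, as anyone can compute it from the published binary."""
    return hashlib.sha384(binary).hexdigest()


def hardware_attest(running_binary: bytes, nonce: str) -> dict:
    """Simulated hardware: signs the measurement of what is actually loaded."""
    body = {"measurement": measure(running_binary), "nonce": nonce}
    payload = json.dumps(body, sort_keys=True).encode()
    signature = hmac.new(HARDWARE_KEY, payload, hashlib.sha256).hexdigest()
    return {"body": body, "signature": signature}


def verify_report(report: dict, published_binary: bytes, nonce: str) -> str:
    """Client-side check. Returns "ok" or the reason the report is rejected."""
    payload = json.dumps(report["body"], sort_keys=True).encode()
    expected = hmac.new(HARDWARE_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, report["signature"]):
        return "bad signature"          # report was not produced by the hardware
    if not hmac.compare_digest(report["body"]["nonce"], nonce):
        return "stale nonce"            # an old report is being replayed
    if not hmac.compare_digest(report["body"]["measurement"],
                               measure(published_binary)):
        return "measurement mismatch"   # running code differs from published code
    return "ok"


def demo() -> dict:
    """Run four constructed scenarios and return the verifier's verdict for each."""
    published = b"inference-server v1 (constructed sample image)"
    modified = published + b" + request logging"   # operator swapped the image
    nonce = secrets.token_hex(16)                  # fresh challenge per session
    results = {}

    results["honest"] = verify_report(
        hardware_attest(published, nonce), published, nonce)
    results["modified"] = verify_report(
        hardware_attest(modified, nonce), published, nonce)

    # A report captured while the honest image ran, presented in a later session.
    old_report = hardware_attest(published, nonce)
    results["replayed"] = verify_report(
        old_report, published, secrets.token_hex(16))

    # Operator edits the measurement field after the hardware signed the report.
    forged = hardware_attest(modified, nonce)
    forged["body"]["measurement"] = measure(published)
    results["forged"] = verify_report(forged, published, nonce)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:9s} -> {verdict}")
```

The fresh nonce per session is what makes the check hold at connection time rather than only at the moment of an audit.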

There are a few names on the forum in previous VPS recommendation but in EU, Hetzner is a decent choice. It really is a subjective topic with no clear winner.
You’ll never know if they do snoop or not anyway but that’s the drawback of not having your own beefy hardware for those kind of things as discussed in this previous threads. :sweat_smile:

Having a sustainable cloud provider (like Hetzner) vs a random no-name 2 year old startup is definitely not a :banana: vs :red_apple: comparison.
Especially given the fact that the startup will anyway be using a Cloud provider for their own infra. Hence it’s more of a (:banana: + :red_apple:) vs (:red_apple:) kind of comparison.

Sorry, quoted poorly above. I meant to reply to the entire sentence aka

providers that have good privacy policies and security practices

VPS providers are doing their best given security and privacy given regulations etc.

What I was referring to when I said

Nobody does that if we’re honest.

is that the AI landscape is a wild west and nobody cares about your privacy: it is actually quite the opposite.
Everybody wants you to use their walled-garden toolkit and spend as much money while giving away all your access/data otherwise oh man, we can’t have good AI if you no give your data oi! kind of situation.

Even then, probabilistic nature makes it still quite unreliable for basic tasks.


Not everybody needs a beefy model for their needs but if you do have enough of those needs, then going open model + VPS (if not self-host) is still the most sustainable and privacy-respectful approach by far.

Burning an entire forest to know what’s the temperature outside is achieved the best by the biggest Tech companies. The more “accurate” you need that info from somebody else, the more you will need to give your privacy away.

AI and privacy are going into very opposite directions and the parity in terms of “quality” will never be equal.
old school ways might still be just fine enough for some use cases, don’t give up too easily :+1:t2:


What I meant by “ChatGPT” here can be replaced by literally any other one.
Don’t be fooled, Microsoft, Google, Anthropic or anyone else really, do not care and are equally just awful.
You could spend your entire day following the latest propaganda and micro changes, realistically they all want the same from you and are pouring trillions into their latest kinks of grandeur. :grinning_face_with_smiling_eyes:

Imagine investing 4 times your yearly turnover into some hardware and then, being like

you know what? nah I don’t want a return on investment really, I’ll just cure cancer and help those people for the free because I don’t need to have money, just peace of mind knowing that I am a good human being really :innocent:

I really don’t care about the weekly hourly drama around those companies if we’re honest.
They are all lying and equally bad because this is just the AI rat race based on FOMO, buzzword, BS “thoughtleaders”. :+1:t2:

Are those your thoughts?
Or you starting to think it now that those companies shoved enough ideas into your mind with lots of marketing and potential groundbreaking social improvements?


Kinda related video that I just posted.

1 Like

Unless it’s verifiable 100%, expect all of those AI bros/companies to probably just lie.
Sorry to break down the bad news here. :sweat_smile:

Caught live? Oh, apologize burn the evidence :fire:, rebrand under a new name and milk some people elsewhere with some over-the-weekend “product”.

I moreover don’t see anybody realistically investing any money into this as fast as the other privacy-invasive companies are doing on their side. :sweat_smile:
Or just making it sustainable/decently priced to their customers.

Would be curious to see how easy it is even to audit those claims, knowing that they could set up their servers in a way before the audit and revert to snoopy approaches after the audit.
Or that the audit teams even know how to audit those ones thoroughly.

Maybe I just don’t know enough about that topic, fair assumption too.

You said this because you think confidential computing only exists because of LLMs, don’t you? The EU recognized it in its “state of the art” guideline published in 2021:

Privileged access by administrators to data during processing is traditionally only secured with organizational or reactive measures against misuse of the privilege. With the help of confidential data processing (Confidential Computing), this data is tamper-proof and preventively protected against unauthorized access. This is particularly important for applications in the field of cloud computing. Confidential data processing corresponds to the protection requirement when cloud services are used for critical infrastructures or for sensitive data processing processes, e.g. in medicine, industry or in regulated areas (e.g. regTech).

Meanwhile, the first one to use confidential computing for LLMs is Apple with its Private Cloud Compute, which released in mid-2024.

Granted, there are some unique problems when applying confidential computing to LLMs.

This is true, though. Those hardware requirements have a price tag.

The most straightforward way is open-source software and (additionally) reproducible builds. Even Apple publishes some parts of the Private Cloud Compute.

1 Like

I appreciate your thorough reply but I really think you’re contradicting yourself in several places here. Prepare for a long reply.

Having a sustainable cloud provider (like Hetzner) vs a random no-name 2 year old startup is definitely not a :banana: vs :red_apple: comparison.

The age of a company doesn’t automatically make it more or less trustworthy. By that logic we should never trust any new privacy tool or service and just stick with the old giants forever. Mullvad was “new” once. Proton was “new” once. Pretty much every project Privacy Guides recommends was a “random no-name startup” at some point. Age doesn’t equal trustworthiness, what matters is what they actually do. Dismissing something solely because it’s young is not a privacy argument, it’s an appeal to tradition. I thought that was something we are actively challenging here :cry:

You’ll never know if they do snoop or not anyway

So your argument is essentially “trust nobody, verify nothing, just give up and use a VPS”? Because you literally just admitted you can’t verify what Hetzner does with your traffic either. So how is that really different from trusting a provider that has actually published their security architecture and privacy policies? At least some of these AI startups are publishing security docs and opening up to scrutiny. Hetzner isn’t exactly letting you audit their hypervisors either. Not that this matters as Hetzner isn’t an option anyways but more on that later.

the AI landscape is a wild west and nobody cares about your privacy

“Nobody” is doing a LOT of heavy lifting in that sentence. TEE implementations, confidential compute, E2EE approaches like Confer’s passkey-based encryption, zero-data-retention API policies. Afaik these are real, technical, verifiable privacy mechanisms that exist right now. Maybe I was also just drugged and am hallucinating. They’re not perfect, sure. But you know what? Nothing is. But saying “nobody cares” just because the big players are bad actors is like saying “nobody makes a secure phone OS” because Samsung and Xiaomi are awful. GrapheneOS exists. And in the AI space, privacy-focused approaches exist too. You just have to actually evaluate them instead of blanket-dismissing everything.

Don’t be fooled, Microsoft, Google, Anthropic or anyone else really, do not care and are equally just awful. They are all lying and equally bad

This kind of blanket nihilism is actually counterproductive to the privacy community imo. If everybody is “equally bad” then nothing matters and there’s no point evaluating anything. This is exactly the attitude that benefits the worst actors the most. There ARE material differences between companies. Lumping together a provider that uses TEE + accepts crypto + publishes no-log policies with OpenAI (which is literally court-ordered to retain all chat logs indefinitely) is not useful analysis. It’s doomerism dressed up as skepticism.

Not everybody needs a beefy model for their needs but if you do have enough of those needs, then going open model + VPS (if not self-host) is still the most sustainable and privacy-respectful approach by far.

I actually agree with this in principle. But the keyword is “if you do have enough of those needs.” Not everyone does, and not everyone has the technical skill or budget to spin up a VPS with GPU passthrough. For those who need something more capable than what a small VPS can run, dismissing every cloud option as “equally bad” doesn’t help them make informed decisions. It just leaves them with zero actionable advice.

And about the “just use a VPS” suggestion. Let’s do the actual math on that. GLM-5, let’s just call it the current open-weights SOTA, is a 744B parameter model that needs ~1.5TB of VRAM at full precision, or ~241GB even at aggressive 2-bit quantization. Hetzner’s best GPU server (GEX131) has 96GB VRAM and costs €889/month. Afaik you can’t split LLM inference across separate physical servers, so you’d need a specialized GPU cloud with an 8x H100/H200 node. We’re talking $15,000-25,000/month, not exactly the “affordable VPS” you’re casually recommending. And if that is affordable for you then I seriously want your salary. You could run it on CPU with RAM offloading on a high-RAM dedicated box, but at 1-2 tokens/second it’s essentially unusable. And sure, you can run a 7B or 13B model on the €184/month GEX44, but then we’re back to what you yourself called “quite unreliable for basic tasks” because small open models are exactly that. So the realistic choice for most people who actually need capable AI for work is: spend thousands on hardware for a self-hosted setup that still can’t match frontier models, or use a cloud AI service with the best privacy practices you can find. Dismissing the second option as “equally bad” doesn’t help anyone make that decision.

Are those your thoughts? Or you starting to think it now that those companies shoved enough ideas into your mind with lots of marketing?

Come on mate. That’s just condescending. We don’t need any of that here. Yes, those are my thoughts. I use AI for work daily. Not because marketing brainwashed me, but because my workflow genuinely benefits from it and in some cases it’s pretty much required to reach goals. You can dislike the AI industry (I do too in maaaaany ways) without pretending that everyone who finds it practically useful has been manipulated.

And, I say this respectfully, you’re telling me all these companies are “equally awful” and that I’ve been brainwashed by marketing… while you stream on YouTube, speak at Google tech conferences, and run your whole streaming setup off a Mac Studio? You’re actively participating in Google’s and Apple’s ecosystems — two of the companies you just called “equally just awful”. You’re even considering running Cursor (an AI-powered code editor) on your streaming rig (which kinda tells me you use it on another computer) while telling me that thinking AI is useful means I’ve had ideas “shoved into my mind” by marketing.

And then there’s the contrast with how you treat startups. You dismiss Chutes as a “random no-name 2 year old startup” that can’t be trusted, but then you shared urban-privacy.com which is a company selling anti-facial-recognition clothing with zero testing data, zero peer-reviewed validation, and crazy high prices that other people rightfully called out. And your response was “let’s be patient and not kill them already” and “let’s assume that their intentions are honest.” So new startups deserve the benefit of the doubt and patience… unless they’re in the AI space?

Burning an entire forest to know what’s the temperature outside

Great metaphor honestly. But the solution isn’t to pretend forests don’t exist or that nobody should ever check the temperature. The solution is to find the most efficient and privacy-respecting way to do it. Which is literally what I tried with this thread before it turned into a lecture about how nothing matters because everyone is bad.

The “everything is equally terrible so don’t bother evaluating” approach helps nobody. It’s the privacy equivalent of “don’t vote, all politicians are the same.” Real threat modeling involves nuance not nihilism.

2 Likes

If you use OpenRouter and enable “Use ZDR Endpoints only” and disable “Enable paid endpoints that may train on inputs” in privacy settings, Chutes will be blocked for the following reasons:

Therefore, based off of that alone, I wouldn’t recommend using Chutes.

2 Likes

Now that’s a good find! It might be good to follow that lead and find out why exactly and if that’s still up to date.

Roughly two years ago, a client asked if I could build them a fully encrypted server to run airgapped LLMs. I ended up building them a solution based on dual socket AMD EPYC 7702P 64-Core Processors. With AMD’s memory encryption, SEV-SNP, hardware-encrypted SSDs with an encrypted filesystem on top tied to the TPM and hardware token, and 512GB of ECC RAM. It’s not as fast as GPUs, but it still gets in the 100-200 tokens/sec on most modern LLMs. It met their requirements of encrypted at rest, encrypted in ram, and encrypted processing.

An example test is “what’s the airspeed of an unladen swallow?” with results along the lines of:

eval count: 585 token(s)
eval duration: 6.140339888s
eval rate: 95.27 tokens/s

This is full TEE/encrypted LLM processing. The Nvidia GPUs (at the time) with TEE-like capabilities were not fully encrypted and attestation was really only stating something was loaded into the TEE part of the GPU. Also, these GPUs were about as expensive as the entire system itself.

Once the models are loaded into RAM, it’s really pretty responsive. In the end, we built a second system that used off-the-shelf AMD GPUs because they figured they could trust the PCI-e bus between the CPU/RAM and the GPU if the chassis was secured and one can’t snoop on the PCI bus if you can’t install any hardware to do it. This was vastly faster, with 4 GPUs per system plus the EPYC CPUs, the whole thing is quite usable for models loaded into encrypted ECC RAM and then the VRAM loading is nearly instant.

All this is a long way to say, I’m seriously considering starting a site that runs something similar, but doesn’t require traditional accounts. I want it to be on my bare metal hardware, with something like a BIP-32 key for the account. Once payment clears, then you’re good to go. I want it to work with any device, with minimal javascript and zero webgl/wasm required. It should work with Tor/Mullvad browser in complete strict security mode.

Moxie has made some progress with passkey-based system running in TEEs provided by other cloud providers.

The more providers like Tinfoil, running on real hardware, the better. As OpenAI’s ad-model and all these people reselling it show, your data is still the new oil.

2 Likes

Impressive to hear about your experience building an air-gapped LLM server using AMD processors. Achieving about 100/tps while having encryption at all stages is no small feat!

If you ever decide to build something similar for the public post it here please! I’m pretty sure a lot of people on here would find it very interesting.

https://xcancel.com/jon_durbin/status/1951685136732581918

1 Like

Good comment, I don’t have the patience to write all this out and normally just ignore these people.

Annoying how every discussion about LLMs results in someone lecturing about why we can’t use them.

1 Like

So if I’m understanding this correctly this should be fixed now since they use TEE? I think I might send them and OpenRouter an e-mail and ask them about this.

Edit: I’m still a bit unsure of what is going on here and who to trust so I’ll likely just watch from the side until all the smoke has cleared.

They still offer models not running in TEEs. But your best bet would be to ask them yes

1 Like

I will report back once I hear from them. In the meantime I might get some popcorn and watch this thread or other AI related threads as they seem to make people very emotional.

1 Like

I ended up messaging both OpenRouter and Chutes and both have answered pretty fast.

Chutes’ answer has been this:

We have never collected or trained on user data. We’re working on getting this flag removed, but OpenRouter has been difficult. Our last response was their verification team was “on vacation.” This flag should be removed soon, as we will likely have TEE-only models on OpenRouter.

If you’re concerned about privacy, use TEE models only. Miners could, hypothetically, retain logs on non-TEE models, but it would be difficult. This was the reason for the flag in the first place, as we were honest about this.

OpenRouter’s answer has been this:

Our data retention and training classifications are based on direct discussions with each provider, not solely on their public-facing privacy policies. We require explicit, unambiguous confirmation before assigning a favorable classification. Public documentation using phrasing like “no persistent storage” or “we do not collect the content of your requests” may not meet our threshold if the language leaves room for interpretation.

We have evaluated Chutes’ policies, but the language we’ve reviewed so far hasn’t been explicit enough to confirm zero data retention to our standards. We’re always willing to re-evaluate if additional documentation or clarification becomes available from the provider.

You’ve got it right. The “unknown” classification is a conservative default we apply when a provider hasn’t provided sufficiently explicit confirmation. We err on the side of caution to ensure transparency. It doesn’t necessarily mean there’s a genuine concern about how Chutes handles data, just that we haven’t received the level of explicit confirmation we require.

If you have any direct contact with the Chutes team, feel free to encourage them to reach out to us with explicit documentation addressing data retention and training policies. We’d be happy to reassess their classification based on that.

Make of that what you will but here are my thoughts:
From what I’m reading here it could be a genuine misunderstanding that should be resolved soon. I would advise people including OP to stop using it for now or at least only use it for non-personal stuff. I’m not saying that it is 100% safe when it has been verified by OpenRouter but at least people from a 3rd party have looked at it and deemed it safe. The verification team of OpenRouter probably knows more about this than most of the keyboard-warriors in this thread including me.

If you end up using it only use the TEE models.

2 Likes

Additional info on what OpenRouter allows in ZDR and the list of ZDR providers