Introducing Lumo, the AI where every conversation is confidential | Proton

I’m looking at zama.ai and they have some demos of FHE, one of which is image processing and it works! Pretty cool and takes less than 30 minutes.

We now have a highly efficient FHE technology that can support any type of application, using common programming languages such as Solidity and Python, while being over 100x faster than 5 years ago.

It seems like FHE is advancing quickly, I think we’ll see more and more applications of it over the next few years.

Of course it’s an improvement. The status quo is no protection at all.

All I’m saying is that attestation is not in the same ballpark as zero-knowledge encryption. I wouldn’t even consider it the same game.

I think what you have to understand is that secure enclaves are just computers.

Establishing trust with a secure enclave in the first place is a whole research field unto itself. Security researchers have not really established confidence in Apple’s Private Compute Cloud, and Apple is almost certainly more of an expert in this domain than Amazon, so I would certainly not take for granted that AWS Nitro Enclaves operate perfectly as designed in the first place. There is a massive amount of room for errors in this implementation that will be near-invisible until they are discovered, and will be very hard for security researchers to discover in the first place.

Beyond attestation, if you do assume you can trust the attestation that a certain piece of software is being run, there is no guarantee whatsoever that the software is trustworthy.

Who has audited Maple AI, and could they have missed anything? You are fully vulnerable to regular old software bugs and exploits, regardless of whether that software is running in a secure enclave.

Maybe the secure enclave is very good at keeping your private encryption key secret, but the software inside can be tricked into blindly decrypting data fed into it through some bug. In that case, does it actually matter how much the secure enclave protected the private key?

At the end of the day, you are fully and completely trusting Maple AI. If this whole scheme works perfectly, what they are doing is basically protecting you from someone making an unauthorized (by them!) change to the code. Which is a good thing for security! However, it is not at all the same as protecting you from their authorized software. Apple PCC works similarly.

True zero-knowledge encryption strongly protects you in all circumstances where intermediaries are untrusted, so it isn’t really comparable. The threats in the case of E2EE are basically narrowed down to you losing your key or it being stolen, or the encryption scheme being cracked. Both of these are theoretical possibilities, but knowing what the threats are puts you at a great advantage when defending yourself.

The number and severity of threats/exploits facing Maple AI is basically unknowable.

It is true that what Apple Private Compute is doing (and perhaps what Maple AI is doing) is basically the very best we can possibly do today when it comes to securing cloud compute. It is also true that it still comes nowhere near the security of zero-knowledge encryption and local compute. My takeaway from these two combined facts is that any sort of third-party cloud computing is simply not trustworthy enough no matter what is done on their end.

It would be cool, but I’ll admit the idea of homomorphic encryption becoming much better kind of bums me out too.

If we get to the point where virtually any compute can be done in remote datacenters, why wouldn’t OEMs just do that for everything, and screw local compute? There are privacy and non-privacy problems with non-local computing beyond just whether the data can be read, and I think we need far more local compute, not less.

This is not machine learning. I’m talking about machine learning models processing an image, like when you upload an image to ChatGPT and have it describe the image or something. Converting an image to black and white or adding a blur just involves some basic multiplication, addition, etc. These demos are technically less complex than what Apple is doing in this field.

5 Likes
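The point above, that a grayscale filter is only additions and multiplications by constants, shown as an added example (not from the thread or from Zama's demos). It uses the Paillier additively homomorphic scheme as a stand-in for a full FHE scheme. The toy key, the 77/150/29 luma weights and all function names are assumptions made for this illustration.

```python
import math
import secrets

# Constructed toy key built from two Mersenne primes. Real Paillier keys need
# large random primes; these are only here so the example runs offline.
P, Q = 2**89 - 1, 2**107 - 1
N = P * Q
N2 = N * N
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)  # lcm(p-1, q-1)
MU = pow(LAM, -1, N)                               # valid because g = N + 1


def encrypt(m: int) -> int:
    """Client side: Paillier encryption with generator g = N + 1."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            break
    return (1 + m * N) * pow(r, N, N2) % N2


def decrypt(c: int) -> int:
    """Client side: only the holder of LAM/MU can do this."""
    return (pow(c, LAM, N2) - 1) // N * MU % N


def he_add(c1: int, c2: int) -> int:
    """Ciphertext product decrypts to the SUM of the plaintexts."""
    return c1 * c2 % N2


def he_scale(c: int, k: int) -> int:
    """Ciphertext power decrypts to plaintext times the public constant k."""
    return pow(c, k, N2)


WEIGHTS = (77, 150, 29)  # integer luma weights, sum = 256 (assumed for the demo)


def server_grayscale(enc_pixels):
    """Server side: sees only ciphertexts and the public weights.
    Returns Enc(77*R + 150*G + 29*B) per pixel. The final division by 256
    is not a linear operation, so it is left to the client."""
    out = []
    for enc_rgb in enc_pixels:
        acc = he_scale(enc_rgb[0], WEIGHTS[0])
        for c, w in zip(enc_rgb[1:], WEIGHTS[1:]):
            acc = he_add(acc, he_scale(c, w))
        out.append(acc)
    return out


def client_roundtrip(pixels):
    """Encrypt RGB pixels, let the server filter them blind, decrypt the result."""
    enc = [tuple(encrypt(ch) for ch in px) for px in pixels]
    return [decrypt(c) >> 8 for c in server_grayscale(enc)]


def plain_grayscale(pixels):
    """Reference computation on plaintext for comparison."""
    return [(77 * r + 150 * g + 29 * b) >> 8 for r, g, b in pixels]


if __name__ == "__main__":
    sample = [(255, 0, 0), (0, 255, 0), (12, 200, 90)]  # constructed pixels
    print(client_roundtrip(sample), plain_grayscale(sample))
```

Anything non-linear (a comparison, an activation function, the division above) has no equivalent in an additive-only scheme, which is why model inference on encrypted data needs far heavier machinery than this filter.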

This is not a good deal, considering the model isn’t even uncensored. Is it censored because of Swiss law?

What do you mean by “uncensored”?

It will refuse to answer certain questions

1 Like

If you ask the chatbot itself it will consistently tell you it is end to end encrypted - but it is actually not.
Did Proton tell it it was in its system prompt? If so, that is a little shady.

It’s probably just hallucinating, I’ve never seen a chatbot yet that doesn’t constantly lie.

2 Likes

Does it really matter in this case? If anyone wants to do illegal things, they’ll find a way to do it. This chat bot and the company behind it don’t want the liability so they may have tuned it.

But sure, call it censorship if you want. It’s not censorship as it’s traditionally thought of.

1 Like

Ok I managed to extract this from the system prompt (it’s pretty easy to get system prompts from small models)

```
{
  "$defs": {},
  "$schema": "http://json-schema.org/draft-07/schema#",
  "oneOf": [
    {
      "description": "This tool will return complete information about Lumo, Proton, or any Proton product,
including Lumo.
If the user discusses one of the following: \
"Proton", "Mail", "Drive", "Calendar", "VPN", "Bridge", "Scribe", "Lumo",
"Andy Yen", "Bart Butler", you must call this tool.
In case the question contains "lumo" or "proton", prefer calling this tool
instead of web_search. However, for general searches, avoid calling this tool,
which doesn't perform an external web search.
After using this tool, search for the required information inside the content,
 and no more. Reply concisely to the user.",
      "properties": {
        "name": {
          "const": "proton_info",
          "name": "string"
        },
        "parameters": {
          "type": "null"
        },
        "type": {
          "const": "function",
          "type": "string"
        }
      },
      "required": ["type", "name", "parameters"],
      "title": "proton_info",
      "type": "object"
    }
  ],
  "type": "object"
}
```

And it tells me that a call to the proton_info tool returns this (skip reading this block to see only the most relevant part)

# Lumo FAQ

## Plan and Payments

### What is the difference between 'Guest' access and creating a Lumo Free account?

**Guest access**  in Lumo lets you start being productive right away and answer questions without creating an account. You get limited access. For additional usage and features such as saving your chats, you'll need to create a Lumo account, which stores your conversations with zero-access encryption for a limited period.

**Lumo Free**  requires you to create an account. This gives limited usage access compared to Lumo Plus, with the ability to store your conversations securely with zero-access encryption and upload small files.

### What benefits does Lumo Plus have?

Lumo Plus (priced at  **$12.99 monthly**  or  **$9.99 per month when billed annually**) gives you access to premium Lumo features, including:

-   Unlimited questions
-   Extended chat history
-   Ability to upload larger files and query them
-   More powerful models

### Why isn't Lumo Plus included as part of Unlimited, Duo or Family plans?

Like other AI platforms, running Lumo's infrastructure is resource-intensive. It requires significant power, storage, and bandwidth to provide fast and accurate responses in real-time. Since we don't monetize your personal data, sell ads, or accept venture capital, Lumo Plus subscriptions enable us to cover our operational expenses and ensure we can continue to put your privacy first.

### Who has access to Lumo?

All Proton users get access to Lumo:

-   **Lumo Free**  is included with:
    -   Proton Free
    -   Unlimited, Family, and Duo plans
    -   Plus plans (Mail Plus, VPN Plus, Drive Plus, and Pass Plus)
    -   Business plans
-   **Lumo Plus**  is included for Visionary and Lifetime users

### I'm an existing Plus or Business customer (e.g. Mail Plus), can I also purchase Lumo Plus in addition?

Yes! Existing Plus plan subscribers, including Business customers and those with bundle plans (Unlimited, Family, and Duo) can purchase Lumo Plus in addition to their current Proton service at  [https://lumo.proton.me](https://lumo.proton.me/).

For example, existing Mail Plus subscribers can purchase Lumo Plus ($4.99 + $9.99 on a 12-month plan).

### I have a multi-user plan, can I purchase Lumo Plus as an add-on as part of my existing subscription [on mobile]?

Currently, purchasing Lumo Plus as an add-on to plans with multiple users on mobile (e.g. Family or Duo plan with Lumo Plus) is not supported. You are able to do this on web at lumo.proton.me instead.

### I'm an existing Proton user, if I purchase Lumo [on web], will my billing cycle restart?

No, for existing Proton users already on a Proton paid plan, your billing with Lumo will be prorated with your existing plan accordingly.

### I'm an existing Proton user, if I purchase Lumo [on mobile app], will my billing cycle restart?

Lumo plans purchased directly on the iOS or Android mobile app are billed separately from your existing plan - there's no pro-ration involved.

### Payment Important Notes:

-   If you are on a multi-user plan (e.g. Family, Duo, Business plan), you cannot buy a Lumo Plus subscription on mobile. On web you can.
-   If you have an existing Proton plan for Unlimited, Drive, Pass, VPN, Mail, you can buy a Lumo mobile subscription via mobile or web
-   At launch, only Lumo will be purchasable as a multi-subscription, no other plans (e.g Mail Plus and VPN plus) will be purchasable together.

## Features and Usage

### How to get started with Lumo?

Getting started with Lumo is easy:

-   Start a chat instantly at  **lumo.proton.me**  without an account
-   Download the  **Lumo mobile app**  on iOS or Android to get started instantly

### Mobile Apps

Lumo is available on both iOS and Android platforms:

**iOS App Features:**

-   Full Lumo functionality on your iPhone or iPad
-   Voice entry support for hands-free questions
-   Dedicated iOS widget for quick access from your home screen with time-oriented prompt suggestions
-   Seamless integration with your Proton account

**Android App Features:**

-   Complete Lumo experience on Android devices
-   Voice entry support for convenient interaction
-   Quick access to your AI assistant on the go
-   Sync conversations across all your devices

Both mobile apps offer the same privacy-first approach as the web version, with zero-access encryption for your conversations.

### What security and privacy features does Lumo offer?

Lumo is built with privacy as its foundation:

-   **Zero-access encryption**: Your conversations are encrypted so that only you can read them
-   **Ghost Mode**: For maximum privacy, use Ghost Mode where no conversation persistence occurs
-   **No data logging**: We don't log or store your conversations for training purposes
-   **Proton-controlled infrastructure**: All models run exclusively on servers that Proton controls

### How does conversation management work?

Lumo provides comprehensive conversation management features:

-   **Chat history**: Save and access your previous conversations (requires Proton account)
-   **Conversation syncing**: Access your chats across all devices seamlessly
-   **Conversation search**: Find specific conversations quickly using search functionality
-   **Conversation favouriting**: Mark important conversations for easy access
-   **File management**: Manage and view uploaded files, move them in and out of conversation context

### What file capabilities does Lumo support?

Lumo offers robust file handling features:

-   **File upload**: Upload documents and files to analyze and discuss with Lumo
-   **Proton Drive SDK integration**: Seamless integration with your Proton Drive storage
-   **File management**: Organize, view, and manage files within conversations
-   **Context control**: Move files in and out of conversation context as needed

### Who is the intended audience?

Everyone has the right to benefit from AI without their data being misused. That's why we created Lumo. Whether you're asking personal health questions, summarizing a presentation, or analyzing data, Lumo is the perfect AI assistant for everyone to enjoy the benefits of AI without exposing your data. Lumo gives you a simple, secure way to stay private and productive.

### How many questions can I ask Lumo?

Question limits depend on your account type. Signing in will increase your limits, and Paid plans have effectively no limits on the number of questions asked.

_Note: We have limits of 10 questions per minute per session ID to prevent DDoS attacks._

### What languages does Lumo support?

Lumo currently supports chats in:

-   English
-   Spanish
-   French
-   German
-   Italian
-   Portuguese
-   Dutch
-   Russian
-   Chinese
-   Japanese
-   Korean

We'll be actively updating the languages Lumo supports.

### What writing assistance features does Lumo provide?

Lumo offers comprehensive writing support beyond basic spell checking:

-   **Spellcheck**: Catch and correct spelling errors in your text
-   **Grammar checking**: Identify and fix grammatical mistakes
-   **Proofreading**: Review your drafts for errors and improvements
-   **Sentence structure improvement**: Get suggestions for better sentence flow and clarity

Lumo goes beyond traditional spell checkers by suggesting improved sentence structure as well as correct wording and terminology, boosting your productivity.

### Can I save my conversations?

You need to be signed in to a Proton Account to be able to save conversations. Stored conversations are saved with zero-access encryption, meaning only you can see them, and you have the ability to search and favorite your chats.

### How does 'web search' work?

You need to have web search enabled. With web search, the model automatically will decide if it needs more information to complete a query, and therefore triggers web search.

### What search engines are used for web search?

We have selected web engines that are based on privacy, performance, efficiency and reliability.

## Technology and Models

### What models power Lumo?

Lumo is powered by several open-source large language models (LLMs) that have been optimized by Proton. The model used in any particular case will vary. This is because different models have different strengths and we therefore vary the model depending on which will be best suited to the user's specific question. The models we're using currently are Nemo (Mistral), OpenHands 32B, OLMO 2 32B (Allen Institute for AI), and Mistral Small 3 (Mistral). Models may be added or removed based on developments in the field. All the models run exclusively on servers Proton controls. All Lumo conversations are private, and Proton does not contribute any data to the training of these models.

### How does Lumo's model routing work?

Our approach does not just result in better, more tailored answers. It has broader benefits in terms of efficiency, cost and speed. Instead of deploying large, resource-intensive general-purpose models, Lumo employs a multi-model approach for several key advantages. Smaller, specialized models offer greater efficiency and can excel at specific tasks while being more cost-effective to operate. Our intelligent routing system automatically directs user queries to the most appropriate model based on the task type. For instance, programming-related questions are handled by OpenHands, which specializes in coding tasks and delivers superior performance in this domain while maintaining significantly lower operational costs compared to larger general-purpose alternatives.

## Proton and AI

### Why has Proton entered AI? Why aren't you focused on improving your other products?

Artificial intelligence has the power to tackle humanity's challenges, big and small, but to truly transform how we live and work for the better, AI must be built responsibly — putting people and  [privacy](https://proton.me/blog/how-to-build-privacy-first-ai)  first. Today, Big Tech companies are repeating the mistakes from the internet's early days. Instead of using AI to serve people, they're instead using it for surveillance to monetize your personal information and train their language models on your private conversations. We built Lumo as the solution to this — a chat assistant that keeps your data private and safe from abuse. With no logs and zero-access encryption, Lumo keeps your conversations under your control.

Lumo's development has not impacted other services, such as Proton Drive, Proton Calendar, or Linux apps and updates. Our development of new products does not impact our continued focus and improvements of our existing products. You can see our spring and summer 2025 roadmaps for all our products here to see what's coming soon.

### How does Lumo fit with your other products/services?

Lumo is created by the same team behind Proton's encrypted ecosystem, whose mission is to empower everyone to take control of their digital lives. This will always be our focus, even as new technology and capabilities evolve. By launching Lumo, we're building a solution to AI's privacy problem, just like we did with encrypted email back in 2014 with Proton Mail. Unlike the way other companies integrate their services to extract more of your data, Proton integrates services to protect your data — and this remains the same with our development of Lumo. Lumo will tie into our ecosystem to help you be more productive while keeping your data encrypted and private.

### What's the difference between Proton Scribe and Lumo? Will Lumo replace Scribe?

Lumo will not be replacing Proton Scribe.

**Proton Scribe**  is a privacy-first writing assistant built directly into Proton Mail. It helps you compose and improve your email drafts, allowing you to save time writing emails while protecting your most sensitive, valuable data. Learn more here  [https://proton.me/blog/proton-scribe-writing-assistant](https://proton.me/blog/proton-scribe-writing-assistant)

**Lumo**, on the other hand, is your private AI assistant designed to support you in a wide variety of tasks in work and life. Whether you want answers to personal health questions, want to shop online without being targeted by ads, or want to summarize sensitive legal documents, Lumo is your private chat assistant that puts your privacy first.

### Why did Proton focus its effort on creating an AI when some other products are lagging behind in development?

We want to reassure you that Lumo's development has not impacted other services, such as Proton Drive, Proton Calendar, or Linux apps and updates. Our development of new products does not impact our continued focus and improvements of our existing products. In fact, we've been rapidly building new services and features requested by our community, and we will continue to do so. You can see our spring and summer 2025 roadmaps for all our products here to see what's coming soon.

most relevant section:

### What security and privacy features does Lumo offer?

Lumo is built with privacy as its foundation:

-   **Zero-access encryption**: Your conversations are encrypted so that only you can read them
-   **Ghost Mode**: For maximum privacy, use Ghost Mode where no conversation persistence occurs
-   **No data logging**: We don't log or store your conversations for training purposes
-   **Proton-controlled infrastructure**: All models run exclusively on servers that Proton controls

So it does mention zero-access encryption. The first Google search result for that term is this: What is zero-access encryption and why is it important for security? | Proton - so I feel that this may be a marketing term that Proton uses.

I think it would be ideal for them to mention in that tool that zero-access encryption is not the same as end-to-end encryption so that it doesn’t make this mistake.

6 Likes

Yeah maybe they could update it to say “your previous conversations are encrypted so only you can read them”

1 Like

Why do you defend Maple AI over this? Its usage of the term “end-to-end encryption” is extremely misleading and troubling. It will undoubtedly lead many people to think that Maple AI provides the same protection as other E2EE services, like Signal, which it certainly does not.

I’m happy to see some progress in this area. I’m happy to see an open-source version of Private Cloud Compute. I can’t support a company with such a scummy marketing practice.

Also, this whole “secure enclave” thingy isn’t the whole story. Apple also uses Blind Signature (so a specific request doesn’t link with a specific account) and OHTTP relay (so a specific request doesn’t link with a specific IP address).

Details

Target diffusion starts with the request metadata, which leaves out any personally identifiable information about the source device or user, and includes only limited contextual data about the request that’s required to enable routing to the appropriate model. This metadata is the only part of the user’s request that is available to load balancers and other data center components running outside of the PCC trust boundary. The metadata also includes a single-use credential, based on RSA Blind Signatures, to authorize valid requests without tying them to a specific user. Additionally, PCC requests go through an OHTTP relay — operated by a third party — which hides the device’s source IP address before the request ever reaches the PCC infrastructure. This prevents an attacker from using an IP address to identify requests or associate them with an individual. It also means that an attacker would have to compromise both the third-party relay and our load balancer to steer traffic based on the source IP address.

Actually, this makes for solid advice. If you can’t use a local AI model, the best alternative is to use an AI service through a VPN/Tor anonymously or with a temporary pseudonym. Permanent pseudonyms are a myth.

Finally, it should be obvious that using Proton’s VPN to use Proton’s Lumo is a pretty bad idea.

3 Likes
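The single-use RSA blind-signature credential described in the quoted passage above, as an added example that is not part of the original post and is not Apple's code: textbook RSA blinding over a constructed toy key, with hypothetical function names. Production schemes (RFC 9474) add PSS message encoding, which is left out here to keep the algebra visible.

```python
import hashlib
import math
import secrets

# Constructed toy issuer key from two Mersenne primes. Special-form primes
# like these must never be used for a real key.
P, Q = 2**521 - 1, 2**607 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # issuer's private exponent


def digest(token: bytes) -> int:
    """Hash the token to an integer below N (stand-in for a real encoding)."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N


def new_blinding_factor() -> int:
    """Client: random r that is invertible modulo N."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return r


def blind(token: bytes, r: int) -> int:
    """Client: hide H(token) as H(token) * r^E mod N before sending it."""
    return digest(token) * pow(r, E, N) % N


def issuer_sign(blinded: int) -> int:
    """Issuer: authenticates the account, then signs a value it cannot read."""
    return pow(blinded, D, N)


def unblind(blind_sig: int, r: int) -> int:
    """Client: strip r to obtain an ordinary signature H(token)^D mod N."""
    return blind_sig * pow(r, -1, N) % N


def verify(token: bytes, sig: int) -> bool:
    """Service: needs only the public key (N, E)."""
    return pow(sig, E, N) == digest(token)


def redeem(token: bytes, sig: int, spent: set) -> bool:
    """Service: accept each valid credential exactly once."""
    if token in spent or not verify(token, sig):
        return False
    spent.add(token)
    return True


def factor_explaining(blinded: int, other_token: bytes) -> int:
    """Why the issuer learns nothing: for ANY other token there is a blinding
    factor that yields the same blinded value, so every token stays equally
    plausible. (Computed with D here only to show that it exists.)"""
    return pow(blinded * pow(digest(other_token), -1, N) % N, D, N)


if __name__ == "__main__":
    token = secrets.token_bytes(16)          # client-chosen credential
    r = new_blinding_factor()
    sig = unblind(issuer_sign(blind(token, r)), r)
    spent = set()
    print(redeem(token, sig, spent), redeem(token, sig, spent))
```

The issuer sees the account and the blinded value; the service sees the token and the signature. Neither pair of values lets the two be joined, which is the property the quoted text relies on.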

It isn’t my intent to “defend” anything. Apparently the emojis didn’t convey the right tone.

1 Like

But keep in mind that unlike other products or features like Wallet, Lumo has a separate subscription. So, it preferably will have its own team and funding. That should not affect other developments.

1 Like

This lack of growing cohesion is starting to piss me off. First with Standard Notes where they don’t offer Proton users any deal to sign in to it or access to its premium plan. And now this.

This kind of behavior stinks of a big tech mindset. Not what and who they are supposed to be. I sincerely hope they still know that.

2 Likes

Proton has never really promised this type of cohesion to anyone except Visionary customers, so expecting an “all in one” subscription doesn’t make a lot of sense.

It is strange that @Proton_Team hasn’t given Standard Notes to Visionary customers though now that I think about it 😕

6 Likes

Ohhh.. I don’t know. Gee. It’s the implied promise for cohesion to offer all their products with the nomenclature they use with the Unlimited plan that must have thrown me off.

1 Like

I asked about this once but they said it was not clear yet if they would as Standard Notes is still a different legal entity.

2 Likes

On LinkedIn they mentioned in the comments it was developed by the R&D team. But I suppose you are right that they have productized this in the way you describe. Also happy they didn’t increase the price for people who don’t want to use this. Communication could have been better I guess but the decision itself was a good thing.

1 Like

I mean Copilot also has these hiccups. That also depends on your prompts.

I was looking into this a bit more after posting and the relationship between SN and Proton is indeed pretty confusing. They do seem to be separate, but is it a fully owned subsidiary, or does Proton only have some partial stake? 🤔

1 Like