Proton markets Lumo as "open source," but support calls it a "long-term intention, not the instantaneous state"

Clearly, we can’t sit and wait for HE to be ready. We need to find practical solutions for the AI privacy problem — today.

Not really sure why. If there’s not a good way to do it yet then don’t do it.

Interesting article though, I’m glad it’s not just TLS between you and the server. It doesn’t seem like they use confidential computing which is a bummer.

3 Likes

Thinking about it a bit more, isn’t this actually a security flaw? They’ve implemented “zero-access” encryption for chat history, however the data must exist in cleartext on the Proton servers before it is ever moved to the “zero-access” chat history. Isn’t that fundamentally not zero-access encryption?

Heck. Proton could do better. It’s just straight up misleading advertising.

Lumo is worse than Apple Intelligence when it comes to privacy. Apple applies Blind Signatures so a specific request is not tied to a specific account. Apple also uses OHTTP relay to obscure your IP address. And both are closed-source at the moment.

PS: Siri ≠ Apple Intelligence

PS2: And Apple doesn’t claim “zero-access” encryption, because it is not.

1 Like

@Proton_Team stop blatantly lying and scamming your customers already.
Everyone else, you need to stop chugging the corporate Kool-Aid already, open your eyes and stop supporting this ilk.

edit: to recap:

  • Truth: Lumo is NOT open source.
  • Truth: There is ZERO technical limitation that prevents Proton from reading all of your conversations with their LLM.
  • The marketing heavily lies and claims the opposite of both above truths.
    • False: “Proton can never see them, and neither can anyone else.”
    • False: “Your chats can’t be seen, shared, or used to profile you.”
    • False: “my code is fully open source”
    • False: “We don’t — and can’t — share your information with anyone”
    • Direct contradictions: “We keep no logs” and “Deletes all logs of your chats ✅”
    • False: “Opens source code to the public”
    • False: “No one else can read it”
    • False: “your chats stay totally private”

I might like kittens, but theirs does not fool me. Don’t let it fool you either. 🐈‍⬛

3 Likes

Zero-access encryption is a marketing word they came up with for their email because they can’t guarantee E2EE for email. So it’s basically saying yes we can access the data while it’s being processed but not at rest, which is different than what a lot of companies do because normally they can access your data both during processing and at rest.

But yeah there’s more they could do here for private AI that’s not just HE, and not even just in the processing of data.

3 Likes

Even their own definition of zero-access encryption goes completely against their claims about Lumo. The bolded line from the article you sent: “Zero-access encryption ensures that only you, the data owner, have the technical ability to read your data.” However, as pointed out in Proton’s blog post, the message is decrypted to cleartext before being fed to the AI, which occurs on Proton servers. I’m no security researcher, but isn’t this really bad??

Yeah I’d say it requires a lot of trust in Proton and leaves your requests open to possible exploitation. Also if everyone is using the same server then you’d think there’s the possibility of someone exploiting the server to read other people’s messages in real time.

But then isn’t that not zero-access encryption? Having misleading information about open source status is one thing, but knowingly having a totally ineffective encryption model feels much worse…

1 Like

Yeah like I said it’s just a marketing term not really industry-standard terminology I believe.

they just encrypt stored copies of past conversations

no company to date has any viable mechanism to provide end to end encryption for conversations with a model.

My guess is that the higher-up wants Proton to jump into the AI hype train, and here we are.

Currently, using an LLM provider that doesn’t force you to create an account with a VPN and incognito browser is better for your privacy than Lumo. And that is currently my recommendation for anyone who wants to try LLMs but can’t run them locally.

If Proton wants Lumo to be better than the former, it needs to do at least 3 things:

  1. Use something like blind signatures to not tie a specific request to a specific account.
  2. Each chat thread needs a distinct signature.
  3. Utilize their VPN infrastructure.

Better yet, release the source code of the client so everybody can verify all the points above.

1 Like

source being available provides zero guarantee that matches what is run in production
and there is currently no viable end to end to gpu attestation mechanism
you could literally just hook up to the PCIe bus and have direct access to the GPU VRAM
I bet in a few years we will even see research papers showing attacks enabling the ability to infer prompts based solely on memory access patterns.

1 Like

But that’s not how they describe it. In all of their marketing material, they describe their chat history system as “zero-access encrypted”. As far as I can tell, this is industry standard terminology: ( Zero-knowledge encryption: What you need to know | Bitwarden ) (https://www.lastpass.com/security/zero-knowledge-security) ( Introducing Zero-Knowledge Proofs for Private Web Attestation with Cross/Multi-Vendor Hardware ). Proton state in their blog that they use the terms zero-knowledge and zero-access to mean the same thing, which seems to be the norm, they’re definitely all talking about the same thing anyway.

According to their own definition of “zero-access encryption,” their system does not work. You can’t just claim you use a certain type of encryption and then knowingly implement it incorrectly. That would be called a security flaw. And from a company that prides itself on security, I’m a little upset that there is such a blatant, massive security flaw.

It doesn’t matter whether it is possible to implement this kind of security, what matters is that Proton is claiming they are.

Also use confidential computing so everyone’s requests are isolated from each other, and use OHTTP to decouple your IP address from the request. Open source everything and allow us to remotely verify what’s running on the server, and have reproducible builds for the client.

4 Likes

I know what you are talking about. I’m just listing things that Proton needs to do so that using Lumo is at least as privacy-preserving as using an LLM provider that doesn’t force you to create an account with a VPN and incognito browser.

Where do you read that?

You are not correct. The industry standard terminology is “zero-knowledge” encryption. Proton’s “zero-access” encryption refers to something else, like @fria said.

3 Likes

I apologize, I’ve clearly gotten myself confused. I misunderstood What is zero-knowledge cloud storage? | Proton to mean that they are the same thing, just one is used when referring to email, and one is used when referring to files. Thank you for clarifying.

I seem to have confused myself after reading this Wikipedia page ( Zero-knowledge service - Wikipedia ) which implies they are the same thing.

But also, what’s the point of “zero-access” encryption if Proton must have access to the clear text before moving it to “zero-access”? I don’t understand how that could provide any benefits.

I’ve really been wondering though: just how much time does goodwill buy Proton here? It really rubs me the wrong way that the Proton Calendar source code for Android was to be released in the very near future… 5 years ago.

See also: Reddit: Proton, Open Source, and APKs

Last I saw, their roadmap was talking about a complete rewrite. Never even got to see the original code… but what exactly do we do if the rewrite happens and there STILL isn’t any source? How long are we willing to wait before we say, “Okay, this is just lying. You aren’t open source, and you’ve taken advantage of our trust.”

Personally, I’m nearing my limit. Proton has been good, but I want genuine honesty.

5 Likes

They are so sneaky, it’s “opens source code to the public” not that it currently is, but that they will be.

I agree this is a stupid thing to do. If they aren’t ready to open it, then they shouldn’t market it yet. They probably would even get a second round of news if they announce it’s open source later.

But Lumo doesn’t require a Proton account. You can even open Tor and go to https://lumo.proton.me/ and you can use it. There are some limits to this use, but it would be wrong to say that Lumo requires a Proton account in order to use it.