2 Sources
[1]
OpenAI launches Privacy Filter, an open source, on-device data sanitization model that removes personal information from enterprise datasets
In a significant shift toward local-first privacy infrastructure, OpenAI has released Privacy Filter, a specialized open-source model designed to detect and redact personally identifiable information (PII) before it ever reaches a cloud-based server. Launched today on AI code sharing community Hugging Face under a permissive Apache 2.0 license, the tool addresses a growing industry bottleneck: the risk of sensitive data "leaking" into training sets or being exposed during high-throughput inference. By providing a 1.5-billion-parameter model that can run on a standard laptop or directly in a web browser, the company is effectively handing developers a "privacy-by-design" toolkit that functions as a sophisticated, context-aware digital shredder.

Though OpenAI was founded with a focus on open source models such as this, the company shifted during the ChatGPT era to providing more proprietary ("closed source") models available only through its website, apps, and API -- only to return to open source in a big way last year with the launch of the gpt-oss family of language models. In that light, and combined with OpenAI's recent open sourcing of agentic orchestration tools and frameworks, it's safe to say that the generative AI giant is clearly still heavily invested in fostering this less immediately lucrative part of the AI ecosystem.

Technology: a gpt-oss variant with bidirectional token classifier that reads from both directions

Architecturally, Privacy Filter is a derivative of OpenAI's gpt-oss family, a series of open-weight reasoning models released earlier this year. However, while standard large language models (LLMs) are typically autoregressive -- predicting the next token in a sequence -- Privacy Filter is a bidirectional token classifier. This distinction is critical for accuracy. By looking at a sentence from both directions simultaneously, the model gains a deeper understanding of context that a forward-only model might miss. For instance, it can better distinguish whether "Alice" refers to a private individual or a public literary character based on the words that follow the name, not just those that precede it.

The model utilizes a Sparse Mixture-of-Experts (MoE) framework. Although it contains 1.5 billion total parameters, only 50 million parameters are active during any single forward pass. This sparse activation allows for high throughput without the massive computational overhead typically associated with LLMs. Furthermore, it features a massive 128,000-token context window, enabling it to process entire legal documents or long email threads in a single pass without the need for fragmenting text -- a process that often causes traditional PII filters to lose track of entities across page breaks.

To ensure the redacted output remains coherent, OpenAI implemented a constrained Viterbi decoder. Rather than making an independent decision for every single word, the decoder evaluates the entire sequence to enforce logical transitions. It uses a "BIOES" (Begin, Inside, Outside, End, Single) labeling scheme, which ensures that if the model identifies "John" as the start of a name, it is statistically inclined to label "Smith" as the continuation or end of that same name, rather than a separate entity.

On-device data sanitization

Privacy Filter is designed for high-throughput workflows where data residency is a non-negotiable requirement. It currently supports the detection of eight primary PII categories:

* Private Names: Individual persons.
* Contact Info: Physical addresses, email addresses, and phone numbers.
* Digital Identifiers: URLs, account numbers, and dates.
* Secrets: A specialized category for credentials, API keys, and passwords.

In practice, this allows enterprises to deploy the model on-premises or within their own private clouds. By masking data locally before sending it to a more powerful reasoning model (like GPT-5 or gpt-oss-120b), companies can maintain compliance with strict GDPR or HIPAA standards while still leveraging the latest AI capabilities.

Initial benchmarks are promising: the model reportedly hits a 96% F1 score on the PII-Masking-300k benchmark out of the box.

For developers, the model is available via Hugging Face, with native support for , allowing it to run entirely within a user's browser using WebGPU.

Fully open source, commercially viable Apache 2.0 license

Perhaps the most significant aspect of the announcement for the developer community is the Apache 2.0 license. Unlike "available-weight" licenses that often restrict commercial use or require "copyleft" sharing of derivative works, Apache 2.0 is one of the most permissive licenses in the software world. For startups and dev-tool makers, this means:

By choosing this licensing path, OpenAI is positioning Privacy Filter as a standard utility for the AI era -- essentially the "SSL for text".

Community reactions

The tech community reacted quickly to the release, with many noting the impressive technical constraints OpenAI managed to hit. Elie Bakouch (@eliebakouch), a research engineer at agentic model training platform startup Prime Intellect, praised the efficiency of Privacy Filter's architecture on X: "Very nice release by @OpenAI! A 50M active, 1.5B total gpt-oss arch MoE, to filter private information from trillion scale data cheaply. keeping 128k context with such a small model is quite impressive too".

The sentiment reflects a broader industry trend toward "small but mighty" models. While the world has focused on massive, 100-trillion parameter giants, the practical reality of enterprise AI often requires small, fast models that can perform one task -- like privacy filtering -- exceptionally well and at a low cost.

However, OpenAI included a "High-Risk Deployment Caution" in its documentation. The company warned that the tool should be viewed as a "redaction aid" rather than a "safety guarantee," noting that over-reliance on a single model could lead to "missed spans" in highly sensitive medical or legal workflows.

OpenAI's Privacy Filter is clearly an effort by the company to make the AI pipeline fundamentally safer. By combining the efficiency of a Mixture-of-Experts architecture with the openness of an Apache 2.0 license, OpenAI is providing a way for many enterprises to more easily, cheaply and safely redact PII data.
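The constrained Viterbi decoding over BIOES labels described in the Technology section above can be shown in a few lines. This is an added example, not OpenAI's code or part of either article: it assumes a single entity type, hard (forbidden/allowed) transitions, constructed per-token probabilities, and hypothetical helper names. It compares per-token argmax, which can emit a broken span and leave the surname in the output, with a sequence-level decode.

```python
import math

TAGS = ("O", "B", "I", "E", "S")  # one entity type, to keep the example short
# Legal BIOES transitions: an open span (B or I) must continue (I) or close (E).
ALLOWED = {"O": "OBS", "B": "IE", "I": "IE", "E": "OBS", "S": "OBS"}
START, END = "OBS", "OES"  # a sequence cannot open with I/E or end on B/I

def is_valid(tags):
    """True if the tag sequence obeys the BIOES grammar."""
    return (tags[0] in START and tags[-1] in END
            and all(b in ALLOWED[a] for a, b in zip(tags, tags[1:])))

def greedy(scores):
    """Independent per-token argmax: what the decoder is meant to avoid."""
    return [max(TAGS, key=row.get) for row in scores]

def viterbi(scores):
    """Highest-scoring tag path that obeys ALLOWED/START/END.
    scores: one dict per token mapping tag -> log-probability."""
    best = [{t: scores[0][t] if t in START else -math.inf for t in TAGS}]
    back = []
    for row in scores[1:]:
        cur, ptr = {}, {}
        for t in TAGS:
            prev = max((p for p in TAGS if t in ALLOWED[p]), key=best[-1].get)
            cur[t], ptr[t] = best[-1][prev] + row[t], prev
        best.append(cur)
        back.append(ptr)
    path = [max(END, key=best[-1].get)]
    for ptr in reversed(back):
        path.append(ptr[path[-1]])
    return path[::-1]

def redact(tokens, tags, placeholder="[PRIVATE_PERSON]"):
    """Replace each tagged span with one placeholder; keep O tokens."""
    out = []
    for tok, tag in zip(tokens, tags):
        if tag in "BS":
            out.append(placeholder)
        elif tag == "O":
            out.append(tok)
    return " ".join(out)

# Constructed per-token probabilities (not model output), column order O B I E S.
TOKENS = ["Ask", "John", "Smith", "today"]
PROBS = [(.96, .01, .01, .01, .01), (.08, .60, .01, .01, .30),
         (.45, .05, .05, .40, .05), (.96, .01, .01, .01, .01)]
SCORES = [dict(zip(TAGS, map(math.log, row))) for row in PROBS]
```

On this input, `greedy(SCORES)` opens a span at "John" and never closes it, so `redact` leaves "Smith" in the text, while `viterbi(SCORES)` returns a complete span and the whole name is masked.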
[2]
OpenAI Just Open-Sourced a Tool That Scrubs Your Secrets Before ChatGPT Ever Sees Them - Decrypt
It hits 96% F1 on the standard PII-Masking-300k benchmark out of the box.

Every day, millions of people paste things into ChatGPT they probably shouldn't. Tax returns. Medical records. Work emails with client names. That weird rash. The API key they swore they'd rotate next week. OpenAI just released a free tool that cleans all of it up before the chatbot ever sees it.

It's called Privacy Filter, and it launched this week under the Apache 2.0 license, meaning anyone can download it, use it, modify it, and sell products built on top of it. The model lives on Hugging Face and GitHub, weighs in at 1.5 billion parameters (the metric that measures a model's potential breadth of knowledge), and is small enough to run on a regular laptop.

Think of it as spellcheck, but for privacy. You feed it a block of text, and it hands back the same text with all the sensitive bits swapped for generic placeholders like [PRIVATE_PERSON] or [ACCOUNT_NUMBER]. Remember when people were able to unredact parts of the Jeffrey Epstein files because the Donald Trump administration simply used a black marker to try to hide those secrets? Had they used this model, that wouldn't have been a problem.

Privacy Filter scans for eight categories of personal information: names, addresses, emails, phone numbers, URLs, dates, account numbers, and secrets like passwords and API keys. It reads the whole text in one pass, then tags the sensitive parts so they can be masked or redacted.

Here's a real example from OpenAI's announcement. You paste in an email that says: "Thanks again for meeting earlier today. (...) For reference, the project file is listed under 4829-1037-5581. If anything changes on your side, feel free to reply here at [email protected] or call me at +1 (415) 555-0124."

Privacy Filter spits back: "Thanks again for meeting earlier today (...) For reference, the project file is listed under [ACCOUNT_NUMBER]. If anything changes on your side, feel free to reply here at [PRIVATE_EMAIL] or call me at [PRIVATE_PHONE]." Instead of dealing with black boxes and markers, it changes the actual text.

Plenty of tools already try to catch phone numbers and email addresses. They work by looking for patterns, like "three digits, dash, three digits." That's fine for obvious stuff but falls apart the second things get context-dependent. Is "Annie" a private name or a brand? Is "123 Main Street" a person's home or a business address on a storefront? Pattern matching can't tell. Privacy Filter can, because it actually reads the sentence around it.

The model seems to be pretty good at detecting these nuances. OpenAI reports its model scored 96% on a standard benchmark using the PII-Masking-300k dataset out of the box, with a corrected version of the same test pushing it to 97.43%. In other words, it successfully detects private information 96% of the time. Your job, as a privacy-conscious person, is to take care of the other 4%.

Privacy nerds may see this as a good thing: OpenAI made a model small and powerful enough to run on your machine, meaning your text never leaves your computer to get cleaned. That matters because the alternative, the one most companies currently use, is sending your raw data to some cloud service that claims to be secure and then trusting them. That arrangement does not always age well. It's also free and open source, so researchers can investigate it, improve it, and use it without worrying about legal consequences. The data gets sanitized on your laptop, and only the scrubbed version travels anywhere else.

If you run a small business, it means you can use AI to summarize customer emails without handing the customer's name to a third party. Freelance lawyers can feed case notes into a chatbot without leaking the client. Doctors can draft patient referrals without the patient's identity. Developers can debug code with an AI without pasting their own API keys straight into the prompt, which is apparently a rite of passage nobody talks about.

For regular people, the use case is more mundane and more common. You want to ask ChatGPT to rewrite that angry email to your landlord, but you don't love the idea of handing OpenAI your home address. Privacy Filter solves that in one step.

Running open-source AI models locally used to be a project for hobbyists with gaming GPUs. It isn't anymore. Tools like LM Studio now make it roughly as hard as installing Spotify.

OpenAI was blunt about the limits. The company warned that Privacy Filter "is not an anonymization tool, a compliance certification, or a substitute for policy review." Translation: don't use it as your only line of defense in a hospital, law firm, or bank. It can miss unusual identifiers, over-redact short sentences, and performs unevenly across languages. It is one tool in a stack, not a compliance checkbox. After all, 96% accuracy is not 100% accuracy.
OpenAI launched Privacy Filter, a free open-source tool that detects and removes personally identifiable information from text before it reaches cloud servers. The 1.5-billion-parameter model runs on standard laptops, achieving 96% accuracy on industry benchmarks. Released under Apache 2.0 license, it addresses growing concerns about sensitive data exposure in AI workflows.
OpenAI has launched Privacy Filter, a specialized open-source model designed to detect and remove PII from text before sensitive information reaches cloud-based servers [1]. Released on Hugging Face under the permissive Apache 2.0 license, this privacy-by-design toolkit addresses a critical industry challenge: preventing accidental data leaks into training sets or during high-throughput inference workflows [1]. The 1.5-billion-parameter model runs on standard laptops or directly in web browsers, marking a shift toward local-first privacy infrastructure that keeps sensitive data on user devices [1].
Every day, millions of people paste sensitive information into ChatGPT they probably shouldn't—tax returns, medical records, work emails with client names, or API keys [2]. Privacy Filter functions like spellcheck for privacy: you feed it text, and it returns the same content with sensitive bits replaced by generic placeholders like [PRIVATE_PERSON] or [ACCOUNT_NUMBER] [2]. This represents OpenAI's continued investment in the open-source ecosystem, following the company's recent release of the gpt-oss family of large language models and agentic orchestration tools [1].
Unlike standard large language models that predict the next token in a sequence, Privacy Filter is a bidirectional token classifier built on OpenAI's gpt-oss architecture [1]. By analyzing sentences from both directions simultaneously, the model gains deeper contextual understanding that forward-only models miss. This allows it to distinguish whether "Alice" refers to a private individual or a public literary character based on surrounding words [1].

The model employs a Sparse Mixture-of-Experts framework where only 50 million of its 1.5 billion total parameters activate during any single pass, enabling high throughput without massive computational overhead [1]. With a 128,000-token context window, it processes entire legal documents or long email threads in one pass without fragmenting text—a process that causes traditional filters to lose track of entities across page breaks [1]. A constrained Viterbi decoder ensures redacted output remains coherent by evaluating entire sequences rather than making independent decisions for every word [1].

Privacy Filter currently detects eight categories of personally identifiable information: private names, contact information including addresses and emails, phone numbers, digital identifiers like URLs and account numbers, dates, and secrets such as passwords and API keys [1]. This enables enterprises to deploy local data masking on-premises or within private clouds, sanitizing data before sending it to more powerful reasoning models while maintaining GDPR or HIPAA compliance [1].

The model achieves a 96% F1 score on the PII-Masking-300k benchmark out of the box, with a corrected version reaching 97.43% [1][2]. Pattern-matching tools struggle with context-dependent scenarios—is "Annie" a private name or a brand? Is "123 Main Street" a home or business address? Privacy Filter reads surrounding sentences to make these distinctions [2]. For small businesses, this means summarizing customer emails without exposing names to third parties. Freelance lawyers can feed case notes into chatbots without leaking client information, while doctors can draft patient referrals without compromising identities [2].
The Apache 2.0 license makes Privacy Filter commercially viable for startups and developers, unlike restrictive licenses that limit commercial use or require copyleft sharing of derivative works [1]. OpenAI positions this as "SSL for text"—a standard utility for the AI era [1]. Running locally means raw data never leaves user computers to get cleaned, avoiding the trust issues inherent in sending information to cloud services [2].

However, OpenAI explicitly warns that Privacy Filter "is not an anonymization tool, a compliance certification, or a substitute for policy review" [2]. The model can miss unusual identifiers, over-redact short sentences, and performs unevenly across languages. With 96% accuracy, users remain responsible for the other 4%—meaning it serves as one tool in a privacy stack rather than a complete compliance solution for hospitals, law firms, or banks [2]. Tools like LM Studio now make running open-source AI models locally as simple as installing consumer software, lowering barriers for individuals and organizations seeking to protect sensitive information in their AI workflows [2].

Summarized by Navi