Focus on your mission, not your tech - Another Cup of Coffee (Posts about Security)

Secure Your AI Workflow Using Local Tokenisation

Anthony Lopez-Vito — Tue, 12 Nov 2024 13:59:03 GMT

Secure your AI workflow with local tokenisation. PaigeSafe is a lightweight tool perfect for small agencies and freelancers handling sensitive client data in ChatGPT, Claude and other AI tools.

If you've spent any time at all using cloud-based LLMs like ChatGPT or Claude for client work, you've probably had that voice in the back of your head kick in: "Should I really be pasting this into a chat?" I'm sure that moment of hesitation is all too familiar for those who have started to integrate AI into work workflows.

Every day, many of us paste sensitive content into AI tools—client data, business strategies, internal documents—often without really thinking about where that information ends up. That data potentially becomes part of training sets, risking leaks by cropping up in future chats with other users. For freelancers and small agencies handling confidential client work, Large Language Models (LLMs) create a real dilemma. They're too useful to avoid but carefully sanitising content is a real chore.

Enterprises solve this with expensive solutions which are overkill and far too expensive for the rest of us. Those who want to take advantage of LLMs have been left with carefully reading through documents and running manual search and replace for names and numbers. This is tedious, error-prone and still stands a high likelihood of data leaks. Unfortunately, taking unnecessary risks with client data, spending ages on manual anonymisation, or avoiding AI tools altogether when working with sensitive information is no longer a good option to remain competitive.

Introducing the PaigeSafe Document Security Tool

PaigeSafe is a document security tool that helps protect your confidential information when using Large Language Models (LLMs) like ChatGPT and Claude. It uses the process of tokenisation by replacing sensitive data with non-sensitive placeholders. We originally built it as an in-house tool because we faced these exact same challenges. As a small team, we needed something that just worked without the expensive licenses and high learning curve.

PaigeSafe is currently in the prototyping stage to test if there is demand for this type of utility. It offers basic functionality, and the code lacks robust error checking. However, since it is intended to be run locally, there is minimal risk to your documents. All it does is offer a convenient way to search and replace text before you paste or upload sensitive text to LLMs. I regularly use it to sanitise my own documents.

Uses and Limitations

PaigeSafe does not try to offer an enterprise solution for those who need to meet strict compliance regulations. Here's where it fits in the document security landscape:

Perfect for: Freelancers, small agencies, independent developers
Good for: Regular business documents, client communications, project data
Not for: Banking systems, medical records, top-secret government files

PaigeSafe is a lightweight tool that helps you avoid accidentally exposing sensitive information to AI models. If you're handling typical client work like website data, marketing plans, business strategies, and project specs, this solution is for you. It's perfect for those, "I need to run this past ChatGPT but shouldn't share the client's name" moments. Or when you want to analyze customer feedback without exposing individual identities.

If you work for a financial institution, healthcare provider, or government contractor, this solutions of course will not be for you.

Where to Find it

The tool is built using Python and the Streamlit framework but if you use Docker, it can be easily installed by pulling the PaigeSafe image from Docker Hub. For more information, please visit the dedicated site at paigesafe.com.

Remember that it is still very much an early prototype but more useful features will follow. Please send feedback to paigesafe@anothercoffee.net

How to install PaigeSafe

Find out how to install the prototype application by following the instructions on the PaigeSafe website.

Safeguard your email address by registering a domain

Anthony Lopez-Vito — Sat, 10 Aug 2013 13:51:07 GMT

A primary email address tied to your email provider could set you up for a great deal of inconvenience if they shut down. Registering your own domain helps control your email regardless of which company you're currently using. On Thursday, 8th August 2013, a secure email service provider called Lavabit suddenly suspended operations. Its founder, Ladar Levison, wrote in an open letter on the company's website that he would rather shut the company down than "become complicit in crimes against the American people." Although Mr Levison took what he believed to be a principled stand, Lavabit customers were understandably angry at being blocked from accessing their emails. Without warning, long-time customers lost years worth of archived messages. Active users who relied on the company to host their primary email now face the inconvenience of updating their contacts and online accounts with a new address. One may be tempted to think that a simple solution would be just to set up another email account elsewhere. After all, there are many free email providers offering reliable services. If you're in this camp, ask yourself how your day-to-day life will be affected if you suddenly and unexpectedly lose access to your email account.

Do you conduct business over email? How much productivity will be lost re-establishing communication with clients?
Have you saved passwords, document attachments and important account information in your webmail folders? What happens if you can't log in to the webmail account?
How much time will it take to inform all your relatives, friends and contacts of your new email address, especially if your address book was also hosted with the lost email service?
How easy is it to reset the passwords of your other online accounts (internet banking, Facebook, Skype, etc.) without that lost email address?

Keeping control of your email address

There are some important lessons we can learn from the Lavabit incident and two things can save you from similar trouble:

Register your own domain and link it to your email provider. That way, you can switch providers while retaining the same email address.
Do not rely on webmail as your only method of accessing your messages. Set-up an email client on your computer and regularly download copies of your email.

Exactly how you go about using your own domain and downloading emails depends on your existing set-up and requirements. I'll give a quick overview in this post but please note that it only briefly touches on some steps which can be quite technical.

Step 1: Register your own domain

An email address under your own domain keeps it independent of the email host. Your current email provider may go out of business, get bought-out or become unreliable but having your own domain means that you can switch to another while retaining the same email address. To get an email address under your own domain, you first need to register a name with a domain name registrar. (See this post for more information.) You can register your domain with the following companies but a web search for "domain registration" will bring up a list of other providers:

Another Cup of Coffee Limited - we'll handle the details of domain registration under your name for £9.99 GBP per year
123-reg.co.uk - a popular UK-based registrar and hosting company
namecheap - a US-based registrar that seems to have a good reputation for customer service (I personally haven't used them)
Network Solutions - one of the oldest and well-known registrars but quite expensive

Regardless of which domain registrar you choose, the whole process should only take a few minutes to complete. However, depending on their system, it could take a few hours to a day or more before it's available for use.

Step 2: Link your domain to your email provider

Linking your domain to an email provider can be intimidating for non-technical people. To make matters more complicated, some end up with different combinations of registrar, free web-based email, business email hosting, and web hosting. Everything can be under one roof or you may have different companies handling each component. The exact steps needed will depend on your subscription packages so covering them in a short tutorial is not practical. (That's why companies like us exist!) In general, your registrar will give you an online control panel. This lets you specify settings to hand over control of the domain's email to an external email provider. Alternatively, it may offer an email forwarding service that automatically redirects messages to another address, such as Gmail or Yahoo Mail. Changing email providers then becomes a matter of adjusting the control panel to reflect the new company's settings. Here are some help pages for a few of the popular email providers:

Yahoo Mail
Gmail via Google Apps
outlook.com (formerly Hotmail)

Step 3: Download backups of your emails

For many people, their main method of checking and sending email is through their provider's webmail interface. It's very convenient because there are no programs to set up on your computer. All that's needed is to open up a web browser and log in. The downside is that you do not retain any copies of your messages. As some of the Lavabit customers found, you will lose everything if the provider suddenly ceases operations. The solution is to set up an email program (also known as an email client), like Mac Mail, Microsoft Outlook or Mozilla Thunderbird to download emails from your server. Even if you prefer webmail, periodically connecting from your email client ensures that you save the latest messages on your computer's hard-drive. Most email providers offer you a choice of 'POP' or 'IMAP' as mechanisms for retrieving your email. POP will simply download all the messages and if set in your email client, delete the messages after they're read. IMAP synchronizes your email client with the server so it copies the same structure of read, unread, sent messages and saved folders. (This Rackspace article gives more detail on the difference between the two.) I find IMAP to be the most convenient option. If you mostly use webmail, you should also use IMAP if it's available.

Too much trouble?

These steps might seem daunting but you don't need to be a computer expert to get everything set-up. Business users usually have more complex configurations that may need an IT administrator to get everything working properly. However, for personal users and micro-businesses with simple needs, a little bit or research and background reading should allow you to get the job done without any help. Of course, if you'd rather not go to the trouble of doing this yourself, we'll be very happy provide you with a quotation. This is not a big budget job as the whole process is fairly quick for those familiar with what's required.

Some background on the Lavabit incident

I'll make a slight digression from technical matters as the Lavabit incident may have wider implications for anyone using US-based internet services. Lavabit offered encrypted email services and was reported in the press to have been used by the NSA whistleblower Edward Snowden. Unlike most email systems, the company's technology meant that there was no way for them to directly read user emails. While we may never know the truth, it seems likely they were ordered to participate in ongoing surveillance in a form that the founder believed to be against the United States Constitution. Levison was issued with a 'gag order' preventing him from giving details on the matter. Shortly after the Lavabit news broke, Silent Circle, another secure email provider, pre-emptively shut down its own service in order to protect its customers. There is increasing industry speculation that the US government's surveillance is jeopardizing the country's businesses since they can no longer be trusted to protect their users' privacy. It's clear that no matter which country you're in, if your email is hosted with a US provider, you need to assume that the US government will want (or already has) backdoor access to them. Whether or not this is acceptable is a discussion outside the scope of this post. Regardless of where you stand, it's important to realize that the industry landscape is changing and we can no longer be complacent about safeguarding our data.