Science the Hell Out of This! Podcast

AI's Privacy Problem: Why We Can't Just Trust the Tech Giants

If you pay attention to the buzz around AI, you may have read news articles about people using AI Chatbots as their psychiatrist, doctor, lawyer, and even as their boyfriend. However, most of these people probably don’t realize that all their questions, discussions, feelings, opinions, and personal details that they share with these large language models aren’t secret. The information is available to these high-tech companies, AND can be made available if subpoenaed to the government or other parties. OpenAI’s CEO, Sam Altman, confirmed this in a podcast (Perez, 2025). Sam Altman believes that laws need to be changed so that such information cannot be subpoenaed or should be restricted. However, I see this as another excuse by these high-tech company leaders to shift the responsibility to the government. The correct solution, in my opinion, is to create an LLM that is designed with privacy in mind. Altman may want to conveniently pass the burden to the government while continuing to profit from our data. Enter Lumo. Thanks for reading Science the Hell Out of This!! Subscribe for free to receive new posts and support my work. Lumo - The Privacy First Large Language Model More intelligent people than I realized this problem far earlier than it occurred to me. The privacy-first company Proton has developed a new LLM named Lumo. They claim that Lumo: * stores no logs, * all conversations with the LLM are stored using battle-tested zero-access encryption (which is just a fancy way of saying nobody but you can decrypt and read the text, not even Proton), * does not share any data with third-party vendors, advertisers (Proton makes money from their subscriptions), or government agencies, * user data is not used to train their AI model * is open-source, and therefore, the entire code base can be inspected by anyone. Why trust Proton? You can’t. For one thing, even though they claim to be open-source, I can’t find Lumo’s source code online. Proton does share their source code for their other applications, and I read online that they release their code after a bit of a delay, but until they do so, it remains locked code. So, let’s instead discuss their architecture. How are they keeping our conversation with the LLM secure? You, the user, signs in to Lumo using your Proton login. Once logged in, Lumo creates a unique key, which I will refer to as the request key. This request key is stored in your browser, either as a cookie, local storage, session storage, or similar mechanism. This key is used to encrypt your prompts as well as the AI’s responses. To ensure privacy, Proton/Lumo must send the entire conversation (i.e., the back and forth you have with the LLM) to Proton’s servers, ensuring that Proton never stores any of your discussion. LLMs that don’t promise privacy send the latest change and store the rest on their servers. Before sending the conversation to the proton backend, Lumo encrypts the conversation using your unique request key. The encryption mechanism they use is Advanced Encryption Standard (AES), which is a symmetric block cipher used for encrypting data. By symmetric, I mean that a single key is used for both encrypting and decrypting the data. Next, your web client needs to send this AES-encrypted data to the Proton backend server. But now, there is a problem. Proton needs to decrypt the AES-encrypted data, but it lacks access to the request key generated in your browser. Another encryption mechanism resolves this. Lumo Public Key is part of a public-private key cryptography mechanism that Proton uses to communicate between the client and the server backend. The public key is a static key common to all users. Only someone who has the private key can decrypt the data, and only the Proton backend has the private key. Lumo encrypts your request key using the public key, which I will call pked (public-key-encrypted-data), and sends this off to the backend. With the request key available, Proton servers can decrypt the AES-encrypted data at any time. Thus, public-private key encryption is a secure way to transmit the symmetric request key to the server, solving the “key exchange” problem. Lumo’s core AI server retrieves the request key by decrypting pked using the Lumo private key. With the request key on hand, the AES-encrypted data can be decrypted. The plain text is read in its entirety. Wait, if your entire conversation is available decrypted to the LLM, isn’t this a problem? Proton claims the private key is only accessible to Lumo's core AI servers. They claim it is not available to the rest of the backend system that Proton uses for other services, a claim we cannot verify until the source code is public. Proton also says that the data is decrypted at the AI server level and is fed to the LLM and never stored. Therefore, there is no privacy risk. The LLM takes the plain text, creates a response, and appends it to the plain text. It then encrypts this response text using AES encryption again. There is no need to use public-private-key cryptography since the user-side client already has the request key. Once the AES-response text is received on the client end, it is decrypted. Conclusion That is how the privacy-first LLM works. Some things can’t be trusted until Proton makes the source code publicly available. While their claim of open-source before releasing the code publicly is a dubious tactic that I cannot endorse, it appears they do eventually release it for public investigation. As for the fact that the data is decrypted at the AI server level, and could be a privacy risk, this IS a concern, but if it is merely fed to the LLM and not stored, the information is secure. Once the source code is made public, curious researchers can audit the code and confirm the truth. While the technical aspects of the Lumo LLM are exciting for the nerds, the key point that I would like the reader to take away from this article is the importance of securing private data. We need more privacy-first products and services. We should have control over our data lest someone malicious uses it for inappropriate ends. References: Perez, S. (2025, July 25). Sam Altman warns there’s no legal confidentiality when using ChatGPT as a therapist | TechCrunch. TechCrunch. https://techcrunch.com/2025/07/25/sam-altman-warns-theres-no-legal-confidentiality-when-using-chatgpt-as-a-therapist/ Lumo security model: How Proton makes AI private | Proton. (2025, August 4). Proton. https://proton.me/blog/lumo-security-model This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit krishna31254.substack.com [https://krishna31254.substack.com?utm_medium=podcast&utm_campaign=CTA_1]

An Intuition for Convolutional Neural Networks

Machine learning models are interesting pieces of math, and when I first learned them, it always fascinated me how somebody came up with the ideas. It seemed entirely random. Some of these models are very complex, and for a long time, it seemed like people tried random things to get the results. Even when professors said, use a ReLU or sigmoid activation function, I didn't quite understand how they knew which to use, or why. They seemed to suggest that they figured out through practice and experience, and not necessarily because they understood the math. This assumption is likely false. But I have rarely heard ML teachers explain why the model works in class. They blurt out the model’s math, but not much else. I think trying to understand what the math is doing is useful. In some cases, perhaps building an intuition behind what the model is doing can be helpful in your growth of understanding a subject, and certainly ML. Consider this diagram similar to one I was shown during a class on machine learning. There is a lot going on in this diagram, and if you are a beginner, this isn’t very easy to understand. I always wondered how machine learning research scientists or mathematicians came up with the CNN. I don't know for a fact how the original researchers came up with the CNN, but I did arrive at an intuition. Let me explain with a story. Sherlock Holmes and the Mona Lisa! Once, the French police called on Sherlock Holmes to help them solve a crime at the Louvre. Jumping on the thought of another adventure, Holmes and his trusty friend Dr. Watson left their home in Baker Street and grabbed a train to France. Once they arrived at the Louvre, the inspector took Holmes and Watson to the crime scene, where a grisly scene awaited them. A man lay dead next to the Mona Lisa. "What happened here? This man has bled to death!" asked Watson. "We were informed by the morning staff at 7 AM this morning. They found the museum curator, Dr. Osbourne, lying dead right here, next to the Mona Lisa. It is clear that he was murdered, but there is no note, and nothing was stolen. We are not aware if the late Doctor has enemies. The people we talked to say he was a kind and affable," replied the inspector. "Interesting," said Watson. "We had heard of Mr. Holmes and his exploits from our friends in the Scotland Yard and decided to call on him to request assistance," said the Inspector. "We hope you can help us, Mr. Holmes." Holmes did not acknowledge the Inspector. He walked over and knelt towards the curator. He saw that the museum curator's fingertips were red, but there were no signs of blood or open wounds on the hands. He intently looked at the Mona Lisa, then pulled out his magnifying glass. Watson and the Inspector observed Holmes intently, but neither could figure out what Holmes was up to. They watched Holmes sniff the painting and scan his magnifying glass. After 20 minutes, Holmes returned to the Inspector. "You'd better leave this investigation to me. You are not equipped to handle this. This is beyond you," said Holmes. "What? Surely, we can assist. We are the French Police, after all! We have staff to support the case," replied the Inspector. "No, no. It won't do. Watson and I will handle this," said Holmes. The inspector was stumped. "Let's go, Watson," said Holmes. After they stepped out of the Louvre, Watson asked, "So you know who did it?" "Yes. It’s our dear friend, Moriarty, up to his mischief again." Elementary, My Dear Watson! "When you have eliminated the Impossible, what remains, however improbable, must be the truth" - Sherlock Holmes. 'How' did Sherlock Holmes deduce that this was Moriarty? Holmes observed that the curator's fingertips had some blood. It looked like the curator had left a message. Since he didn't find any on the walls, he turned to the paintings. He scanned the paintings closely, from left to right and top to bottom. When he sniffed, he noticed the smell of blood on the Mona Lisa. Upon closer inspection, he saw handwritten text markings on the Mona Lisa. Most were small letters, but some were bigger. He noted down the bigger letters. I R M T O Y A R He then tried different combinations of these texts and arrived at: M O R I A R T Y Convolutional Neural Networks Unlike Sherlock Holmes, computers don't have sight like humans. Digital images are made up of numbers, and that is what computers process. Consider a 32 x 32 pixel image, which is the size of an icon. A color image has 3 channels namely red, green and blue channel. A gray scale image has just one channel. Each pixel ranges from 0 to 255. In a grayscale image goes from 0 (black) to 255 (white). This is represented mathematically by tensors (a 3 dimensional matrix). For the Mona Lisa image that is 32x32 pixels in size, we have a 32x32x3 tensor that represents the image. Convolution Going back to our analogous story, Sherlock Holmes scans the image with his microscope. He focus his microscope on a portion of the image and slowly scans the portrait, left-to-right, top-to-bottom. We can do the same mathematically, using a concept called convolution. We choose a dimension size, for example 4x4 px and step through the tensor for each channel. How large a step to the right or to the bottom, should we take? This is determined by a parameter called the stride. We take each of the 4x4 px sub-matrix and multiple with another matrix called the kernel. This is equivalent to Holmes looking through the image and identifying the anomaly where he identifies the painted blood marks of the museum curator on the Mona Lisa. He has identified and extracted something important (in this case, alpha numberic characters) from the image. In ML, convolution process has created a newer smaller tensor of dimension (16x16x3). Pooling Next, Holmes paid attention to the text and observed that some letters are much larger than the rest. He identified those letters, and ignored the rest. In a CNN, we take the matrix that was just convoluted and perform pooling. There are different kinds of pooling like min pooling, max pooling, and average pooling. Since, Holmes extracted the letters that were the largest in size, imagine you want the CNN model to pull the largest number - that is max pooling. Unwrap Tensor to a Fully Connected Layers Once pooling is complete, we take the 3 dimensional tensor and convert it to a single dimensional fully connected layer at which point it becomes similar to a standard ML problem. In theory, we could have done this at the very beginning and not needed to do any convolutions, but then the computational time would have taken much, much longer. This is analogous to Holmes extracting the letters and writing them down into a sequence. I R M T O Y A R Solve for the Answer Finally, he tries different combinations of the letters to arrive at one that makes sense. M O R I A R T Y Once we have unwrapped the Tensor, the problem becomes simpler to solve, and we can arrive at a solution. Conclusion This is my intuition about convolutional neural network. It helps me mentally recall what the CNN model is. Of course, real application CNN models may involve more than one convolution, and we may try different kernel sizes, stride lengths, and other methods. Do you find this helpful? Does this help you understand what the CNN is doing? This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit krishna31254.substack.com [https://krishna31254.substack.com?utm_medium=podcast&utm_campaign=CTA_1]

Dot Code and Hidden AI Messages

What if a secret message was hidden right underneath your nose - in plain sight - and only a select few could ever hope to decipher it? The study of communicating secret messages and deciphering them is a field called cryptography. In this essay, I briefly describe a secret communication method used in World War II and then showcase how an analogous method is being used to manipulate AI. In World War II, British Intelligence was a leader in cryptography. Thanks to films like 'The Imitation Game,' more people outside of computer science now recognize Alan Turing and his brilliant team at Bletchley Park. They cracked the famous German ENIGMA encryption machine, which allowed the Allies to decipher German military communication messages and plan strategies to counter the Nazis. The British Intelligence services used several innovative ways to communicate covertly. One such method was the dot code. They embedded dots in public newspapers, which were widely available and read by many. The dots were placed in specific locations within the newspaper text. Each dot represented a letter, number, or word based on a pre-arranged key shared between the sender and receiver... These dots were small and integrated into the standard text of the newspaper, only noticeable by the keen observer, and even if observed, could easily be dismissed as a typographical error or a decorative element. Thus, secret communication was blended seamlessly with publicly available material. The intended recipient would make note of the dots, use their secret key, and decode the communication. Thus, even if someone familiar with the dot code observed the encrypted message in the newspaper, they would have a difficult time deciphering the message unless they had the key agreed upon between the sender and receiver. Secret Communications to LLMs Large Language Models (LLMs) like OpenAI’s ChatGPT, Google’s Gemini, and other similar applications can read typed text (usually in text or PDF format). Many companies use AI to review, summarize, or filter written documents to help speed up their work. For example, companies feed resumes through LLMs to filter for desired job candidates. Universities use LLMs to review essays for plagiarism. Scientists used LLMs to summarize research articles. Scientific journals use LLMs to produce peer review reports. While LLMs offer immense benefits, their increasing integration also introduces new vulnerabilities. For instance, recent reports indicate that unscrupulous scientists are exploiting LLMs used in peer review processes by including secret messages in their papers. According to Elizabeth Gibney, Nature independently found 18 such pre-print studies containing such hidden messages, and the authors span 44 institutions in the field of Computer Science, across North America, Europe, Asia, and Oceania. Prompt Injection This practice of inserting secret or coded messages to exploit LLMs is called prompt injection. It is a form of cybersecurity exploit that targets LLMs by crafting deceptive inputs to manipulate the model's output or behavior. Attackers exploit LLM’s tendency to treat all text inputs as potential commands and leverage this to execute unintended actions. These types of malicious injections can result in misinformation, disclosure of sensitive information, and even remote code execution. Similar to existing vulnerabilities such as SQL Injection, Bash injection, and cross-site scripting, prompt injection is a specific vulnerability that affects LLM models. How to Prevent Prompt Injection? To my knowledge at the time of writing this article, there isn’t a single pre-built coding method that prevents prompt injection. Unlike SQL injection, you cannot sanitize the input by using a parameterized query. Instead, you need to take several steps to reduce the likelihood of prompt injection. * Validate the input by sanitizing it to remove any potentially harmful commands. * Limit the context length to restrict the amount of context that can be passed to the model, thus minimizing risk. * Regularly clear the context to prevent the accumulation of harmful inputs. * Design and define structured prompts that limit malicious inputs. * Include user authentication to ensure only authorized users can interact with the model, thereby reducing the risk of malicious prompt injection. * Add rate limits to prevent user abuse. * Fine-tune the model to recognize prompt injection attempts and train it to reject such inputs. Reinforcement techniques can be used for this. These are some methods that an LLM designer should implement to reduce prompt injection. Conclusion As developers, when designing LLMs, we need to be careful about sanitizing the input provided by users and creating protection mechanisms (such as the ones I have outliner in this essay) to protect it. As a user, please start a new chat (which clears context) when we are changing conversation topics with an LLM. LLMs have context memory, and they may remember your past prompts even if you don’t want them to. This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit krishna31254.substack.com [https://krishna31254.substack.com?utm_medium=podcast&utm_campaign=CTA_1]