RSS

Rampart: 14.7MB model for privacy by redacting personal information

cahaya1 pts1 comments

Introducing Rampart - National Design Studio<br>Skip to content

Follow on X<br>Designed in D.C. By National Design Studio

← All posts

June 22, 2026<br>Introducing Rampart

Tai Groot & Edward Coristine

3 min read

TL;DRBuilt by National Design Studio, Rampart runs entirely in the browser, identifying and removing personal information before a message is sent. It combines deterministic rules and machine learning to deliver privacy protection in milliseconds.<br>When you type into a chatbot, you might reveal more about yourself than you intend. A request to clean up an email carries your name and your coworker's; a question about a medical bill carries your address and account number; a vented frustration carries who you are and where you live. And whatever you type doesn't stay with you — it travels to a remote server you have no way to inspect.<br>Our core design principle is that the only personal information you can be sure is private is the information that never leaves your device.<br>Today, we open source Rampart — a first-generation on-device personal information filtering system that is a strong first line of defense in ensuring your personal information never leaves your device. Rampart is a combination of a deterministic layer, based on regular expressions to catch SSNs and ID numbers, and MiniLM to catch names and street addresses.<br>Why we built Rampart<br>Often times, doing PII removal means either trusting a remote server or downloading binaries to the client, which present a few key challenges:<br>1.AI privacy guarantees are almost impossible to verify. From first principles, it is impossible to verify the privacy and security claims of AI vendors. A newly deployed version of an AI runtime may accidentally begin logging sensitive user information, and services carry unknown internal security risks such as zero-day vulnerabilities and insider threats.<br>2.Most models for PII removal are gigantic, narrowing the group of users that can benefit from them. For example, OpenAI Privacy Filter is ~2.8GB, which would take approximately 38 minutes to download to a browser on a relatively poor connection (10mbps).<br>How it works<br>Everything happens in the browser, in the moment between typing a message and sending it; there is no server in the loop.<br>Model size, including tokenizer14.7MB<br>p50 runtime latency, in the browser (WebGPU)3.9ms<br>Private-term recall, seven languages98.4%

Before the message goes anywhere, two readers look at it on your device.<br>The first is a set of rules. Regular expressions paired with real validations handle the information that has structure: Social Security numbers, credit cards, phone numbers, routing and account numbers, emails, IP addresses, government IDs. It is deterministic and fast.<br>The second is a small language model. Rules can't anticipate every name or street address, so MiniLM reads the sentence for the personal information with a deeper understanding of the context of the sentence, then redacts information it finds within a specific category.<br>For example, say you type a sentence full of personal information into chat:<br>Rampart redacts PII on-device so it doesn't have to leave your device<br>The browser stores relevant PII temporarily on your device to fill in the blanks

My name is [GIVEN_NAME] [SURNAME], my Social Security number is [SSN], and I make $1,950 a month. Can you help me find affordable housing?

Hi Maria,<br>Here are affordable housing options in New York.

The Eliza<br>Inwood, Manhattan | Affordable homes

Sendero Verde<br>East Harlem, Manhattan | Affordable homes

Message

Original: My name is Maria Garcia, my Social Security number is 123-45-6789, and I make $1,950 a month. Can you help me find affordable housing?<br>After redaction: My name is [GIVEN_NAME] [SURNAME], my Social Security number is [SSN], and I make $1,950 a month. Can you help me find affordable housing?

Benchmarks<br>We trained Rampart on AI4Privacy's OpenPII 1.5M dataset and a synthetic generator that reinforces all 17 entity types with deliberately messy chat-style input. The headline numbers below come from a 30,000-row held-out OpenPII slice spanning seven Latin-script languages, scored end-to-end by the shipped pipeline.<br>RampartDeterministic + model · 14.7 MB<br>98.42%

OpenAI Privacy Filter↗(opens in new tab)Model · ~2.8 GB<br>97.4%

GLiNER small v2.1Model · ~600 MB<br>94.2%

Community BERT-small PIIModel · ~29 MB<br>81.5%

Microsoft PresidioDeterministic + model · ~13 MB<br>65%

AWS Bedrock GuardrailsModel · Cloud<br>63.8%

Private-term recall on a 30,000-row held-out OpenPII test set across seven supported languages. Higher is better. Benchmark↗(opens in new tab)

Limitations<br>Rampart is an alpha product intended to be the first line of defense in a more thorough effort to manage personally identifiable information for AI chat experiences. It currently supports English, Spanish, French, German, Italian, Portuguese, and Dutch.<br>Get started<br>Download the model on HuggingFace, install the NPM library, or read the whitepaper.<br>If the work of...

information rampart model personal device privacy

Related Articles

(no title)

Risse50 ptstitle

Is AI ruining our skills? Early results are in – and they're not good

Michelangelo1124 ptstools skills during physicians colonoscopies tool

The Anatomy of an AI-Native Org

kiyanwang22 ptstranslated managers business translation language engineering

Apertus – Open Foundation Model for Sovereign AI

T-A16 ptsopen model apertus foundation sovereign fully

Italy's Meloni says Trump 'made up' story that she 'begged' him for photo at G7

root-parent13 ptsmeloni trump italy said italian begged
terms · privacy · disclaimer · contact · policy
© 2026 NewsHub. All rights reserved.
This site is for informational purposes only. Content is aggregated from publicly available sources. We may earn commissions through affiliate links. Not affiliated with Y Combinator or Hacker News.