¶ Intro / Opening
Welcome on to the show, Marks. It's, it's really awesome to get to, to meet you, to, to chat and to learn a lot more about what I think are two really fascinating projects that I don't normally talk about here on Opt Out. So I think it's especially interesting because it's not just kind of another privacy tool, but it's something that's, that's quite different in, in concept and execution. So looking forward to it.
I thought first, I mean obviously I haven't had you on the show, but we also haven't chatted before now. So I'd love to just hear a little bit more about your background and how you came to be at Open Secret and ultimately Maple AI.
¶ What's your background, and how did you end up starting OpenSecret?
Yeah, sure. Thanks Seth. Yeah, I, I think I first came to know you on Nostr probably when I joined a couple years ago and then discovered your podcast at some point during that time, listened to you. I really loved your, your last one with Jameson Lopp, I think you had him on. So yeah, it's been good. A bit about my background. So I come from the startup world. I was an early employee at a few different startups working on tech.
The very first one I did was actually an online backup company where you would install our software on your computer and upload all of your files to our servers. And that was like my first real run in with privacy technology because we had, as you can imagine, there's a lot of sensitive information that people upload and so we would have this giant database of petabytes of data and most of our users were just fine with that.
But we had this like hardcore base of users, about 10% of them that wanted to have private encryption. So we gave them a private encryption option where they could write down their own key. So that kind of launched me off into this thing where it's like it was this ever running thread in my background, in the back of my mind of privacy.
But I went to a few different, few different startups, had some great learning experiences and then over the last six years I actually found myself at the anti startup which was Apple. I was at the largest company, big tech company in the world, but I was working on software engineering specifically with a focus on privacy and a focus on machine learning, AI, computer vision, type stuff. Um, so it was, it was really interesting and I, I learned a lot there.
Had some tough times working there as well just because I have kind of this startup mentality within my mind and so I was always trying to find like where are the spots in the company that I can flex that muscle and, you know, scratch that itch that I have. So about a year ago, I was kind of looking around like, what can I do? And I was active on Nostr.
I was active in the Bitcoin and Lightning communities as well, and decided to reach out to the guys that were working on the Mutiny Wallet and said, hey, I've got this great experience of scaling mobile apps. I've worked in the mobile app space, you know, since the beginning of the App Store. Let me team up with you guys and let's see if we can make this more mainstream and bring like a privacy solution of, of Lightning to more users. And that's, that's kind of how I was born.
I can go into the details more if you want of, like, how Mutiny Wallet ended up shutting down and how we started up Open Secret, but that's kind of my, My, my personal story there.
Yeah, I think it would be helpful for people because I know probably quite a few listeners were probably Mutiny Wallet users or at least aware of Mutiny Wallet's approach. And I think the guys in Mutiny did some very interesting things. Some things that I loved, some things that I didn't love on the ecash side specifically, but I've always been an ecash hater. So I know that there's a little different perspective there than a lot of people in the Bitcoin space.
But I think it would be interesting maybe just to hear before we dive too deeply into what's Open Secret, why Maple AI, that sort of thing, why the pivot from mutiny wallet to OpenSecret and like, how did that pathway develop? Because I know it was a relatively clear pivot because there was a lot of alignment between those two. But maybe just a little bit about why the shift from Mutiny to Open Secret and why that made sense.
¶ How did the shift from Mutiny to OpenSecret happen?
Sure, yeah. With anything, it is multiple variables all working at the same time. And the situation constantly changes as you all make one decision together. Then that opens up new possibilities and people have to, like, rethink the entire decision tree again and come up with the next decision. So really what, what happened is, you know, I started there last year and this was right when the Samourai guys got arrested. Samourai Wallet got shut down. We decided, let's just keep moving forward.
Like, that doesn't deter us. Yeah, it sucks. And I really think that we need to see some justice for those guys and that they are being wrongfully detained in my mind. But we kept taking a look at what we were building and what do we need to do to scale this thing? And there were some privacy trade offs that were made. A lot of the privacy tech that exists online is still within the realm of "trust that we aren't logging" mentality.
And so with Mutiny Wallet we gave people their private key up front, they wrote it down and then they, they could feel somewhat safe in knowing that their experience is encrypted end to end. However, they still didn't know what we were running on our backend. They couldn't verify that code. And so the, the option was for those users who truly wanted to have the highest level of privacy, they could run Mutiny Wallet on their own.
A lot of people would do that on their, something like a Start9 server because it was point and click and it was, it was easy and that was great. But a majority of our users just went to app.mutinywallet.com and ran our own, you know, hit our backend instance. And so they were just trusting us. And even though we couldn't see their data, we knew that we wanted to offer stronger privacy there.
So we started looking at rebuilding the entire experience and we started researching confidential computing and what could we do with secure enclaves in the cloud. And that really led us down this whole path of if we're going to rebuild this, do we want to be in the wallet game? There wasn't anything out there for us to build a wallet that was based on secure enclaves. And so we would have to build that ourselves.
And that ends up putting us in this dilemma of having to build the platform and build this really good user experience on the front end. And as you know, building a front end wallet is like a very difficult process.
It's crazy.
It's crazy, right? And oh yeah, it's super hard. And so trying to focus on both of those at the same time with a very small team and very small amount of funding is a recipe likely for a disaster. So we decided let's not pursue the wallet anymore because we think there's actually a real big need for a developer platform that makes it easy for other app developers to have strong privacy and to build end to end encryption into their experience.
And so we can dive into Open Secret and what that is, but that's really where it came from, is where one Mutiny Wallet might be retired. We hope that we can actually build a platform where thousands of other wallets and not just wallet apps, not just cryptocurrency, but tens of thousands of other apps. The things that you run on your phone, in your Pocket that those could all benefit from privacy. And so we want to build a platform that allows them to incorporate that easily.
Yeah. Tell me, tell me a little bit more about Open Secret. Because this, this idea of secure enclaves is one that's been, I feel like floating around the space for a long time and even in the cryptocurrency space I know that like Signal's approach to their cryptocurrency that they launched, which I guess is dead, haven't heard anything about in a very long time, was using secure enclaves.
There's been a lot of different approaches to use those, but a lot of times it feels more like a buzzword than a central focus. And I'm really curious to hear like what, what's the vision behind Open Secret? What, what do you enable by having the secure enclave approach? And how does this actually work to provide the end user better privacy or more provable privacy maybe is the right word.
¶ What's the vision behind OpenSecret?
Yeah, so I'll, I'll put a few words out there like glossary terminology words just so people following this conversation might be able to like grab onto things from their past that they've heard.
So confidential computing, secure enclaves, you know, TEE, trusted execution environments, hardware security modules, HSMs, these are all kind of buzzwords that float around the same concept of you can have a server running in the cloud and it is this secure box where the code that is put inside of it, people are able to audit it and verify what code is running there.
Very similar to the concept that you might download some project from GitHub onto your laptop and you can see the open source code and then you can build and run it yourself. And so you know what code is running, you know there's no backdoors in there. However, that experience has never been possible on the back end in the cloud.
And so this is the idea behind confidential computing is let's provide a way for people to see that it mostly has become a viable option in like the last five years where it is available now on AWS and some other platforms like on Azure. But there were some early on hacks and vulnerabilities with like the Intel SGX implementation of confidential computing. And so that set people back a little bit and rightfully so.
There was a lot of distrust, but since then there have been a few other iterations and we're using the AWS Nitro implementation right now, which they made some different trade offs and I think that it's a stronger platform. I am not as technical on this topic as my co founder is, but I've researched enough now that I feel more confident in this approach that we're going with on this one.
The biggest vulnerability here is that you're essentially trusting the hardware manufacturer and you are entrusting Amazon AWS that they are not going to insert a backdoor at the hardware level for them to basically get access to all of the keys of everything. So there is some level of trust, but they are financially incentivized to maintain that for their reputation and for the massive scale that they run at.
So ultimately, when you are putting data on someone else's computer, there is going to be some level of trust. Think there's a way around that. So the option is to reduce the attack vector as much as possible and try to mitigate that as much as possible.
And so with open secret and with confidential computing, what happens is we are able to publish our code open source online, we have reproducible builds and you get a checksum after you build the code and then you can go look at the attestation from the secure enclave in the cloud and, and look at that checksum and compare the results and see that it is indeed the same code running on both. And that's, that's the security model that we are building on top of.
And we want to bring that to, you know, any app developer out there without them having to learn how to build an enclave, how to run code there and, and deal with all of that headache.
Yeah. So I think kind of just summarizing to make sure that I'm understanding the idea behind this is that I mean, we've been able to do end-to-end encryption for a very long time, but the problem has normally been how do you prove that perhaps the server that you're sending data to or maybe the encryption itself, how is, how can you prove that on the server side that's doing what it's supposed to and how do you store those secrets in a way that's provable and that's the big breakthrough here,
is that now it's, it's not just we promise that we're using the servers that we say we are and that we're not doing all of these extra things, but now there's a way for users to actually validate that and then obviously the clients, the wallet apps, the web apps, whatever, to be able to actually validate what's running in the cloud.
So it's kind of a two pronged thing where you're using it for privacy, it can be used for a lot of other things, but you're Using it for privacy in a way that users can really be sure that you're doing what you say you're doing. And even like you said, go through build it themselves, make sure that the code that you're running in secure enclaves is actually what's expected there. And that gives much more trust minimization.
And I'm glad that you mentioned that, like there always is trust, like there's, I think this, the word trustless shouldn't really be in our vocabulary when it comes to technology because at some level there always is trust. I mean, even when we're talking about. Well, yeah, basically no one has the ability to individually, by themselves understand every level of the stack and have built every level of the stack from bottom to top.
You're not building the CPUs or if you are, you're not writing all the code or like there's no one that can possibly say they know for sure that nothing can happen or go wrong. So it's not about being trustless, but it's about minimizing the amount of trust and the people that you have to put trust in. And I think that's the exciting thing for me with OpenSecret is it continues to minimize that.
Yes, you're still reliant on Intel or whoever the secure enclave hardware manufacturer is, but that's another shift in trust away from any sysadmin at Amazon or something being able to have access to the data.
Yeah, yeah, definitely. And to piggyback on that, there's trust minimization I think is something that we should all strive for. And then the other big unlock here with Open Secret is the user experience, because with end to end encryption you can provide a very strong E2E product in the sense that users can manage like this long private key or a passphrase or some pin.
There are things that they can do and then they can use apps like Little Snitch to kind of inspect the traffic as it goes out and they can run the client software themselves. And there are a lot of assurances you can give yourself, but that is a much more difficult experience for the user. And when you look at trying to scale an app to millions of users or a hundred million users or a billion users, that user experience becomes a non starter for them.
So then they end up just going to some kind of like proprietary backend, some big captured system and they end up with no privacy. They end up being the product of that system. So how do we like, you know, find this middle ground where we can have great user experience but provide the highest level of privacy possible within that. And that is the, the balance. And the marriage that we're trying to have here with Open Secret is, is you get like a really easy login experience.
You can create your account with email, you can create your account. You actually don't have to create an account. You know, some of our app developers, we have like this guest mode where an open secret account is created for them automatically. It's, it's anonymous. And then they still get the benefit of, you know, of that end to end encryption that's happening for them.
So we have to solve the UX in order to make people adopt privacy tools because sadly people just don't care about privacy enough in their lives. Right. They have so many other things to worry about that it's low on the totem pole. Like deep down they do care about it, but they just don't have time to think about it. So they go with the thing that feels safe enough.
Yeah, I definitely echo that. I think the thing that's become clear to me in the last few years of really focusing heavily in the privacy space is I would argue that basically everyone does care about personal privacy. I think there's many examples of that shift, especially the last four or five years of it becoming a much more commonplace thing. I mean, even you working at Apple, their shift in marketing to be very privacy centric shows how valuable the idea of privacy is.
So they're willing to spend hundreds of millions of dollars or however much they've spent on those marketing campaigns around privacy. But people are not usually willing to sacrifice a serious amount of quality of life or spend a ton of time or lose access to friends and family or those sorts of things in order to achieve that privacy. So it really is that the lower we get that barrier of entry, the better we make the user experience.
Far more people will actually take actionable steps and will actually jump into doing something about their personal privacy because I think people really do care. They just feel overwhelmed by it. Well, I don't, I can't actually do these things. They seem too, too daunting. But that UX piece, the user experience is really where we can drive change. So I'm glad that that's a big focus at OpenSecret and shifting gears a little bit.
So with OpenSecret, obviously you talked about it, you want it to be a broad developer platform and that's really the vision that people can build more privacy, preserving more trust, minimized tooling by using OpenSecret as part of their backend. And y'all as a company, launched the first product that's using Open Secret and that's called Maple AI. You launched that, I don't know, a month or two ago.
Yeah, last month.
Yeah, last month. So. So that was the first kind of. I mean, it's not a proof of concept, it's a, it's a live, functioning, really good production tool, but proof of concept in the sense that it shows what's possible with Open Secret and hits on a niche that's very popular today. So I'd love to hear a little bit more about, like, why. Why was an AI chat product the first thing that you wanted to launch out of Open Secret? What made it the go to starter project?
¶ Why show off the power of OpenSecret with an AI product of all things?
Sure. So when we started looking at pivoting to Open Secret, you know, like any good startup would do, you start meeting with potential users and potential customers. And we just, we floated this idea by them. We're like, this isn't a sales meeting. We just want to say, like, if this thing existed, would you use it, the developer platform? And we got, we got varying responses. About half of the developers were like, hell yeah, we want to jump onto something like this.
This is, this is exactly what we've been waiting for. The other half said, well, we just build these apps for people that they're okay with their data getting slurped up and we like selling our information to third parties and advertisers. So they're like, even though we can see why this is cool, like we wouldn't actually use this for our apps.
However, almost a hundred percent of the people we talked to, regardless of which side of that debate they fell on, we asked them like, well, what are some use cases that you would use personally in your life? And they said, well, we would use AI. I don't like the fact that when I chat with ChatGPT or other companies, I'm giving away all of this, like really sensitive information about me. And you know, we.
Fifteen years ago, the big thing online was go look at your Google Ad profile and look at what they've built about you. Right. And like you can go click on it. And it's very creepy to see what Google knows about you. They can guess your age pretty closely, they can guess your gender, they can guess all these things about you just based off of your web surfing traffic.
And Fast forward now 15 years later and AI is able to like build a much more detailed profile on you and take action on that if they want to. So there's this like huge privacy leak of us just giving all this information away. So they kept telling us if that existed, if I could chat privately with AI, like that's something I would use. So we thought we need some kind of proof of concept to see if this developer platform is viable. Because for us the user experience is paramount.
There is no reason really I think, to build a privacy platform if it just ends up with the same difficult user experience that other end to end encrypted apps have. And app developers wouldn't adopt it if the user experience wasn't there. So we said let's build this, build this AI product. We set out just to build it, mostly for us to see if it would work. But then very early on it was one, it was very simple to build.
We were surprised at the ease of which we were able to build on this platform. And then we said, well, other users could benefit from this. There wasn't anything on the market. We found two other proof of concept apps out there, but they were only proof of concept and they kept giving us, you know, 500 level server errors when we tried to use them. And so we said let's just build this and put it out in the market, let users use it.
And if we don't make any money off of it and it just ends up being a proof of concept in the end, that's fine. But we think that people are going to find real value in it. And so we put it out there and the response has been great so far. We have a lot of users who are really enjoying it. But that's, that's the impetus for, is really just born out of developers telling us this is a tool that we would use in our personal life.
Yeah, AI is a fascinating example of that because like you mentioned, it's, it's not even just your browsing history, but it's, it's almost even like your thought process. If you think about what you're giving to an AI in these conversations is you're essentially detailing how you think, what do you think, what your reasoning is, like how you approach different logic, like what things you're interested in. Obviously trips you're planning. I know a lot of people use it for planning trips.
Like it's a, it's a very large amount of information from a personal level. So I can definitely understand the personal draw there as well.
But I think also on the business level, I know that there are a lot of companies that are just absolutely terrified of their employees using any AI tool right now, because most of them would love to siphon off whatever data enterprise employees are willing to upload because of how valuable that is, how much IP there is, all of the things that are involved in the information at businesses.
And like, I even know a friend who works in a business in the tech industry who have essentially outlawed any AI app at all for any employee because they're just scared of that. But something like Maple is a really fascinating solution.
Obviously, if they can't build their own LLM setup on site or something like that, it's a really interesting solution because they can again, have cryptographically guaranteed privacy and ensure that their data is not just going to some ChatGPT or to the Chinese government through DeepSeek or something like that. So it opens up a lot of potential pathways too, for the enterprise level to be able to comfortably use it, even when it's used with more sensitive information.
So I definitely see that there's a lot of, a lot of value there. And I know that there are. There's other providers in the space who make a lot of claims about privacy. And I don't necessarily want to get into like a bash fest, but I know, like, specifically Venice is one that I've used. Eric talks a lot about the privacy that's theoretical around it, but it seems to me that a lot of their claims are basically just that.
What you mentioned at the top of the show, like, this idea of just trust us not to log is basically the claim. And I'm just curious how you would compare, like, Maple's privacy to something like Venice, which also markets itself as privacy, but doesn't seem to take the same technical approach on the back end.
¶ How does Maple's privacy for the user compare to something like Venice?
Yeah, definitely. And I think I got that line from you in your email to me, that "trust us not to log." So I don't want to take credit from you, but Venice is a cool product. I am a paying user of Venice. I have been for a long time. I first found out about it when he went on to the What Bitcoin Did podcast. And I was totally sold on it. I've followed Eric for years and other things that he's done in the space, in bitcoin space and crypto. So I thought, okay, this is a cool idea, cool concept.
I signed up right away and then I started looking into the privacy claims. And it is a lot of trust. They're running a proxy, and so you send your request to them, they proxy it through to the LLM and then back. So when you're looking at trust minimization, like, it does minimize it, minimizes your risk a little bit more than using ChatGPT. So for me, that felt fine. Like, okay, I'm still trusting another company, but at least this one is claiming to be secure.
And given their track record of other things they've worked on, I trust them a little bit more. But I'm still not willing to, like, divulge my deepest, darkest thoughts or, you know, even my most personal thoughts. It doesn't have to be dark. And I'm not going to give my company secrets over to it either. So that's, that's really what it is. And I've interacted with Eric a little bit on Twitter and he did mention that they're
currently looking at a cryptographic solution so that you can verify the trust model that they have. I don't know what that means. We haven't talked more beyond that, really, but that's the public information out there. So it just comes down to users having different options available to them and choosing the piece of information that I'm about to share. What functionality do I need from my AI and what level of privacy is needed for this information?
Now, ChatGPT has like, some of the best functionality out there. Their o1 Pro deep research model is really cool. It's very powerful. And so if you don't, if you're acting on public information and you need to use that for some reason, like, go for it, but just know what risk you're taking. And then if you need something that is private so you can share proprietary information from work or your own personal proprietary information, then you would use something more like Maple.
But Maple doesn't have as much functionality. Right. We don't have image generation right now. We just have text reasoning with the model. So you can look at something like Venice to say, well, I want to do ImageGen. I don't want, I don't trust ChatGPT. Maybe I want to generate something that is more personal for me and you can use that. So it's really just these, this spectrum of privacy that you have to choose from.
Yeah, I think when I think about it, I almost think of Venice. Like a VPN provider is an interesting analogy because like you said, essentially they're, they are acting as the person that you trust instead of whatever LLM provider you would be trusting otherwise. Whether that's ChatGPT or DeepSeek or whoever, you're just trusting them with your data instead of someone else. And I think that's a reasonable model.
I mean, just like VPNs, there are really good VPNs that have proven that they do not log, that do have a real commitment to privacy. But it is, I would argue, not trust minimization, but rather a shift in trust.
Sure.
To someone who hopefully you trust more and who should be aligned with that and who does have a financial incentive to preserve privacy. So like, there's, there's good rationale there, but it is definitely like a. Just a shift of trust rather than trust minimization. Whereas I almost think of Maple and Open Secret as like using Tor, but with a website that's actually on Tor, where there's very, very, very little trust actually happening because you're, you're using. It's not a great analogy.
Maybe it falls apart a little bit, but just that it's a little bit more end to end and much more trust minimized than something like a VPN. So, yeah, definitely pros and cons though. And like you, I've been using Venice as well for quite a while and do really appreciate the product and really like a lot of things Eric has done in the space.
So it's cool to see again that privacy is so important to people now that we have AI products marketing themselves around the privacy that they provide and building better and better solutions to provide privacy. Because there is real demand. I think it's just, it's a really encouraging thing to think about that there actually is enough demand for this for there to be multiple products in the space that are trying to make something like this more privacy preserving.
So I think that's, that's really cool to see there.
Yeah. And I don't see a need really to like go after them and try and bash them. I don't think it's a zero sum game here. There are enough people in the world that need to have better privacy with AI that we could all kind of benefit from just expanding and educating the market more on these tools. I just think it is important to point out what the privacy arrangement is and if people are okay with what Venice has, then they should totally go use that product again.
They have more functionality than we do, so they might only need to use that because we don't have the feature that they're looking for. We are looking at expanding Maple. We have a long list of features that we want to add to it and those will come. We will be releasing more. Right now we've switched gears and are focusing on getting Open Secret, the developer platform, up and running in production. Maple is the only app in production right now.
Just yesterday we hit a major milestone with it where we actually segregated it out to be its own separate third party app. As you're probably aware, when you're developing, sometimes you commingle code that shouldn't be commingled. And as we were building this proof of concept with the backend of OpenSecret, Maple was just kind of like in there in the code.
And so last night we pushed to production a new version of Maple that is fully separated now, so it is being treated as a third party app. And then next month we hope to have some announcements around our first third party developer that is building and launching in production with us and we have a couple others in the works as well.
And sometime soon we will just open up the floodgates and say like any developer can come hop on, play around with it, tinker with it, self service portal where you can set up your app and just really go hog wild. So we're looking forward to that.
Our focus is on getting open Secret to that point and then we will come back around to Maple and we have a whole bunch of great ideas that we want to add into the app to make it just that much more functional while still providing the awesome user experience that, you know, that private AI can give you.
Yeah, yeah, definitely. And I'm, I'm, I'm definitely curious on the Maple side. I know maybe you don't have too much detail to share, but I'm curious where y'all will go with especially like adding other models, expanding functionality, because that is really the only shortcoming to me. Like I would love to use Maple for everything, but I can't quite yet. But it'll definitely be cool to see y'all expand that.
I guess the last question around Maple and then I want to circle back to the Open Secret a little bit more is just what, like we've been talking about privacy and the different privacy guarantees of these different approaches. Are there any shortcomings? Like we've talked about how nothing is trustless, not even Maple and Open Secret is trustless.
Are there any specific shortcomings or risks that people need to be aware of, especially if they have like a more extreme threat model or like we mentioned, if they're thinking about uploading work secrets or something like that? Like what are the, the thought, what's the thought process for them around. What are the potential things that could go wrong where they would lose privacy or not have the full privacy that maybe they expect?
¶ Can you describe any potential privacy shortcomings with Maple?
Yeah, so a couple things come to mind. The biggest, so the biggest cryptographic threat I guess or the biggest vulnerability would be that the AWS team becomes compromised in some massive way. It would take a lot, it would have to be a well orchestrated attack and it would completely undermine their entire business model around confidential computing. So it would be something that would take down not only us, but financial institutions. You mentioned signal, right?
Like a lot of big, large enterprise are already using confidential computing internally. So we're talking like a massive breach of epic proportions. So that's really kind of like in our minds, the thing that we are keeping our eye on is, is how do we continue to build around that and shore up security around that.
We're looking in the future, like could we provide a way for a developer building on Open Secret to bring their own hardware security module and like their own signing key basically that would potentially minimize their risk of that threat. So with when it comes to Maple users, in my mind that's the biggest one, the one that is the second one that users would need to be aware of more is like us secretly, not secretly, but us putting a backdoor in the code and nobody noticing.
So the way the Maple works, and this is really the way that OpenSecret works and confidential computing works is, you know, the code gets published open source and then when you go into the client, you start interacting with the app. There is this verified badge in there. So if you go onto Maple, you've probably seen it, there's like this lock icon. You click on that, it's got this green screen, verified check. And when you go in, we call it the proof of security.
And this shows you the attestation. It shows you the servers that you're connecting to, all of the servers in between you and you know, and the end of the line. And so you can verify things along the way. And if we push an update into our servers, then, but the client doesn't know about it, then that attestation breaks and that lock icon breaks and the client actually will refuse to connect. So that is in the code. The code will not connect to a server fingerprint that it isn't familiar with.
So that prevents us from just like quietly pushing something without publishing an open source into the client. But the other thing we could do is if nobody's looking, we can just publish it and say, hey client, talk to this new backend code, put the code on GitHub with a massive backdoor just sitting in there. And if nobody notices, then their client is going to happily connect because all the things check out.
And now we're logging all of your chats so that, and that's just kind of like that would be, you know, out in the open. So where, where I think users could protect themselves is one, they can depend on watchdogs, people that are in the industry that are looking at every new release of Maple, every new release of Open source, sorry, of Open Secret code and making sure no backdoors have been inserted. But most users aren't that technical.
They don't know how to look at code and discover those backdoors. And this is actually where AI can really help out. You could take our GitHub repo and feed it to ChatGPT and it's public info, so who cares? You feed it to ChatGPT and you say, hey, here's the latest release, here's the latest code diff. Will you please tell me if they inserted any backdoors? Are there any new security vulnerabilities here? And o1 Pro?
Or you can feed it to Claude, you can feed it to these LLMs that are really good at coding. Grok 3 is great now too and it'll be able to do a code audit for you. So you don't have to depend on like hiring a code auditor anymore. You don't have to be your own software engineer.
You can have the AIs do the code audit for you and keep us honest and make sure that when you're connecting that you're okay with that green verified badge because you know that you've done your own personal security audit of the code.
That's a fascinating idea. I'd never thought of that. For, for, for auditability there before is just use it, use AI to at least help. And obviously it's not the same level as like an actual like auditing firm looking at the code or someone who's individually deeply comfortable with the code. But it does provide another level of assurances, especially if you're using a different AI platform to do that. Which is, which is interesting. But that like you do raise a really good point.
Just being able to prove that what's running on the server is what you expect doesn't prove that what's running on the server is good. You could just have provably bad software on a server and know that you're running bad software and use it and have issues as a result. So it is, it is yet another reminder that Open Source is absolutely vital.
And hopefully there will be lots of other people building around Open Secret that have more and more vested interest in making sure that Open Secret itself is well built, that you're not doing anything malicious or the more likely thing that there's no accidental security vulnerability or something that that gets shipped.
And that's one of the really beautiful things is as Open Secret grows in usage, as there's more devs, as maybe other people try to implement their own version of OpenSecret because the code is open source, the security gets better. Instead of security through obscurity, it's security through more and more eyes on the code. So it is definitely a, a cool piece of this that is, is good to see and just another, another win for, for open source generally.
Yeah. And we, we looked at Apple and their whole private Apple intelligence stuff that they're doing with their private cloud compute and it's really awesome what they're doing. But in the end you're still trusting the third party auditors that they have hired to look at their code because they're not open sourcing it. So they're using secure enclaves, they're using all the confidential computing. But you have to trust the people that they're working with.
And Apple could put a backdoor in there and then they're paying these people and these people might bend their credibility to say, oh yeah, there's no backdoor here. We didn't see it. Whereas open source, like you can't hide from it. It's out there, it's in the open. And I think truly that is the answer to have the highest level of security and privacy.
Yep. Yeah, it absolutely is open source. Open source is how we win there.
Yep.
So more on Open Secret. I'm really curious and I know I didn't send you this question in advance, so I'll blindside you with it. But in the crypto space, like obviously I work at Cake Wallet, um, I've been in the Bitcoin space for a while in the cryptocurrency scene. You have as well. Y'all, y'all ran Mutiny Wallet. What are kind of the, maybe a pie in the sky reality. What's kind of an ideal way that you could see a wallet developer using Open Secret to help improve the user experience?
Maybe that's simplifying backup of private keys. What's kind of the, the ideal that you see or something you'd love to see a wallet developer build around OpenSecret?
¶ What would you love to see a cryptocurrency wallet dev build using OpenSecret?
Okay, that's a good question. The two big unlocks. One is the user experience of private key management and not having to present the user during this onboarding experience. You know, here's a big complicated private key because if you think about it, we've, we've tried hundreds of different wallets, right? If you've been in the space long enough, you're always looking at new ones that come along.
And the very first step in the process, or maybe step number three or something is write down this key, keep it safe. Big, you know, big warning on the screen. You will lose your funds if you don't do this. And you're like, I, I just want to try this out. You know, I don't want to like, I don't want to like enter into a marriage with this app and like now have to store this thing in a safe somewhere or go get a safe deposit box at the bank. Like just want to see if it's useful.
So with something like Open Secret, you can remove that and you can just give them a normal login experience. And then later on down the line when they've been using it for a little while, you can say, hey, we noticed that you've put like a significant amount of money in here or you're starting to add money in here. You feel like you've got a hang of it. We might recommend you back up your private key. Here it is. By the way. You can back it up.
Apps can actually choose the security model they want to do around private keys and showing to the user. But I think you can create a healthier relationship with that user. And then the second big unlock is encrypted sync that. Having that private key is like, is a superpower where you now have the ability to synchronize their data on, from your cloud.
You can host it on your cloud and not have the liability of their personal information, not have the ability to steal their coins, anything like that. And so now you can actually synchronize it to other devices. And this is a flaw that Venice back on the AI thing really quick. This is a flaw that Venice has and a lot of other really privacy focused things have and that is they don't want to have your data on the back end. So they store it locally in your browser or locally in your app.
And then when you move to another device, you don't have the information there. Even if you log in with their account that they created for you, they don't, they aren't able to synchronize the data because they don't want to touch it. And honestly that's to me, that's a tell that Venice isn't truly private because they're not willing to synchronize your data for you.
So the way to do that then is you have to, like, show a QR code on the primary device and then scan that on the secondary device or do some kind of, like, private key management. That just becomes a difficult thing for a user. So with Open Secret, what you could do is, because we're managing the private key using confidential computing, you simply just log in on the second device and boom, all your data's there. And you didn't have to do any kind of dance between the devices.
You just use the login experience that you're familiar with, that you've, you know, done for years and years. So I see those two being huge unlocks, and then I've got a third one. But if you have any, like, ideas or thoughts or questions on those, we can, we can go down those rabbit holes.
I was, I was just going to say we definitely need to, to chat offline about it because that's, I mean, that's one of. I would say that's the most pressing issue in every crypto wallet. And it's something that we've been thinking about how we can better solve at Cake, like Foundation, I think, has a really novel approach that they've done in their Envoy app. But, yeah, we'll definitely, we'll definitely need to talk more.
I think that that idea of greatly simplifying the initial user experience is just so absolutely vital without stripping away the full manual backup seed words, all that fun stuff for the more advanced users. So we'll definitely talk more, but I definitely want to hear the third one.
Yeah, yeah, sure. Along those lines. Yeah, let's. Let's chat offline. Happy to. I don't want people to walk away from this conversation. Like, if they hit stop right now. What I want them to walk away from is you don't have to just blindly turn over your private key management to something like Open Secret. And you don't have to put your entire life savings in an app that is built on Open Secret. Again, you have to look at the risk profile and the threat model.
And so we actually want to build a platform where apps can choose how complex it needs to be. So let's say that you have Cake Wallet and you just want to use it for spending cash. Well, you're fine just like doing a login with email or even login with Google or something, have the private key generated for you and you stick like $50 in there a month and you use that to, like, buy your coffee or something. That's fine.
If someone were to hack into your Google and get access to your Cake Wallet and get your $50, it would be a bummer. But that's not the end of the world. If you were to do something like Casa or Unchained or something where you're going to host maybe your keys that have access to your generational wealth, then on OpenSecret, you actually, you could actually build like a multi tier, multifaceted authentication. So multifactor I guess, would be the word.
But you could have it do like, you know, an email password as one of them. But then you could also, you know, bring, bring some other form of authentication into the mix. Maybe your app requires like three different forms of authentication and the keys are all separated and sharded up. And then maybe that is only one piece of like a multi key wallet, multisig wallet that your key is stored and brought from a hardware wallet or something.
So there are different ways to make an app that is more secure if it's going to be handling much more sensitive and valuable data. So I just want people to understand, like, I'm not asking people to just blindly trust some apps with all of their life savings. Make sure that you understand the risks that you're taking on. So, sorry, do you have anything there? Or I can go into the third option here.
No, go and jump into it.
Okay. Yeah. So the, the third one really is AI. And I, I know that it's a big buzzword and so some people get turned off by it, but there's a cool power here that once you have the private key and then you have their data encrypted on the cloud. Well, apps also want to allow users to, you know, interact with AI and leverage that power. But the struggle is, is they just go, go to ChatGPT and they grab an API token and they stick it in their app.
And then suddenly you're taking all this private information and you're just sharing it out with ChatGPT again. So it kind of breaks the paradigm. At that point, what we really need is private AI. And this is where Maple no longer is a proof of concept. It actually becomes like a third pillar of Open Secret that becomes this awesome superpower that they can use. And that is, imagine that you were building a, like a meal tracking app and you're logging all of your food that you eat every day.
And then you want to have AI to help make suggestions of like, here's, here's what your next day should look like. Or, you know, you're trying to track these macros and you're building toward this goal. Let me build up an entire nutrition plan for you and maybe a workout plan for you. And some people might say, I'm okay with ChatGPT doing that.
But if we're trying to be trust minimized, we're trying to be more private in our life, then we want to keep that all, you know, safe and secure within our app that we're using that's built on Open Secret. I went through the lengths to make sure that it's all private. I want to bring AI into that.
Well, we can, we can bring AI in a private way that can interact on that data and you can verify end to end that the GPU as well is running secure enclaves and is running the code that we say it's running. So we feel like that is going to unlock a new level of functionality within apps that we haven't even seen or considered that privacy apps can now have AI in them as well without giving up on that privacy that they have.
Yeah, it's almost like the best possible non local AI. Like obviously the ideal for privacy would be that you run these models locally, but obviously we're not there yet on. I mean it is possible to run a lot of the smaller models, the distilled models on a high end phone, but we're not there yet to having the full power that you would need to really build an experience like this around it. So something like Open Secret for that.
And Maple is really fascinating one of being able to do AI and not just give all of your info to a company that's definitely going to sell it or train their AI on top of it. So yeah, it's a fascinating one. I hadn't really thought through that one at all.
And that's something, that's something we want to offer. You asked about Maple and like what our future roadmap is. That's something we want to offer to our users. I don't know if you have seen the Project Goose that Jack Dorsey mentioned a while ago, right?
Yeah.
So for people listening, if they haven't looked at Goose, Goose is really cool. It's this concept that uses MCP. Is that what it is? When I get on these things, the terms fly out of my head. But it's a standard that Anthropic has established for AIs to talk to each other effectively. So Goose is using that standard and it is kind of this, this tool now that can like pull from all of the AI tools that are local on your device and will allow you to chain them together.
So we were thinking, well, it would be really cool if Goose had access to private AI. So what we would love to offer is, you know, is some kind of Maple app that could run on your laptop that rather than having to, like you were just pointing out, like, download your own models, run them locally, figure out which one's the best one, maybe your machine is underpowered. You know, spoiler alert.
All of our machines are underpowered when you're going against these H100s that are running in the cloud. So you want to have like the power of the cloud, but you don't want to spend and manage that yourselves. Well, if you could run some kind of Maple AI proxy on your laptop, some, some software that's running there locally, and then you can plug it into Goose or some of these other tools like Cursor or other.
Other great tools that already exist, suddenly you can unlock these great interfaces. But the power of private AI. So we get really excited about, you know, the option of offering that to our users hopefully in the future.
Yeah, I know that that's something that, like, I was actually trying out Cursor with Venice the other day. Cause they just added the ability to use an API key. That's you. You lie and say that it's ChatGPT essentially, but it works within Cursor. I think that thing would, that would be fantastic to see with Maple.
Again, just to make sure that the users who care about privacy, which I would argue is everyone and are willing to pay a little bit to have an AI that actually respects that privacy, are able to use that everywhere, will be pretty awesome.
Yeah, well, last real question I have for you is, and maybe we've covered this, so if we have, we can just skip it, but is there any other, like, major target use case for Open Secret, generally outside of the crypto space that you're really excited for, or maybe just a thing that you'd love to see built on it, even if maybe it's not possible today?
¶ What do you think is the next major target use-case for OpenSecret, or what's something you'd just love to see built on it?
Yeah, really, everything. The sky's the limit. I come from a mobile app background. I've worked in online backup, like I mentioned at the very beginning. I've also worked in education tech, both at large education tech companies as well as a small ones. And so I think that there, there are just so many places where we are sacrificing our privacy unnecessarily. I like to talk about how our phones are just giant privacy leaks that are just like flowing, you know, endlessly.
And it would be great to start plugging up some of those holes. And I think like the, the most immediate wins that, that I think a normal user would see are things that are location based. So if you are tracking your runs that you do on a daily basis or your bike rides, what you're doing is you're building this, this location profile of yourself. But you don't know the developers that are actually running that.
Like if you're using Strava or you know, MapMyRide or some of these other ones, you don't know who they've hired over there. And they can jump in the database at any time that they want to. Now they're probably not going to, but the threat is there. And if you were a celebrity, like, absolutely, you'd want to have some kind of privacy around that.
I wouldn't be using an app where I'm going on a run around my neighborhood and, and some third party developer can now suddenly know where I live and what my daily routine is. So I think those kinds of apps could, could greatly benefit from building on something like Open Secret and then naturally like health apps, meal tracking, you know, any kind of medical thing that you're doing. We are not HIPAA compliant or certified yet. That's something that'll become in our future.
But there are lots of health things you can do that don't require HIPAA compliance that you would still benefit from. And then I think you could just go down the list, you could just start swiping on your phone and looking at all the different apps you use and think, oh, that would be cool if that one was more private. That would be cool if that one's more private. And the reason they're not is because the tools just aren't that easy for them to work with.
And so they've just picked the developer backends that are out there and they're using them. And because everybody else is using them, they feel safe doing it. But obviously we aren't safe because every week you get a new headline of some kind of data breach that has happened. And so our data is just this liability. Our personal information is a liability. It's sitting there. It's a liability for the developer and it's a liability for us as a user on the developer side.
You know, there's been industry reports out there that in 2023 companies incurred on average like a $5 million cost hit to them when they had a data breach that occurred in 2024. The research that I've been doing, it looks like that's gone up. It's now like $9 million or so. So if you're a UA, those are just US based companies because the report and I think is a little bit easier to find.
But if you're a developer like you are taking on this liability that you might have to clean up some kind of cost from that. And then obviously on the user side, having your privacy spilled online, you are now, you know, a target for identity theft and all sorts of other problems that can cause personal harm to you and your family. So you naturally don't want your data leaked there. So really, I think it's a future world of let's get as many of these apps as we can build in this way.
And if another Open Secret pops up, if we have multiple competitors, I think that's a big win for all of us. Maybe I end up not being as successful as I want to be because other companies are doing it, but I kind of follow the same mantra that Elon Musk was following early on in the years of Tesla, where he said they open sourced a lot of their patents because they just wanted the electrification of the automobile market.
And you can, you can have your opinions of him and your opinions of, of whether EVs are, are good for the world or a net positive or net negative. But the concept is true. I want to, I want other people to be building on Open Secret or building on something like Open Secret. Let's just bring better privacy to all of the apps that we use.
No kidding. The, the world would be such a better place if all of these developers and companies didn't have access to this data. And it greatly simplifies their jobs too. I mean, the less data they need to manage, the easier their lives are and the less risk they have. So it's definitely a hopeful future and I'm glad to hear that Open Secret is building out the tools to make this easier for developers and really excited to see what else launches this year.
It feels like 2025 is going to be a really, really good year for privacy and for privacy tech. It sounds like Open Secret is going to be a key part of that. So thanks for chatting about it today.
¶ What would you like to leave listeners with?
Yeah, yeah, definitely. I hope so.
Awesome. Well, thank you so much for coming on. I think we covered pretty much everything I have, but any last thoughts or things you want to leave the audience with?
As far as what I would leave for users or leave for people who are listening is if you're a developer, like come chat with us and let's look at how we can help you bring better privacy into your app. You do not need to move your entire stack over to Open Secret. There are, there are major ways that you can just get a win by plugging parts of your stuff into here.
A great example is there's a bitcoin exchange that we've been talking to that obviously needs to have customer data because they're a centralized exchange. I don't think they're just bitcoin, they're cryptocurrency exchange. But what they do want to do is they have to hold on to these driver's licenses and government IDs.
And so they're looking at how can we use Open Secret to better secure that information so that we don't have to have this liability of some rogue employee that now just like dips their hand in the cookie jar and grabs all these government IDs. So we're looking at ways that we can help them with their meet their obligations of long term retention of documents but still protect themselves from that liability. So if you're a developer, come talk to us.
If you're a user, search out tools that are more private, search out tools and always be scrutinizing the privacy policy and the privacy model that your app that you're using is built around. And if you don't think it's strong enough, talk to the developer and we'd love for you to let them know that we exist and we will be launching soon to the public for people to come play around with it. And let's try and elevate the game of all of our tools together.
Awesome. Well, thank you so much, Mark. Have a great rest of your day.
Okay, great. Thanks.
Thanks for listening and I hope you enjoyed this episode of Opt Out. If you did, please take a moment and subscribe to the podcast. Or if you already subscribed, share it with one friend or family member this week. As always, you can check out the link to the guest content and contact info, as well as links to all of the tools we discussed in today's episode. Now get out there and Opt Out this week.
