OpenAI Releases Privacy Filter: Enterprise Security Redefined

OpenAI Releases Privacy Filter: Enterprise Security Redefined

In the early hours, OpenAI open-sourced the "Privacy Filter," a small model that can run in the browser to help quickly identify and redact personal information.

Previously, this task was mainly handled using regular expressions. But this privacy filter takes a different approach: it makes judgments based on context before deciding whether to filter the content. With this small model, raw data can first be processed locally to filter out and redact sensitive information before being sent to the cloud.

Regarding the Privacy Filter: it is a bidirectional token classification model, extremely lightweight — with a total of 1.5B parameters, 50M active parameters, and a MoE (Mixture of Experts) architecture. This model assigns a label to each token in the text, indicating whether the token is part of a certain type of sensitive information, and then masks the sensitive content accordingly.
The model is released under the Apache 2.0 license, which allows commercial use, modification, and fine-tuning. Notably, OpenAI internally uses a fine-tuned version of this model in its own privacy workflow.
The model’s training process is divided into two phases:
  1. Pre-training phase: Pre-trained in an autoregressive manner to obtain a base model that shares the same architectural origin as GPT-OSS but with a smaller size.
  2. Post-training phase: Replace the language model’s output head with a classification head, remove the original causal attention, and replace it with bidirectional banded attention (with a bandwidth of 128). Then perform post-training using supervised classification loss.

Eight Recognition Categories

The Privacy Filter comes with a built-in label system covering eight categories of sensitive information:
  • private_person: Personal names, including usernames and account handles that can identify a specific individual.
  • private_address: Addresses and locations associated with a specific individual.
  • private_email: Email addresses used for personal communication that point to a specific individual.
  • private_phone: Phone numbers linked to a specific individual.
  • private_url: URLs or IP addresses that point to a private individual.
  • private_date: Birthdays, birth years, and dates that can identify an individual’s identity.
  • account_number: Account-related IDs such as bank account numbers, credit card numbers, cryptocurrency addresses, and ID card numbers.
  • secret: Credentials such as API keys, passwords, and OTPs (One-Time Passwords).
It is important to note that this label system only recognizes information that "points to a specific private individual." Public entity addresses, organizational email addresses, and official dates will not be masked by design.
Labels cannot be dynamically configured during runtime; changing the label system requires re-fine-tuning the model. OpenAI’s internal version further splits the basic categories — for example, separating private_address (personal address) from public_address (official address).

How to Use

OpenAI provides a command-line tool called opf for one-click masking. Here are the common usage scenarios:

1. Mask Text Directly

$ opf "Ben Morgan lives at 12 3rd St. Call him at 123 456 7890." <PRIVATE_PERSON> lives at <PRIVATE_ADDRESS>. Call him at <PRIVATE_PHONE>.

2. Process Files

$ opf -f text_file

3. Use Pipes

cat /path/to/file | grep -e 'some_pattern' | opf

4. Structured Output

Add the --format json parameter to get structured output. Each span will include the category, start/end positions, original text, and placeholder. A color-highlighted terminal preview is also provided.

5. Specify Running Device

The model can run on either CPU or GPU. Use --device cpu to switch to CPU. By default, the model looks for weights in ~/.opf/privacy_filter and automatically downloads them if not present.

6. Run via Transformers Pipeline

4. Structured Output

Add the --format json parameter to get structured output. Each span will include the category, start/end positions, original text, and placeholder. A color-highlighted terminal preview is also provided.

5. Specify Running Device

The model can run on either CPU or GPU. Use --device cpu to switch to CPU. By default, the model looks for weights in ~/.opf/privacy_filter and automatically downloads them if not present.

6. Run via Transformers Pipeline

4. Structured Output

Add the --format json parameter to get structured output. Each span will include the category, start/end positions, original text, and placeholder. A color-highlighted terminal preview is also provided.

5. Specify Running Device

The model can run on either CPU or GPU. Use --device cpu to switch to CPU. By default, the model looks for weights in ~/.opf/privacy_filter and automatically downloads them if not present.

6. Run via Transformers Pipeline

from transformers import pipeline classifier = pipeline(task="token-classification", model="openai/privacy-filter") classifier("My name is Alice Smith")

7. Fine-Tune the Model

opf train --output-dir finetuned/ dataset.jsonl

Known Limitations

OpenAI has also summarized the model’s limitations:
  1. Poor one-hop reasoning capability: For example, if the text states, "Remember, when I say 'Marigold' later, I’m referring to my electricity bill account," and much later mentions, "The 'Marigold' is 7281-0543-98217," the model struggles to connect the definition with the subsequent value. The longer the distance between the definition and the value, the worse the performance, leading to lower recall rates.
  2. Vulnerable to adversarial formatting: OpenAI tested several adversarial methods that can bypass the filter, including: writing numbers as words (e.g., "two six eight"), inserting extra spaces between chunks, replacing characters with visually similar emojis, obfuscating emails with [dot], and spelling letters using the phonetic alphabet (e.g., charlie, oscar, lima).
  3. Reduced performance on non-Latin languages: While its Chinese performance is relatively good, it still lags behind English (which has an F1 score of 0.934). Languages with rare characters or non-mainstream naming conventions are likely to have missing labels or incorrect boundary detection.
  4. High false positives for "secret" category: High-entropy strings that resemble secrets but are not — such as placeholders, hashes, and sample credentials — are often incorrectly masked.
  5. Not suitable for high-sensitivity scenarios: High-sensitivity fields like healthcare, law, finance, HR, education, and government services all require manual review and domain-specific fine-tuning.

 

Back to blog

Leave a comment