AI Assistants or Companions (Agents) are Bad! Well Maybe Not All | Rob Braxman


Summary

➡ The Rob Braxman video discusses the rise of AI assistants, or AI agents, like Windows Copilot, Apple Intelligence, and OpenAI Operator, and their impact on our lives. It highlights the privacy and security flaws in each, with Microsoft’s approach being more invasive as it sees everything you do on your device. The video also warns of a ‘man in the middle’ problem where AI agents can potentially see sensitive information like passwords. However, it suggests that future alternatives may offer better privacy and security.

➡ AI assistants like Microsoft Copilot and OpenAI Operator can increase productivity by handling tasks like writing memos, responding to emails, and booking flights. However, these AI tools pose a significant privacy risk as they can access and store personal data, including passwords. The solution proposed is to use a local AI bot that you control, which uses open source models and follows your rules. This bot would not store passwords and would operate in isolated sessions, preventing accidental leaks of personal data and ensuring better privacy.

➡ A small Chinese company has developed an AI model that rivals those of larger U.S. companies, showing that free, open-source AI models can compete with big tech. This AI, called DeepSeek R1, can be integrated into local AI systems and can be programmed to follow specific rules and preferences, ensuring user privacy. The creator suggests that such AI can be used to confuse online trackers, maintain private conversations, and avoid mass surveillance. The creator also offers privacy-focused products like the Brax 3 privacy phone and Brax’s Virtual phone, and invites users to join the privacy-focused community on Braxme.

 

Transcript

When I made this video, DeepSeek R1 AI model was just released and that caused tech stocks to crash. And this was also just after OpenAI released its first iteration of an AI assistant called Operator. Operator is another version of an AI companion similar to that found in Windows Copilot and of course it will be in Apple Intelligence. These changes start the era I’ve been talking about since early last year. An era that will have the real effect of AI on our lives, which will be the use of AI assistants or, as they are technically known, AI agents.

For some of you this is a horrendous new concept in the use of AI and for others it is a subject of awe and envy. As privacy-aware people, am I telling you that you can never use AI assistants, AKA AI agents, to do work for you? Actually, that’s not true. The popular ones I’ve talked about are Windows Copilot, Apple Intelligence and now OpenAI Operator. And I made so many videos telling you how these are bad, but more are coming and believe it or not, there will be options. What I will discuss in this video is to compare the different methodologies for an AI assistant and show you the privacy and security flaws in each.

Then I will compare it to a future alternate method which will be just fine. And as of the time of this video, all these AI assistants are early stage and not quite ready for prime time. But by this time next year, the AI world will have changed. This will be an advanced preview of what will be available to you and I hope that based on this information you do not jump the gun and go full on into Operator, Copilot or Apple Intelligence, which as I said are the bad choices. If you want to be a smart user and understand the implications of AI in this new world and know what the best options are, stay right there.

The announcement of OpenAI’s Operator is a big deal as it heralds a new stage. As some in the AI field have stated, we are now in the decade of AI agents. If you understand this, you will understand the direction of Windows, Apple, Google and others and you can predict how it will impact all of us in this decade. Before 2025, most of what we’ve seen is AI in the form of an LLM (large language model) used as a brain to answer questions. But the real big leap is when the AI interacts with the real world intelligently.

Instead of just being a theoretical idea, machine actually powers real things in real life, like robots. In the software world, the equivalent of a physical robot is an AI agent. This would be a piece of software that can take the intelligence of the AI brain and do your computer work. In the past, for pieces of software to talk to each other, each application needs to communicate in a standard, predetermined way. And this means lots of programmers had to be involved and had to agree. And so it would take decades for many applications to work with each other.

The innovation with Windows Copilot, Apple Intelligence and OpenAI Operator is that the AI can interact with the digital world of the human using a human interface. Thus there’s no programming needed, meaning it sees what you see and can then judge what it does, just like a human can. No complicated programming, no complex rules. You could just tell the AI agent to navigate the web and order your groceries online, or have it make restaurant reservations, or have it send emails to all your sales contacts and even have it personalize each message. Or you can have the AI watch your email inbox.

And based on its importance, the AI can give you a special notification or otherwise automatically respond to it. We need to dissect the pieces that allow agents to do work for us. This is in addition to the main brain or the LLM. The first thing you will find in the AI Agent version so far is that they can all see what you see. To be specific, here, the agent screenshots the screen and then passes it to the AI to identify what to click next based on objects it identifies on screen. And then the agent is guided to emulate a mouse click or to type some text at the point designated by the AI.

This is where you will see the operational differences in the choices made by OpenAI versus Microsoft and Apple. The way Operator works, they create a virtual machine in the cloud just running a browser. So the screenshots are made only inside the virtual machine, which you can see remotely. Here’s a short demo that illustrates how Operator works. This is from the promo video of OpenAI Operator. I’m going to use OpenTable and say book me a table for two at Beretta tonight. So I’m going to expand this a little bit. So as soon as I type in the query, Operator instantiated a completely remote browser.

This browser is running in the cloud somewhere and as you can see, it’s already up and running. My hands are off the keyboard. I’m not typing these things. This is just. The AI is clicking around. AI is just clicking around. It is right now. Okay, it looks like 7pm isn’t available. But you know what, 7:45 is just fine. So we’re going to go do that. So you wouldn’t have had to watch this. You could have just let it go off while you’re doing other things. Then it would come back and say, hey, I can’t do seven.

Totally. Five. Yeah. Okay. Yes, that’s great. Let’s do it. Teaching a model how to use the same basic interface that we use on a daily basis, it just unlocks a whole new range of software that can use was previously inaccessible. And so this is keyboard and mouse, right? It’s kind of using keyboard and mouse just like you would. Exactly, yes. I chose a random spot. The first thing that CUA does when it controls the computer is it looks at the screenshot. So now you’re seeing maybe the search results page for eggs in Instacart. So CUA understands this.

It’s just seeing the raw pixels. And after CUA sees this image, it decides what to do next. So right now it’s making some inner monologues. And this is the summarized chain of thought. So what CUA is doing is, according to it, it’s selecting organic eggs and adding it to the cart, which is a reasonable thing to do. So after it does this plan, it then figures out what the next action it should take is. So let’s see what it does in the next step. Okay, so you see that it performed a click on this add button right here.

So that’s very reasonable. Now every time CUA does an action, it takes the next screenshot of the computer so that it knows what effect its action had on the computer. In contrast, the see what you see concept is much more invasive in a Windows Copilot. The Microsoft approach is that it is not application dependent. It sees everything you do, no matter what it is on that device. In the OpenAI case, while you’re using Operator, the only thing known to OpenAI is what you’re doing on its virtual machine. For example, if you’re writing a memory demo on another window, it’s not going to see that.

If you’re using Signal in another window, it will not see that, but Microsoft will see everything. The Microsoft version is a completely different approach because it is a total see what you see, hear what you hear, know what you know approach. So again, to compare, what OpenAI will remember is what you’ve told the AI in the past. So let’s say you told Operator to book a reservation at Spago in Beverly Hills. You will expect OpenAI to remember that then as it will accumulate a history of your preferences as you use it. The Microsoft approach, which I presume will also be the Apple approach, is to know everything.

Let me emphasize that everything. Then it will have such a full history of your choices that in theory it could even select the restaurant for you automatically while arranging a date with your girlfriend on the day when you have the least business appointments. There’s a problem with all these AI agents, and that includes OpenAI Operator. The problem with an AI agent, one by the way not controlled by you, is that you now have a man in the middle problem. To give you an obvious example of this, let’s say you want an operator to buy you groceries.

So Operator looks for grocery sites on Bing. Then it finds instacart.com which will then be a preference now. But the next step is to enter credentials on instacart.com. Well, remember that someone is watching. So basically OpenAI can now see the password for instacart.com since you will enter it while running a cloud service. You can see that on the example here. Cool. I’m going to go ahead and log in here really quickly. So this is an example where I obviously need to log in or enter my credentials to actually purchase these tickets. And Operator just ask as you just described, with confirmations and making sure the control is on the right place and we can take control.

And at this point, as we talked about earlier, the session is completely private as well. I am going to you know what, login live, see how that goes. And in order to be efficient at this, OpenAI will of course store the password so you don’t have to keep re-entering it and stored separately from your own password manager. And now by a third party. In the case of Microsoft Copilot, same thing, except it would be impossible to hide anything. And then Microsoft Copilot will store your password, likely in the browser and again separate from your own password manager, which it can see anyway, including the master key.

This is a major security problem because it has a man in the middle. This will always be the case when you don’t control the AI. In the case of Operator, you are basically just renting the AI agent for $200 a month. That by the way, is the cost of Operator. But you are giving Operator your personal data. In the case of Windows, you think you own your computer, but really it is the same as renting it as the full control of the OS is still with Microsoft, particularly with the AI. And a problem I discussed in other videos is that HQ can ask the AI what it knows about you.

That’s client side scanning. Now there’s a way to solve this using other solutions. I’ll get back to that later. The question I want to pose first is that is there a value in this concept of an AI assistant? If you say no, then for many of you it’s a dishonest answer. Having a virtual assistant that can interact in the same way you do by watching this screen can introduce productivity in ways we have not seen so far. While the common examples of the use of Operator are related to conveniences like buying groceries and making reservations, you really need to think of the productivity effects of this.

You can have the AI write memos for you and send to multiple parties with minimal instructions, perhaps just given verbally. The AI can be smart enough to respond automatically to emails without you even reading them. The AI can book you the cheapest flights or the cheapest hotels. You could have multiple agents running simultaneously. You could contact sales leads and provide sales support without lifting a finger. You could automatically pay your bills, but only at the last minute. And then you can start the day by just focusing on items that need decision making. All grunt work is eliminated.

There is absolutely good reason to think that this use of AI will change the way we work and interact. AI agents can automatically respond to texts as well, and even social media posts, or even any kind of app. Remember, the AI can see what you see, so it can interact with anything on screen. Not all of this is positive since obviously what may appear as personalized communications to you may just be an AI bot. Remember that the world will use the same AI bot, so humanness will disappear, niceties and cordiality will be fake, and even long detailed responses will be recognized as the work of a bot.

But the worst part of all this is the privacy loss since basically you’re handing the knowledge of your life to a third party and you’re making an assumption which will be incorrect, that the AI bot is working solely for you. Let me tell you the good news. There is absolutely nothing that Microsoft Copilot, Apple Intelligence and OpenAI Operator can do that you cannot duplicate running a local AI with your own AI agents. Now what I will describe here is a plan for a design of a safe agentic AI. The alternative I’m proposing is a local AI bot that you run and that has no man in the middle.

Since you will own the AI, it will use open source models and you define the rules. There are already several browser based local AI agent projects that I’ve seen. One is an open source project on GitHub called browser use. This one is screenshot based like OpenAI and Copilot. Here are some sample interactions I’ve seen on YouTube demonstrating the use of browser use. Let’s now have the DeepSeek R1 go over and find me the cheapest flights from New York to Moscow. So let’s go ahead and run this agent and have it execute this task. Let’s just see this agent in action.

You can see that it is on trip.com and it’s sourcing flights from New York to Moscow, which is in Russia. There’s also a Chrome browser extension called do browser which appears to actually be intercepting the actual HTML code or DOM instead of taking screenshots. And here’s the example of do browser being used. If you click on these extensions and then just press pin on do browser, then you can just press here like that and then just open like a new tab and then you can say for example, find me five sponsorship opportunities inside my gmail and write a personalized response.

Do not send the email, just draft the email. Now the thing I personally don’t like about this or I’m not even sure if this is true, but I don’t think I can do other things at the same time. I feel like it’s controlling my mouse, but I’m not actually sure. So if I go on here again, the difference is that do browser can read the actual HTML and does not need to see the screen. Both are valid methods. Now these two projects are just examples. I’m thinking that in a year’s time many of these projects will actually be quite usable and able to do some more complex tasks.

By the way, cloud based AI has issues. Many sites like a Ticketmaster will block OpenAI as it will detect that a bot site is performing the action. This is where a completely locally running AI will appear to be a regular user to the outside world. First of all, I like the general approach of limiting the AI assistant to just web access. So kudos to operator for taking this approach. This would allow the ability to do isolation techniques. So I propose that this AI not be able to interact outside of a virtual browser. But I propose that you can initiate multiple completely independent bot sessions, all running simultaneously.

For example, a workbot versus a social bot. So a work AI bot would limit itself to work activities in a work session. A social bot would communicate with friends in a social session. Each instance of the AI bot would be insulated from the other. Currently this would be impossible on a Windows Copilot, for example. It would see your entire life at all times, from your bank balances to your political choices to your sales leads to which persons are attractive to you. This is one of the biggest flaws in AI bots. It assumes that we only have one aspect of life and the man in the middle sees all.

Running AI bot instances with different web connections for each purpose would be better for privacy and give each bot a more authentic style fit for its audience. Because of the isolation strategy, each bot only knows what you let it know, so the workbot will not know the names of your friends. This protects against the accidental leaks of personal data. Can you imagine cases where a bot gets confused with home address versus business address or personal numbers versus business number? Or how about this? What if there’s an email that is doxing you by asking questions and then the AI automatically gives answers of private information? Or how about a bot that sounded overly familiar in a business environment because it didn’t understand its place? This is a headache in a one size fits all bot, which personally I think is a very bad design, in addition to being a privacy destroyer.

Also, being isolated, whatever else you do on your computer obviously will not be known to any AI bot unless you tell it. Even if it is a local AI, it is a security risk because someone could access your device and theoretically break into the AI environment and access these temporary variables used to store things like preferences and passwords. What I think is that anytime a password prompt is recognized, the AI bot should trigger a notification which will then be handled by a separate listening app that pops up for the user to acknowledge using a separate UI.

The purpose of this approach is to ensure that the AI bot itself is not in charge of storing passwords. It must never store credentials. A separate app can then be connected to a password manager for convenience. But of course you enable access to a password manager with a timed master key. This would be the equivalent of a two factor authentication, since the bot will always seek authentication from a different app. The bot can then pass the credentials to the website, but it will never store it. DeepSeek caused shock waves in the AI industry. A small company in China with little money created an AI model close to the capability of the newest USA models.

Some say they just distilled or sucked the data from a larger model. But regardless of the creator of the AI model, what it has shown now is that open source models or free AI models will not be left behind in the dust by the big players. The average person will have access to free AI resources that are going to be advanced. DeepSeek R1 is roughly in line with OpenAI’s o1, which is incredible since it is free. The way I envision this, you just slap a different model into your local AI as something new comes up. But the AI agents could be more stable.

The usefulness of the AI agents will be based on rules or preferences they have accumulated over time and they have to store your choices over a period. And this should be something that you can review if this is going to be a local AI. But our privacy is maintained also by doing the separation of activities depending on what aspect of your life you need to manage. Isolated bots with isolated histories and of course locally run and controlled. Am I wishing for something that is not likely to exist? We always think everything has to be controlled by big tech.

No, as I said here, pieces of this already exist in open source projects on GitHub. Someone can simply combine all these pieces and as long as this person understands the privacy aspect then it will work. I know it is doable because I could program this myself if I had time. I just want to make sure my goals are stated here so that I can guide other people to make the right choices and design local AI. Local agentic bots with isolation and web only access. Let me give you an example of a privacy use of this. You can instruct the AI to go visit both right wing and left wing websites constantly to confuse the trackers.

Right now this is very tedious to do manually. You could have several bots running with unique identities. This can then confuse any attempts to identify you because you’re not going to be exposed to the Microsoft see what you see, hear what you hear, know what you know. Your end to end encryption conversations can remain private assuming you’re talking to another safe user. Because there’s no man in the middle, there’s not a risk of someone asking the AI questions about what you’re doing on the computer. This is the whole point of client side scanning and is a very high probability risk for mass surveillance.

Remember that you must not use AI that sees what you see, hears what you hear and knows what you know. That’s ultra dangerous. My preferred approach here is that an AI that only sees what you wanted to see. And no, it shouldn’t be my AI companion, but it will not be a friend, it will be a slave robot that’s used only when I want it to be used. Folks, this channel is supported by this community and as many of you know, I don’t really take sponsors. What we’ve done instead is create solutions for you directly and offer it at reasonable prices.

One of our most recent solutions is the Brax 3 privacy phone. This is a basic tool for privacy protection that everyone will need. It runs most apps but not those from Google. It doesn’t have a Google ID. This project is currently on Indiegogo.com and is set to ship by March so it’s coming soon. We also have Brax’s Virtual phone which allows you to get additional phone numbers without using physical phones and we do it without requiring KYC or ID. We have a braxmail service which allows you to create unlimited aliases so you can have unique email addresses online and with built in privacy protections.

We have Bytes VPN which is our reasonably priced VPN service that is offered internationally. These and other products are available in our store on Braxme. Braxme is a community built for privacy enthusiasts and has over 100,000 users. Join us there and interact with the community that talks about privacy issues daily. Thank you for your support on Patreon, Locals and YouTube memberships and thanks for watching. See you next time.
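
The design described in the transcript above (isolated bot sessions, with password prompts handed to a separate app that unlocks on a timed master key so the bot never stores credentials), sketched as an added example that is not from the video or from any project it mentions. The class names, the `password` field heuristic, the approval callback and the sample site and credential are all constructed for illustration.

```python
import time
from dataclasses import dataclass, field


class BrokerRefused(Exception):
    """The vault is locked, out of scope for this session, or the user declined."""


class CredentialBroker:
    """Hypothetical stand-in for the separate listening app; only it reads the vault."""

    def __init__(self, vault, approve, unlock_seconds=300, clock=time.monotonic):
        self._vault = vault              # {(session, site): (user, password)}
        self._approve = approve          # callback standing in for the separate UI
        self._unlock_seconds = unlock_seconds
        self._clock = clock
        self._unlocked_until = 0.0

    def unlock(self):
        # A real app would check the master key here; this models only the timed window.
        self._unlocked_until = self._clock() + self._unlock_seconds

    def request(self, session, site):
        if self._clock() >= self._unlocked_until:
            raise BrokerRefused("master key window expired")
        if (session, site) not in self._vault:
            raise BrokerRefused(f"no credential for {site} in session {session}")
        if not self._approve(session, site):
            raise BrokerRefused("user declined")
        return self._vault[(session, site)]


@dataclass
class BotSession:
    """One isolated bot instance: its own name and history, nothing shared."""
    name: str
    broker: CredentialBroker
    history: list = field(default_factory=list)

    def handle_page(self, site, fields, submit):
        # Constructed heuristic: a form field of type "password" marks a login prompt.
        if "password" not in fields.values():
            self.history.append(("visited", site))
            return True
        try:
            user, password = self.broker.request(self.name, site)
        except BrokerRefused as exc:
            self.history.append(("login_refused", site, str(exc)))
            return False
        submit(user, password)           # passed to the site's login form
        del user, password               # references dropped; nothing goes into history
        self.history.append(("logged_in", site))
        return True


def demo():
    now = [0.0]                          # fake clock so the timed window is testable
    prompts, sent = [], []

    def approve(session, site):
        prompts.append((session, site))
        return True

    vault = {("work", "crm.example"): ("alice", "constructed-pw")}
    broker = CredentialBroker(vault, approve, unlock_seconds=60, clock=lambda: now[0])
    work, social = BotSession("work", broker), BotSession("social", broker)
    login_form = {"user": "text", "pw": "password"}
    submit = lambda user, password: sent.append((user, password))

    broker.unlock()
    ok_work = work.handle_page("crm.example", login_form, submit)
    ok_social = social.handle_page("crm.example", login_form, submit)
    now[0] = 61.0                        # the unlock window has passed
    ok_late = work.handle_page("crm.example", login_form, submit)
    return ok_work, ok_social, ok_late, work.history, social.history, sent, prompts


if __name__ == "__main__":
    print(demo())
```

The social session is refused before the user is even prompted, and the work session's history records that a login happened without the credential itself.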

See more of Rob Braxman Tech on their Public Channel and the MPN Rob Braxman Tech channel.
