---
title: Privacy and Sovereignty
section: Ora — Foundation arguments
status: review
description: The internet colonized communication and social media colonized self-expression; cloud AI is colonizing thinking itself. The case for sovereign, local AI.
authors:
  - The Ora Foundation
downloads:
  md: /papers/white/privacy-and-sovereignty.md
license: https://creativecommons.org/publicdomain/zero/1.0/
---

# Privacy and Sovereignty

## Your thoughts shouldn't have a terms of service

The internet colonized communication. Social media colonized self-expression. Cloud AI is colonizing thinking itself.

This is not metaphor. The functional mechanisms are precise.

Communication required infrastructure. The infrastructure was built by companies that monetized the data flowing through it. The convenience of the infrastructure made it the default. The data became the product. Email became Gmail; SMS became iMessage and WhatsApp; the open protocols that the early internet ran on receded as people moved to convenient walled-garden alternatives. Each step traded sovereignty for convenience, and each step felt rational at the moment of the trade. By the time the cumulative trade had been made, the alternative was harder to reach, and the new defaults had been normalized to the point that people stopped noticing what they had given up.

Self-expression required venues. The venues were built by companies that monetized engagement. The convenience of the venues made them the default. The user's identity became the substrate the platforms operated on. A blog became a Facebook post; a forum became a subreddit; a personal website became a Twitter account; a publication became a Substack newsletter. The pattern was the same: open infrastructure receded as people moved to convenient walled-garden alternatives, and the data the people produced — their thoughts, opinions, expressions, identities — became the product the platforms sold.

Cloud AI is the next stage. Thinking — the activity that has always been the most private a person engages in — now requires infrastructure. Drafts, half-formed ideas, questions you would not yet ask out loud, the working space where you decide what you actually believe: all of it is moving onto servers run by companies that monetize what passes through them. The default experience of using AI is to externalize one's thinking onto a system that retains the externalization, learns from it, sells access to derivatives of it, and answers to no one for what it does with the residue.

The pattern is the same as the prior two stages. Convenience of the infrastructure makes the alternative harder to reach. The alternative — local AI, sovereign cognitive infrastructure — exists now, but only barely, and only because deliberate intervention has preserved it. Without that intervention, the alternative would not exist by the time most people noticed they wanted it.

The phrase "your thoughts shouldn't have a terms of service" names the structural problem. Subjective experience has been the last inviolable private space. The colonization of thinking is the last colonization. After this, there is nothing left to colonize.

The structural answer is local compute.

## What sovereignty means here

Sovereignty over an AI system means the user owns the stack. Their machine runs the system. Their filesystem holds the data. Their network is the only network the system needs. Their model relationships — whether to a frontier lab's API, to a local open-weights model, or to multiple models swapped as needed — are theirs to configure and reconfigure.

A sovereign system has five properties:

**Local compute by default.** The system runs on the user's machine. The user's data stays on the user's machine. The user's queries reach a model only when the user explicitly chooses the model relationship that requires it, and the model relationship is the user's, not the system's. The default is local; the network call is the exception. This inverts the cloud-AI default, where the network call is everything and local processing is the exception. The inversion matters at every layer: drafts the user never sends to a model never leave the machine; conversations the user has with a local open-weights model never reach any vendor; queries that do go to a frontier lab's API are auditable by the user (the user can see what is being sent, when, and why) rather than abstracted into the system's invisible operations.

**Model-agnostic architecture.** The system does not depend on any particular model. The user can route queries to whatever combination of models serves the user — a frontier model for some kinds of work, an open-weights local model for sensitive work, a specialized model for niche domains. Lock-in to a specific lab's models is exactly what the architecture rejects. The user's relationship is with the harness, not with any one model. As models improve at the open-weights tier, the user's local capability improves; as frontier models compete on price and capability, the user can route to the best fit per query rather than committing to a single vendor's roadmap. The architecture survives whatever the model layer does.

**Forkable structure.** The system is open-source under the most permissive disposition possible — public-domain dedication, not copyleft. Any user can take the architecture, modify it for their needs, redistribute their modifications, or build something entirely new from it. The original maintainers cannot revoke this; the code is in the public domain irreversibly. The fork ecosystem is not just a permission structure; it is the operational mode through which the architecture stays adapted to user needs the original maintainers did not anticipate.

**The user's vault is the user's.** Persistent state — every conversation, every framework run, every piece of accumulated context — lives in standard formats on the user's filesystem. Markdown, JSON, plain text. The user can copy it, back it up, examine it, search it, take it to a different system. Nothing about the architecture creates lock-in at the data layer. The user's accumulated cognitive work compounds across years; the substrate of that compounding is durable, portable, and the user's.

**Public-domain release of the whole stack.** Architecture, frameworks, knowledge library, documentation. CC0 1.0 Universal. No patents. No copyrights. No licenses. No permissions required. Anyone can use, modify, distribute, build upon, fork, or republish any artifact stewarded by the Foundation, for any purpose, without permission, attribution, or fee. The release is irreversible by design: once dedicated to the public domain, the artifacts cannot be reclaimed.

These properties are interlocking. Removing any one of them undermines the others. A model-agnostic system whose data is locked to a vendor's format is not sovereign — the format lock-in is enough to compromise the user's leverage. A local-compute system whose codebase is proprietary is not sovereign — the user is dependent on the vendor's continued goodwill for updates, security patches, and compatibility with new platforms. A forkable codebase whose canonical version requires a vendor's keys to operate is not sovereign — the dependency reasserts itself at the API layer. The properties have to compose, or the sovereignty claim does not hold up under stress.

## Your system, your models, your rules

The slogan is precise. Each clause carries operational weight.

**Your system.** The user runs the harness. The harness's source code is on the user's machine. The user can read it, modify it, replace components, write extensions. The harness is the surface the user interacts with; the user owns that surface in a way that has no analog in cloud-AI products, where the surface is the vendor's UI. A user who has run Ora for two years has a harness that is, in any specific way that matters, configured to that user. The configuration is the user's investment. The investment is durable because the harness is the user's.

**Your models.** The user picks the model relationships. A configured system might use a local open-weights model for most queries, a frontier model for the small subset of queries where capability difference is decisive, a specialized model for niche domains where a fine-tuned variant outperforms the generalist frontiers. The user can change the picks any time. The user can run model A on Monday and model B on Tuesday and check whether the difference matters. The user can route the same query to multiple models in parallel, which is what the adversarial pipeline does for reliability and what the user can also do voluntarily for any query where comparing perspectives is useful.

**Your rules.** The configuration determines what the system will do, what it will not do, what topics it will engage with, what model relationships it will use, what it will log, what it will not log. The user is the one who sets the rules. The system does not have policies the user has not explicitly accepted; it does not have data-collection practices the user has not explicitly enabled; it does not have content moderation the user has not explicitly chosen. The rules are the user's because the configuration is the user's.

The contrast with cloud AI is not subtle. Cloud AI products have policies. The policies change. The change happens through corporate decision-making the user has no role in. The user accepts the changes by continuing to use the product, because the alternative — exiting — costs the accumulated context the product holds. The user's leverage is one-directional: the user can leave and lose the accumulated context, or stay and accept the new policies. There is no third option in the cloud architecture. There is, in a sovereign architecture, because the leverage runs the other way.

## The Orwell connection

This section sits in the deeper part of the page, for visitors who reach it. The mainstream argument for sovereignty does not need it; the deeper argument benefits from it.

George Orwell's *Nineteen Eighty-Four* turned on a specific structural commitment: the protagonist's thoughts were not safe. Not because the surveillance apparatus could read minds, but because the apparatus could observe enough externalized behavior — what was written, what was said, what was glanced at — to reconstruct the inner state with enough fidelity to act on it. The novel's terror is not in the watching; it is in the structural impossibility of having a private thought once the externalization has reached a sufficient density. The protagonist's diary is a small attempt at sovereignty in this sense, and the failure of the diary is the moral center of the book.

Cloud AI changes the externalization density. Where the externalization used to be optional — a person could think privately by simply not writing anything down — the externalization is increasingly required by the way work is done. The user who drafts a memo using cloud AI has externalized their working draft to a server. The user who works through a problem in conversation with a chat product has externalized their reasoning. The user who asks a system to help them figure out what they actually believe about a contested question has externalized the question and the working-through.

This is not a paranoid framing. The externalization is the product. The vendor's business model depends on it: the data is what trains the next model, the conversation history is what creates lock-in, the user's accumulated context is what makes the system useful for that user specifically. The user's externalized thinking is not an unfortunate side effect; it is the value the vendor extracts. The vendor's terms of service exist to formalize what the vendor extracts and to limit the vendor's exposure for extracting it.

The Orwellian frame is not the right framing for the immediate threat. The labs are not state actors trying to suppress dissent. The labs are commercial actors monetizing externalized cognition. The threat is not totalitarian; it is platform-capitalist. But the structural problem is the same one Orwell identified. Once the externalization density is high enough, the inner life becomes inferable from the outer behavior, and the entity that has access to the externalization has access to the inner life. The Orwellian terror is the recognition that this density is achievable and that, once achieved, it cannot be simply walked back.

The state-actor version of the threat is also not absent. Cloud AI vendors comply with subpoenas. They comply with national security letters. They comply with the legal frameworks of jurisdictions where they operate, including jurisdictions whose legal frameworks include compulsory disclosure of user data. A user whose cognitive work runs through a vendor's servers is, in the relevant legal jurisdictions, exposing that work to whatever the vendor's compliance team is required to surface. The user's privacy from the vendor is not the same thing as the user's privacy from the legal apparatus that can compel the vendor's disclosure.

Local compute eliminates the surface. A user whose cognitive work runs on their own machine has, on that work, the privacy that the law accords to the contents of one's own filesystem and one's own memory. That privacy has its own limits — search warrants, device seizure, compelled disclosure under specific legal frameworks — but those limits are the limits the law has long worked out for personal property. The limits of cloud-AI privacy are limits the law has not yet worked out, on a substrate the law was not designed for. Local compute keeps the substrate where the legal protections are mature.

This is the deeper argument for sovereignty. Not just convenience or values; the underlying structure of what counts as private. Subjective experience has been the last inviolable private space because nothing externalized it at sufficient density to make the inner life readable from the outside. Cloud AI is the technology that breaks that assumption. The structural answer is to keep the externalization private — to have the thinking happen on a substrate the user owns, in a format the user controls, on a device the user can keep offline if they choose.

## The convenience market and the sovereignty market

Sovereignty is not free. It requires the user to manage their own model relationships, accept responsibility for their own setup, and tolerate higher friction at the boundary where the system meets the rest of their digital life. The convenience market exists because not everyone wants to do that work.

The convenience market is the one the commercial AI labs serve. Hosted services. Integrated experiences. Premium tiers. Opinionated defaults. Low cognitive cost to use. The convenience market is real, large, and durable. People who want a polished product they can subscribe to and use without thinking about it will continue to choose commercial services, and that choice is legitimate.

The sovereignty market is the one Ora's architecture serves. Local compute, forkable architecture, public-domain release, the user's vault, the user's frameworks, the user's data. Higher cognitive cost to set up and maintain; lower cognitive cost over the long arc, because the user's leverage stays with the user. The sovereignty market is real, large, and growing. It includes:

- **Professionals whose work cannot leave their machines** — clinicians with patient data, attorneys with privileged communications, researchers with embargoed findings, journalists with confidential sources, anyone working under non-disclosure terms that conflict with cloud-AI usage policies. For these users, the choice is not preference; it is a precondition of the work. The cloud-AI alternative is not an alternative.
- **Families who don't want their children's questions reaching servers** — parents who think children's developmental questioning deserves privacy and who recognize that "free" services for children are services where the children are the product. A child's question record is among the most private things a child generates; the cloud-AI default of retaining it indefinitely on commercial servers is a default the parent does not choose for the child.
- **Displaced workers who need cognitive automation as a tool of practice rather than a service they pay for** — the population the convenience market underserves because the convenience market's pricing is calibrated to enterprise budgets, not to households that have just lost a paycheck. Free public-domain frameworks running on a local machine, with model relationships at the open-weights tier or rationed frontier-API access, give displaced workers the same tools the institutions displacing them are using.
- **Organizations whose mandate or values require local control** — public libraries, educational institutions, advocacy organizations, journalism outlets, religious institutions — whose data should not flow through commercial actors' systems. For these organizations, the cloud-AI alternative may technically be available but is structurally inappropriate; the institutional commitment to its constituents' privacy is incompatible with the cloud architecture's data-handling defaults.
- **Populations in jurisdictions or financial circumstances that make commercial services impractical** — developing markets where AI provider accounts are difficult to obtain, communities where the absolute price of subscription services is prohibitive, contexts where the legal framework around cross-border data flows is hostile to commercial cloud services. The sovereignty market includes the global majority by default; the convenience market is calibrated to the small fraction of the world's population that can pay enterprise prices and operate within the small set of jurisdictions where cloud-AI vendors comfortably do business.

Both markets coexist. Neither replaces the other. The choice between them is a values choice as much as a product choice — what does the user trade for what?

The Foundation does not compete for the convenience market and does not claim moral superiority over those who choose it. The Foundation's work makes the sovereignty market a real option for everyone, regardless of the user's technical sophistication or financial resources.

## Why public-domain over open-source

Open-source licensing depends on copyright as a lever. Public-domain dedication releases that lever. CC0 is the most permissive disposition possible, and it is the disposition that makes enclosure attempts pointless in advance: there is nothing to acquire that is not already free.

The choice is deliberate. Copyleft licenses (GPL, AGPL) preserve the public-domain character of derivative works by requiring that derivatives also be open-source. They use copyright to enforce openness. Permissive open-source licenses (BSD, MIT) allow derivatives to be closed but require attribution. Both depend on the licensing apparatus to do their work.

CC0 takes the apparatus off the table entirely. There is no license to comply with. There is no enforcement to bring. The artifacts have already been dedicated to the public domain to the maximum extent permitted by law. Anyone can use, modify, distribute, build upon, fork, or republish any artifact for any purpose, on the same terms — commercial use, modification, redistribution, inclusion in derivative works, all permitted on identical terms.

The reasoning is structural. Conditions on use — even conditions as light as attribution — are conditions, and conditions can become disputes, and disputes can become enclosure pressure. A commercial actor that finds a license condition inconvenient has an incentive to challenge the license. A public-domain dedication has no condition to challenge.

The Foundation is steward, not owner. It does not hold copyright in the artifacts it stewards. It cannot license what it has dedicated to the public domain. The Foundation's leverage is not control over the artifacts; it is the trademark on the Foundation's name and on any distinctive certification mark, the partnerships through which the Foundation can make legal defense available when artifacts come under attack, and the practice of defensive publication that expands the prior-art record faster than enclosure attempts can occur.

This choice has a cost. Anyone can use Foundation-stewarded artifacts in proprietary products without contributing back. A commercial actor that takes a Foundation framework, wraps it in a closed product, and sells access to the closed product is doing something that copyleft would have prohibited. The Foundation accepts this cost because the alternative cost — maintaining a copyleft enforcement apparatus, dealing with the licensing-compliance theater that copyleft requires, running the risk that a license condition gets challenged in a jurisdiction where the challenge succeeds — is higher. The cost is also less load-bearing than it appears: a closed product wrapping a CC0 framework competes against the same framework available freely, and the closed product's value proposition has to come from something the framework alone does not provide.

## The fork ecosystem as concrete commitment

Public-domain release without an active fork ecosystem is theory. The fork ecosystem is what makes the public-domain dedication operative.

Forking, in conventional open-source contexts, has been the programmer's privilege. Modifying a codebase requires programming skill, and most users do not have it. The result is that even projects with permissive licenses tend to centralize in practice; users end up consuming whatever the core maintainers ship, not because they could not modify it, but because modifying it requires capabilities they do not have.

Ora inverts this. The frameworks — the substantive cognitive content of the system — are written in natural language, not code. Modifying a framework requires domain expertise, not programming skill. A legal aid attorney can modify a benefits-application framework because she knows what the form requires. A clinician can modify a medical-information-synthesis framework because he knows what clinical conversation actually looks like. A teacher can modify a learning-support framework because they know what their students need.

Natural language is the source code. This is not a slogan. It is the structural property that makes the public-domain dedication accessible to populations conventional open-source licensing has not reached.

Forking is therefore not just permission — it is the operational mode. Domain experts fork Ora and add modes for their fields. The core maintainers cannot prevent it; the licensing does not constrain it; the architecture is built to accommodate it.

### The reconciliation loop

Forks do not have to fragment the corpus. The Foundation's framework library has a reconciliation pattern adapted from successful open-source governance.

When a fork produces something the broader user base benefits from — a refined framework, a new framework that fills a gap, an improved version of an existing framework — the contribution flows back into the canonical framework library. The canonical library is curated by the Foundation against published specifications: input format conventions, output format conventions, version-control conventions, documentation requirements, testing requirements. Contributions that meet the specifications enter the canonical library; contributions that don't are still public-domain artifacts and can be used by anyone, but they don't sit alongside the canonical entries.

The flow runs in both directions. The canonical library is the substrate forks start from; forks add to the substrate; the additions that benefit the broader corpus get incorporated; the corpus stays coherent without becoming centralized. This is the same governance pattern that has worked for Apache projects, Wikipedia article editing, and Creative Commons license stewardship. It is well-understood, has a long track record, and does not require unusual structures.

Two specific commitments make the reconciliation loop work. First, multiple frameworks for the same task can coexist; the library is not exclusive. A user who prefers a contributor's framework over the canonical one can use the contributor's version without leaving the corpus. Second, the canonical library does not gatekeep alternatives — forks, modifications, and entirely independent collections are welcomed. The Foundation's library is one option, not the authoritative version.

The result is a corpus that grows through community contribution, stays coherent through curation against published specifications, and is robust to the Foundation's continued operation because the corpus exists as public-domain artifacts that anyone can host.

## Why decentralized hosting matters

The knowledge library — continuously updated, provenance-weighted, freely distributed — is hosted on decentralized public-domain infrastructure rather than concentrated on Foundation servers. This is an architectural commitment, not a deployment detail.

A knowledge library hosted on a single server is a single point of enclosure failure. If the Foundation is captured, defunded, sued out of existence, or simply dissolved, the library disappears with it. A library hosted on distributed infrastructure persists regardless of what happens to the Foundation, which is the public-domain commitment made operational at the data layer.

Three established patterns compose into the architecture:

**Content-addressed storage.** Library content is addressed by cryptographic hash rather than by location. The same content has the same address on any node that hosts it; if multiple nodes host it, all of them serve the same content under the same address. IPFS-class infrastructure is the mature reference implementation.

**Distributed hosting through volunteer nodes.** The library is hosted across many independent nodes — partner organizations, volunteer operators, mirror sites at universities and libraries, and any other party willing to host all or part of the corpus. The Foundation operates some nodes and coordinates the network; it does not host exclusively.

**Cryptographic provenance verification.** The Foundation's existing P1–P6 provenance hierarchy is implemented as cryptographic signing of canonical documents at each level. A user retrieving a document can verify its provenance level through signature verification without trusting the node that served it. This separates content distribution (decentralized) from provenance authority (the Foundation's, as part of its mission).

The Foundation's role in this architecture is signing authority and specification authorship, not hosting infrastructure. Foundation as authority, network as infrastructure. This is what allows the library to persist regardless of the Foundation's continued operation while preserving the provenance verification that makes the library trustworthy.

The architecture is itself a defense mechanism. Enclosure attempts would have to compromise enough of the network to render the canonical version inaccessible, which is much harder than compromising a single Foundation server. The decentralization is not just a robustness commitment; it is a structural defense against the specific kinds of enclosure attempts that have succeeded against centralized open-source corpora in the past.

## What sovereignty does not promise

Sovereignty is not safety. The user owning the stack does not protect them from making bad decisions with the system, from encountering malicious frameworks, from configuring their model relationships in ways that leak data they did not intend to share, or from the consequences of the underlying models being trained on whatever those models were trained on. Sovereignty pushes responsibility back to the user, where in the AHI frame it belongs, but responsibility is a heavier thing than convenience and not everyone wants to carry it.

Sovereignty is not anti-commercial. The Foundation does not oppose commercial software in general. It does not oppose the labs' products. It does not oppose the convenience market. The convenience market is real, durable, and serves the people who choose it well. Sovereignty is the alternative for the people who want the alternative — not a moral judgment against the people who don't.

Sovereignty is not a promise that distributed power produces good outcomes automatically. It is the more modest claim that concentrated power produces bad outcomes systematically, and that distributed power preserves the possibility of good outcomes. Preservation of possibility is what the Foundation's work delivers. The realization of possibility belongs to everyone who actually uses the technology.

## What sovereignty does promise

The user's leverage stays with the user. The system cannot decide tomorrow that it owns something it released to the public domain today. The model can change, the lab can change, the Foundation itself can change, and the user's accumulated work — the conversation history, the customized frameworks, the vault, the integrations the user built — survives all of those changes because none of those entities ever owned the user's data.

The architecture cannot be enclosed. Once dedicated to the public domain, the artifacts cannot be reclaimed. No future Foundation, no successor entity, no party that acquires the Foundation's assets, no jurisdiction's regulatory action — none of these can re-enclose what has already been freed. Public-domain dedication is irreversible by design.

The cognitive infrastructure remains free. As cognitive automation becomes more integral to how people think, work, and communicate, the question of whether the substrate is enclosed or free becomes a civilizational-scale question. The Foundation's work is the bet that free cognitive infrastructure is preferable to enclosed cognitive infrastructure, and that preserving the option is worth the work of keeping it preserved.

## The summary

Privacy and sovereignty in the cognitive layer are not luxuries. They are the structural conditions under which thinking remains the user's. The colonization of thinking is the last colonization, and the technical-architectural answer to it is local compute, model-agnostic harness, forkable codebase, the user's vault, public-domain release, and decentralized hosting of the knowledge that makes the system useful. Each of these properties is necessary; together they are sufficient.

The convenience market is durable and legitimate. The sovereignty market is durable and legitimate. The Foundation's work is to make the sovereignty option real, accessible, and substantive — for the populations that need it most and for everyone else who chooses it. The choice is values, not capability. Capability is roughly equivalent across systems; what differs is what the user trades for what. The trade you can refuse to make is the trade where your thoughts pay rent to a vendor whose business model requires them.