Date: 2026-02-24
All LLM companies (OpenAI, Anthropic, Google) log every query tied to user identity. Users want access to the best frontier models but don't want their queries surveilled. Running models locally doesn't work for SOTA models — they're too large and too slow even on high-end consumer hardware (e.g., 4x Mac Studio Max running Kimi K2.5 is still slow and not state-of-the-art).
The identifying element is not what's contained in the prompt — it's who makes the prompt. That's the link to break. "Someone asked about antibiotics for a rash" — who cares. "Boris asked about antibiotics for a rash" — that's the problem.
Mass surveillance is increasing. AI companies, Gmail, all have access to our data. There is less and less privacy. This is both a societal problem and a business opportunity.
- TEEs (Trusted Execution Environments) on GPUs
- Secure Multi-Party Computation (split model across providers)
- Fully Homomorphic Encryption (compute on encrypted data)
- Zero-Knowledge Proofs for authentication
- Blockchain for coordination layer
Verdict: Theoretically sound but requires years of R&D, hardware cooperation from NVIDIA/AMD/Intel, massive performance overhead (2x-10,000x). Not practical near-term. Requires AI company cooperation.
- Onion routing for API calls
- Credential pooling with blind signatures
- Local small model (3-7B) decomposes complex queries into generic sub-queries
- Each sub-query goes to different provider via different pooled account
- Local model reassembles responses
- PII stripping before sending
Verdict: More practical but still too complex. Query decomposition degrades quality. PII stripping is fragile. The local model requirement adds friction. Manipulating prompts is a "technical nightmare" that affects processing quality.
- Don't touch the prompt at all. Send it verbatim, full quality.
- Only sever the link between WHO asks and WHAT is asked.
- Every user is a relay node (like BitTorrent — use it = contribute to it)
- Queries route through the network and exit from pooled API accounts
- Encrypted return paths (onion routing) so response finds its way back
- No logs anywhere — nodes are stateless, queries pass through memory only
- BitTorrent-style tit-for-tat incentives (relay for others = earn query credits)
- "Tor for AI" — one install, same UX as ChatGPT, nobody knows it's you
Verdict (from Codex GPT-5.3 and Gemini 3.1 Pro review):
- Directionally right on product, but over-optimistic on security and operations
- Fatal flaw: exit node trust. Random peers see plaintext. "You're asking users to trade surveillance by a heavily regulated $80B corporation for surveillance by xX_CryptoSniper_Xx running an exit node in his basement."
- Economics don't work: bandwidth is cheap, tokens are expensive. Tit-for-tat on relay bandwidth doesn't pay model costs.
- ToS/account survivability: pooled accounts will get flagged and banned
- Stylometry/content fingerprinting still links users over time
Both external AI reviewers converged on:
- Blind tokens (Privacy Pass style) for unlinkable payment
- 2 non-colluding relays (ingress sees IP, egress sees prompt, neither sees both)
- TEE at egress with remote attestation
- Legitimate enterprise/reseller API agreements with providers
- Service-owned model access, not gray-market key sharing
- Position as "B2B AI middleware provider" for compliance
- Viral hook: aggregation ("one app, every model, one subscription, anonymous")
Verdict: Solid architecture but it's a company, not a protocol. A company can be shut down — enterprise API keys revoked, bank accounts frozen, domain seized, executives pressured. The user explicitly wants something that survives even if governments and banks try to kill it. Like Bitcoin or BitTorrent — no single point of failure.
Core insight: Don't share pooled accounts or enterprise keys. Instead, individuals contribute their own API keys to the network. They earn more from serving anonymous queries than their API usage costs. Privacy is the markup.
Key innovation — Ghost Nodes:
- Anyone with an API key (OpenAI, Anthropic, Google, any provider) plugs it into the protocol
- The network routes anonymous, onion-encrypted queries through their key
- The provider sees normal API usage from that individual's account — indistinguishable from the person using it themselves
- The Ghost earns ecash tokens per query served
- The payment covers their API cost + profit margin (the buyer pays a premium for anonymity)
Architecture:
- Three node types:
- Relay nodes (everyone) — pass encrypted traffic, see nothing
- Ghost nodes (API key holders) — serve queries via their keys, earn tokens
- GPU nodes (hardware owners) — run open-source models, earn tokens
- Onion routing: no node sees both who's asking AND what's asked
- Payment: Cashu ecash over Bitcoin Lightning — blind-signed, untraceable, no banks
- Discovery: DHT (BitTorrent-style) — no central servers
- Code: open source, no company, a protocol
Economics:
OpenAI charges Ghost's API key: $2.50/1M input, $10/1M output
Network charges buyer: $5.00/1M input, $20/1M output (2x markup)
Ghost's profit: ~50% margin per query
Buyer pays more than direct API for the anonymity premium. Ghost earns passive income from an API key they already have. GPU miners compete with Ghosts — cheaper but potentially slower.
The Ghost node setup is literally:
- Install the app
- Paste your API key
- Click "Start Earning"
Why it can't be shut down:
- No company (it's a protocol, open source)
- No servers (DHT discovery)
- No bank accounts (Cashu/Lightning only)
- No shared API keys to revoke (each Ghost uses their own individual key)
- No enterprise accounts to ban (thousands of individual accounts, each looking normal)
- If one country bans it, nodes in other countries continue
- Like Bitcoin + BitTorrent + Tor combined
Viral hook: Not privacy — money. "Your API key earns Bitcoin while you sleep." Early adopters earn the most (fewer nodes competing for query volume). Dashboard showing daily earnings is the viral screenshot.
Initial concern: multi-turn conversations require sending conversation history, which could expose a full thread to one Ghost.
Resolution: This is actually fine. Even in the worst case:
- One Ghost sees up to 128K tokens of ONE anonymous conversation
- No identity attached. No link to any other conversation.
- Next conversation goes through a different Ghost.
- Reconstructing one person's full history requires searching across thousands of Ghosts, jurisdictions, time periods — computationally expensive and scales with N users.
- The asymmetry: adding data to a centralized account is O(1). Searching across distributed fragments is O(N²). Surveillance becomes expensive, not free.
- The more people on the network, the harder reconstruction becomes.
The context window limit is a natural privacy boundary. No single exposure exceeds it. Conversations are naturally siloed across different Ghosts.
Not trying to make surveillance mathematically impossible. Making it economically infeasible at scale.
- State actor spending $10M to reconstruct one terrorism suspect? Maybe possible.
- AI company building profiles on every user for ad targeting? Economically impossible.
- That's the right bar: economic infeasibility, not mathematical perfection.
- Same bet that cash, Tor, VPNs, and crowded city streets make.
- Phase 1 (now): Mostly Ghost nodes routing through frontier APIs. Open-source models available but inferior.
- Phase 2 (2-3 years): Open-source models reach ~90% of frontier quality. GPU nodes start competing with Ghosts.
- Phase 3 (5+ years): Open-source models are competitive. Network primarily GPU-powered. Corporate AI providers optional. Fully sovereign AI access.
The protocol is designed to make itself less dependent on corporate AI over time. It starts as a parasite on their infrastructure, then gradually grows its own.
The same infrastructure — onion routing, ecash payments, P2P mesh — is a general-purpose private computation and communication layer. Once it exists for AI queries (the killer app), it could extend to:
- Private messaging (like Bitchat, built on the same mesh)
- Private deal flow and document exchange
- Private identity (ZK proofs of credentials without revealing identity)
- Trust networks for high-net-worth individuals and sensitive business dealings
Inspired by:
- Bitchat (Jack Dorsey) — Bluetooth mesh, Cashu ecash, no accounts, no servers
- BitTorrent — DHT, tit-for-tat incentives, every user is the network
- Bitcoin — no company, no central authority, protocol survives everything
- Tor — onion routing, identity unlinkability
- Cashu — Chaumian ecash on Lightning, blind signatures, bearer tokens
Two things that don't exist in any current project:
-
Ghost nodes — nobody has connected anonymous payments to API key sharing for frontier model access. Bittensor has decentralized AI but no privacy. Tor has privacy but no AI. This bridges frontier model quality with anonymous access.
-
The anonymity marketplace for AI inference — a protocol where API key holders and GPU owners compete to serve anonymous queries, paid in ecash. The privacy premium funds the network. The network effect strengthens the privacy.
- Idea 3 too optimistic — exit node trust, ToS, economics mismatch
- Proposed: blind tokens + dual relay + TEE at egress
- Start federated, not P2P
- Threat-model tiering is needed (account linkage → network observer → global adversary → stylometry)
- "Kill the P2P idea — exit node problem is fatal" (for the raw P2P version)
- Proposed "Blind Consortium" — Chaumian e-cash + oblivious relay
- Viral hook should be aggregation, not just privacy
- Light NER masking is sweet spot for prompt modification
- Must handle adversarial game: ToS positioning, moderation to protect keys
- "Privacy is a feature, not a product"
Both reviews informed the final Peer2Prompt Protocol design but their centralized/company approach was rejected in favor of the protocol approach for censorship resistance.
Plug in your API key, earn Bitcoin by anonymously serving AI queries for others. Pay with ecash, ask any AI model anything, nobody knows it's you. A protocol, not a company — can't be shut down.