What the Ghost Owes the People It Overhears

In Assisi, while Cristina was paying the bill at the deli and I was chatting her ear off, she said surely you can't just record other people and call it private software. That was where the previous post ended. I decided to work on it for the next few days, on how you would run LocalGhost in Germany or France without turning every conversation into a crime.

The answer the industry has given so far is to push the legal problem onto the user through a terms-of-service clause and ship the hardware anyway. Rewind recorded your screen and your microphone and sold the pitch as "perfect memory" [1]. Humane's pin had a camera and a microphone pointed at everyone in front of the wearer until the company collapsed in early 2025 [2]. Bee's $50 wristband recorded everything within earshot to generate reminders and to-do lists, until Amazon acquired it in July 2025 [3]. Plaud sells a device whose entire reason for existing is to record the conversations you have with other people and turn them into searchable transcripts [4]. The assumption running through all of them is that the only privacy that matters is the wearer's. Phones already have back taps and action buttons that would start recording with one gesture, which means the pendant form factor exists for the version where no gesture is needed.

The industry's approach has held up because none of these products mattered enough for anyone to push back on them properly. Rewind raised money, pivoted to a pendant, and got absorbed by Meta last December; Bee raised seed funding for ambient recording and got absorbed by Amazon in July; Humane failed on product quality and sold its patents to HP; Plaud is the one still shipping, and its manual-button model avoids the continuous-capture positioning that gets everyone else into trouble. None of them reached the scale where a privacy regulator or a class-action lawyer would pay serious attention.

Ring is the proof of what happens when one of these products does reach scale. Amazon's doorbell camera, installed on roughly ten million American homes, generated enough pressure to attract the kind of regulatory attention the wearables never have. The FTC fined Amazon $5.8 million in May 2023 for letting employees and Ukrainian contractors browse customer videos, including cameras in bedrooms and bathrooms, and for training AI on those videos without consent [5]. The same settlement covered more than 55,000 accounts compromised by credential-stuffing attacks that Ring had been warned about and ignored [5]. Police partnerships with more than 500 US departments drew years of campaigning by the EFF and ACLU, forcing Ring to shut down its Request for Assistance portal in January 2024, only for Amazon to reopen the same channel through Axon and Flock partnerships in mid-2025 [5]. Ring isn't a legal template for AI memory products, because the mechanisms are different (consumer-protection law versus criminal audio statutes). Scale invites scrutiny, and LocalGhost is being built for the version where the wearables matter.

Compliance in all jurisdictions is impossible. The statutes contradict each other (the UK accepts one-party consent, Germany treats capture without all-party consent as a criminal offence the moment it happens), so any device that hears other people is breaking some version of the law the moment it listens. What's left is doing what the privacy statutes exist to protect. That means a system where audio exists only long enough to become text, in a form nothing else on the device can reach.

Video and audio sit under different frameworks here. Video in public space sits under GDPR's household exemption as long as the purpose is genuinely personal, and the exemption holds up reasonably well for someone filming their own life [6]. Running on your own hardware rather than someone else's cloud strengthens the posture but doesn't change the analysis much. The CJEU in Ryneš (2014) narrowed the exemption so it doesn't cover systematic recording of public space [6]. Door cameras and shopfront cameras that capture the street are everywhere, and Ryneš didn't ban them. What it did was move them out of the exemption and into the controller-obligations bucket, which means signage, a defensible purpose, proportionality, and the duty to respond to access and deletion requests. Most doorbells never get a formal complaint and most homeowners never learn their obligations, which doesn't change the legal position any more than not getting caught changes a speed limit. Filming your own dinner is fine. Pointing a camera at the street makes you a data controller.

Audio is legally worse, and most people don't know this. Germany, France, Italy, Spain, Austria, and Romania all have criminal statutes covering the recording of private speech without consent [7]. These aren't data protection rules. They're criminal law operating alongside GDPR, and the household exemption doesn't touch them. Germany's §201 StGB carries up to three years for recording the "non-publicly spoken word" of another person without consent, and "non-publicly" includes a conversation in a café because the speakers didn't intend the words for the general public [7]. France's Article 226-1 is a year and €45,000 for recording paroles prononcées à titre privé ou confidentiel [7]. The pattern across most of continental Europe is all-party consent as the default, with the Netherlands and the UK as notable one-party-consent exceptions [7]. The offence is completed at the moment of capture. Deletion afterwards doesn't cure the act.

In practice, I couldn't find a single reported prosecution of a user running an AI memory product. Coverage of these products has been extensive and any prosecution would have been news. Enforcement tracks real-world harm, journalists burning sources, stalkers, employees recording bosses for civil suits, bosses recording employees. The statutes are written broadly and enforced narrowly, around a theory of harm AI memory products haven't yet produced at scale. But "nobody has been prosecuted yet" is not the same as "the law permits this," and I'm not willing to build infrastructure other people will use on the assumption that the enforcement gap stays open. If a single high-profile case goes wrong (the phone that captured a CEO's unguarded lunch remarks, the app that shipped a transcript to an abusive ex), the statutes are already on the books.

The workplace has moved past all of this. Google Meet, Zoom, Microsoft Teams, and Slack calls get recorded routinely. Otter and Fireflies send AI bots to take notes. Granola runs as a desktop app that captures audio locally. What people want from these tools is the summary, the decisions, the action items, the memory of what the meeting was about.

The move to summaries wasn't painless. German works councils forced BetrVG §87(1)(6) co-determination onto AI transcription, with the Federal Labour Court confirming in July 2024 that any monitoring-capable system triggers the right [8]. The CNIL pushed French organisations to justify full recordings over summaries [9]. Microsoft shipped explicit consent on Teams in 2023 [10]. Every tool that ships in the EU now has the consent flow the regulators demanded.

What survived is the category of tool that keeps the summary and throws away the recording. Granola transcribes locally, generates a structured summary, and keeps no audio or video files [11]. The ghost does the same on the personal side, where the statutes are older and stricter but the regulatory pushback hasn't happened yet.

The workplace solved this inside a legal apparatus a solo user doesn't have. A Teams recording that goes wrong has a corporate legal team, a works council, a DPO, and indemnity clauses. A phone on a café table in Milan has one person on it, who won't find out they've broken §201 StGB until something has gone wrong. The technical answer transfers. The institutional answer doesn't. The architecture has to carry a much harder load.

The design probably violates §201 StGB on a strict reading, because audio of another person's non-publicly-spoken word gets captured and transmitted for the seconds it exists. My claim is that the strict reading is the wrong test for a system that destroys the audio at transcription, keeps only the user's summary, and never builds a picture of anyone else. The statutes exist to prevent harm the ghost doesn't produce.

The design has four stages, and each stage throws away more of what belonged to other people without throwing away what happened. The phone captures audio, holds it briefly as encrypted chunks, and forwards them to your NAS, where ghost.voiced consumes them in a RAM ring buffer bounded in seconds to minutes and overwrites as it goes. Unencrypted audio from the conversation never lands on disk anywhere. ghost.voiced transcribes the audio and attaches the context the transcript would otherwise lose, time, place, who's in the room, before passing the enriched text to ghost.noted. ghost.noted writes the journal entry in your voice, specific enough to be a useful memory months later. "At Hotel Duomo, I asked the receptionist about late check-in. She agreed to 14:00." That's what the journal keeps, my memory of what I arranged. The transcript of what she said and how she said it never survives the journal entry, because that transcript would be a recording of her side of the exchange.

Specificity is the rule at every stage, because the ghost has to stay useful months after the moment it captured. That means real times rather than "in the afternoon" (14:00 in the Hotel Duomo example), named places rather than "the hotel", and either a name or a role for the people involved (the receptionist, the vendor, the sommelier, depending on which of those you could identify if you had to find the memory again).

The memory that grows out of these journal entries is rich about the user and thin about everyone else. If the same person shows up across many entries, the system resolves them to a single name as a reference so memories can be connected, but the reference stays a pointer and never becomes a model of the person. The ghost never builds a profile of what the vendor said in the last dozen meetings, what the colleague sounds like when she's stressed, how the friend phrases a compliment. The third parties in the user's memories are there as context for the user's own story, and the system never lets them become the subject of their own.

This inverts the Rewind model completely. Rewind's pitch was perfect recall, every word preserved, searchable forever [1]. I don't see the value. Nobody can consume perfect recall, a week of conversations played back verbatim takes a week to listen to. Verbatim recall doesn't answer the questions you have when you go looking. The questions are about what got concluded, what surprised you, what needs following up on. Human memory works the other way. You don't remember what your friend said word-for-word two weeks ago, you remember the shape of the conversation, what you decided, what you noticed, the role they played in your own reasoning. The ghost should augment that rather than replace it with a legal exhibit.

Once the audio is gone and what's left is your own account of what happened, it stops being data about the other people in the room. "I pushed back on the pricing at the café in Milan" is your memory of your own position. It isn't a recording of the vendor. GDPR is a law about protecting other people's data from being misused, and there is no other-people's-data in what the ghost kept. The criminal statutes exist to stop people being recorded without consent, and what the ghost kept is your own account of what happened.

The design only holds if the pipeline enforces it. The rest is engineering with legal consequences. If audio ever persists in logs, if transcripts survive the summarisation step, if the RAM buffer isn't locked non-pageable and the kernel swaps it to disk, if any backup layer retains the raw buffer (ZFS snapshots on the NAS, iCloud or Google Drive on the phone), if the language model's memory of the conversation outlives the session, the promise that audio disappears breaks and everything I just described becomes marketing. Discipline cannot carry this, the architecture has to, because every one of those leak paths is something a careful user would notice on a good day and miss on a bad one.

The phone is the most hostile environment for audio at rest. iCloud and Google Drive will try to back up anything they can see, so encrypted chunks land in excluded-from-backup directories. The phone's copy is destroyed as soon as the NAS confirms receipt, so audio lives even in encrypted form for minutes at most. On the NAS, decrypted audio never leaves RAM. Every long-lived artifact the pipeline produces is text the user wrote about their own day.

I've built enough pipelines to know that anything relying on "and then we delete it" will eventually fail to delete it, and the "and then we delete it" architecture is what every cloud memory product ships. The local version can do better because deletion happens on hardware you own, and because there's no backup layer run by someone else trying to protect your data from you.

Your data stays on your hardware because that's the only way you can honestly tell someone the ghost heard their voice, understood what mattered to you, and forgot the rest. The moment any of that happens on a server you don't own, the claim becomes something you have to believe rather than something you can inspect.

The architecture doesn't solve everything, and I don't want to pretend it does.

If someone explicitly asks whether they're being recorded, the architecture gives no cover. At that point you have to say yes, audio is being processed, and the lawful move is to stop or to accept that the person has objected. Transparency creates legal exposure that silence would avoid. Silence would also be lying to the person in front of you, which matters more. The ghost should have a visible indicator and a gesture to disable capture. Cristina's original question becomes the policy. If someone says no, the ghost stops.

Sensitive contexts are a separate problem, because in some settings the presence of any recording system is itself the offence regardless of what it keeps. Meetings with doctors, lawyers, therapists, or journalistic sources need to be explicit exclusions at the architecture level rather than judgement calls the ghost makes in the moment, because the ghost doesn't know what room it's in until too late.

Jurisdictions vary more than the EU consensus suggests, with Germany and France stricter than the law on paper and Romania stricter than most non-Romanians assume. Users travelling across borders need the ghost to know where they are (the phone already does) and to adjust the capture policy to the local floor rather than the home country's floor.

Both of these problems need the ghost to tell the user what's changing. The ghost should give you a heads-up when you cross a border, the way your telco texts you about roaming, so you know the local rules before the next session. For sensitive contexts, the phone has signals the ghost can use (calendar events marked with medical or legal keywords, GPS boundaries around hospitals and law offices), and when one of those signals fires the ghost should ask before capturing rather than assume the user remembered. The default while the prompt is open is no capture.

A visible indicator is the commitment, and a visible indicator will mean most people turn ambient capture off most of the time, which is the indicator doing its job. If what's left is voice memos transcribed locally into journal entries, that's still a better-architected version of what Google and Apple ship, and still worth building.

The ethical question survives even when the legal one is answered. Even if the architecture makes the retained artifact legally clean, the people around you are still being perceived by a system they didn't opt into. The design minimises what the ghost keeps of them, but the ghost still heard them in the moment it was deciding what to keep. That is a smaller problem than the Rewind version of the problem, but it's not zero. The honest posture is that the ghost owes the people it overhears ephemerality (so the moment doesn't outlive itself), anonymity (so if the moment does persist it doesn't identify them), and restraint (so the ghost doesn't keep what it didn't need). These three commitments are a floor, and the floor is already higher than what the industry has been shipping.

The summarisation step is where this gets decided, where audio becomes text and third-party speech gets compressed into the user's own perspective. Preserving enough of the user's reasoning to be useful months later, without preserving enough of anyone else's words to be a recording, is the line the architecture needs to hold. Where that line sits is a research problem rather than a configuration setting, and it's the part the rest of the fleet depends on getting right.

None of this is solved yet. The summariser is where the §201 question gets tested, and whether it holds up on real speech rather than clean test transcripts is the thing I don't know yet.

[1] Rewind AI, formerly marketed as "your searchable memory", recorded everything seen and heard on the user's Mac with on-device capture and cloud-based transcription. The parent company pivoted to the Limitless Pendant in 2024 and was acquired by Meta in December 2025, with the Rewind desktop app killed on 19 December 2025 and EU and UK service cut off entirely. Source for the "perfect memory" framing and the wearer-centric capture pattern. Acquisition coverage at techcrunch.com/2025/12/05/meta-acquires-ai-device-startup-limitless. The archived product pitch at rewind.ai.

[2] Humane Inc.'s Ai Pin, launched November 2023, shut down and sold to HP in February 2025. The device had a camera, microphone, and laser projector, designed to be worn on the chest, and captured audio and visual context for an AI assistant. Source for the claim about a camera and microphone pointed at everyone in front of the wearer, and for the timeline of the product's collapse. BBC coverage of the shutdown at bbc.com/news/articles/c3vr64lv7mno. Humane's own product page is no longer live.

[3] Bee AI, a San Francisco startup founded by Maria de Lourdes Zollo, sold a $49.99 wristband and companion app that recorded ambient audio and turned it into summaries, reminders, and to-do lists. The device recorded continuously unless the user manually muted it. Amazon confirmed the acquisition in July 2025, with Bee employees receiving offers to join Amazon. Source for the ambient-recording pitch and the July 2025 Amazon acquisition. TechCrunch coverage at techcrunch.com/2025/07/22/amazon-acquires-bee-the-ai-wearable-that-records-everything-you-say.

[4] Plaud AI (plaud.ai) sells a range of AI-powered voice recorders, including the NotePin and Note, which attach to phones or clothing and record conversations for cloud-based transcription and summarisation. Source for the claim that the product's reason for existing is recording other-party conversations for searchable transcripts. plaud.ai

[5] FTC v. Ring LLC, filed 31 May 2023, settled with a $5.8 million judgment. The FTC complaint alleged that Ring gave employees and Ukrainian third-party contractors unrestricted access to customer videos including cameras in bedrooms and bathrooms, trained AI image-recognition models on customer videos without obtaining affirmative consent, and failed to implement basic security against credential-stuffing and brute-force attacks, leading to more than 55,000 compromised US customer accounts between January 2019 and March 2020. Separately, Ring's relationship with US police departments drew sustained criticism from the EFF and ACLU, with more than 500 departments partnered by 2020. In January 2024 Ring shut down the Request for Assistance portal that had allowed police to make warrantless video requests to users through the Neighbors app. In 2025 Amazon reopened the same channel through partnerships with Axon (announced at Axon Week 2025) and Flock (October 2025). Source for the FTC action, the police partnership history, and the 2024-2025 reversal. FTC case materials at ftc.gov/news-events/news/press-releases/2023/05/ftc-says-ring-employees-illegally-surveilled-customers. EFF coverage of the 2024 portal shutdown at eff.org/deeplinks/2024/01/ring-announces-it-will-no-longer-facilitate-police-requests-footage-users.

[6] GDPR Article 2(2)(c) exempts processing "in the course of a purely personal or household activity." The CJEU narrowed this in František Ryneš v Úřad pro ochranu osobních údajů (Case C-212/13), decided 11 December 2014, holding that a home CCTV camera capturing the public footpath outside the house did not qualify as purely personal or household because the recording extended into public space. The case is the anchor for the "narrow interpretation" of the exemption and the reason most commentators warn that systematic recording of public space (and by extension, of strangers) falls outside the household sphere regardless of purpose. Full judgment at eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:62013CJ0212. Useful commentary at gdprhub.eu/Article_2_GDPR.

[7] Criminal statutes covering recording of private speech without consent. Germany, §201 StGB (Strafgesetzbuch), penalty up to three years' imprisonment or a fine for recording the "non-publicly spoken word" of another. France, Article 226-1 Code pénal, one year and €45,000 for recording paroles prononcées à titre privé ou confidentiel. Italy, Article 615-bis Codice penale. Spain, Article 197 Código Penal. Austria, §120 StGB. Romania, Article 226 Cod penal (violation of private life). Netherlands and the UK operate under one-party consent regimes for conversations the recorder is party to, making them the notable exceptions to the continental default. Source for the specific statute numbers, penalties, and the all-party-versus-one-party distinction. German statute at gesetze-im-internet.de/stgb/__201.html. French statute at legifrance.gouv.fr/codes/article_lc/LEGIARTI000006417929.

[8] German Works Constitution Act (Betriebsverfassungsgesetz), §87(1)(6), grants works councils a co-determination right over the introduction and use of technical systems "capable of monitoring the behaviour or performance of employees." No such system can be rolled out without a works agreement. Applied to AI meeting tools, the Federal Labour Court (Bundesarbeitsgericht) ruled on 16 July 2024 (1 ABR 16/23) that objective suitability for monitoring is enough to trigger the right, even where the employer does not intend to use the system for monitoring. The ruling concerned headset systems but the reasoning applies to any system capable of capturing employee speech. Source for the claim that works councils in Germany block meeting recorders absent an agreement, and for the July 2024 clarification of the standard. Statute at gesetze-im-internet.de/betrvg/__87.html.

[9] CNIL (Commission nationale de l'informatique et des libertés), the French data protection authority, has issued guidance on meeting recording under the GDPR necessity principle (Art. 5(1)(c), data minimisation). The guidance advises organisations to consider whether meeting notes or summaries would suffice instead of full recordings, on the grounds that the recording goes beyond what is necessary for the stated purpose. The CNIL has separately flagged that consent is rarely a valid legal basis for processing employee data because of the employer-employee power imbalance, pushing organisations toward legitimate-interest grounds with proportionality constraints. Source for the "consider summaries instead of recordings" position and for the CNIL's strictness relative to other EU supervisory authorities. CNIL HR processing guidelines at cnil.fr/fr/la-cnil-publie-un-referentiel-relatif-aux-traitements-de-donnees-rh.

[10] Microsoft shipped explicit recording consent for Microsoft Teams in 2023. When the policy is enabled, all participants are muted when recording starts and must press 1 on their dial pad to consent and unmute, or press 2 to deny consent and remain muted for the duration. The policy is configurable per-organiser via PowerShell and is intended to address privacy concerns in jurisdictions requiring all-party consent. Source for the 2023 rollout and the specific consent mechanics. Microsoft Learn documentation at learn.microsoft.com/en-us/microsoftteams/conferencing-recording-consent.

[11] Granola, the AI meeting notes tool, captures audio directly from the user's device, transcribes it in real time, generates a structured summary, and does not store audio or video files. CEO Chris Pedregal has said in interviews that the design choice is deliberate, and that the value is in useful notes rather than in retaining audio. Source for the architecture (summary as primary artifact, no audio retention) and for the founder's stated position on why. Interview context at wondertools.substack.com/p/granolaguide. Granola's product site at granola.ai.