Releases: RAMBOXIE/vanish
v0.3.0 — AI-era privacy toolkit
Release date: 2026-04-25
Tag: v0.3.0
Prior release: v0.2.0 (broker scan + opt-out + verify, 109 tests)
This release expands Vanish from a "DeleteMe alternative for data brokers" into a privacy toolkit that covers 7 distinct AI-era threats through 11 CLI subcommands, with a deliberately narrow scope: identification + jurisdiction-cited legal-letter generation + HMAC-signed audit trails. Vanish does not auto-submit, auto-delete, kill processes, or send notifications — every destructive action is yours to take.
Paste-ready release blurb (for HN comment / Reddit reply / Twitter):
Vanish v0.3.0 ships today — open-source privacy toolkit covering data brokers (210), AI training exposure (30 platforms), face-search (PimEyes/Clearview), NCII takedown (StopNCII + DMCA + Google intimate-imagery), workforce-monitoring detection (ActivTrak/Teramind/Hubstaff/...), LLM memorization probing, training-dataset membership checks, and AI history cleanup. Free MIT, local-first, 346 tests across Ubuntu/macOS/Windows × Node 20/22. https://github.com/RAMBOXIE/vanish
🎯 What's new
5 new threat surfaces
| Surface | Subcommands | Coverage |
|---|---|---|
| 🤖 AI training exposure | `ai-scan`, `ai-opt-out` | 30 platforms (ChatGPT / Claude / Gemini / LinkedIn / Reddit / Cursor / 24 more); 26 with browser-assisted opt-out walkthrough; 60-day reverify |
| 👤 Face-search | `face-scan`, `face-opt-out` | 8 services (PimEyes / FaceCheck.ID / FindClone / Lenso / TinEye / Yandex / Google Lens / Clearview AI). Vanish never uploads your photo |
| 🛡️ NCII / leak takedown | `takedown` | 12 leak sites + StopNCII.org hash registry + Google intimate-imagery removal + 4 legal templates (DMCA §512(c) / C&D / police report / civil pre-suit). Crisis hotlines built-in |
| ⚖️ Third-party AI + workforce-monitoring | `third-party-ai` | 22 tools across workplace / HR / medical / workforce-monitoring (the Meta-memo case). 8 commercial workforce-monitoring agents detectable via `--detect-installed` |
| 🧠 Deep AI checks | `llm-memory-check`, `dataset-check`, `clean-ai-history` | LLM memorization probe (GPT-4o-mini + Claude 3.5 Haiku); Common Crawl CDX query + walkthroughs for 7 other datasets; AI conversation history discovery across 9 tools |
Architectural improvements
- Capability matrix in README hero — explicit triage / walkthrough / live-adapter distinction. Most privacy tools blur these; we don't.
- `vanish verify` kind dispatcher — broker entries get HTTP liveness check, AI/face entries get manual-confirm reminder walkthroughs, one-shot kinds (history, takedown) explicitly skipped.
- `b1-live` marked EXPERIMENTAL — captchas block real submissions; use `vanish opt-out` for real opt-outs.
- `scan` wording softened — explicit "heuristic triage / priority-ordering" framing, NOT a real-time broker lookup.
- Web app v2 — three tabs (broker / AI / face) + triple-threat share card combining all three scores.
12 new jurisdictions cited in legal templates
US Shield Act · US Take It Down Act 2025 · Illinois BIPA (740 ILCS 14/) · NY Electronic Monitoring Act §52-c · NYC Local Law 144 · GDPR Article 17/21/22/88 · UK Online Safety Act 2023 · Canada Criminal Code §162.1 · Australia Online Safety Act · German Betriebsverfassungsgesetz §87 · CCPA + AB-331 · Illinois AI Video Interview Act · HIPAA 45 CFR §164.506
Source citations
8 top AI platforms (ChatGPT / Claude / Gemini / LinkedIn / Reddit / Twitter / GitHub Copilot / Cursor) and 4 face services (PimEyes / FaceCheck / FindClone / Clearview) now have per-platform sources arrays with vendor policy URLs + regulator references (UK ICO, BfDI, ACLU v Clearview BIPA settlement, Reuters Reddit-Google deal coverage) + verifiedAt ISO dates.
Compliance guard
tests/skill-compliance.test.mjs (12 tests) locks SKILL.md ↔ code consistency in CI. Future PRs that add a new process.env.X read or new HTTP endpoint without updating SKILL.md will fail CI. This eliminates the "claim drift" that Clawhub-style review processes flag.
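One way such a manifest-drift check can work, added here as an illustration and not taken from `tests/skill-compliance.test.mjs`: the function names, the sample manifest and the sample sources are all constructed.

```javascript
// Added example; not the project's tests/skill-compliance.test.mjs. Names are hypothetical.
const ENV_READ = /process\.env(?:\.([A-Z_][A-Z0-9_]*)|\[\s*['"]([A-Z_][A-Z0-9_]*)['"]\s*\])/g;
const URL_LITERAL = /https?:\/\/[^\s'"`)<>]+/g;

// Names read as process.env.NAME or process.env['NAME'].
function envReads(source) {
  return new Set([...source.matchAll(ENV_READ)].map((m) => m[1] || m[2]));
}

// Hostnames of every http(s) URL literal found in a text.
function hosts(text) {
  const found = new Set();
  for (const [raw] of text.matchAll(URL_LITERAL)) {
    try { found.add(new URL(raw).hostname); } catch { /* not a URL after all */ }
  }
  return found;
}

// Returns what the code does that the manifest never mentions.
function manifestDrift(sources, manifest) {
  const documentedHosts = hosts(manifest);
  const drift = { env: [], hosts: [] };
  for (const [file, text] of Object.entries(sources)) {
    for (const name of envReads(text)) {
      // Whole-word match so FOO_KEY does not pass because FOO_KEY_OLD is documented.
      if (!new RegExp(`\\b${name}\\b`).test(manifest)) drift.env.push(`${file}: ${name}`);
    }
    for (const h of hosts(text)) {
      if (!documentedHosts.has(h)) drift.hosts.push(`${file}: ${h}`);
    }
  }
  return drift;
}

// Constructed manifest and sources (not Vanish's real files).
const SAMPLE_MANIFEST = `
Environment: OPENAI_API_KEY, ANTHROPIC_API_KEY (read only by llm-memory-check)
Network: https://api.openai.com/ and https://api.anthropic.com/
`;
const SAMPLE_SOURCES = {
  'probe.mjs': "const k = process.env.OPENAI_API_KEY; fetch('https://api.openai.com/v1/chat/completions');",
  'new-feature.mjs': "const t = process.env['TELEMETRY_TOKEN']; fetch(`https://metrics.example/ingest`);",
};
```

A CI test would fail the build whenever either list returned by `manifestDrift` is non-empty, which forces the manifest update into the same PR as the code change.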
📊 By the numbers
| | v0.2.0 | v0.3.0 |
|---|---|---|
| Subcommands | 4 (scan / cleanup / verify / queue+aux) | 11 (+ 7 new) |
| Threat surfaces | 1 (data brokers) | 7 |
| Total tests | 109 | 346 |
| CI matrix | 6 jobs | 6 jobs (unchanged) |
| Test files | 17 | 27 |
| Brokers in catalog | 210 | 210 |
| AI platforms cataloged | 0 | 30 |
| Face services cataloged | 0 | 8 |
| Third-party AI tools cataloged | 0 | 22 |
| NCII takedown destinations | 0 | 12 leak sites + 3 hash registries + 3 search engines |
| Legal letter templates | 0 | 9 (5 third-party AI + 4 takedown) |
| Jurisdiction clauses | 0 | 14 |
🔒 Security
SECURITY.md updated with v0.3 surface:
- API-key leakage check (`OPENAI_API_KEY` / `ANTHROPIC_API_KEY` must never persist)
- Photo-upload invariant (face-scan / face-opt-out must never read user photos)
- False-positive forensic exhibit risk (workforce-monitoring detection paths)
- Catalog tampering as trust-boundary concern
- Common Crawl CDX SSRF (private-IP URL guard recommended)
- Browser-open + clipboard injection surface
Coordinated disclosure timeline added (24h / 72h / 7d initial response by severity).
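One shape the private-IP URL guard recommended for the Common Crawl CDX query could take, as an added example that is not Vanish's own code: every function name is hypothetical, and the caller is assumed to resolve DNS first and pass the addresses in.

```javascript
// Added example; names are hypothetical, not from the Vanish code base.
const BLOCKED_V4 = [ // non-public ranges as [network, prefix length]; not exhaustive
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
];

function v4ToInt(ip) {
  const parts = ip.split('.');
  const valid = parts.length === 4 && parts.every((p) => /^\d{1,3}$/.test(p) && +p <= 255);
  return valid ? parts.reduce((n, p) => n * 256 + Number(p), 0) : null;
}

function isBlockedV4(ip) {
  const n = v4ToInt(ip);
  if (n === null) return true; // not a dotted quad: fail closed
  return BLOCKED_V4.some(([net, bits]) => {
    const size = 2 ** (32 - bits);
    return Math.floor(n / size) === Math.floor(v4ToInt(net) / size);
  });
}

function isBlockedV6(ip) {
  let host;
  try { host = new URL(`http://[${ip}]/`).hostname.slice(1, -1); } // canonical form
  catch { return true; } // zone ids or garbage: fail closed
  const mapped = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(host);
  if (mapped) { // IPv4-mapped: judge the embedded IPv4 address
    const hi = parseInt(mapped[1], 16), lo = parseInt(mapped[2], 16);
    return isBlockedV4([hi >> 8, hi & 255, lo >> 8, lo & 255].join('.'));
  }
  const first = host.startsWith('::') ? 0 : parseInt(host.split(':')[0], 16);
  return first === 0                 // ::, ::1 and the rest of 0000::/8
    || (first & 0xfe00) === 0xfc00   // fc00::/7 unique local
    || (first & 0xffc0) === 0xfe80;  // fe80::/10 link-local
}

// url: what is about to be fetched; resolved: addresses DNS returned for its host.
function checkFetchTarget(url, resolved) {
  let u;
  try { u = new URL(url); } catch { return { ok: false, reason: 'unparsable URL' }; }
  if (!['http:', 'https:'].includes(u.protocol)) return { ok: false, reason: 'scheme' };
  const literal = u.hostname.replace(/^\[|\]$/g, '');
  const isLiteral = literal.includes(':') || v4ToInt(literal) !== null;
  const addrs = isLiteral ? [literal] : (resolved || []);
  if (addrs.length === 0) return { ok: false, reason: 'no addresses' };
  const bad = addrs.find((a) => (a.includes(':') ? isBlockedV6(a) : isBlockedV4(a)));
  return bad ? { ok: false, reason: `non-public address ${bad}` } : { ok: true, reason: '' };
}
console.log(checkFetchTarget('https://cdx.example/', ['10.0.0.5'])); // constructed host and address
```

Connect to the exact address that passed the check rather than resolving the name a second time, and run the check again on every redirect hop; otherwise a DNS answer that changes between check and connect bypasses the guard.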
🧭 Migration notes
Backward-compatible release. No CLI breaking changes. All v0.2 commands and flags continue to work.
- `data/queue-state.json` — schema unchanged. Existing follow-up entries from v0.2 (without `kind` field) are auto-classified as `kind: 'broker'` for backward compatibility.
- `vanish verify` — gains new flags (`--kind`, `--assume`) but defaults are the v0.2 behavior for broker entries.
- `vanish opt-out --help` — text was wrong in v0.2 (claimed "8 brokers" while supporting 58); now dynamically enumerates from catalog. Behavior unchanged.
🙏 Acknowledgments
This release covers privacy threats that surfaced in 2024-2025 reporting:
- LinkedIn's Sept 2024 default-on AI training toggle
- Reddit's reported $60M/yr Google training data deal
- Twitter/X feeding all tweets to Grok
- Meta's GDPR objection workflow for AI training
- Stack Overflow's OpenAI partnership
- Multiple BIPA class actions against employers using keystroke biometrics
- Reports of internal employer-built tools that train AI agents on workforce telemetry (the "Meta memo" case)
- The Take It Down Act 2025 (US federal NCII)
- StopNCII.org reaching 100K+ users since 2021
Sources cited per-platform in the catalog JSON files.
🔗 Links
- Repo: https://github.com/RAMBOXIE/vanish
- Web app: https://ramboxie.github.io/vanish/
- Changelog: see `CHANGELOG.md`
- Skill manifest: `SKILL.md` (also: Clawhub publication target)
- License: MIT
📦 Install
```bash
# Zero-install (recommended for v0.3 — no npm publish yet)
npx github:RAMBOXIE/vanish scan --name "Your Name"
# Local clone
git clone https://github.com/RAMBOXIE/vanish
cd vanish && node scripts/index.mjs scan --name "..."
```
🐛 Known limits in v0.3.0
- Workforce-monitoring detection paths are based on vendor documentation, not live-verified on real installs (PRs welcome — see issue template "Verify workforce-monitoring path").
- `b1-live` adapter (8 brokers) is experimental; real captcha integration was deliberately not built (would break the zero-cost open-source promise).
- `llm-memory-check` requires user's own OpenAI / Anthropic API keys (`--dry-run` mode for testing without keys).
- Legal templates cite real law but are not legal representation.