A GitHub repository went live this week, and privacy engineers are already pulling it into their pipelines. Until now, scrubbing sensitive data meant regex patterns for phone numbers and email addresses — brittle, context-blind, and prone to false positives. The new model reads entire sentences and decides whether a piece of information is safe to expose or uniquely identifies an individual.

OpenAI's Privacy Filter: 1.5B Parameters, 50M Active, 96% F1

On April 15, 2025, OpenAI released Privacy Filter, an open-weight model for detecting and masking personally identifiable information (PII). The model uses 50 million active parameters out of 1.5 billion total — a deliberately small footprint. On the PII-Masking-300k benchmark, it scored an F1 of 96% (precision 94.04%, recall 98.04%). OpenAI also reported top performance on a corrected version of the dataset, produced after fixing annotation errors discovered during internal evaluation.
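The headline F1 follows directly from the reported precision and recall, since F1 is their harmonic mean — a quick check using the numbers above:

```python
# F1 is the harmonic mean of precision and recall: F1 = 2PR / (P + R).
# Values are the ones reported for the PII-Masking-300k benchmark.
precision, recall = 0.9404, 0.9804
f1 = 2 * precision * recall / (precision + recall)
print(round(f1, 4))  # -> 0.96
```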

The model covers eight categories: PERSON, EMAIL, PHONE, ADDRESS, PRIVATE_DATE, ACCOUNT_NUMBER (bank accounts, credit card numbers), SECRET (passwords, API keys), and PUBLIC. Each category is decoded using BIOES tags (begin-inside-outside-end-single), producing clean masking boundaries without overlapping spans.
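To make the tagging scheme concrete, here is a hedged sketch of how per-token BIOES tags collapse into non-overlapping spans. The tag strings and the `decode_spans` helper are illustrative, not Privacy Filter's actual API:

```python
# Hypothetical sketch: merging per-token BIOES tags into labeled spans.
def decode_spans(tokens, tags):
    """Merge per-token BIOES tags into (label, text) spans."""
    spans, current, label = [], [], None
    for token, tag in zip(tokens, tags):
        prefix, _, lab = tag.partition("-")
        if prefix == "S":                      # single-token entity
            spans.append((lab, token))
        elif prefix == "B":                    # begin multi-token entity
            current, label = [token], lab
        elif prefix == "I" and lab == label:   # inside: extend current span
            current.append(token)
        elif prefix == "E" and lab == label:   # end: close current span
            spans.append((lab, " ".join(current + [token])))
            current, label = [], None
    return spans

tokens = ["email", "jane@example.com", "about", "Jane", "Doe"]
tags   = ["O", "S-EMAIL", "O", "B-PERSON", "E-PERSON"]
print(decode_spans(tokens, tags))
# [('EMAIL', 'jane@example.com'), ('PERSON', 'Jane Doe')]
```

Because every entity is closed by an `E` or `S` tag before the next one opens, the decoded spans can never overlap — which is what makes the masking boundaries clean.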

Architecturally, it is a bidirectional token classifier. The team started from a pretrained autoregressive checkpoint, replaced the language model head with a token classification head, and fine-tuned via supervised learning. During inference, constrained Viterbi decoding finds the most probable tag sequence, ensuring consistent spans. Long inputs are processed in a single pass — no chunking, no sliding windows.
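Constrained Viterbi decoding can be sketched as follows. This is a toy illustration with hand-picked scores; the tag set, transition rules, and scoring here are assumptions, not the model's internals:

```python
import math

# Toy sketch of constrained Viterbi decoding over BIOES tags.
def allowed(prev, nxt):
    """BIOES constraints: B/I must be followed by I/E of the same
    label; O, E, and S may be followed by O, B, or S."""
    p, _, pl = prev.partition("-")
    n, _, nl = nxt.partition("-")
    if p in ("B", "I"):
        return n in ("I", "E") and pl == nl
    return n in ("O", "B", "S")

def viterbi(tags, emissions):
    """emissions: one {tag: log-score} dict per token."""
    # I/E tags cannot start a sequence.
    prev = {t: (-math.inf if t[0] in "IE" else emissions[0].get(t, -math.inf))
            for t in tags}
    back = []
    for emit in emissions[1:]:
        cur, ptr = {}, {}
        for t in tags:
            best = max((p for p in tags if allowed(p, t)),
                       key=lambda p: prev[p])
            cur[t] = prev[best] + emit.get(t, -math.inf)
            ptr[t] = best
        back.append(ptr)
        prev = cur
    path = [max(prev, key=prev.get)]       # best final tag, then backtrace
    for ptr in reversed(back):
        path.append(ptr[path[-1]])
    return path[::-1]

tags = ["O", "B-X", "I-X", "E-X", "S-X"]
emissions = [
    {"O": -1.0, "B-X": -0.2, "S-X": -2.0},   # token 1 favors B-X
    {"O": -0.1, "I-X": -3.0, "E-X": -0.5},   # token 2 favors O
]
print(viterbi(tags, emissions))  # ['B-X', 'E-X']
```

Note the payoff of the constraints: greedy per-token decoding would pick `B-X` then `O`, an inconsistent span (a begin tag with no end); Viterbi rules that transition out and settles on `B-X`, `E-X`.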

What Makes This Different from Regex Tools

Traditional PII masking relies on pattern matching: `010-xxxx-xxxx` for phone numbers, wildcard patterns like `*@*.*` for emails. These work when the format is fixed, but they cannot distinguish a personal address in "my email is …" from a shared alias in "contact our support team at …." Both get flagged, or neither does, depending on the rule set.
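The failure mode is easy to demonstrate. A format-only email regex (illustrative pattern, hypothetical addresses) flags a personal address and a shared support alias identically:

```python
import re

# A purely format-based email pattern: it matches both sentences,
# regardless of whether the address identifies an individual.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")

personal = "my email is jane.doe@example.com"
shared = "contact our support team at support@example.com"
print(EMAIL_RE.findall(personal))  # ['jane.doe@example.com']
print(EMAIL_RE.findall(shared))    # ['support@example.com']
```

No amount of pattern refinement fixes this, because the two strings are structurally identical; only the surrounding sentence tells them apart.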

Context is the differentiator. Consider the sentence "Q2 planning follow-up: the release date is September 18, 2026." A regex tool sees a date and masks it unconditionally. Privacy Filter evaluates whether the date is sensitive in context. In OpenAI's example, the date in "the product launch is scheduled for September 18, 2026" was masked as [PRIVATE_DATE], while the identifier in "project file is listed under 4829-1037-5581" was tagged [ACCOUNT_NUMBER]. The model judges sensitivity from the surrounding sentence rather than from the surface format of the string.
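The bracketed output format in those examples implies a simple masking step: replace each detected span with its label. A minimal sketch, with hand-written character offsets standing in for model output:

```python
def mask(text, spans):
    """Replace each (start, end, label) span with its bracketed label.
    Spans are assumed non-overlapping, as BIOES decoding guarantees."""
    out, pos = [], 0
    for start, end, label in sorted(spans):
        out.append(text[pos:start])     # keep text before the span
        out.append(f"[{label}]")        # substitute the label
        pos = end
    out.append(text[pos:])              # keep the tail
    return "".join(out)

text = "the product launch is scheduled for September 18, 2026"
print(mask(text, [(36, 54, "PRIVATE_DATE")]))
# the product launch is scheduled for [PRIVATE_DATE]
```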

Training used a mix of public and synthetic data. Incomplete labels in the public dataset were supplemented with model-assisted annotations, and synthetic examples were generated to cover diverse formats and contexts. OpenAI is already using a fine-tuned version of this model in its own privacy-protection workflows.

What Developers Can Do Right Now

The biggest shift is local execution. Privacy Filter runs entirely on the user's machine — no data is sent to an external server for masking. This eliminates the risk of sensitive information leaking before it is filtered. Developers can run the model in their own environment and fine-tune it for specific use cases. Integration points include training pipelines, search indexing, logging, and review workflows.
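As one illustration of the logging integration point, a masking pass can be attached as a standard `logging.Filter` so every record is scrubbed before any handler writes it. Here `mask_pii` is a stand-in for a local model call, not Privacy Filter's real API:

```python
import logging

def mask_pii(text):
    # Placeholder for a local Privacy Filter call; a real integration
    # would run the model here instead of a literal string replace.
    return text.replace("jane@example.com", "[EMAIL]")

class PIIMaskingFilter(logging.Filter):
    """Mask PII in log messages before they reach any handler."""
    def filter(self, record):
        record.msg = mask_pii(record.getMessage())  # fold args, then mask
        record.args = ()                            # args already folded in
        return True

logger = logging.getLogger("app")
handler = logging.StreamHandler()
handler.addFilter(PIIMaskingFilter())
logger.addHandler(handler)
logger.warning("password reset sent to %s", "jane@example.com")
# logs: password reset sent to [EMAIL]
```

Because the filter sits on the handler, the masking happens in-process, before the record touches disk or the network — consistent with the local-execution model described above.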

Installation is straightforward. Clone the repository, download the model weights, and run the inference script. OpenAI has indicated plans to support additional languages and privacy categories in future releases.

```bash
git clone https://github.com/openai/privacy-filter
cd privacy-filter
pip install -r requirements.txt
python run_inference.py --input "your text here"
```

This model will not entirely replace regex libraries or external masking APIs. But for pipelines that require context-aware filtering, it delivers far fewer false positives than existing tools.

The era of blind pattern matching for PII is ending.