What plausible deniability means in our architecture
We named the company after a phrase. Most privacy products sell hiding; we sell unreliability. What that buys, where it lands, and the bright lines we won't cross to ship it.
The thesis behind the work on privacy, infrastructure, and shipping — sanitized so we can talk about it without exposing client systems.
Modern consumer mail clients replaced an open, auditable filtering standard with opaque ML categorization that users can't see, edit, or carry between providers. We're building the local-first GUI for transparent mail rules — and writing about why nobody else has.
Two ways to promise to protect data: a policy you trust, or a property the type system enforces. We try to pick the second whenever the engineering allows. What that changes about audits, incident response, and the trade-offs people accept.
We wrote our taste down. Every public function carries a BUG ASSUMPTION annotation; every defense-in-depth carries a SECURITY annotation; CI enforces both. Why we think this is the right pace.
How sorting rules can get smarter from the collective without any provider — including us — seeing message content. A note on what we built and why we think it matters.