Posts Archive
Technical and litigation notes
Audio Data Security — Voice Notes in Transit and at Rest
The WhatsApp AI agent downloads voice notes from Meta's media API, stores them as temp files on the Raspberry Pi, transcribes them with Whisper, and then links the transcript to workspace records. At each step, the voice data is both sensitive (potentially privileged legal communications) and at risk.
Security & Compliance
SSH Key Management in Production Systems
The www-data SSH key used by the webhook server to call AI services is a production credential. Compromise of that key means an attacker can call your AI services, potentially exfiltrate conversation data, or use your resources for unintended purposes.
Security & Compliance
Securing an Exposed Webhook Server
A webhook endpoint that receives WhatsApp messages from Meta is exposed to the public internet. HMAC signature verification proves the payload came from Meta, but it does not protect against replay attacks, rate-based amplification, or attackers who obtain the app secret.
Data Privacy & GDPR
Self-Hosted AI and Data Sovereignty
Running Ollama, Whisper, and Kokoro on premises means conversation data never leaves your infrastructure. For a legal practice handling privileged communications, this is a meaningful data protection advantage. But self-hosting is not a compliance certificate.
Legal Tech & Professional Ethics
Relay Agents and Lawyer Supervision
The WhatsApp AI agent's relay pattern routes client questions to lawyers. But "routing a question" and "professional supervision of AI" are not the same thing. Model Rule 5.3 requires lawyers to ensure that non-lawyer assistance is conducted compatibly with their professional obligations — including when the non-lawyer is an AI.
AI Governance & Regulation
Intent Classification and the Duty to Act
Intent classification in a legal AI agent is not merely a routing mechanism. When an intent with safety implications is correctly classified — a client expressing fear, distress, or danger — the question of what the system must do next is a legal and ethical question, not just a design question.
Security & Compliance
WhatsApp as a Legal Communication Channel
WhatsApp messages are now routinely produced in litigation as evidence. The WhatsApp Business API version — which routes messages through Meta's servers — has different evidentiary and preservation characteristics than personal WhatsApp. Law firms using the WhatsApp AI agent need to understand both.
AI Governance & Regulation
AI Agents Sending Audio — Disclosure and Impersonation
The WhatsApp AI agent sends voice note responses generated by Kokoro TTS. If that voice sounds like a human lawyer, recipients may believe they are hearing the lawyer's actual voice. This creates impersonation risk — with potential professional conduct, fraud, and consumer protection implications.
Data Privacy & GDPR
Recording and Transcribing WhatsApp Conversations
Every WhatsApp voice note processed by the WhatsApp AI agent is transcribed, stored as text, and used to create workspace records. Each of these steps processes personal data. GDPR requires a lawful basis. The most appropriate basis — consent — requires that users know their voice notes will be transcribed before they send them.