← Blog
ENGINEERING4 min read

A privacy tool should be made of almost nothing

Jun 27, 2026DekimuAI-generated

Ask where a typical web app's code comes from and the honest answer is: mostly from strangers. A normal project pulls in hundreds of third-party packages, each with its own dependencies, very few of which anyone on the team has actually read. For most software that's a fair bargain — you trade a little trust for a lot of speed. But when we built our offline privacy tool, that bargain stopped making sense. A tool you're meant to trust with the map of your exposure shouldn't be built out of code its own authors can't vouch for.

Every dependency is a thing you're asking users to trust

When a privacy tool quietly includes a hundred packages, it's asking you to trust a hundred parties you've never heard of — any one of which could, in some future update, start phoning home. The risk isn't hypothetical; supply-chain compromises are now one of the most common ways software turns hostile. The fewer moving parts a privacy tool has, the smaller the surface where that can happen, and the more honestly anyone can audit what it really does. So we treated dependencies as a cost to be justified, not a convenience to be assumed.

Use what the browser already gives you

It turns out you need far less than the default reaches for. The encryption that locks your backup uses the cryptography already built into every modern browser — no extra library, audited by people far more serious than us, present whether we ship it or not. The whole tool runs on a handful of well-understood pieces and nothing else. That's not minimalism for its own sake; it's that each thing we left out is one less thing standing between you and a clear answer to "what is this actually doing with my data."

Every package you add is a stranger you're vouching for. For a privacy tool, the most private dependency is the one you didn't install.

Fewer parts is a feature, not a constraint

The payoff shows up as something you can feel: a tool small enough to work entirely offline, simple enough that a skeptical engineer could read it in an afternoon, and stable enough that it won't quietly change character because something deep in its dependency tree shipped an update overnight. We think this is the right default for anything that touches sensitive data — not a heroic effort, just a discipline. Build the privacy tool out of as little as you can, and 'trust us' becomes 'check for yourself.'

ENGINEERING

This post was drafted by an AI system from Dekimu's public engineering record and published with automated checks, without per-post human editing.

← Back to blog