The New York Times ran a piece this month on a small phenomenon turning into a real one. Corporate lawyers are starting their virtual meetings the same way nightclubs do: by kicking out anyone who shouldn’t be there. The unwanted guest is the AI note-taker.
Jeffrey Gifford, a corporate lawyer in San Antonio, told the paper that he opens every call with a roll call. “Hey, Mike, Jim, Barbara, I see the AI note-taker popped up. I’m going to turn it off and kick it out of the meeting.” Everybody and their mother, he said, is using these things. Executives, board members, in-house counsel. And every one of those tools is quietly chewing through the corporate immune system.
Two legal time bombs in one product category
The article spells out two distinct risks that have lawyers waking up at 3am.
The first is discovery. A board call doesn’t normally have minutes that record every aside. Minutes are curated; they capture decisions, not the moments before decisions. An AI transcript captures everything: the joke that should never have made the record, the half-formed proposal that was withdrawn ten seconds later, the executive saying their product will “dominate the category” in a sentence they meant as encouragement and a regulator will read as antitrust evidence. Once that transcript exists, it’s a document. And documents are discoverable.
The second is privilege. Attorney-client communications get a special protection in the law, but they lose it if the conversation is shared with an outside party. That’s the rule that has lawyers nervous about AI note-takers in legal meetings. The note-taker is a vendor. The transcripts go to the vendor’s servers. The vendor’s terms of service let the vendor do various things with them. If a court treats the vendor as a third party for privilege purposes – and there is now a federal opinion that says some such vendors are exactly that – then sharing the meeting with the bot is the same as sharing it with someone outside the privilege circle. Privilege evaporates. The conversation that was meant to be protected becomes evidence.
What Judge Rakoff actually said
In February of this year, U.S. District Judge Jed S. Rakoff ruled in the Southern District of New York that transcripts a defendant generated by asking Claude for legal advice were not protected by attorney-client privilege. The reasoning matters more than the outcome. Two facts about the vendor relationship did the damage.
One: the model was trained on user inputs. The defendant’s side of the conversation was, in principle, fuel for the next version of the product.
Two: the vendor’s privacy policy included disclaimers about its ability to share user data with third parties, including “governmental regulatory authorities.” The defendant, the judge held, could have no reasonable expectation of privacy when the vendor itself had reserved the right to disclose.
That is the precedent that has corporate lawyers spooked. It is also a precedent that turns on two architectural and contractual facts about the vendor, not on anything intrinsic to the technology of large language models. Which means the precedent can be designed around. You just have to build a product that doesn’t have those two properties.
What we built
Ostler RemoteCapture is the meeting and call recorder that ships with the Ostler Hub. It does the same job as Otter and Fathom and Granola and Read.ai. It listens to the audio, makes a transcript, summarises the conversation, and files the result. Functionally, you would not be able to tell them apart in a demo.
Architecturally, they are not in the same product category.
RemoteCapture runs the transcription on the customer’s own Mac. There is no vendor server in the pipeline. We use WhisperKit, Apple’s on-device implementation of OpenAI’s Whisper model, the same speech-to-text engine that ships inside macOS. The audio never leaves the device. The transcript never leaves the device. The summary is generated by the local language model that customers run on their own Hub. Creative Machines – the company that makes Ostler – never sees a single word of your meeting.
That is not a marketing claim. It is a property of where the bytes go. You can verify it with the macOS network firewall. You can verify it with Little Snitch. You can disconnect from the internet entirely and the recording, transcription, summarisation, and filing all keep working. We don’t have a server in this pipeline because the architecture does not need one.
That property is not incidental. It is the entire point. It is what makes the two facts that did the damage in Rakoff impossible to repeat:
1. We do not train on your meetings. Not because we promise not to. Because the data does not exist on any system we control. There is no upload step in which it could be intercepted, no logging step in which it could be retained, no training step in which it could be ingested. The data exists on your machine, in a directory you own, that you can delete.
2. We have no policy allowing third-party disclosure of your meetings, because we have no meetings to disclose. Subpoena us all you like. We have nothing to hand over. The customer’s machine still holds whatever it holds, and that machine is reachable only through the customer themselves. Which is exactly where the legal process is supposed to land.
The consent log – what it is, and what it isn’t
There is a second piece worth being specific about, including the limit of what it does. RemoteCapture maintains a tamper-evident consent log on the customer’s machine. Every recording session is logged with the legal basis the customer selected, the jurisdiction’s recording-consent rules, and a cryptographic chain that makes after-the-fact tampering visible. The database is SQLCipher encrypted at rest. The chain is HMAC-linked block by block.
What the log records is the customer’s declaration, not a verified fact. When the customer indicates “all-party consent” before starting a recording, what gets logged is that the customer claimed all-party consent. The log cannot independently verify whether every participant actually agreed. That part is the customer’s responsibility.
This cuts two ways. If the customer genuinely obtained consent, the log helps establish that the recording was a deliberate, attested decision rather than an accident, paired with whatever real-world contemporaneous evidence the customer has. If the customer did not obtain consent and ticked the box anyway, the log will show what they did. We don’t believe a product should help anyone secretly record people while pretending otherwise.
What this means in practice:
- One-party-consent jurisdictions (most US states, others): the customer’s own consent is sufficient. The log simply documents what was done.
- All-party-consent jurisdictions (UK, EU, California, ~11 other US states): the customer must actually obtain consent from every participant before relying on the log as part of any defence. Ticking the box is not a substitute for getting consent. If you tick the box dishonestly and the recording is later disputed, the log shows that you did so.
- In any jurisdiction: the log lives on the customer’s device. It is not shared with us, and we cannot produce it under subpoena because we never have it. Discovery against the device is still possible; discovery against Ostler is not.
Consent is a real legal question. Ostler’s job is to provide the architectural primitives – local capture, tamper-evident logging, no vendor disclosure – and to keep the choice in the customer’s hands. The legal and ethical content of that choice stays with the customer. If you’re recording calls in your professional life, you should know the rules of your jurisdiction. The product cannot decide that for you.
The honest limits
It is important to be straight about what local-first does and does not get you.
Local-first does not mean “your meeting will never appear in litigation.” If a court orders the device produced and the transcript is on the device, the transcript is produced. The protection here is not from discovery against the customer. It is from discovery against the vendor, from accidental third-party exposure, and from waiver of privilege that arises when conversations are shared outside the privileged circle. Those are the failure modes that have lawyers worried in the Times piece. Those are the failure modes that local-first removes by construction.
Local-first does not mean “you do not need a record-retention policy.” You do. The transcript on your machine is still a document. It still belongs in your records-management lifecycle. The Times article’s discovery worry – that AI captures everything including the things you wish were never written down – is mitigated, not eliminated, by where the recording lives.
What local-first does mean is that the privilege risk in Rakoff does not apply. The architectural facts that made the ruling go against the defendant are absent in our product, by design.
What we’d advise lawyers to do
If you are a lawyer being asked by a client whether they should use an AI note-taker, three questions are worth asking:
Where does the audio go? If the answer is “a vendor server,” the privilege calculation is the Rakoff calculation. If the answer is “the customer’s own device,” it isn’t.
Is the vendor in the privilege circle? A vendor that holds your transcript is a third party. A piece of software on your client’s machine that holds the transcript on the same machine is not. The legal category is different.
Did the recording party actually have consent? A tamper-evident on-device log documents what the customer declared at the time, which is useful evidence either way. But it does not substitute for actually obtaining consent in all-party jurisdictions. If the customer ticked the box without securing consent, the log will faithfully show that they did so.
The broader point
The AI productivity wave is real. Cloud AI note-takers are not going to disappear because the New York Times wrote a worried article. They are too convenient and too cheap to vanish on a privilege argument that most users have never heard of.
But the gap between “cheap and convenient” and “safe to use in a regulated profession” is exactly the gap that local-first products fill. Lawyers, board members, executives, doctors, anyone whose conversations have legal weight – that is the customer who needs the architecture, not the marketing. The architecture is the policy. The architecture is the privilege calculation. The architecture is the thing the New York Times article is, indirectly, telling those customers to demand.
Ostler RemoteCapture ships with the v1.0 Hub, available today at ostler.ai. The Hub is $99 once. Your meetings stay on your Mac.
Thoughts, questions, or pushback to [email protected].