In July 2023, Meta released Llama 2 and declared it “open source.” Within 72 hours, the term was being repeated across every technology publication on the planet. By February 2024, Llama had been downloaded over 350 million times. The narrative crystallized: Meta had democratized AI. Anyone could run a frontier-class model on their own hardware. Privacy was solved – just self-host.

This narrative is wrong on almost every count. And the distance between the narrative and reality is where the actual privacy analysis lives.

The Terminology Problem: Open Source vs. Open Weight

The first and most consequential misconception about Llama is that it is open source. It is not. Not by the Open Source Initiative’s definition, not by any rigorous technical definition, and not by the standards of the open-source software movement that has operated for over 30 years.

Llama is open-weight. The distinction matters enormously:

Open source means the complete source code, training data, training methodology, and resulting artifacts are available under a license that permits unrestricted use, modification, and redistribution. Linux is open source. PostgreSQL is open source. The entire pipeline from source to binary is transparent and reproducible.

Open weight means the model weights (the numerical parameters resulting from training) are publicly available. The training data is not. The training code may or may not be. The data curation pipeline, the RLHF annotation dataset, the safety fine-tuning methodology, and the compute infrastructure details are proprietary.

Llama’s license (the “Meta Llama Community License”) includes several restrictions that are antithetical to open-source principles:

  1. Monthly active user threshold: Applications with more than 700 million monthly active users must obtain a separate license from Meta. This is not an academic threshold – it effectively excludes Meta’s direct competitors (Google, Apple, Amazon, Microsoft) from unrestricted use.
  2. Acceptable use policy: The license incorporates Meta’s acceptable use policy, which prohibits specific categories of use. Licensees who violate the policy lose their license.
  3. No training data: The datasets used to train Llama are not released. Without the training data, the model cannot be independently reproduced or audited for data provenance.

The Open Source Initiative formally stated that Llama does not meet the Open Source Definition. The debate generated significant friction within the AI community, but the technical conclusion is clear: Llama is a proprietary model with publicly available weights, not an open-source project.

Why does this matter for privacy? Because the “open source” label implies a level of transparency, auditability, and user control that Llama does not actually provide. You can run the weights. You cannot verify what data trained them.

Meta’s Data Collection for AI Training

Meta operates four of the most data-intensive platforms on earth: Facebook (3.07 billion monthly active users as of Q4 2024), Instagram (2+ billion MAU), WhatsApp (2+ billion MAU), and Messenger. Collectively, these platforms generate exabytes of user data annually – text, images, audio, video, behavioral signals, relationship graphs, and location data.

In September 2023, Meta updated its privacy policy to explicitly state that user data from Facebook and Instagram would be used to train AI models. The relevant language covers:

  • Posts and comments: Public and, in some cases, non-public text content from Facebook and Instagram.
  • Photos and videos: Visual content uploaded to Meta’s platforms, used to train multimodal AI models.
  • Interactions: Likes, shares, reactions, and engagement patterns.
  • Messaging metadata: While Meta has stated that private message content from end-to-end encrypted WhatsApp chats is not used for training, messaging metadata (who messaged whom, when, how often) is collected.
  • Third-party data: Information collected through Meta Pixel, the Meta SDK, and advertising partnerships on millions of external websites and apps.

The scale is staggering. Meta’s 2024 10-K filing disclosed AI-related capital expenditures of $37 billion, with a significant portion allocated to the training infrastructure that processes this data. The company explicitly positioned its social media data advantage as a competitive moat – in a 2024 earnings call, Mark Zuckerberg described Meta’s data corpus as giving the company the ability to train models that external competitors could not replicate.

The European Pushback

Meta’s AI training data practices triggered significant regulatory action in Europe:

  • Ireland’s DPC: In June 2024, the Irish Data Protection Commission (Meta’s lead EU supervisor) requested that Meta pause its plan to train AI models on European users’ Facebook and Instagram data. Meta complied, delaying the European rollout of its AI training pipeline.
  • Noyb complaints: The European privacy advocacy organization noyb (founded by Max Schrems) filed complaints in 11 EU member states challenging Meta’s legal basis for using personal data for AI training.
  • The “legitimate interest” question: Meta initially claimed “legitimate interest” as the GDPR legal basis for training on user data. European regulators pushed back, arguing that the massive scale and permanence of AI training (data becomes encoded in model weights and cannot be meaningfully deleted) was incompatible with legitimate interest as a legal basis.

As of early 2026, Meta’s ability to train on European user data remains restricted. This has created a geographic asymmetry: users in the US, Latin America, and Asia-Pacific have their data flowing into Meta’s AI training pipeline, while European users enjoy (for now) regulatory protection.

Using Meta AI: The Hosted Experience

Meta AI, the company’s consumer AI assistant (accessible through Facebook, Instagram, WhatsApp, and meta.ai), operates under Meta’s standard privacy policy. When you interact with Meta AI:

  1. Your prompts are stored on Meta’s servers and associated with your Meta account.
  2. Conversations may be used for training. Meta’s terms allow the use of Meta AI interactions to improve AI models.
  3. Human review occurs. Meta employs teams that review AI conversations for safety, quality, and training purposes.
  4. Cross-platform context applies. If you interact with Meta AI through Instagram, Meta correlates that interaction with your Instagram profile, activity history, and social graph.
  5. Advertising infrastructure proximity. Meta AI interactions occur within the same infrastructure that serves Meta’s $131.9 billion advertising business (2024 revenue). While Meta has not explicitly stated that AI interactions inform ad targeting, the data exists within the same ecosystem.

The privacy profile of Meta AI is, in many respects, the most concerning of any major AI assistant – not because its policies are uniquely bad, but because Meta’s existing data infrastructure is uniquely comprehensive. Google has a similar integration problem, but Meta’s social graph data adds a dimension that Google’s search and productivity data does not capture: your relationships, your social dynamics, and your emotional life as expressed through social media.

Self-Hosting Llama: The Privacy Calculus

The privacy case for Llama rests almost entirely on self-hosting. If you download the model weights and run inference on your own hardware, your prompts never leave your infrastructure. No data reaches Meta. No retention policy applies. No human reviewer reads your conversations.

This is a genuine and significant privacy benefit. Self-hosted AI eliminates the provider from the data flow entirely. For organizations with the technical capacity and infrastructure to operate self-hosted models, Llama (and other open-weight models like Mistral, Falcon, and Yi) offers a category of privacy that no hosted API can match.

But the self-hosting calculus has costs that the “just run it yourself” narrative consistently underestimates:

Hardware Requirements

Running Llama 3 70B (the flagship model as of early 2025) at reasonable inference speeds requires:

  • GPU memory: Approximately 140 GB of VRAM for full-precision inference (2x NVIDIA A100 80GB or equivalent). Quantized versions (4-bit) reduce this to approximately 35-40 GB, achievable on a single A100 or high-end consumer GPU.
  • System RAM: 64-128 GB recommended.
  • Storage: 130+ GB for the full-precision model weights alone.
  • Cost: A single NVIDIA A100 80GB GPU retails for approximately $15,000-$20,000. A dual-A100 inference server runs $30,000-$50,000. Cloud GPU rental (AWS p4d instances) costs approximately $32/hour.

For the smaller Llama 3 8B model, requirements are more accessible: a single NVIDIA RTX 4090 ($1,600-$2,000) can run quantized inference at acceptable speeds. But the 8B model is significantly less capable than the 70B variant, and the capability gap matters for production applications.

Operational Complexity

Self-hosting a model is not a one-time setup. Ongoing requirements include:

  • Security patching of the inference infrastructure
  • GPU driver updates and compatibility testing
  • Load balancing and scaling for production workloads
  • Monitoring and logging (ironically, you need to implement your own privacy-respecting logging)
  • Model updates as new versions are released
  • Power and cooling for GPU-intensive hardware

The Capability Gap

As of early 2026, self-hosted open-weight models lag behind frontier hosted models (GPT-4o, Claude 3.5 Opus, Gemini Ultra) on most benchmarks. The gap has narrowed significantly – Llama 3 405B is competitive on many tasks – but the largest and most capable models remain proprietary and API-only.

This creates a privacy/capability tradeoff: you can have maximum privacy with self-hosted models or maximum capability with hosted APIs. The goal of architectures like Stealth Cloud is to eliminate this tradeoff by using hosted APIs through zero-knowledge infrastructure that preserves privacy without sacrificing model quality.

Llama’s License: What You Can and Cannot Do

The Meta Llama Community License deserves close reading because it creates obligations and restrictions that affect privacy-adjacent decisions:

What the License Permits

  • Running inference on the model weights for any purpose below the MAU threshold
  • Fine-tuning the model on your own data
  • Distributing the weights to others (who must also agree to the license)
  • Commercial use (below the MAU threshold)
  • Creating derivative models

What the License Restricts

  • 700M MAU cap: Applications exceeding 700 million monthly active users require a separate license negotiation with Meta. Meta can refuse.
  • Acceptable use policy: The license incorporates Meta’s AUP, which prohibits certain categories of use. Violation of the AUP terminates the license.
  • Attribution requirements: Derivative models must include Meta’s attribution notice.
  • No use to train competing models (Llama 2 license): The Llama 2 license explicitly prohibited using model outputs to train other language models. The Llama 3 license relaxed this restriction but maintained others.

Privacy Implications of the License

The license itself does not create direct privacy obligations for users running the model locally. However:

  • Meta requires license acceptance, which creates a contractual relationship and provides Meta with metadata about who is using the model (email address, organizational affiliation).
  • The acceptable use policy gives Meta grounds to revoke access if they determine a use case violates their terms – creating a dependency on Meta’s ongoing approval.
  • The absence of training data means users cannot audit what personal data may be encoded in the model weights. Research has demonstrated that LLMs can memorize and reproduce training data under certain conditions. Without training data transparency, the extent of this risk for Llama is unknowable.

The Data Provenance Gap

This is the least discussed and most significant privacy issue with Llama and all other open-weight models.

Meta has not disclosed the full composition of Llama’s training data. Public descriptions reference “publicly available online data,” books, and other text corpora, but the specific sources, proportions, and curation criteria are proprietary.

This matters for privacy because:

  1. Your data may already be in the model. If you have ever posted publicly on the internet – blog posts, forum comments, social media posts, code contributions, product reviews – that text may have been included in Llama’s training data. You have no mechanism to verify this and no mechanism to request removal.
  2. Memorization risk is unauditable. Without knowing the training data, it is impossible to assess the risk that the model will reproduce specific personal information from its training set. Research groups have demonstrated memorization of names, phone numbers, and addresses in other models trained on web data.
  3. Copyright and consent questions are unresolved. Multiple ongoing lawsuits (including actions by authors, news organizations, and individuals) challenge whether web scraping for AI training constitutes fair use. The resolution of these cases will affect the legality of the data pipeline that produced Llama’s weights.

For organizations evaluating Llama for self-hosted deployment, the data provenance gap means you are running a model that may contain personal information about your users, your competitors, your industry peers, or your own employees – and you have no way to know.

Meta AI vs. Self-Hosted Llama: A Privacy Comparison

DimensionMeta AI (hosted)Self-hosted Llama
Prompt data reaches MetaYesNo
Training on your promptsPossibleNo
Human review of promptsPossibleNo
Metadata collectionExtensiveNone (to Meta)
Cross-platform data linkingYesNo
Infrastructure costFree$2,000-$50,000+
Model capability (late 2025)Frontier-competitiveCompetitive but lagging
Operational complexityZeroHigh
Data provenance transparencyNoneNone
Advertising ecosystem proximityDirectNone

The table reveals the core dynamic: self-hosted Llama offers genuinely superior privacy for your prompts, but it does not solve the data provenance problem, requires significant infrastructure investment, and sacrifices some capability relative to frontier hosted models.

The Third Path: Zero-Knowledge Relay

The binary framing of “hosted API (convenient but exposed) vs. self-hosted (private but complex)” omits a third architectural option: using hosted APIs through infrastructure that the user controls and the provider cannot see into.

This is the Stealth Cloud approach:

  1. PII stripping removes identifying information from the prompt before it leaves the client.
  2. Client-side encryption ensures the relay infrastructure cannot read the payload.
  3. Ephemeral processing in edge workers (zero-persistence architecture) ensures no data is written to disk.
  4. The AI provider receives a sanitized prompt from a relay IP, with no metadata linking it to the original user.

This architecture works with any hosted model – including Meta AI’s API, OpenAI, Anthropic, or European providers. It provides the convenience and capability of hosted inference with the privacy properties of self-hosting, without the $50,000 hardware investment or the operational burden.

For organizations that want Llama-class capability with genuine privacy, the choice is not between Meta’s hosted service and a rack of GPUs in a closet. There is a third option, and it is architectural.

The Stealth Cloud Perspective

Meta’s release of Llama weights was a significant contribution to the AI ecosystem, but “open-weight” has been systematically conflated with “privacy-preserving” in ways that do not survive scrutiny. The model carries unknown training data provenance, Meta’s hosted AI service feeds the same data infrastructure as a $131 billion advertising business, and self-hosting requires capital and expertise that most users lack. Stealth Cloud offers the missing option: use any model, including Llama-based hosted APIs, through zero-knowledge infrastructure where identifying data never reaches the provider – combining hosted convenience with self-hosted privacy guarantees.