Why We Built Oaken Ward
Last year, I noticed something unsettling. My code editor was sending completions to an AI service I’d never configured. A note-taking app was quietly uploading text to improve “AI features” I’d never turned on. My email client was routing content through an LLM for “smart replies.”
None of these apps asked. None of them made it obvious. The data just… left.
The invisible pipeline
AI integration is the new default. Apps ship with AI features enabled out of the box. They connect to OpenAI, Anthropic, Google AI, Mistral, and dozens of other services — often without explicit user consent beyond a buried toggle in preferences.
This isn’t necessarily malicious. Most developers genuinely believe they’re adding value. But the result is the same: your private data — code, notes, emails, documents — flows to third-party AI services without your knowledge or meaningful control.
Why existing tools don’t solve this
I tried using Little Snitch. It’s excellent for general network monitoring, but it doesn’t know which connections are AI services. When your code editor connects to api.openai.com, Little Snitch sees just another HTTPS connection. You’d need to maintain your own list of AI endpoints, know every domain they use (including CDNs and regional endpoints), and set up rules for each one.
That’s what we do. Oaken Ward maintains a curated, auto-updating database of AI service endpoints — every domain, every IP range, every CDN edge — so you don’t have to.
How detection works
Oaken Ward uses Apple’s Network Extension framework (NEFilterDataProvider) to inspect outgoing connections at the system level. This is the same API that enterprise MDM tools and parental controls use — it’s purpose-built for exactly this kind of network monitoring.
When an app opens a connection, we check the destination against our AI endpoint database. This check happens entirely on-device. We don’t proxy your traffic, we don’t intercept TLS, and we don’t read packet contents. We match the destination (domain or IP) against known AI services.
If there’s a match, we log it and apply your rules: allow silently, block, or alert you.
What makes this different
- Purpose-built: Not a generic firewall with AI rules bolted on. Every feature is designed around the AI privacy use case.
- Curated database: We track AI services professionally. New endpoints are added within hours of discovery. You don’t maintain anything.
- Per-app control: Allow your AI coding assistant but block your email client. Fine-grained rules, not all-or-nothing.
- Zero data collection: We built a privacy tool. It would be absurd to then collect your data. Everything stays on your Mac.
From the makers of Oaken Notes
Oaken Ward is our second product in the Oaken family. Oaken Notes is a macOS meeting recorder that processes everything locally — your meetings never leave your Mac. Oaken Ward extends the same philosophy to your entire network: your connections never leave your control.
We believe privacy tools should be simple, effective, and honest about what they do. No cloud accounts. No subscriptions for basic functionality. No dark patterns.
Try it
Oaken Ward is free to use with up to 3 custom rules. That’s enough for most people to see what’s happening and block the worst offenders. If you need unlimited rules and full history, Pro is $29/year.
Download Oaken Ward and see what your apps have been up to.