If you’ve been working with AI for a while, you’re probably an LLM/agent/chat user. But have you ever asked yourself how these tools will be trained in the near future, and what will happen if we have already exhausted the data needed to train our models? Many theories say that we are running out of high-quality human-generated data to train our models.
While it’s true that new content is added every day, an increasing proportion of the content added each day is itself generated by AI. Therefore, if you continue to train on public web data, you will eventually end up training on the output of your own predecessors. A snake eating its tail. Researchers call this phenomenon “model collapse,” in which an AI model starts learning from errors in its predecessors until the entire system becomes meaningless.
But what if I told you that we’re not actually missing data? We’re just looking in the wrong places.
This article details the key insights from this excellent paper.
The web we already use and the web that matters
Most of us think of the web as a unique source of information. There are actually at least two.
Surface Web is a public, indexed world like the ones found on Reddit, Wikipedia, and news sites. This is something we have already been scraping and overusing for years to train today’s mainstream AI models. Then there’s what we call the deep web, and I’m not talking about the “dark web” or anything illegal here.
The deep web is simply everything behind a login or firewall. This refers to anything online that is not publicly indexed. It could be a hospital’s patient portal, a bank’s internal dashboard, a corporate document archive, a private database, or the age-old email behind the login screen. Plain and boring, but incredibly valuable data.
Many studies suggest that the deep web is orders of magnitude larger than the surface web. More importantly, the quality of the data will be much higher. Compare that to surface web content, which can be noisy, full of misinformation, and heavily SEO-optimized. They also increasingly contain content that is intentionally designed to mislead or negatively impact AI models. Deep web data, such as medical records, verified financial documents, and other internal databases, tends to be clean, authenticated, and organized by those who value its quality.
problem? As you can probably guess, this is a private matter. You can’t extract a million medical records without considering all the legal and ethical havoc this will cause.
PROPS framework
This is where a new framework comes into play called PROPS (Protected Pipelines). Introduced by Ari Juels (Cornell Tech), Farinaz Koushanfar (UCSD), and Laurence Moroney (former Google AI lead), PROPS acts as a bridge between this sensitive data and the AI models that require it.
The great thing about PROPS is that you don’t have to “hand over” your data. Instead, use oracles that protect your privacy. Think of an oracle as a “trusted intermediary” that can examine the data, verify that it is real, and tell the AI model what it needs to know without showing the raw information to the model.
The concept of these props may sound like magic, as they can solve many of the data availability problems that AI models face today. But how exactly does this work? Consider the example of a healthcare company that wants to train its diagnostic tools on real health records. Under the PROPS framework:
- permission: As a user, you log into your health portal and authorize certain uses of your data.
- Oracle: Think of Oracle as your digital notary. Access a private portal (such as a hospital database) to ensure the data is authentic. Instead of copying files, you simply tell the AI system, “I saw the original documents and I certify that they are real.” Providing evidence of truth without handing over personal data itself. Tools already exist for this. Deco. it’s a protocol This allows users to prove that they retrieved specific data from a web server over a secure TLS channel.
- Secure enclave: This is a “black box” within the computer hardware where the actual training takes place. Put your AI models and personal data inside and “lock the door.” Neither humans nor developers can see what’s going on inside. The AI “learns” from the data and leaves behind only the weights of the model. Raw data remains locked internally until the session ends.
- result: The model will be trained based on the data within that box. Only updated “weights” (learning) are output. Raw data can never be seen by the human eye.
Contributors know exactly what they’re agreeing to and can be rewarded for participating in ways tailored to how valuable their particular data actually is. The relationship between data owners and AI systems is completely different.
But why bother using this instead of synthetic data?
You might ask, “Why go through all this complicated setup when I can just generate synthetic data?”
The answer is that synthetic data inhibits diversity. By definition, synthetic data generation strengthens the middle of the bell curve. If you have a rare medical condition that only affects 0.01% of the population, a synthetic data generator will likely filter it out as “noise.”
Models trained on synthetic data become increasingly difficult to handle outliers. PROPS solves this problem by creating a secure way for real people with rare conditions and special backgrounds to “opt in.” Transform data sharing from a privacy risk to a “data marketplace.” Where your valuable data gets the compensation it deserves.
Not only training is important, but also reasoning
Although most discussions focus on training, PROPS has equally interesting applications on the inference side.
For example, getting a loan today requires submitting a number of documents, including bank statements, pay stubs, and tax returns. PROPS-based systems propose the use of a loan decision model (LDM).
- Allows LDM to communicate directly with banks.
- The bank verifies your balance through a privacy-protected oracle.
- LDM makes the decision.
- result? The lender receives a “yes” or “no” authorization without touching your personal documents. This eliminates the risk of data leakage and makes it nearly impossible to use fraudulent Photoshopped documents.
What is actually stopping this from happening in 2026?
It’s simply a matter of scale and infrastructure.
The most robust versions of PROPS require training to occur within a secure, hardware-backed enclave (such as Intel SGX or NVIDIA’s H100 TEE). While these work well on a small scale, making them work on the large GPU clusters required by Frontier LLM is still an open engineering problem. Fully encrypted synchronization requires a large cluster to work.
The researchers are clear that PROPS is not yet a finished product. It’s a convincing proof of concept. However, a lightweight version is currently available for deployment. Even without a full hardware warranty, you can build a system that provides meaningful warranty to your users. This is already an improvement over asking someone to email a PDF.
my own final thoughts
PROPS is not really a “new” technology. It is a new application of an existing tool. Privacy-preserving oracles have been used in the blockchain and Web3 space (e.g. Chainlink) for many years. The insight here is the realization that the same tools can solve the AI data crisis.
A “data crisis” is not a lack of information. It’s a lack of trust. We have enough data to build the next generation of AI, but it’s locked behind the doors of the deep web. Snakes don’t need to eat their tails. I just need to find a better garden.
👉 LinkedIn: Sabrine Bendimerad
👉 Medium: https://medium.com/@sabrine.bendimerad1
👉 Instagram: https://tinyurl.com/datailearn
