Private Cloud Compute: A new frontier for AI privacy in the cloud

I don’t think that’s completely fair. It basically puts Apple in the same bucket as Google or OpenAI. Google obviously tracks everything you do for ads, recommendations, AI, you name it. They don’t even hide it, it’s a core part of their business model.

Apple, on the other hand, has made a pretty serious effort to ensure that no employee can access your data on these AI systems. That’s hugely different! They’re going as far as to severely restrict logging and observability and even building and designing their own chips and operating systems. And ensuring that clients will refuse to talk to non-audited systems.

Yes, we can’t take Apple’s word for it. But I think the third party audits are a huge part of how we trust, and also verify, that this system will be private. I don’t think it’s far to claim that “Apple knows what you’re doing.” That implies that some one, at some level at Apple can at some point access the data sent from your device to this private cloud. That does not seem to be true.

I think another facet of trust here is that a rather big part of Apple’s business model is privacy. They’ve been very successful financially by creating products that generate money in other ways, and it’s very much not necessary or even a sound business idea for them to do something else.

While I think it’s fair to be skeptical about the claims without 3rd party verification, I don’t think it’s fair to say that Apple’s approach isn’t better for your data and privacy than openAI or Google. (Which I think is the broad implication — openAI tracks prompts for its own model training, not to resell, so it’s also “only openAI knows what your doing.”)

unless it's open source and the servers decentralized, you are always trusting SOMEONE

Specifically, open-source and self-hostable. Open source doesn't save you if people can't run their own servers, because you never know whether what's in the public repo is the exact same thing that's running on the cloud servers.

This isn't right.

If you trust math you can prove the software is what they say it is.

Yes it is work to do this, but this is a big step forward.

Unless you personally validate hardware designs, manufacturing processes, and all software, even when running locally you're trusting many, many people.

if wanted.

Or if someone compels them to

They already have your private pictures. What difference is it that it's now running AI?

If one has to use tech one has to trust someone. Apple has focused on the individual using computers since inception. They have maintained a consistent message and have a good track record.

I will trust them because the alternatives I see are scattered and unfocused.

If he really wanted no one to be reading his tweets he’d be using BluSky or Masto…

Thanks for the link.

> As best I can tell, Apple does not have explicit plans to announce when your data is going off-device for to Private Compute. You won't opt into this, you won't necessarily even be told it's happening. It will just happen. Magically.

Presumably it will be possible to opt out of AI features entirely, i.e. both on-device and off-device?

Why would a device vendor not have an option for on-device AI only? iOS 17 AI features can be used today without iCloud.

Hopefully Apple uses a unique domain (e.g. *.pcc.apple.com) that can be filtered at the network level.

nobody can read his tweets without a X account

False; works fine for me logged out or incognito..

Threads also is popular.

Probably the mainstream Twitter alternative at this point?

(I wonder if Matt realizes nobody can read his tweets without a X account? Use BlueSky or Masto man)

He actually has an active Mastodon account, but this particular story is not on there (yet): https://ioc.exchange/@matthew_d_green

"I wonder if Matt realises nobody can read his tweets without a X account?"

https://nitter.poast.org/matthew_d_green/status/180029189724...

Beyond all the hardware complexity, another attack vector is the network infrastructure.

He's not wrong that, given that you want to do this, this is the best way. The alternative would be to not do it at all (though an opt-out would have been good).

Here's the Mastodon thread: https://ioc.exchange/@matthew_d_green/112597849837858606

These two tweets stand out for me:

Ok there are probably half a dozen more technical details in the blog post. It’s a very thoughtful design. Indeed, if you gave an excellent team a huge pile of money and told them to build the best “private” cloud in the world, it would probably look like this.

and

And of course, keep in mind that super-spies aren’t your biggest adversary. For many people your biggest adversary is the company who sold you your device/software. This PCC system represents a real commitment by Apple not to “peek” at your data. That’s a big deal.

I'd prefer things stay on the device but at least this is a big commitment in the right direction - or in the wrong direction but done better than their competitors, I'm not sure which.

Private Cloud Compute servers have no persistent storage so there would be nothing to see upon opening the kimono. You'd need some sort of government requested live wire tap thing to harvest the data out of the incoming requests, which might be a different situation. I'm, of course, just some dude on the internet, thinking up a counter-point to this concern, who knows if I am even remotely in the right ballpark.

Slightly off-topic, "open up the kimono" sounds disturbing and creepy to me as an Asian. I suspect I'm not alone in this.

Warrant canary

What Apple can do (and appears to be doing throughout its products) is not have the data requested. Or not have it in cleartext. NSLs can't request data that doesn't exist anymore.

Their post sure makes it seam like it’s possible. Was there something that stood out to you?

There's a difference between guaranteed privacy and certifiable privacy. Yes, the government can request one's data. However, Apple's system would reveal those intrusions to the public, even if Apple themselves couldn't say it.

It seems to me that this security architecture is a direct response to the hostile regulatory environment Apple finds themselves in wrt USA PATRIOT and the CCP et al.

They already have root. Their software is closed source. There is absolutely nothing stopping them from uploading all of your data right now.

If you don't trust the people making your OS, your problems are much deeper than fretting about off-device AI processing.

Your argument is no different than what Apple could do to your iPhone. The fact that it happens on the server changes nothing. Apple could push a button and have your iPhone upload whatever they want to their servers. In other words, based on your argument, you shouldn't trust anything, including locally run AI. You're probably right, but it isn't practical.

Edit: The final couple tweets from the Matthew Green tweet thread posted in another comment sum it up well:

Wrapping up on a more positive note: it’s worth keeping in mind that sometimes the perfect is the enemy of the really good.

In practice the alternative to on-device is: ship private data to OpenAI or someplace sketchier, where who knows what might happen to it. And of course, keep in mind that super-spies aren’t your biggest adversary. For many people your biggest adversary is the company who sold you your device/software. This PCC system represents a real commitment by Apple not to “peek” at your data. That’s a big deal. In any case, this is the world we’re moving to. Your phone might seem to be in your pocket, but a part of it lives 2,000 miles away in a data center. As security folks we probably need to get used to that fact, and do the best we can to make sure all parts are secure.

Apple needs to differentiate itself, and they have chosen privacy as a way to do that, which I'm all for. The headlines around Microsoft's AI efforts have largely been a nightmare, with a ton of bad press. If the press around Apple's AI is all about how over the top they went with security and privacy, that will likely make people feel a little better about using it.

I'm not a big user of OpenAI's stuff, but if I was going to use any of it, I'd rather use it through Apple's anonymizing layer than going directly to OpenAI.

What if you can't turn it off and this extreme security is the justification for why?

NSA already has all our data and if they don't, they have direct contacts at Meta and Alphabet to get it same-day delivery.

I'm trusting Apple more in this case, they have an incentive to keep things private and according to experts they're doing everything they can to do so.

"Indeed, if you gave an excellent team a huge pile of money and told them to build the best “private” cloud in the world, it would probably look like this." - Matthew D. Green

It's for shareholders. Microsoft and Nvidia have a bigger market cap than Apple now, thanks to the AI investor boom. Apple need to show they can be all about AI, too. But Apple have the institutional culture to maintain privacy.

Me

I don’t care if the government has access to the data. I just don’t want “bad actors” (scammers, foreign governments, ad-tech companies, insurance companies, etc) to have access to my private data. But i also want the power of LLM’s. Does that sound so far fetched?

I’m a realist. I already EXPECT the US govt has all my data. I don’t like the status quos, but it is what is is.

It’s for their competitors who have pushed a narrative that Apple was caught “flat-footed”. Well there is actually a line of LLM and cloud infrastructure at iPhone scale. This is not merely 2 years of work. They push the privacy because it’s expected of them.

Gemini could claim privacy but I think people would assume that if true, it would make it less effective.

Probably everything uploaded after the intercept is in place if you can convince a court to compel it.

One option is to release a malicious software update, sign it, publish the signature on the public chain, and then simply not release the binaries until after whatever associated gag orders there are (if any) expire. Apple gave themselves a 90 day timeline for this before they'd even be in violation of their promises.

Another option is to use the cryptographic keys used to make the hardware that attests to the software running on it, to simply falsely attest to what software is running. Unless Apple's somehow moved those keys outside of the courts jurisdiction (which means outside of Apple's control in the case of most courts) that should be within the courts power. If they can still create new hardware, it seems likely whoever is making that hardware must still have access to the keys...

Both of these attacks are outside the "threat model" proposed, because they are broad compromises against the entire PCC infrastructure. The fact that they are possible and within the legal systems power... well... why are we advertising this as secure again?

The main value of this whole architecture in my mind isn't actually security though, it's that it's Apple implicitly making the promise that they won't under any circumstance use the data, or let anyone else use the data, for business purposes (not even for running the service itself).

I mean it was famously tested in 2015 after the San Bernardino attack. Apple didn’t back down [1] and later sued the company who sold the zero-day to the govt to unlock the phone [2].

[1] https://en.m.wikipedia.org/wiki/Apple%E2%80%93FBI_encryption...

[2] https://www.washingtonpost.com/technology/2021/04/14/azimuth...

Unless their statements regarding the design of these systems are blatantly false, or they are forced to add data collectors on purpose to target individuals, the answer is close to nothing.

You can opt into full E2E encryption [1] which makes it nothing, presumably at the cost of some convenience features.

[1] https://support.apple.com/en-us/108756

The more common use case will be when you're locked out of "your" apple id.

I'm very curious as well because my very limited understanding tells me the answer is nothing. The relay hides your identity. Your phone checks the attestations so it won't send your data to servers not running the published software which ensures encryption keys are ephemeral. Once your session is done, the keys are deleted.

Law enforcement would need to seize the right server among millions while it's processing your request and perform an attack on it to get the keys before they're gone.

My next question is what happens if/when the attestation keys are stolen.

Do you have analogous search terms for Microsoft, Alphabet, Google, and Amazon's approaches?

Your comment makes me curious on how guarantee-to-guarantee looks (and associated architectures).

Perhaps one of these days we'll get a 'jeffbee that realizes that Google is not actually ahead of everyone in everything all the time. But not today, I guess.

This is not true at all. Apple is the first to roll out end to end remote attestation of an enclave that includes an ML accelerator in the root of trust, with public verifiability of the entire stack. They are way ahead.

If you're one of the richest companies in history you can "simply" invest 15 years into developing your own chips instead of buying Nvidia GPUs.

But this is just inference. What did they use to train their foundation models?

Apple doesn't want to pay the Jensen Leather Jacket Fee and has $200 billion in cash it is sitting on to make it happen. If anyone can create an Nvidia substitute for AI chips its Apple and their cash hoard combined with their world-class design team and exclusive access to all of TSMC 3nm and next year 2nm production they could possibly want.

This feels like the biggest part of the news to me

Starts with A and ends with S

Apple’s rich enough to build and own their own datacenters. Savvy enough, too. I’d imagine the chassis are custom Apple-NOC-specific M-chip powered servers.

The have built and operated a growing number of their own data centers for years. Presumably this will go into those.

could be the first time we'll see a big tech company actually provide an auditable security guarantee

AWS Nitro Enclaves [0] come close but of course what Apple has done is productize private compute for its 1b+ macOS & iOS customers!

[0] https://docs.aws.amazon.com/enclaves/latest/user/nitro-encla...

> even if we can't verify that their sanctioned use case is secure, the cloud OS could be a great step forward in secure inference and secure clouds, which people could independently host or build an independent derivative of

Yes, the tech industry loves to copy Apple :)

Asahi Linux has a good overview of on-device boot chain security, https://github.com/AsahiLinux/docs/wiki/Apple-Platform-Secur...

> My main concern right now is that if virtualization is employed in their actual deployment, there could be a backdoor that passes keys from secure enclaves in still-proprietary parts of the OSes running on user devices to a hypervisor we didn't audit that can access the containers.

  We’ll release a PCC Virtual Research Environment: a set of tools and images that simulate a PCC node on a Mac with Apple silicon, and that can boot a version of PCC software minimally modified for successful virtualization.

Could a PCC node be simulated on iPad Pro with M4 Apple Silicon?

Well, a 89-day "update-and-revert" schedule will take care of those pesky auditors asking too many questions about NSA's backdoor or CCP's backdoor and all that.

Feels like an uptime screenshot would be appropriate here

https://en.m.wikipedia.org/wiki/Confidential_computing

This is what they are doing. Search implementations of this to understand more technical details.

This was my take from the presentation as well, immediately thought of your feature. Will be interesting to hear your take on it once the details have been made available and fully understood.

Yeah it seems so, though most of these systems (e.g. Intel SGX, AMD SEV, NVIDIAs new tech) use the same basic building blocks (Apple itself isn't member of the confidential computing consortium but ARM is), for me it's the quality of the overall implementation and system that sets this apart. I'm also quite bullish about trusted computing, seems it gains significant momentum. I would like some technologies to be more open and e.g. allow you to control the whole stack and install your own root certificates / keys on a hardware platform, but even so I think it can provide many benefits. With Apple pushing this further into the mainstream I expect to see more adoption.

Well the options from China's perspective is: Come to the table and meet some/all of our demands or stop doing business here.

Since Apple devices are now on the Chinese Governments poopy list, I assume Apple is only meeting some, not all of China's demands. I assume if Apple did everything the Chinese govt wanted, they wouldn't be on the poopy list. Personally I see being on the Chinese govt poopy list as an endorsement that it's probably a net positive for privacy and security compared to those not on the list. :)

Around WhatsApp, it's probably part of the whole compromise mess above. WhatsApp now does E2E and that's something China is not a fan of, so it's probably China's doing that it's not in the app store in China any more. Apple is just following the laws China forces them to follow.

It should be noted I've never been to China(yet) and have zero 1st hand knowledge.

Yes, the issue is that they are really slow.

They rely on Trusted Execution Environments and the fact that hash functions are one-way functions.

Verifier -> requests a Prover to attest its software state

Prover -> goes into RoT, verifies authenticity of Verifier (and request), computes hash of attested memory region, sends hash digest

Verifier -> receives digest and compares to known hash

What’s stopping remote endpoint always responding “yes” The attestation code is inside of a RoT, so a bad actor shouldn't be able to call this code, only callable by receiving a request from a Verifier

> What’s stopping remote endpoint always responding “yes”

It requires a small, trusted remote observer hardware component, e.g. TCG TPM/DICE, Apple Secure Enclave, Google OpenTitan, Microsoft Pluton.

2021 literature review, https://arxiv.org/abs/2105.02466

2022 HN thread on remote attestation, https://news.ycombinator.com/item?id=32282305

My understanding is that it's similar to TLS authentication.

The remote endpoint has special hardware which keeps secret signing keys (similar to a TLS server's signing keys). The hardware refuses to reveal the private keys, but will sign certain payloads under certain conditions. In addition, Intel or AMD or whoever also has super duper mega secret master keys (similar to a CA's signing keys), which they use to sign the device's signing keys. The certificate signing the device keys is also stored on the device.

So, each time the endpoint is asked to attest its software, it says yes and signs its response with its keys, and it also sends a certificate showing its keys are signed by the master key. That way, the client knows the special hardware really said yes and that Intel or AMD or whoever said that particular special hardware is legit.

According to the article, it would be difficult to tie any request to a user:

Target diffusion starts with the request metadata, which leaves out any personally identifiable information about the source device or user, and includes only limited contextual data about the request that’s required to enable routing to the appropriate model

If this is the case, I wonder how the authentication would work. Is it a security through obscurity sort of situation? Wouldn't it be possible for someone, through extensive reverse engineering, to write a client in Python that gives you a nice free chat API and Apple would be none the wiser?

iOS won’t send requests to it unless that node appears in the transparency log.

If it appears in the transparency log, the whole world will be able to see that a suspicious node has started serving requests.

If Apple changes iOS to remove that restriction, the whole world will be able to see that change because it’s client side.

If Apple tries to deliver a custom version of iOS to a single user, the iOS hardware will refuse to run it unless it has a valid signature.

If it has a valid signature, that copy of the firmware is irrefutable evidence that Apple is deliberately breaking its privacy promises and spying on people in a way they specifically said they wouldn’t, which would be extremely harmful to their business.

Apple seems to be going all-out in binding themselves in a way that makes it as difficult as possible to do what you are suggesting.

There's a thread about the models: https://news.ycombinator.com/item?id=40639506

Yes, basically if you opted out of Apple scraping, your data isn’t used

Privacy is the entire point of this discussion?

Homomorphic encryption is mostly a fantasy at this point.

There’s not a single homomorphic encryption implementation out there which can do real world quantities of computation

Your own infrastructure is definitely less secure than this or even, say, Google. You do not have the capability and teams of SREs to detect intrusions, and an attacker would know that your server processes your data.

It's very encouraging.

Another good step in this direction would be publishing a list of all on-device Apple software (including Spotlight models for image analysis) and details of any information that is sent to Apple, along with opt-out instructions via device Settings or Apple Configurator MDM profiles.

Apple does publish a list of network ports and servers, so that network traffic can be permitted for specific services. The list is complicated by 3rd-party CDNs, but can be made to work with dnsmasq and ipset, "Use Apple products on enterprise networks", https://support.apple.com/en-us/101555

Oof. That's a pretty damn specific (literally) attacker, and it's impressive that made it into their threat model.

How so ? There are any number of state and state sponsored attackers who it should apply it including china, North Korea , Russia , Israel as nation states and their various affiliates like NSO group .

Even if NSA its related entities are going to be notably absent. If your threat model includes unfriendly nation state actors then the security depends on security at NSA and less on Apple, they have all your data anyway.

If nation state actors are interested in you, no smartphone that is not fully open source on both hardware and OS side that has been independently verified by multiple reviewers is worth it, i.e. no phone in the market today, everything else is tradeoff for convenience for risk, the degree of each is quite subjective to each individual.

For the rest of us, the threat model is advertisers, identity thieves, scammers and spammers and now AI companies using it for training.

Apple will protect against other advertisers insofar to grow their own ad platform , they already sell searches to Google for $20B/year and there is no knowing the details of the OpenAI deal on what kind of data will be shared.

Exactly - nothing is for free. They explicitly state that PCC data gets destroyed after a response is returned.

Are the anonymized queries (minus user data context) worth anything?

It’s gotta be some kind of subscription/per query charge model to pay for the servers, electricity, and bandwidth.

Who pays for the costs of private cloud compute, is it free of charge for the iPhone owner (at least until they turn it into a subscription)?

My guess is that this is similar to how iOS upgrades are “free”, how Apple Maps is free, how iMessage is free, how iCloud Mail is free, etc. To a good extent, it’s all paid for by the price paid by the customer for the hardware.

I’d also wager that there will be a paid service/subscription that will get baked into iCloud+ at some point in time (maybe a year from now). This will offer a lot more and Apple will try to attract more customers into its paid services net.

Nitro does measure firmware. If any firmware is unexpected, server will essentially stop being connected to the EC2 substrate network and/or server wiped clean automatically. People will be paged automatically, security will likely be pulled in, etc.

There is no reason to measure hypervisor firmware as it’s not firmware in the case of EC2. The BIOS/UEFI firmware on the mobo is overwritten if it’s tampered with. Hypervisor code (always signed, like all code) is streamed via a verifiably secure system on the server (Nitro cards, which make use of measured boot and/or secure boot).

No idea what the customer facing term “Nitro enclaves” means, but EC2 engineers are literally mobilized like an army with pages when any security risk (even minor ones) is determined. Basic stuff like this is covered. We even go as far as guaranteeing core dumps don’t contain any real customer data, even encrypted

Aws had to do it this way because of their custom silicon, Intel, ARM and AMD do provide firmware/hypervisor level attestation

Attestation will run on the RoT.

While we’re publishing the binary images of every production PCC build, to further aid research we will periodically also publish a subset of the security-critical PCC source code.

I expect that they'll publish the attestation source code.

But, basically what will happen is the Verifier will request a certain memory region to be attested, then that region will be hashed and the digest will be sent back to the Verifier. If the memory is different from what is expected, the hash digest will NOT match.

Inverted acronym?

It’s also because they have a twelve month release cycle.

The problem with that is it’s not possible for you to be the only one to hold the private key and have the cloud run your data against a model.

Apple already runs China-only software on their devices, I suppose it just won't run there.

That phrase distinguishes the internal group responsible for that part of the architecture, don’t think it’s a marketing term.

Apple’s doing this specifically to avoid the possibility of what you’re describing.

The transparency & architecture together are intended to be more than enough to publicly detect any major retooling of the system.