Private Cloud Compute: A new frontier for AI privacy in the cloud

617 points by serhack_ 11 months ago

48 comments


hexage1814 11 months ago

The thing with cloud and with anything related to it, anything that connects to the internet somehow... is that, unless it's open source and the servers decentralized, you are always trusting SOMEONE. Sure, Apple might do their best to ensure nobody – but them – has access to your data... but Apple controls all the end points. It controls the updates your iPhone receives, it controls the servers where this happens. Like, there are so many opportunities for them to find what you are doing. It reminds me of this article "Web-based cryptography is always snake oil"

https://www.devever.net/~hl/webcrypto

And to be fair, this doesn't apply only to this case. Even the data you have stored locally, Apple could access it if they wanted, they sure have power to do it if they so wish or were ordered by the government. They might have done it already and just didn't tell anyone for obvious reasons. So, I would argue the best you could say is that it's private in the sense that only Apple knows/can know what you are doing rather than a larger number of entities.

Which, you could argue it's a win when the alternatives will leak your data to many more parts... But still far away from being this unbreakable cryptography that it's portrayed to be.

loteck 11 months ago

Some good comments on this from cryptographer Matt Green here: https://x.com/matthew_d_green/status/1800291897245835616?t=CcBMWojQZYI0RnnS_gVWzA&s=19

(I wonder if Matt realizes nobody can read his tweets without a X account? Use BlueSky or Masto man)

Edit: here's his thread combined https://threadreaderapp.com/thread/1800291897245835616.html?utm_campaign=topunroll

zmmmmm 11 months ago

Read through it all, it still comes down to "trust us". Apple can sign and authorise an update at any time that will backdoor it, and the government is the stroke of a pen away from forcing them to, all completely silently.

I get that there's benefit to what they are doing. But the problem of selling a message of trust is you absolutely have to be 100% truthful about it, and them failing to be transparent that people's data is still subject to access like this poisons the larger message they are selling.

kfreds 11 months ago

Wow! This is incredibly exciting.

Apple's Private Cloud Compute seems to be conceptually equivalent with System Transparency - an open-source software project my colleagues and I started six years ago.

I'm very much looking forward to more technical details. Should anyone at Apple see this, please feel free to reach out to me at stromberg@mullvad.net. I'd be more than happy to discuss our design, your design, and/or give you feedback.

Relevant links:

- https://mullvad.net/en/blog/system-transparency-future

- http://system-transparency.org (somewhat outdated)

- http://sigsum.org

Shank 11 months ago

> In a first for any Apple platform, PCC images will include the sepOS firmware and the iBoot bootloader in plaintext, making it easier than ever for researchers to study these critical components.

Yes!

> Software will be published within 90 days of inclusion in the log, or after relevant software updates are available, whichever is sooner.

I think this theoretically leaves a 90-day maximum gap between publishing vulnerable software and potential-for-discovery. I sincerely hope that the actual availability of images is closer to instant than the maximum, though.

ein0p 11 months ago

It is not possible for this to be fully private in the United States because the government not only can force Apple to open up the kimono, it can also forbid it to talk about it. There’s not really anything Apple can do to work around this “limitation”. Thank your “representative” for extending the PATRIOT Act when you get a chance.

zer00eyz 11 months ago

I have a big question here.

Who is this for? Don't get me wrong, I think it's a great effort. This is some A+ nerd stuff right here. It's speaking my language.

But I'm just going to figure out how to turn off "calls home". Cause I don't want it doing this at all.

Is this speaking to me so I tell others "apple is the most secure option"? I don't want to tell others "linux" because I don't want to do tech support for that.

At this point I feel like an old man shouting "Damn you, keep your hands off my data".

WatchDog 11 months ago

I'm interested in how this compares to AWS nitro enclaves, which they mention briefly.

The main difference seems to be verifiability down to the firmware level.

Nitro enclaves does not provide measurements of the firmware[0], or hypervisor, furthermore they state that the hypervisor code can be updated transparently at any time[1].

Apple is going to provide images of the secure enclave processor operating system (sepOS), as well as the bootloader.

It also sounds like they will provide the source code for these components too, although the blog post isn't clear on that.

[0]: https://docs.aws.amazon.com/enclaves/latest/user/set-up-attestation.html

[1]: https://docs.aws.amazon.com/pdfs/whitepapers/latest/security-design-of-aws-nitro-system/security-design-of-aws-nitro-system.pdf

advael 11 months ago

I really want to see this OS, and have cautious optimism that this could be the first time we'll see a big tech company actually provide an auditable security guarantee!

I think depending on how this plays out, Apple might manage to earn some of the trust its users have in it, which would be pretty cool! But even cooler will be if we get full chain-of-custody audits, which I think will have to entail opening up some other bits of their stack.

In particular, the cloud OS being open-source, if they make good on that commitment, will be incredibly valuable. My main concern right now is that if virtualization is employed in their actual deployment, there could be a backdoor that passes keys from secure enclaves in still-proprietary parts of the OSes running on user devices to a hypervisor we didn't audit that can access the containers. Surely people with more security expertise than me will have even better questions.

Maybe Apple will be responsive to feedback from researchers and this could lead to more of this toolchain being auditable. But even if we can't verify that their sanctioned use case is secure, the cloud OS could be a great step forward in secure inference and secure clouds, which people could independently host or build an independent derivative of.

The worst case is still that they just don't actually do it, but it seems reasonably likely they'll follow through on at least that, and then the worst case becomes "Super informative open-source codebase for secure computing at scale just dropped" which is a great thing no matter how the other stuff goes.

yla92 11 months ago

> And finally, we used Swift on Server to build a new Machine Learning stack specifically for hosting our cloud-based foundation model.

Interesting to see Swift on Server here!

https://www.swift.org/documentation/server/

nardi 11 months ago

Many people in this thread are extremely cynical and also ignorant of the actual security guarantees. If you don’t think Apple is doing what they say they’re doing, you can go audit the code and prove it doesn’t work. Apple is open sourcing all of it to prove it’s secure and private. If you don’t believe them, the code is right there.

v4dok 11 months ago

This is Confidential Computing https://en.m.wikipedia.org/wiki/Confidential_computing

with another name. Intel, AMD and Nvidia have been working for years on this. OpenAI released a blog some time ago where they mentioned this as the "next step". Exciting that Apple went ahead and deployed first, it will motivate the rest as well.

ramesh31 11 months ago

Here's the answer to the "what's taking Apple so long to get on the LLM train?" folks. Per usual, they lag a bit and then do it better than anyone else.

piccirello 11 months ago

> The Secure Enclave randomizes the data volume’s encryption keys on every reboot and does not persist these random keys, ensuring that data written to the data volume cannot be retained across reboot. In other words, there is an enforceable guarantee that the data volume is cryptographically erased every time the PCC node’s Secure Enclave Processor reboots.

tzs 11 months ago

> The Secure Enclave randomizes the data volume’s encryption keys on every reboot and does not persist these random keys, ensuring that data written to the data volume cannot be retained across reboot. In other words, there is an enforceable guarantee that the data volume is cryptographically erased every time the PCC node’s Secure Enclave Processor reboots.

I wonder if there is anything that enforces an upper limit on the time between reboots?

Since they are building their own chips it would be interesting to include a watchdog timer that runs off an internal oscillator, cannot be disabled by software, and forces a reboot when it expires.

j0e1 11 months ago

> The Apple Security Bounty will reward research findings in the entire Private Cloud Compute software stack — with especially significant payouts for any issues that undermine our privacy claims.

Let the games begin!

bayareabadboy 11 months ago

What are the longer term implications that Apple is doing this on their own hardware and not Nvidia? This seems like a big thing to me, an idiot.

ethbr1 11 months ago

This entire platform is the first time I've strategically considered realigning the majority of my use to Apple.

Airtag anonymity was pretty cool, technically speaking, but a peripheral use case for me.

To me, PCC is a well-reasoned, surprisingly customer-centric response to the fact that due to (processing, storage, battery) limitations not all useful models can be run on-device.

And they tried to build a privacy architecture *before* widely deploying it, instead of post-hoc bolting it on.

>> *4. Non-targetability. An attacker should not be able to attempt to compromise personal data that belongs to specific, targeted Private Cloud Compute users without attempting a broad compromise of the entire PCC system. This must hold true even for exceptionally sophisticated attackers who can attempt physical attacks on PCC nodes in the supply chain or attempt to obtain malicious access to PCC data centers.*

Oof. That's a pretty damn specific (literally) attacker, and it's impressive that made it into their threat model.

And neat use of onion-style encryption to expose the bare minimum necessary for routing, before the request reaches its target node. Also [0]

>> *For example, the [PCC node OS] doesn’t even include a general-purpose logging mechanism. Instead, only pre-specified, structured, and audited logs and metrics can leave the node, and multiple independent layers of review help prevent user data from accidentally being exposed through these mechanisms.*

My condolences to Apple SREs, between this and the other privacy guarantees.

>> *Our commitment to verifiable transparency includes: (1) Publishing the measurements of all code running on PCC in an append-only and cryptographically tamper-proof transparency log. (2) Making the log and associated binary software images publicly available for inspection and validation by privacy and security experts. (3) Publishing and maintaining an official set of tools for researchers analyzing PCC node software. (4) Rewarding important research findings through the Apple Security Bounty program.*

So binary-only for majority, except the following:

>> *While we’re publishing the binary images of every production PCC build, to further aid research we will periodically also publish a subset of the security-critical PCC source code.*

>> *In a first for any Apple platform, PCC images will include the sepOS firmware and the iBoot bootloader in plaintext, making it easier than ever for researchers to study these critical components.*

[0] Oblivious HTTP, https://www.rfc-editor.org/rfc/rfc9458

krosaen 11 months ago

I wonder if they will ever make this available to developers - I can think of many products that would be nice to have at least part of the cloud infra being hosted in a trusted provider like this, e.g. indoor cameras for health metrics: sounds awesome but I would never trust a startup to handle private data this sensitive.

paul2paul 11 months ago

We don't need "a new frontier". I want to be the only one who holds the private key to my encrypted data. I think it's pretty lame to sell privacy when it's not.

tiffanyh 11 months ago

I wonder who Apple will be colocating with for data centers.

And what the PCC chassis looks like for these compute devices (will it be a display-less iPad)?

jaydeegee 11 months ago

Outside of all the security aspects which look to be handled quite well on the surface I do enjoy that the client mainframe architecture is still a staple of computing.

vlovich123 11 months ago

What I haven’t heard from the announcement is whether the private cloud has external network access. Presumably it wouldn’t, otherwise the guarantees of your request staying in your cloud are meaningless. Conversely, a lot of trivial network stuff can be involved (e.g. downloading the model). Anyone know which balance Apple is choosing to strike initially?

dymk 11 months ago

I would love to be able to run a PCC node locally on my M2 MacBook or similar for my iPhone to offload to, even if it’s only for doing what 15 Pro iPhones can do on-device.

There’s precedent for this sort of thing as well, like Apple TVs or iPads acting as HomeKit hubs and processing security cam footage on-device.

Maybe they’ll open that up in the future.

gigel82 11 months ago

The only way to trust this is them selling "cloud compute" servers that folks can deploy and monitor in their own infrastructure. Nothing else can be guaranteed to not include malicious code to exfiltrate the data.

Or better yet, make the APIs public and pluggable so that one can choose an off-device AI processor themselves if one is needed.

KETpXDDzR 11 months ago

The only way, besides trusting the cloud provider, is encryption. Homomorphic encryption allows you to run calculations on encrypted data without decrypting it. However, besides the performance penalty, it leaks information.

asp_hornet 11 months ago

This thread reads like a whole bunch of sour grapes. Hopefully this challenges other companies to do better.

CGamesPlay 11 months ago

All of this is interesting, but how easy is this to circumvent? When Apple changes their mind for whatever reason, don't they just return a key to a fake PCC node, which would bypass all of their listed protections? Furthermore, what prevents Apple from doing this for specific users?

thomasahle 11 months ago

Did Apple say anything about what training data they used for their generative image models?

renegade-otter 11 months ago

I think the best AI business model is charging you to keep the data away from data collection. It's brilliant.

Or "Professional" version of software that removes all those annoying "AI" features.

cherioo 11 months ago

Can someone ELI5 how remote attestation is supposed to work? It feels like asking a remote endpoint “are you who you say you are”. What’s stopping the remote endpoint from always responding “yes”?

croes 11 months ago

Who pays for the costs of private cloud compute, is it free of charge for the iPhone owner (at least until they turn it into a subscription)?

What about second hand iPhone users?

EternalFury 11 months ago

Let’s not be too picky. This is a good thing.

SirensOfTitan 11 months ago

What I'm most curious about here is if a state actor comes to Apple with a subpoena and compels them to release information on an individual, what would Apple be able to release?

... I suppose this is ultimately a question that will be tested sooner or later in the US.

clipjokingly 11 months ago

Is it possible to have zero knowledge AI?

m3kw9 11 months ago

I wonder how they will do this in China?

solarkraft 11 months ago

I was sceptical of the announcement, but this actually sounds really well thought out.

One key part though will be the remote attestation that the servers are actually running what they say they're running. Without any access to the servers, how do we do that? Am I correctly expecting that that part remains a "trust me bro" situation?

candiddevmike 11 months ago

Did Apple need to license the phrase Core OS like iOS?

rldjbpin 11 months ago

not trusting any of the privacy/security mumbo-jumbo when their icloud free tier still allows for a paltry 5 gigs, when even google offers thrice as much for their public service.

i am happy for those who see the positives here, but for the skeptic a toggle to prevent any online processing would be more satisfactory.

rmbyrro 11 months ago

Most ironic thing is they abbreviate this as "PCC". (reads chinese communist party in many languages)

The absolute worst acronym for anything even remotely related to personal privacy.

system7rocks 11 months ago

I trust Apple

Havoc 11 months ago

Sounds good. Still won’t send anything sensitive there but I appreciate the effort and direction, especially when current industry trend seems to be fuck you, we're rewriting our TOS to take your data.

nerdright 11 months ago

Even if you don't like Apple's monopolistic approaches, you have to admire how they go an extra mile to stay true to their mantra of selling privacy.

This is clearly a company with an identity, unlike Microsoft and Google who are very confused.

throwaway369 11 months ago

[Deleted]

nisten 11 months ago

Complete horseshit marketing speak.

Was the cloud non-private before? Was it not secure in the first place? Do my Siri searches no longer end up as google ads metadata now? Are the feds no longer able to get rubber stamp access to my i C L O U D now?

You are a naive idiot for believing that this is anything but security theater to address the emotional needs of AI anxiety in and outside the company.

Just my opinion.

goupil 11 months ago

It's sad to see so many discussions on security and so little on privacy. How about solutions that could combine both, such as homomorphic encryption for AI?

whatever1 11 months ago

Fyi this is the same company that has been accused of showing people's photos and videos in stranger people's devices by accident.

https://discussions.apple.com/thread/252459254?sortBy=best

jeffbee 11 months ago

A lot of this sounds like Apple has been 10-20 years behind the state of the art and now wants to tell you that they partially caught up. Verifiable hardware roots of trust and end-to-end software supply chain integrity are things that have existed for a while. The interesting part doesn't come until the end where they promise to publish system images for inspection.