The generative AI boom has, in many ways, been a privacy bust thus far, as services slurp up web data to train their machine learning models and users’ personal information faces a new era of potential threats and exposures. With the release of Apple’s iOS 18 and macOS Sequoia this month, the company is joining the fray, debuting Apple Intelligence, which it says will ultimately be a foundational service in its ecosystem. But Apple has a reputation to uphold for prioritizing privacy and security, so it took a big swing: the company developed extensive custom infrastructure and transparency features, known as Private Cloud Compute (PCC), for the cloud services Apple Intelligence uses when a query can’t be fulfilled locally on a user’s device.
The beauty of on-device data processing, or “local” processing, is that it limits the paths an attacker can take to steal a user’s data. The data never leaves the computer or phone, so that’s what the attacker has to target. It doesn’t mean an attack will never be successful, but the battleground is defined and constrained. Giving data to a company to process in the cloud isn’t inherently a security issue—an unfathomable amount of data moves through global cloud infrastructure safely every day. But it expands that battlefield immensely and also creates more opportunities for mistakes that inadvertently expose data. The latter has particularly been an issue with generative AI given the unintended ways that a system tasked with generating content may access and share information.
With Private Cloud Compute, Apple has developed an array of innovative cloud security technologies. But the service is also significant for pushing the limits of what is an acceptable business proposition for a cloud service, seemingly prioritizing secure architecture over what would be most technically efficient or economical.
“We set out from the beginning with a goal of how can we extend the kinds of privacy guarantees that we’ve established with processing on-device with iPhone to the cloud—that was the mission statement,” Craig Federighi, senior vice president of software engineering at Apple, tells WIRED. “It took breakthroughs on every level to pull this together, but what we’ve done is achieve our goal. I think this sets a new standard for processing in the cloud in the industry.”
To address the challenges and vulnerabilities of cloud computing, Apple has centered PCC on the principle that “security and privacy guarantees are the strongest when they are completely technically enforceable” rather than merely policy-based, according to its engineers.
Think of it as the difference between promising you won’t eat cupcakes and moving to a town with no bakeries, removing your kitchen, and cutting off every possible way to buy one, so that eating (or even accidentally hoarding) a cupcake becomes impossible.
Apple has built specialized servers, powered by Apple silicon, exclusively for Private Cloud Compute, and has written a custom server operating system that is a pared-down blend of iOS and macOS. The architecture draws on hardware and software security technologies Apple has been developing for Macs and iPhones over the past two decades.
These PCC servers are intentionally minimalist: they lack “persistent storage,” for example, so they cannot retain processed data once they shut down. They incorporate Apple’s dedicated hardware encryption-key manager, the Secure Enclave, and randomize each file system’s encryption key at every boot. When a PCC server restarts, no data is retained and, as an added precaution, the entire system volume becomes cryptographically unrecoverable. The server can only start over with a fresh encryption key.
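The underlying mechanism is often called cryptographic erasure: if the only key that can decrypt a volume is generated at random on each boot and never written anywhere, a reboot destroys the data as surely as wiping the disk. Here is a minimal Swift sketch of the idea, with a toy in-memory key standing in for one held by the Secure Enclave:

```swift
import CryptoKit
import Foundation

// A toy "volume" whose encryption key exists only for the lifetime of
// the process. Anything sealed under the key becomes permanently
// unreadable once the process (or server) restarts, because the key is
// regenerated at random and the old one is never stored anywhere.
struct EphemeralVolume {
    // Randomized at startup. In PCC this role belongs to the Secure
    // Enclave, which never exposes the key even to the OS.
    private let bootKey = SymmetricKey(size: .bits256)

    func seal(_ plaintext: Data) throws -> Data {
        try AES.GCM.seal(plaintext, using: bootKey).combined!
    }

    func open(_ sealed: Data) throws -> Data {
        try AES.GCM.open(AES.GCM.SealedBox(combined: sealed), using: bootKey)
    }
}

let volume = EphemeralVolume()
let ciphertext = try volume.seal(Data("user request".utf8))
// After a reboot, a new EphemeralVolume holds a different random key,
// so this ciphertext can never be decrypted again: a cryptographic erase.
```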
PCC servers also use Apple’s Secure Boot to verify operating-system integrity, along with a code-verification mechanism introduced in iOS 17 known as Trusted Execution Monitor. PCC employs it in a significantly stricter mode than usual: once a server boots and completes its startup sequence, it locks down and will not load any new code. All the software a server needs is rigorously checked and validated, then sealed off, before the server ever handles user requests and data.
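A rough sketch of that load-verify-seal policy follows. It is purely illustrative, since the real enforcement lives in hardware and the kernel, and the signature check here is a stand-in:

```swift
import Foundation

// Illustrative "load, verify, then seal" policy. The signatureValid
// flag stands in for a real code-signature verification.
final class BootTimeCodeLoader {
    enum LoaderError: Error { case sealedAfterBoot, badSignature }

    private var sealed = false
    private var loadedModules: [String] = []

    // Only callable during the boot sequence, and only for signed code.
    func load(module: String, signatureValid: Bool) throws {
        guard !sealed else { throw LoaderError.sealedAfterBoot }
        guard signatureValid else { throw LoaderError.badSignature }
        loadedModules.append(module)
    }

    // Called once boot completes; irreversible until the next reboot,
    // after which the whole verification process starts over.
    func sealUntilReboot() { sealed = true }
}

let loader = BootTimeCodeLoader()
try loader.load(module: "inference-engine", signatureValid: true)
loader.sealUntilReboot()
// Any further load() now fails, no matter how it is requested.
```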
Apple has also notably reworked its usual server-management tools for PCC. Typical cloud platforms include policies and controls to deter unauthorized access, as well as emergency-access provisions so trusted system administrators can step in quickly to address problems. But in keeping with Apple’s preference for technically enforceable rather than policy-based guarantees, PCC eliminates privileged access and severely restricts remote management capabilities.
In one of its most significant security moves, Apple already offers end-to-end encryption for iCloud backups, meaning it stores customer data on its cloud infrastructure without the ability to decrypt it. But encryption that strong is unworkable for generative AI systems, which must be able to read input data to produce outputs. If you ask Apple Intelligence to summarize your recent texts and emails, for instance, the system has to access those messages, which is exactly what end-to-end encryption would prevent.
Despite those constraints, Apple is committed to doing as much Apple Intelligence processing on-device as possible. The new iPhone 16, with its A18 chip, can handle more AI operations locally than an iPhone 15 with an A16 chip, for instance. Still, plenty of AI processing will continue to happen in Apple’s cloud, which is what motivated the development of PCC in the first place. In iOS 18.1, users can go to Settings > Privacy & Security > Apple Intelligence Report to see a log of which requests were processed on-device and which were handled in the cloud.
“What was really unique about the problem of doing large language model inference in the cloud was that the data had to at some level be readable by the server so it could perform the inference. And yet, we needed to make sure that that processing was hermetically sealed inside of a privacy bubble with your phone,” Federighi says. “So we had to do something new there. The technique of end-to-end encryption—where the server knows nothing—wasn’t possible here, so we had to come up with another solution to achieve a similar level of security.”
Still, Apple says that it offers “end-to-end encryption from the user’s device to the validated PCC nodes, ensuring the request cannot be accessed in transit by anything outside those highly protected PCC nodes.” The system is architected so Apple Intelligence data is cryptographically unavailable to standard data center services like load balancers and logging devices. Inside a PCC cluster, data is decrypted and processed, but Apple emphasizes that once a response is encrypted and sent on its journey to the user, no data is retained or logged and none of it is ever accessible to Apple or its individual employees.
Apple says the overarching vision for PCC is that an attacker should have to compromise the entire system, a difficult thing to do at all, much less without being detected, in order to target a specific user’s personal data. Even if an attacker could physically compromise an individual live PCC node, the system is designed with an anonymous relay feature so the queries and data on any one node can’t be connected to individual users.
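Apple hasn’t published the wire protocol, but the combination described above, encrypting a query directly to a verified node and routing it through a relay that can’t read it, resembles the Oblivious HTTP pattern. A minimal sketch using CryptoKit’s HPKE APIs, with all names and the context string illustrative:

```swift
import CryptoKit
import Foundation

// Sketch of the oblivious-relay pattern: the client seals its query to
// the PCC node's public key, so the relay forwarding the message learns
// who sent it but not what it says, while the node learns what it says
// but not who sent it. Purely illustrative; not Apple's actual protocol.
let suite = HPKE.Ciphersuite.P256_SHA256_AES_GCM_256
let info = Data("pcc-request-v1".utf8)   // hypothetical context string

// Key pair belonging to an attested PCC node.
let nodeKey = P256.KeyAgreement.PrivateKey()

// Client side: seal the query to the node's public key.
var sender = try HPKE.Sender(recipientKey: nodeKey.publicKey,
                             ciphersuite: suite,
                             info: info)
let ciphertext = try sender.seal(Data("summarize my unread email".utf8))

// The relay forwards (sender.encapsulatedKey, ciphertext) verbatim; it
// holds no key material and sees only opaque bytes.

// Node side: decapsulate and decrypt.
var recipient = try HPKE.Recipient(privateKey: nodeKey,
                                   ciphersuite: suite,
                                   info: info,
                                   encapsulatedKey: sender.encapsulatedKey)
let query = try recipient.open(ciphertext)
```

In a design like the one Apple describes, the node’s public key would only be trusted once attestation checks out, which is where the transparency log discussed below comes in.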
It all sounds pretty groovy, but the notoriously secretive company seems to be aware that professing to do all of these things and claiming to offer technical guarantees is ultimately only compelling with proof and transparency. So PCC includes an external auditing mechanism that serves a crucial dual purpose.
Apple has committed to making every production PCC server build publicly available for inspection, so people unaffiliated with the company can verify both that PCC does what Apple claims and that it is implemented correctly. Every PCC server build is recorded in a cryptographic attestation log, essentially a secure record of signed claims, and each log entry includes a URL for downloading that build. PCC is designed so a server can’t be put into production unless it has been logged, which both promotes transparency and serves as an important safeguard against quietly standing up rogue PCC nodes and redirecting traffic to them. If a server build hasn’t been logged, iPhones won’t send it any Apple Intelligence queries or data.
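Conceptually, the device-side check is a simple gate: before releasing any data, the phone verifies that the software measurement a node attests to appears in the public log. A simplified sketch, assuming a toy log of build digests rather than Apple’s actual attestation format:

```swift
import CryptoKit
import Foundation

// Toy transparency log: a set of SHA-256 digests of published PCC
// server builds. The real log holds signed attestations with richer
// metadata; this only illustrates the device-side gate.
struct TransparencyLog {
    let publishedBuildDigests: Set<String>

    func contains(buildImage: Data) -> Bool {
        let digest = SHA256.hash(data: buildImage)
            .map { String(format: "%02x", $0) }
            .joined()
        return publishedBuildDigests.contains(digest)
    }
}

// The device refuses to send a query to any node whose attested build
// is absent from the log, no matter what the node claims about itself.
func shouldSendQuery(toNodeRunning buildImage: Data,
                     accordingTo log: TransparencyLog) -> Bool {
    log.contains(buildImage: buildImage)
}
```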
PCC is part of Apple’s bug bounty program, meaning that vulnerabilities or configuration errors researchers discover can qualify for financial rewards. Apple says that although the iOS 18.1 beta has been available since late July, no PCC flaws have been identified so far, though only a small group of researchers has had access to the tools needed to evaluate PCC.
Several security experts and cryptographers have told WIRED that the Private Cloud Compute initiative looks promising, although they have not yet thoroughly assessed it.
Federighi highlighted the innovative aspects of the approach, remarking, “Building Apple silicon servers in the data center when we’d never built them before, and crafting a custom OS for this purpose, was monumental. Moreover, establishing a trust model wherein your device will reject any request to a server that doesn’t have its software’s signature recorded in a transparency log is not only unique but crucial.”
As for Apple’s partnership with OpenAI and the incorporation of ChatGPT, the company says such integrations are managed entirely separately from PCC and are off by default; users must turn them on manually. If Apple Intelligence decides a request would be better handled by ChatGPT or a similar platform, it asks for the user’s consent each time before proceeding. Users can take advantage of these features without a separate account, or by logging in to the partner service, such as ChatGPT. In June, Apple announced plans to integrate with Google’s Gemini as well.
Apple also recently announced that Apple Intelligence, initially available in US English, will expand in December to localized English in Australia, Canada, New Zealand, South Africa, and the United Kingdom. Support for other languages, including Chinese, French, Japanese, and Spanish, is slated for next year. How Apple Intelligence will comply with the European Union’s AI Act, and whether it will be available in China under local regulations, remains unclear.
Federighi expressed Apple’s ambition to extend its features globally while meeting regulatory requirements. “Our aim is to leverage everything at our disposal to enhance our capabilities for users worldwide, though we need to navigate regulatory uncertainties in certain regions to make these tools available as early as possible. We are putting effort into it,” he stated.
He further mentioned that enhancing on-device processing of Apple Intelligence might serve as an alternative strategy in some markets.
Those who gain access to Apple Intelligence will find significantly expanded capabilities compared with previous iOS versions, including advanced writing tools and photo-analysis features. Federighi shared that his family used a new Apple Intelligence-generated Genmoji to celebrate their dog’s recent birthday; it was, WIRED can report, very adorable. And while Apple’s AI aims to be both highly capable and seamlessly integrated, the security of the infrastructure behind it remains critically important. Federighi summed up the deployment of Private Cloud Compute in two words: “delightfully uneventful.”