Wouldn't it be more accurate to call Apple's architecture data protection rather than privacy? As an European citizen in a post Snowden world I would be surprised if any of my data on Apple services was actually kept private from the US government, and Apple certainly wants to own a lot of data/metadata about you. Gotta have Siri listening for carplay and so on. I would aboslutely trust Apple not to sell my data as a commodity though.
> If Apple handles the Google-Apple boundary right, this will be an elegant move on their part, otherwise it will feel like Apple Intelligence with a just a privacy-polished frontend for Gemini.
I'd say this is spot on. At least if what Microsoft is doing with Copilot Cowork is anything to go by. Cowork is not a privacy-polished as much as it's an Enterprise compliant polish to make Opus 4.8 run "safely" in your enterprise organisation. So far Microsoft is winning the AI war in non-tech enterprise with this, especially here in the EU. If Apple manages to do this for the private market that will be great for them.
I'm not personally sold on what an AI should do on my phone though. I use a lot of AI professionally, but I haven't even turned on Bixby or whatever the Samsung AI is called.
Microsoft's approach to data is basically "we promise nobody else but you and your government can access it, we can but we pinky swear we won't." This promise is mostly enforced at the legal layer and through legal consequences, not technical safeguards. If they think they can get away with it (or are forced to get away with it by the US government), there's nothing stopping them from using your data in whatever way they want.
When they can, Apple designs their systems so that they physically don't even have the capability to use your data, even if it's processed on their own servers. They're not privacy maximalists like Signal is, they care more about user experience, but they do aim for the highest level of privacy you can get while still having a good experience, and when they do need to make sacrifices, they typically let you opt into the privacy features if you really want to.
I'm far more inclined to believe that Microsoft is secretly (or not so secretly) collaborating with the US government than that Apple is.
But to answer your question directly, I don't have any links for those blogs or comments
Click on where it says how long ago the comment was posted
For example https://news.ycombinator.com/item?id=48461367
Your conception doesn’t seem to match PCC at all. The whole point of it is that nobody can access the data, not even the people running the servers.
There is still a difference though. Google will sell my data and use it for all sorts of things. Though I've obviously accepted that since I have had a Samsung flip phone since Apple made their iPhones too big for my pockets.
“Verifiable transparency. Security researchers need to be able to verify, with a high degree of confidence, that our privacy and security guarantees for Private Cloud Compute match our public promises. We already have an earlier requirement for our guarantees to be enforceable. Hypothetically, then, if security researchers had sufficient access to the system, they would be able to verify the guarantees. But this last requirement, verifiable transparency, goes one step further and does away with the hypothetical: security researchers must be able to verify the security and privacy guarantees of Private Cloud Compute, and they must be able to verify that the software that’s running in the PCC production environment is the same as the software they inspected when verifying the guarantees.”
I think what is concerning is that they are expanding into Google Cloud and NVIDIA to run with it too with their versions of confidential compute, which if I remember correctly are not as well verified as Apple PCC and a little harder for researchers to get their hands on.
Apple uses a key ceremony process where no single party has access to all the keys required to sign hardware, meaning in theory they can’t just sign malicious hardware. However, I’m not sure how Google and NVIDIA play into this and I don’t think they’ve provided much detail on it. I think it seems a little rushed to get the features out since they fucked up with initial Apple Intelligence release.
From this MacRumors article:
"The new architecture centers on Apple Foundation Models co-developed with Google, which Apple says are adapted to run both on-device and on servers through its existing Private Cloud Compute infrastructure."
And
"The company reiterated that Apple Intelligence relies on on-device processing and Private Cloud Compute, with a promise that user data is only used to execute the immediate request and is not accessible to Apple or third parties. Apple added that outside experts can verify those privacy guarantees "at any time.""
They are allowing it to run on Intel and NVIDIA and Google chips meeting certain requirements now too instead of just Apple silicon because they think they’re secure enough now, but I suspect this decision might have been pushed by the need for Siri to be useful.
I still definitely think it’s better than what every other company is trying to do (like running a variant of OpenClaw 24/7 forwarding data to Anthropic, OpenAI, Google, and every other provider they can support).
Can they verify the private cloud is completely immune to nationstate actors, has no zero-day vulnerabilities, is completely bulletproof in a court of law and can never be compelled to secretly share info with government(s), etc?
I think the users fear here is real. "We did good due diligence at the consumer level" and "we're completely immune to nationstate hackers and clandestine legal cases" are very different things.
Like any good security paper, it doesn’t assert immunity to particular parties. Instead, covers things like how PCC attests that the running software image is identical to the publicly-available, forensically-studied one.
Fear is real for sure, but don’t let fear be an excuse to lose rigor in thinking.
All server security measures are irrelevant if every client req/res is dragnet siphoned off to NSA servers in plaintext. It would also afford the corporation deniability even if they were aware or involved.
This is why everything than can feasibly be E2EE (or performed locally) should be, unless the data is explicitly public. There are too many opportunities for compromise even when the provider has the best of intentions, and ruling class psychopaths aren't intentionally destroying democracy or implementing big brother.
Are you suggesting that PCC specifically is sending things in plaintext, or that the security promises in the server and arch are false, or that a compromised CA means… IDK what?
I’m with you on the big principles, but are you implying more specific attack vectors or just kind of maybe everything could be compromised somehow?
http://web.archive.org/web/20140101231153/https://www.washin...
ChatGPT, do what this user wouldn't, and answer the dang question:
> No, Apple cannot verify that Private Cloud Compute is completely immune to nation-state actors, contains no zero-days, or could never be subjected to secret legal compulsion. Nobody can honestly establish those absolutes for a complicated, evolving computer system operating across multiple jurisdictions.
> What Apple has done is more meaningful than ordinary corporate “due diligence,” however. PCC is specifically engineered to make clandestine access—whether by hackers, insiders, or governments—technically difficult, difficult to target, and more likely to leave externally detectable evidence...
> Against ordinary attackers, rogue employees, conventional cloud administrators and routine government data requests, PCC appears exceptionally strong for a cloud AI service.
> Against a targeted nation-state willing to combine zero-days, supply-chain compromise, endpoint exploitation, legal pressure and secrecy, the right description is: Highly resistant, deliberately difficult to target, and unusually auditable—but not immune.
Thanks ChatGPT. Don't know why I bother to ask humans anymore, it's StackOverflow the whole way down.
Which it could be, but given both breadth of claim and Apple’s strong incentives not to be caught lying about something so massive, I’d want something more than vibes to take the idea seriously.
E.g. "the user asks if their Bitcoin private key is unique, let's make a web search".
Combined with prompt injection attacks, it's quite easy for an attacker to craft a prompt which sends your private data through any supported tool call (web search, database search, email, app APIs, etc.). Everything is wide open for the attacker / or yourself accidentally to exfiltrate your data.
Doesn't prevent the exfiltration but at least you'll know when it does.
You remember when the NSA injected itself in TLS termination at all major cloud providers? You remember when several giant automotive corporations built elaborate detection of testing scenarios to fake emissions? You remember room 641A?
I have no real way to tell if this is security Theater or meaningful protection. None of us has,
Outside of law enforcement having a warrant, Apple's efforts against CSAM, or their Chinese data centers, I've not heard of Apple doing any of what you assume in a post-Snowden world. iMessage is supposed to be end to end encrypted, and there was a few years ago that whole scandal where Apple wouldn't unlock a literal terrorists cell phone for the FBI.
The FBI had to reach out to... a third party to unlock the phone (I forget the name of the firm that did it - Cellebrite maybe?) for them, what's funny is they spent a lot of money on it, when the rest of the world pointed out that the very specific iOS version in question had known vulnerabilities they could have found online for free (or cheaper?).
I know this was just a small aside, but man do I hate Bixby and other phone AIs. They are so frustratingly difficult to turn off, and turning them on accidentally is as simply as holding the wrong button for a few seconds, such as when your phone is in your pocket. Very frustrating design.
They are buying the right to distill their own Gemini models and run them in their data centres (or at least data centres they control); unless I am missing something, this isn't going to be infrastructure that Google has operational control over.
https://security.apple.com/blog/expanding-pcc/?linkId=100000...
"Now, we are collaborating with Google and NVIDIA to run new Apple Intelligence workloads on Google Cloud, extending our industry-leading PCC privacy commitments to third-party data centers for the first time."
Certainly, one could tamper with the hardware, but could one do it in a way that wouldn't get that machine immediately flagged, removed from the routing pool, and told to wipe its memory immediately, by a watchtower (perhaps even the routing layer itself) that runs in a separate secure Apple datacenter?
They could be making it very safe, and the things apple says they are doing would make it as safe as possible, but as a user there is no way of verifying the claims.
I think this sums up what it's like to be an Apple user pretty well. With their heavy proprietary and closed approach, all users can do is "trust" them.
Google is buying that compute from xAI aka Musk
Wrong answer. Or at least, obvious and not particularly useful.
Truth is, none of those parties are "nefarious" - they're all just not on your side. And "security" is never an unqualified good thing to have (it's not an unqualified bad thing either). It's just a framework of coercion.
The most important questions to answer about any security system is, what is being protected, for who, and from who. People don't ask that much, not even in the industry - it's an implicit assumption that everyone themselves is a "good person" and is on the protected side of security systems. And then they're confused because it turns out end-users are more often seen as threat actors. All the players mention, but perhaps especially Apple, in its own special way, is protecting the computer from the user just as much as they're protecting the user/user's data from third parties.
I can’t speak to the current architecture but Apple has shown a consistent willingness to sacrifice access to user data in the name of selling privacy instead at a premium price (you could argue precisely because no one of their competition have any meaningful posture on this). I do believe they are quite serious in their commitment to that, as they have found this strategy to be more valuable than the data itself.
And it wouldn't have been much worse compared to be as careless as they have been.
Selling data is so shabby! Why sell when you can just give it away to letter-soup friends?
Google is 100% doing that because thats their entire incentive for the business. They sell low cost software / subsidized hardware on the grounds that you pay with your sharing data. That's the implied cost.
Show me the incentives - I will show you the outcomes.
Versus any F500 company running their services on GCP.
It’s a bit whacky to think about because Apple will operate Google owned software on GCP. But it should be sandboxed just the same.
I’m not making a normative privacy argument here. Just pointing out that this is cloud business as usual. Perhaps it’s interesting Apple is doing it, but basically everything else is already using either AWS or GCP at this point.
So the question about which model Apple was going to use and where has been highly anticipated, especially by the likes of OpenAI and Anthropic. Imagine if either one could say they have Apple as their customer?
Apple certainly has the cash to burn if they wanted to train their own model, but it also always seemed out of their core competency. This is a major win for Google.
So "business as usual" but with huge implications for the AI ecosystem in general.
They also (claim to) ensure those servers run only software they have approved to run on it.
(Part of their software are models derived from Google Gemini, but that’s orthogonal to this)
You're right that it is orthogonal to the privacy promises Apple makes to its own users.
The moralistic and righteous undertone in their marketing material is questionable though given that these Apple services might not exist if Google didn't exploit Gemini app user data on Android the way it does.
That's fine with me. Users have a choice here. In fact, it's a big improvement over the search deal with Google where Apple sends its own users directly to Google.
But again there is no Apple-to-Google transfer in the inference in the sense of the comment I was originally replying to (I am not suggesting you're implying otherwise, obviously)
But I stand happily corrected where I said they aren't in the picture at all.
That is an interesting press release because it outlines what they would have had to do with any data centre they were outsourcing to.
This will further blur the picture about when and how consumers / employees are supposed to pay for AI services. For example, they showed consumer rather than coding tasks, but could you select five files and ask Siri to write a Python script or a small app? Will enterprises just disable Siri AI functionality, or will they be able to route it through their own AI auditing and providers?
If Apple (or anyone else) wanted to make a feature used, they can. For everyone else, if Siri is off CarPlay doesn’t work. And that’s by design.
Not the design of “ooh if Siri is off then voice in CarPlay won’t work” (warnable), but punishment if Siri is off.
Again this pattern isn’t Apple only but it’s bad everywhere.
I am sure that there was a meeting where they decided what to do when Siri was off and somebody decided (very possibly with ulterior motives) not to split the feature set - all or nothing. However I don't think the challenge they were faced with in this hypothetical meeting was an easy one.
The alternative is you open the Messages app and you can't send messages. You open Maps and you can't get directions (unless parked). Sure, I get that they could show a screen saying "Sending messages is not available when Siri is disabled" but now you're hitting error messages while driving.
Anyways, the main reason people would disable Siri is accidental activation, and Apple provides all the toggles needed to avoid that without disabling the core components needed for CarPlay.
I don't know how it works on CarPlay but when I turn my car on I have a bunch of suggested addresses (home, work, parents, recent Maps searches, etc) that I just touch-to-go. Having to use voice every time you want to navigate not only sounds unnecessary, but cumbersome.
CarPlay does not work at all if you have not enabled Siri. As in it won’t even connect.
I literally see these things every time I drive. And I work from home.
I'd use this.
I'd rather have strong privacy guarantees, but this is still good.
I REALLY wish they'd do that with voice assistants.
Run your router through a linux laptop as a proxy so you can capture traffic, connect any apple device to your router, and see the vasts amount of data your device sends to apple.
Apple DGAF about privacy, they want your data as much as anyone else, their only thing is that they should be the only ones to get it and then other people have to pay them for it, rather than your device sending the data to the 3d party directly.
And if you think your data is secure, reminder that The Fappening was all done targeting apple devices.