Thankfully for Apple that's a very low number in a world where people demand tiktok remain legal when shown how their data is being used by foreign actors. People only care about privacy when it's local (don't want mother to find out, neighbours to talk, friend to think a certain way about you or classmate stalking) and that's why ai fakes are much more concern then a company knowing everything you do.

But this product is great for fortune 500 businesses.

From that perspective I really appreciate this effort by Apple.

For now.

The fact that Apple is comfortable shipping a whitelabel ChatGPT is proof that the whole Private Cloud Compute thing is just for show. They're perfectly happy partnering with the Worldcoin guy to sell you something popular if there's money in it for them. Apple knows people expect them to release some haughty whitepaper, so they cook up PCC and claim you can audit it if they think you're worthy of seeing the insides. Now all the privacy nuts can pipe down while Apple plans a longer-term strategy to make their hardware compete in the datacenter.

There is a world where Apple takes their own privacy commitment to the next level through radical transparency. But that's not what PCC is, it's another puppet for the Punch-and-Judy security theater that sells their iCloud subscriptions.

PCC is designed to handle extensive personal data, and the auditing is attested by cryptographic proofs provided to software clients, not just white papers read by humans. It is significantly different from what we’ve seen before in the industry, and highly worth the effort to understand it if you are at all involved in server engineering.

Isn't local processing on Apple devices rooted in the same secure enclave hardware/firmware, attacked and hardened for 10+ years?

As far as local processing goes, though, you're also still fundamentally trusting Apple that the OS binaries you get from them do what they say they do. Since they have all the signing keys, they could easily push an iOS update that extracts all the local data and pushes it to some server somewhere.

Now, I don't think that either of these scenarios is likely to happen if it's down to Apple by itself - they don't really gain anything from doing so. But they could be compelled by a government large and important enough that they can't just pull out. For example, if US demanded such a thing (like it already did in the past), and the executive made a concerted push to force it.

  you have to trust Apple that the server side is running all that stuff

> When a user’s device sends an inference request to Private Cloud Compute, the request is sent end-to-end encrypted to the specific PCC nodes needed for the request. The PCC nodes share a public key and an attestation — cryptographic proof of key ownership and measurements of the software running on the PCC node — with the user’s device, and the user’s device compares these measurements against a public, append-only ledger of PCC software releases.

> compelled by a government

Sadly, the bar is much lower than "compel". Devices are routinely compromised by zero-day vulnerabilities sold by exploit brokers to multiple parties on the open market, including governments. Especially any device with cellular, wifi or bluetooth radios. Hopefully the Apple C1 modem starts a new trend in radio baseband hardening, including PAC, ASLR and iBoot, https://www.reuters.com/technology/apple-reveals-first-custo...

PCC does actually prevent Apple from switching things in between audits to a high degree. It’s not like a food safety inspection. The auditor signs the hardware in a multi party key ceremony and they employ other countermeasure like chassis tamper switches. PCC clients use a protocol that ensures whatever they are connecting to has a valid signature. This is detailed in Apple’s documentation.[1]

See, this is why I think privacy engineering is low key the most cutting edge aspect of server development. Previously held axioms are made obsolete by architectural advancements. I think we’re looking at a once in 15 year leap - the previous ones being microservices and web based architecture.

[1] https://security.apple.com/documentation/private-cloud-compu...

If you're using Apple hardware, it's the same technology in your local device anyway, right?

    > for those who truly care about privacy

At the end of the day, it ultimately still boils down to trust though, yes? Trust that they are running the data centers the way they say they are, trust that their supply chain is what they say it is, and so on? At the same time, using some open source piece of software also entails a great amount of trust: I’m not going through the source code of Signal myself, and I’m also not checking that an open source locally served model isn’t sending traffic/telemetry etc back to some remote server via whatever software is running the model… rather, I’m placing my trust in the open source community that others have inspected and tested these things. I’m sure all sorts of shady PRs into important open source code bases are made on the reg after all. So that’s not to say that trusting Apple is necessarily more or less wise than trusting open source software from a security standpoint… my point is just that it seems like they are aspiring to a zero trust architecture, but at the end of the day, it does still require trust that they are operating in good faith vis-a-vis what they are representing in the white papers right? To me, it seems like a relatively safe assumption that they are for a variety of reasons, but nonetheless, it is an assumption right?

You’re right, security is a matter of degrees not absolutes, but open source software requires considerably less trust than closed source. Right?

PCC applies this principle by making the binaries it runs public and auditable by you or anyone in the security community. (In some cases the source code as well.) The craziness is in the architecture that provides cryptographic proof to clients that the server they’re connecting to is running an audited binary and running on secure hardware. It even does TLS termination at the shard level so you can have high confidence that if the binary isn’t connecting to anything your data will be unreadable by any other server in the org.

So it goes way beyond trusting what the whitepaper says. Data center hardware deployments are audited by a third party that signs the servers in a key ceremony. That ultimately undergirds the cryptographic attestation that servers provide to clients that everything has been audited. And it’s also the element that tighter supply chain control helps shore up.

If you’re new to security the architecture documentation I linked to is a very friendly read and a good intro to some of these threats, countermeasures and rationales.

> The craziness is in the architecture that provides cryptographic proof to clients that the server they’re connecting to is running an audited binary and running on secure hardware.

I definitely missed this concept when skimming the links before posting my comment - very very cool!

> open source software requires considerably less trust than closed source. Right?

Of course… but at the same time, I think the difference in the degree of trust I am placing in say, Signal’s end to end encryption and Apple’s (claims of) end-to-end encryption is not as large as it might cursorily seem. Would I be more surprised to read in the news that Apple had secretly embedded some back door than I would be reading in the news that malicious actor managed to push some hidden exploit through to Signal in an otherwise innocent PR? I’m genuinely not sure which would surprise me more, or which event would be more probable, so can I really make any claim as to which is more secure, given the current knowledge I have? Obviously I could think more deeply about this, but superficially, both are requiring pretty large amounts of trust from me - which I don’t think is misplaced in either… though I do personally trust something like signal more at the end of the day based on… what, intuition? A gut feeling?

I would go out on a limb and say Apple would love to also prove beyond a reasonable doubt that they too as an organization cannot get away with planting a secret back door — not because they have pure angelic hearts, but because this is good for their privacy-differentiated business model. And PCC certainly makes a huge leap in that direction. But it’s not the problem it’s primarily targeting nor an easy one to solve completely.

As another example, Apple has an implementation of OHTTP onion routing[1] called iCloud Private Relay. It’s really cool and easy to use. The point is to make it so nobody but you can tell what website your IP address is connecting to, not even Apple, the operator of the relay. But bottom line, Apple picks who they collaborate with for the gateways and there’s nothing stopping them from colluding out of band to de-anonymize you if that’s what they wanted to do.

Does this defeat the purpose of iCloud Private Relay? No. Its purpose is to better protect you from common privacy attacks, better than a traditional VPN would. It happens to also narrow the trust you need to place in Apple, namely that they would need to collude with another company to defeat the system as opposed to some rogue lone wolf SRE deciding to access your logs. But it wasn’t put in place to make people who fundamentally distrust Apple as a company start trusting them.

[1] https://datatracker.ietf.org/doc/rfc9458/

Isn't that pretty much the story for most every thing though? It comes down to discernment, which is mostly subjective itself.

Same here. Personally, do I trust Apple? I don't have a leaning one way or another about that. What I trust is that Capitalism is gonna capitalize. And Apple doing what it says here, is its Brand. If down the road it comes out later it was all a lie. That Brand has no more standing. No more standing, no more sales. And Apple is in the Brand/product selling business. I trust they won't throw away their trillions because they would rather sell their Brand on white papers over an actual product that the papers describe.

Moscow rules and George Smiley’s tradecraft are probably the only real security… ha!

as usual, Apple's implementation is exceptional, but far from the first. see https://confidentialcomputing.io/ and its long history

  2019 Linux Foundation Confidential Computing
  2015 Intel SGX (Skylake)
  2014 Apple Secure Enclave (A8, iPhone 6)

Might be worth pointing out that SGX was compromised repeatedly and comprehensively by speculative execution attacks, e.g.

https://www.usenix.org/conference/usenixsecurity18/presentat...

https://news.ycombinator.com/item?id=15340729

am i wrong or does this just change the threat from Chinese to US government tampering

and if third-party auditing can detect hardware tampering then why does it matter where the hardware is manufactured

That is however not most users' concern (in fact, I'd guess less than 0.001% of Apple users are concerned with supply chain attacks on Apple's servers); what we're concerned with is Apple itself misusing our data in some way (for example, to feed into their growing advertising business, or to redirect to authorities). PCC does NOT solve any of this and it's in fact an unsolvable solution as long as their server side code is closed source (or otherwise unavailable for self-hosting as binaries). For me, Apple Intelligence stays off on my devices (and when that is no longer an option, I'm jumping ship - I just wish there was something at least passable to jump to).

It is in fact a solvable problem. The binaries are indeed available for self hosting in a virtualized PCC node for research purposes.[1] Auditors can confirm that the binaries do not transmit data outside of the environment. There are several other aspects of the architecture that are designed to prevent use data from leaking outside of the node’s trust boundary, for example TLS terminates at the node level and nodes use encrypted local storage so user data is unreadable to any other node / part of the organization.

[1] https://security.apple.com/documentation/private-cloud-compu...

Doesn't PCC guarantee even more than that? From my reading, Apple can't exfiltrate any data to other servers (even ones that Apple owns) nor can they inject any processing other than what is outlined into that server. Otherwise, what's the point of such a stringent hardware integrity requirement?

The easy fix is to add more vector cores and RAM to the chips and shrink them to use less power, but it takes time and initially these go to power cord systems (first in the kludge, then maybe MacPro and some kind of AI-hub that sits in your living room and vehicle), then..well you wonder why the small form factor iPhone just was dc'ed?

https://aws.amazon.com/ec2/nitro/nitro-enclaves/

At some point it was novel to put a separate hardware root of trust on a PCI-e card but I think that was a while ago, even for Apple!

But there is a major difference that is germane to the topic of Apple’s investment in US server manufacturing: The hardware root of trust. Hardware tampering is the weak point and afaik AWS doesn’t describe any process to certify their supply chain integrity. I think the most they’ve done is commission a review of their architecture document.[1] PCC actually has an auditor sign each server node in the datacenter.

Thank you for mentioning them though. It’s an important advancement in generally available confidential computing infrastructure.

[1] https://aws.amazon.com/blogs/compute/aws-nitro-system-gets-i...

The tarriffs haven't happened overnight. They've been discussed for going on 2 full years now. Anyone who wasn't blinded by their own political preferences saw this coming.