[jesseendahl]

This part of their requirements for how PCC is architected directly addresses your concern:

“Verifiable transparency. Security researchers need to be able to verify, with a high degree of confidence, that our privacy and security guarantees for Private Cloud Compute match our public promises. We already have an earlier requirement for our guarantees to be enforceable. Hypothetically, then, if security researchers had sufficient access to the system, they would be able to verify the guarantees. But this last requirement, verifiable transparency, goes one step further and does away with the hypothetical: security researchers must be able to verify the security and privacy guarantees of Private Cloud Compute, and they must be able to verify that the software that’s running in the PCC production environment is the same as the software they inspected when verifying the guarantees.”

[brianmcnulty]

They do this by allowing you to download all of the components (minus data cryptexes containing the model weights) and run it on your own Apple silicon chip (you can put your computer in recovery mode and use csrutil to enable research guest operating systems)

I think what is concerning is that they are expanding into Google Cloud and NVIDIA to run with it too with their versions of confidential compute, which if I remember correctly are not as well verified as Apple PCC and a little harder for researchers to get their hands on.

Apple uses a key ceremony process where no single party has access to all the keys required to sign hardware, meaning in theory they can’t just sign malicious hardware. However, I’m not sure how Google and NVIDIA play into this and I don’t think they’ve provided much detail on it. I think it seems a little rushed to get the features out since they fucked up with initial Apple Intelligence release.

[tguedes]

From my understanding of the architecture, Apple and Google have basically developed a fork of Gemini that is built to run on Apple's PCC. There is no data being sent to any Google servers.

From this MacRumors article:

"The new architecture centers on Apple Foundation Models co-developed with Google, which Apple says are adapted to run both on-device and on servers through its existing Private Cloud Compute infrastructure."

And

"The company reiterated that Apple Intelligence relies on on-device processing and Private Cloud Compute, with a promise that user data is only used to execute the immediate request and is not accessible to Apple or third parties. Apple added that outside experts can verify those privacy guarantees "at any time.""

[brianmcnulty]

That seems to conflict with the recent security blog that says they are using Google Cloud infra and NVIDIA GPUs with PCC now [0].

They are allowing it to run on Intel and NVIDIA and Google chips meeting certain requirements now too instead of just Apple silicon because they think they’re secure enough now, but I suspect this decision might have been pushed by the need for Siri to be useful.

I still definitely think it’s better than what every other company is trying to do (like running a variant of OpenClaw 24/7 forwarding data to Anthropic, OpenAI, Google, and every other provider they can support).

[0] https://security.apple.com/blog/expanding-pcc/

[tguedes]

Ah thank you for that, the MacRumors article was misleading to not even have mentioned this.

[the_mar]

pardon my ignorance, but why does compute hardware pose any security concerns?

[tguedes]

It's not the compute hardware itself. PCC used to be data centers owned and operated by Apple, running on chips designed by Apple.

With this announcement, Apple is expanding the definition of PCC to Google Cloud data centers. Theoretically, this is Google Cloud, not Google servers, so there should be a separation of access there.

From the Apple security blog:

> Originally built exclusively on Apple silicon with our world-class software security technologies, PCC set a new bar for AI privacy in the cloud, and continues to power the most demanding Apple Intelligence features. Since then, the wider industry has been working to provide a set of confidential inference primitives that could theoretically be combined to reach the security level of PCC. However, until today, those primitives have never been integrated into a comprehensive, end-to-end confidential inference pipeline capable of operating at global scale. That’s what we’ve done with PCC on Google Cloud, which incorporates PCC’s exceptional security and privacy properties at every stage, including the industry’s most comprehensive transparency guarantees that allow external security researchers to verify our privacy commitments.

[criley2]

What does verify mean?

Can they verify the private cloud is completely immune to nationstate actors, has no zero-day vulnerabilities, is completely bulletproof in a court of law and can never be compelled to secretly share info with government(s), etc?

I think the users fear here is real. "We did good due diligence at the consumer level" and "we're completely immune to nationstate hackers and clandestine legal cases" are very different things.

[brookst]

You should read the paper.

Like any good security paper, it doesn’t assert immunity to particular parties. Instead, covers things like how PCC attests that the running software image is identical to the publicly-available, forensically-studied one.

Fear is real for sure, but don’t let fear be an excuse to lose rigor in thinking.

[TalkingCodeMonk]

What if the CA certs are compromised, as was alluded to for GCP in the Snowden leaks?

All server security measures are irrelevant if every client req/res is dragnet siphoned off to NSA servers in plaintext. It would also afford the corporation deniability even if they were aware or involved.

This is why everything than can feasibly be E2EE (or performed locally) should be, unless the data is explicitly public. There are too many opportunities for compromise even when the provider has the best of intentions, and ruling class psychopaths aren't intentionally destroying democracy or implementing big brother.

[brookst]

I’m having a hard time parsing that.

Are you suggesting that PCC specifically is sending things in plaintext, or that the security promises in the server and arch are false, or that a compromised CA means… IDK what?

I’m with you on the big principles, but are you implying more specific attack vectors or just kind of maybe everything could be compromised somehow?

[TalkingCodeMonk]

> In an NSA presentation slide on “Google Cloud Exploitation,” however, a sketch shows where the “Public Internet” meets the internal “Google Cloud” where their data reside. In hand-printed letters, the drawing notes that encryption is “added and removed here!”

http://web.archive.org/web/20140101231153/https://www.washin...

https://blog.cryptographyengineering.com/2013/09/06/on-nsa/

[brookst]

So still just innuendo, nothing specific to how PCC works?

[criley2]

This is a non-answer, and in fact, a statement like "don't let fear be an excuse to lose rigor in thinking" in response to my question "how verifiable are their claims" is insulting and sloppy. Rigor in thinking includes human discussion and humans asking questions, but yet you shot that down.

ChatGPT, do what this user wouldn't, and answer the dang question:

> No, Apple cannot verify that Private Cloud Compute is completely immune to nation-state actors, contains no zero-days, or could never be subjected to secret legal compulsion. Nobody can honestly establish those absolutes for a complicated, evolving computer system operating across multiple jurisdictions.

> What Apple has done is more meaningful than ordinary corporate “due diligence,” however. PCC is specifically engineered to make clandestine access—whether by hackers, insiders, or governments—technically difficult, difficult to target, and more likely to leave externally detectable evidence...

> Against ordinary attackers, rogue employees, conventional cloud administrators and routine government data requests, PCC appears exceptionally strong for a cloud AI service.

> Against a targeted nation-state willing to combine zero-days, supply-chain compromise, endpoint exploitation, legal pressure and secrecy, the right description is: Highly resistant, deliberately difficult to target, and unusually auditable—but not immune.

Thanks ChatGPT. Don't know why I bother to ask humans anymore, it's StackOverflow the whole way down.

[chipotle_coyote]

"I did not like your answer, therefore I will use the 100% reliable, bullet-proof method of having an algorithm generate the statistically most likely words that form a plausible answer to my question."

[saagarjha]

How are security researchers going to have access to the Nvidia GPUs that will be running this?