Apple Private Cloud Compute: What It Means for Your Privacy

At the annual developer conference (WWDC), the iPhone maker announced Apple Intelligence, an AI system that brings impressive AI features and experiences. Most of the AI features are processed locally, on the device. However, to handle complex requests, Apple Intelligence offloads them to Apple’s cloud, known as Private Cloud Compute.

Apple has built its own Private Cloud Compute (PCC), a cloud server for secure AI processing. It hosts Apple’s large server models whereas locally, Apple devices run a 3B parameter model. Apple’s server models are said to rival OpenAI’s GPT-3.5-Turbo and Mixtral-8x22B models.

It’s clear that Apple is trying to assure users that none of the user’s personal data is sent to third-party cloud servers. Many companies rely on cloud services like Microsoft Azure and Google Cloud to process AI requests. With in-house Apple servers, and the company’s longstanding history in protecting user privacy, users are likely to trust Private Cloud Compute with their personal data.

What is Apple’s Private Cloud Compute?

In simple terms, Apple’s Private Cloud Compute (PCC) is a cloud server, built entirely from scratch by Apple to process AI requests securely and privately. From hardware to software, Apple has built the entire PCC stack on its own. With PCC, Apple aims to bring user data privacy similar to on-device processing.

To build Private Cloud Compute, the company has used its custom Apple silicon, leveraging the CPU, GPU, and Neural Engine to quickly process AI requests. Besides that, Apple says that your personal data is not stored on the cloud server, and it’s only processed temporarily. Not even Apple or its administrative staff can access your data.

And all of this is verifiable by security researchers to maintain transparency and assess the privacy guarantees of Private Cloud Compute. Apple will publish PCC software images publicly for security experts to validate and verify software running the PCC system.

Apple on its blog says:

Every production Private Cloud Compute software image will be published for independent binary inspection — including the OS, applications, and all relevant executables, which researchers can verify against the measurements in the transparency log.

How Apple Designed Private Cloud Compute?

First of all, Apple says that Private Cloud Compute offers stateless computation, meaning no personal data is retained, even during active processing. And it’s not accessible to Apple or its staff. Apple goes a step further and says none of the personal user data are stored for logging or debugging purposes.

When a user makes a request, it’s encrypted and cryptographically certified for end-to-end encryption. After the request is fulfilled, the data is deleted from the PCC system. Apple concludes by saying, “we want a strong form of stateless data processing where personal data leaves no trace in the PCC system.”

Further, Apple has designed security and privacy guarantees that are technically enforceable. PCC doesn’t depend on external components for core security and privacy promises. Next, there is no privileged runtime access which means Apple staff working at the site can’t bypass the built-in PCC protection. Even during an outage, Apple’s staff can’t load additional software on the PCC system.

Private Cloud Compute also brings non-targetability, which is designed to prevent attempts to specifically target a single user. Finally, Apple is promising verifiable transparency so that security researchers can inspect and verify the PCC system. All software images running on the PCC system are attested so that only authorized and verified code runs on the system.

On the hardware front, PCC nodes support hardware security features like Secure Enclave and Secure Boot.

Overall, it appears Apple’s privacy-centric cloud server is designed with a lot of thought and security promises. Unlike other cloud AI services, access controls like SSH and remote shell are not available on PCC. Private Cloud Compute doesn’t allow such entry points to prevent potential attacks.