Apple is using Secure Enclaves to ensure AI privacy. Why aren’t you?

Bobbie Chen, Senior Product Manager
Published on Jun 13, 2024
https://www.anjuna.io/blog/apple-is-using-secure-enclaves-to-ensure-ai-privacy-why-arent-you

This week at WWDC 2024, Apple announced an ambitious AI-based personal intelligence system, Apple Intelligence, enabling generative AI for iPhones, iPads, and Macs. I was particularly impressed with their approach to ensuring private AI, even when data needs to leave the user’s device. In this blog I’ll discuss how you can build the same kind of system in the public cloud today. 

Apple's Approach to Generative AI

Apple has long prioritized privacy for its customers, from refusing the FBI’s request to unlock an iPhone in 2015 to the recent release of Advanced Data Protection that enabled end-to-end encryption for iCloud. 

But the rise of generative AI, popularized by companies like OpenAI and Anthropic, brings new challenges. These new AI models are larger than ever and require significant compute power to train and run. Apple’s devices, especially the iPhone and iPad, are rather underpowered - for example, Meta’s open-source Llama 3 model with 7 billion parameters (7B) requires 16 GB of GPU VRAM, but the iPhone Pro Max 15 only has 8 GB of RAM shared by the CPU and GPU. 

As a result, Apple is running a significantly smaller model on-device, with only 3 billion parameters. For smaller requests, this means data never needs to leave the device. Larger requests are directed to a larger and more powerful model hosted in Private Cloud Compute (PCC), a cloud-based system for private AI.

How does Apple ensure private AI?

Apple’s Private Cloud Compute enables trustworthy cloud-based AI based on secure system design, transparency, and verifiability through the use of Confidential Computing technology. Their security blog post dives into the details, but I will summarize the key points here.

Private Cloud Compute is secure by design:

  1. No user data is stored persistently.
  2. Data is protected in use (during processing) using Apple’s Secure Enclave.
  3. Apple staff has no “backdoor” to bypass security controls and view user data as it is being processed.
  4. The system is designed to be self-contained, so that its security properties can be understood and confirmed without reference to other systems.
  5. The system is designed with defense-in-depth, including memory safety, sandboxing, “target diffusion” to prevent attacker-biased request routing, and hardware supply chain hardening. 

These are strong security claims already, and Private Cloud Compute ensures that they are verifiably present at runtime using transparency and Confidential Computing:

  1. Every production build is publicly available for security researchers, who can audit it for security and privacy correctness. The software measurements are stored in a transparency log.
  2. The software runs with Secure Boot, Code Signing, and Secure Enclave to ensure the confidentiality and integrity of code, cryptographic keys, and user data.
  3. Client devices like iPhones perform cryptographic remote attestation to ensure a PCC node is running the expected software. 
  4. After successful attestation, clients encrypt data with a public key for the PCC node. The PCC node public keys are ephemeral, so they are not persisted after reboot. 
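The attest-then-encrypt step above, as an added model that is not Apple's code or the actual PCC protocol: a node presents its build measurement and a boot-scoped public key, and the client refuses to send anything unless that measurement appears in the transparency log, only then encrypting the request to the node's key. The build names, the in-memory transparency log, and the use of RSA-OAEP with the measurement as the OAEP label are assumptions of this model; a real PCC attestation is signed by the Secure Enclave, which is omitted here.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Attestation is what a node presents to a client: the measurement of its software
// image and a public key that exists only for this boot. A real PCC attestation is
// signed by the Secure Enclave; that signature is omitted in this model.
type Attestation struct {
	Measurement string         // hex SHA-256 of the node's software image
	NodePub     *rsa.PublicKey // ephemeral: regenerated on every boot
}

// Node keeps its private key in memory only, so a reboot (a new Node) discards it.
type Node struct{ image []byte; key *rsa.PrivateKey }

// TransparencyLog is a constructed stand-in for the published log of build measurements.
var TransparencyLog = map[string]bool{Measure([]byte("pcc-build-2024-06-release")): true}

func Measure(image []byte) string { return fmt.Sprintf("%x", sha256.Sum256(image)) }

// NewNode models a boot: a fresh key pair is generated and never written to disk.
func NewNode(image string) (*Node, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	return &Node{image: []byte(image), key: k}, err
}

func (n *Node) Attest() Attestation {
	return Attestation{Measurement: Measure(n.image), NodePub: &n.key.PublicKey}
}

// ClientEncrypt sends nothing unless the attested build is in the transparency log.
// The measurement is the OAEP label, so the ciphertext is bound to that exact build.
func ClientEncrypt(att Attestation, req []byte) ([]byte, error) {
	if !TransparencyLog[att.Measurement] {
		return nil, errors.New("attestation failed: build not in transparency log")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, att.NodePub, req, []byte(att.Measurement))
}

// Decrypt runs on the node; only the key of the boot that was attested can open it.
func (n *Node) Decrypt(msg []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, n.key, msg, []byte(Measure(n.image)))
}
```

A production design would encapsulate a symmetric key rather than encrypt the request directly, but the gate is the same: no measurement in the log, no ciphertext sent.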

The end result is an AI system running in the cloud securely and privately, thanks to secure system design and Confidential Computing. For Apple customers, this means they’ll receive better AI-powered services than the on-device models are capable of providing. 

[Figure: Apple uses Secure Enclave technology for Private Cloud Compute]

Confidential Computing empowers businesses, and it is widely available today

Confidential Computing and remote attestation sometimes have a bad reputation among consumers, since they can be used for DRM to limit what we do on our own devices. But now the script is flipped: when Confidential Computing is used on the server side, as in Apple’s Private Cloud Compute, it gives us the power to control how our own data is used, even when it is processed in the cloud. 

Apple’s PCC is based on Apple Silicon deployed in their own datacenters, which might sound like a barrier. In fact, similar Confidential Computing technology is available in all major clouds, based on technology from Intel, AMD, NVIDIA, and AWS - and Anjuna makes it easy to use.

At Anjuna, our customers have already been using patterns similar to PCC to enable underpowered edge devices to offload computation to the cloud. Their end users get better, faster user experiences without compromising security or privacy. As I wrote in a blog post last year, Confidential Computing enables truly verifiable remote services, where clients can establish trust in the cloud. 

Why is it important, and why now?

The last two years have been shaped by two major trends: huge progress in generative AI, and increased regulation and consumer awareness of data privacy. From the early days of ChatGPT, you might recall when Samsung banned its use, wary of leaking data; in fact, last year ExtraHop reported 32% of enterprises had banned the usage of generative AI tools due to data exposure risks. And speaking of “Recall”, Microsoft just backpedaled on its release plans for the Windows Recall AI tool, thanks to widespread privacy-related concerns.

Apple is right to consider user privacy, and regulators around the world agree. Besides the EU GDPR and California’s CCPA, several other countries and US states have passed privacy regulation, and we are on track for Gartner's prediction that privacy regulation will protect 75% of the world’s population by the end of 2024. In the world of AI, the EU AI Act, Colorado AI Act (CAIA), and Canada’s upcoming Artificial Intelligence and Data Act (AIDA) are just the beginning of AI-specific regulation as well. 

Neither of these trends is going away. Enterprises can significantly improve their products and end user experience using AI, but they need to consider security and privacy. Confidential Computing is a key technology that enables secure and private AI. Edge-to-cloud architectures like PCC are not the only way to achieve this: Confidential Computing also enables patterns like AI model protection, where proprietary AI models or code are deployed into customer cloud environments while their intellectual property stays protected. 

How to get started with Confidential Computing?

Anjuna Seaglass makes Confidential Computing easy, so that any enterprise can build systems like Apple Intelligence that are secure and private. While Confidential Computing hardware is available in all major clouds, it can be difficult and time-consuming to write secure applications and integrate remote attestation; there are many low-level technical details that are both tricky and security-sensitive. Our customers choose Anjuna to abstract away the complexity of Confidential Computing, so that they can focus on building value for their own customers.

Anjuna Seaglass, the Universal Confidential Computing Platform, enables you to “lift-and-shift” any existing or new application to run in Confidential Computing on all major clouds. Remote attestation is built in out-of-the-box, so your clients can verify the running application. You can try Anjuna Seaglass through our free trial, or contact sales for more information. 

For data collaboration, Anjuna Seaglass AI Clean Rooms is a solution on top of Anjuna Seaglass to make it easy to combine datasets and run trusted computations with partners. To learn more about the private preview program, contact me directly: bobbie.chen@anjuna.io.

End users want security and privacy. Are you ready to earn their trust?
