Since Private Cloud Compute needs to be able to access the data in the user’s request to allow a large foundation model to fulfill it, complete end-to-end encryption is not an option. Instead, the PCC compute node must have technical enforcement for the privacy of user data during processing, and must be incapable of retaining user data after its duty cycle is complete.
We designed Private Cloud Compute to make several guarantees about the way it handles user data:
A user’s device sends data to PCC for the sole, exclusive purpose of fulfilling the user’s inference request. PCC uses that data only to perform the operations requested by the user.
User data stays on the PCC nodes that are processing the request only until the response is returned. PCC deletes the user’s data after fulfilling the request, and no user data is retained in any form after the response is returned.
User data is never available to Apple — even to staff with administrative access to the production service or hardware.
And what is that supposed to guarantee? Whoever owns the hardware of unencrypted data owns it. There’s no way to pass tokens to an LLM without unencrypting the content. Whatever path is made to obfuscation is fundamentally incapable of security.
Apple addressed that exact issue:
And what is that supposed to guarantee? Whoever owns the hardware of unencrypted data owns it. There’s no way to pass tokens to an LLM without unencrypting the content. Whatever path is made to obfuscation is fundamentally incapable of security.