What Is Private Cloud Compute?

Discover how Private Cloud Compute (PCC) ensures privacy and security with stateless computation, prevention of privileged access, and verifiable transparency.

Private Cloud Compute

Private Cloud Compute (PCC) is a cloud intelligence system designed to extend the privacy and security of Apple devices into the cloud. With PCC, personal user data remains inaccessible to anyone but the user. PCC leverages custom Apple silicon and a specially hardened operating system, setting a new standard for cloud AI security. PCC is used for Apple Intelligence.

Privacy

Apple emphasises on-device processing to ensure user data remains secure and private. Data stored solely on user devices is not vulnerable to centralised attacks. For cloud services, Apple will employ state-of-the-art security measures, including end-to-end encryption where feasible. For scenarios where end-to-end encryption isn’t viable, Apple will use ephemeral data processing or uncorrelated identifiers to maintain user privacy.

Private Cloud Compute Design

Core Requirements

Stateless Computation ensures that user data is processed solely to fulfill the user’s request and is not retained post-processing. Enforceable Guarantees require that all components of PCC contribute to the system’s overall privacy and security promises, with no external dependencies undermining these core assurances.

No Privileged Access means that privileged access is not permitted on PCC nodes, so it cannot be used to bypass the privacy guarantees. Non-targetability means that attacks cannot target specific user data without compromising the entire system. Lastly, Verifiable Transparency allows security researchers to independently confirm that PCC meets its privacy and security commitments.

Introducing PCC Nodes

PCC nodes are custom-built servers integrating Apple silicon’s security features, including the Secure Enclave and Secure Boot. The system is based on a hardened operating system derived from iOS and macOS, tailored to support Large Language Model (LLM) inference workloads while minimising attack surfaces.

Core Features

Private Cloud Compute ensures privacy through several key mechanisms. Stateless Computation means that user data is processed exclusively for the user’s request and deleted immediately after processing. Secure Data Handling guarantees that data remains on PCC nodes only until the request is fulfilled, after which it is deleted; user data is never accessible to Apple.

Encrypted Requests are transmitted from user devices directly to PCC nodes, ensuring end-to-end encryption. Runtime Integrity is maintained through Secure Boot and Code Signing, which ensure that only authorised code is executed on nodes, preventing any code alteration during runtime. Additionally, No Remote Debugging is allowed on PCC nodes, with stringent privacy safeguards applied to logging and metrics.