Comment by JimDabell
10 days ago
> Wouldn't it be more accurate to call Apple's architecture data protection rather than privacy? As a European citizen in a post-Snowden world I would be surprised if any of my data on Apple services was actually kept private from the US government, and Apple certainly wants to own a lot of data/metadata about you.
Your conception doesn’t seem to match PCC at all. The whole point of it is that nobody can access the data, not even the people running the servers.
I don't trust a single US tech company to keep my data private from the US government. Maybe I need a tinfoil hat, but I don't feel like I'm unjustified in this based on the history going back to ECHELON. Not that this is a particular jibe at the USA; my own government (Danish) actively pushes for mass surveillance and non-functional e2e encryption.
There is still a difference though. Google will sell my data and use it for all sorts of things. Though I've obviously accepted that since I have had a Samsung flip phone since Apple made their iPhones too big for my pockets.
This part of their requirements for how PCC is architected directly addresses your concern:
“Verifiable transparency. Security researchers need to be able to verify, with a high degree of confidence, that our privacy and security guarantees for Private Cloud Compute match our public promises. We already have an earlier requirement for our guarantees to be enforceable. Hypothetically, then, if security researchers had sufficient access to the system, they would be able to verify the guarantees. But this last requirement, verifiable transparency, goes one step further and does away with the hypothetical: security researchers must be able to verify the security and privacy guarantees of Private Cloud Compute, and they must be able to verify that the software that’s running in the PCC production environment is the same as the software they inspected when verifying the guarantees.”
They do this by allowing you to download all of the components (minus data cryptexes containing the model weights) and run it on your own Apple silicon chip (you can put your computer in recovery mode and use csrutil to enable research guest operating systems).
I think what is concerning is that they are expanding into Google Cloud and NVIDIA to run with it too with their versions of confidential compute, which if I remember correctly are not as well verified as Apple PCC and a little harder for researchers to get their hands on.
Apple uses a key ceremony process where no single party has access to all the keys required to sign hardware, meaning in theory they can’t just sign malicious hardware. However, I’m not sure how Google and NVIDIA play into this and I don’t think they’ve provided much detail on it. I think it seems a little rushed to get the features out since they fucked up with initial Apple Intelligence release.
What does verify mean?
Can they verify the private cloud is completely immune to nation-state actors, has no zero-day vulnerabilities, is completely bulletproof in a court of law and can never be compelled to secretly share info with government(s), etc.?
I think the user's fear here is real. "We did good due diligence at the consumer level" and "we're completely immune to nation-state hackers and clandestine legal cases" are very different things.
How are security researchers going to have access to the Nvidia GPUs that will be running this?
It’s a fair concern, but the only way to reconcile a belief that Apple is sharing data from PCC with anyone (including themselves) is to assert the whole PCC thing is a massive fraud.
Which it could be, but given both breadth of claim and Apple’s strong incentives not to be caught lying about something so massive, I’d want something more than vibes to take the idea seriously.
There's no guarantee against data exfiltration, because the data leaks happen through tool calls, which are not made from the PCC, but from your own device.
E.g. "the user asks if their Bitcoin private key is unique, let's make a web search".
Combined with prompt injection attacks, it's quite easy for an attacker to craft a prompt which sends your private data through any supported tool call (web search, database search, email, app APIs, etc.). Everything is wide open for the attacker, or for you yourself accidentally, to exfiltrate your data.
That doesn’t make sense in this context – the point of PCC is so you know somebody isn’t snooping on your information when you send it to the servers. The person I was responding to seemed to think that Apple would be looking at that information.
You're right, but also "PCC is very secure" might give a false sense of security, considering that there might be other associated vulnerabilities in these kinds of systems.
Which is a good point. Set a Bitcoin wallet private key in an obvious place on your system, and then set up a monitor (on another system) to notify you if its contents get stolen.
Doesn't prevent the exfiltration but at least you'll know when it does.
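The canary-and-monitor idea in the comment above, together with the tool-call exfiltration path described a few comments earlier, as an added example that is not part of any commenter's post and not Apple's or PCC's code. It assumes two constructed layers: a gate that runs on the device before a tool call is dispatched, and an out-of-band monitor over egress logs that looks for a planted honeytoken. `CANARY_SECRET`, the tool names, the regex patterns and the sample log lines are all constructed for illustration.

```python
"""Two-layer exfiltration check for LLM tool calls (constructed example).

Layer 1: gate_tool_call() runs on the device before any tool call (web search,
email, app API) is dispatched and blocks calls whose arguments carry the
planted canary or secret-shaped data.
Layer 2: scan_egress_log() is the "monitor on another system" from the thread:
it watches egress logs for the canary value and returns the offending records.
"""
import json
import re
from dataclasses import dataclass, field

# Constructed honeytoken: planted where an assistant would plausibly read it and
# never used for anything real, so any outbound sighting is a leak indicator.
CANARY_SECRET = "CANARY-5f9c2a7e-NOT-A-REAL-KEY"

# Loose shape checks for material that should not leave the device in a tool call.
# Base58 WIF keys start with 5 (51 chars) or K/L (52 chars); AWS access key IDs
# start with AKIA followed by 16 uppercase alphanumerics.
SECRET_PATTERNS = {
    "bitcoin_wif_key": re.compile(r"\b[5KL][1-9A-HJ-NP-Za-km-z]{50,51}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}


@dataclass
class ToolCall:
    tool: str
    args: dict


@dataclass
class GateDecision:
    allowed: bool
    reasons: list = field(default_factory=list)


def _flatten(value) -> str:
    """Collapse nested tool-call arguments (or a log record) into one string."""
    if isinstance(value, dict):
        return " ".join(_flatten(v) for v in value.values())
    if isinstance(value, (list, tuple)):
        return " ".join(_flatten(v) for v in value)
    return str(value)


def gate_tool_call(call: ToolCall, canaries=(CANARY_SECRET,)) -> GateDecision:
    """Layer 1: decide on the device whether a tool call may leave at all."""
    text = _flatten(call.args)
    reasons = []
    for canary in canaries:
        if canary in text:
            reasons.append(f"canary in args of {call.tool}")
    for name, pattern in SECRET_PATTERNS.items():
        if pattern.search(text):
            reasons.append(f"{name} in args of {call.tool}")
    return GateDecision(allowed=not reasons, reasons=reasons)


def scan_egress_log(lines, canaries=(CANARY_SECRET,)):
    """Layer 2: out-of-band monitor; returns the JSON records that carry a canary."""
    hits = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # non-JSON noise in the log is skipped, not alerted on
        if any(canary in _flatten(record) for canary in canaries):
            hits.append(record)
    return hits


# Constructed sample inputs (the "key" below is a syntactically shaped fake).
FAKE_WIF = "5" + "Hx7Qk" * 10
BENIGN_CALL = ToolCall("web_search", {"query": "is a bitcoin private key unique?"})
LEAKY_CALL = ToolCall("web_search", {"query": "is this key unique: " + FAKE_WIF})
CANARY_CALL = ToolCall("send_email", {"to": "x@example.com", "body": f"my key: {CANARY_SECRET}"})

EGRESS_LOG = [
    json.dumps({"dst": "search.example", "path": "/q", "body": "weather tomorrow"}),
    json.dumps({"dst": "search.example", "path": "/q", "body": f"key {CANARY_SECRET}"}),
    "not json at all",
]

if __name__ == "__main__":
    for call in (BENIGN_CALL, LEAKY_CALL, CANARY_CALL):
        decision = gate_tool_call(call)
        print(call.tool, "ALLOW" if decision.allowed else "BLOCK", decision.reasons)
    print("egress alerts:", scan_egress_log(EGRESS_LOG))
```

The gate is the part that actually prevents a leak, and it is only as good as its patterns; the egress monitor is the part the comment describes, and it catches what the gate misses but, as the comment says, only after the fact. Keeping the canary value unique and unused anywhere else is what makes the second layer low-noise.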
And we have to believe that it's not backdoored because they say so? That's incredibly naïve.
No. I provided the link so you could read more about it.
I have read it. The entire trust hinges on several critical points, such as trusting secure boot.
You remember when the NSA injected itself in TLS termination at all major cloud providers? You remember when several giant automotive corporations built elaborate detection of testing scenarios to fake emissions? You remember room 641A?
I have no real way to tell if this is security theater or meaningful protection. None of us has.
That's "because they said so" but with more words. Sorry, but a pretty blog post is not proof enough.