Summary

  • Apple unveils a privacy-focused system, PCC, to process user data securely in the cloud, promising verifiable guarantees for data handling.
  • PCC utilizes stateless computation, limits Apple's access to nodes, and reduces the risk of targeted attacks, focusing on software verification.
  • The commitment to transparent cloud software marks a notable shift towards user data protection in the cloud by Apple, a step forward in privacy protection.

WWDC came with a whole raft of announcements from Apple, ranging from customizable home screens in iOS 18 to new versions of macOS and watchOS. One of the bigger announcements was 'AI' or, as they are using it, 'Apple Intelligence.' It represents a series of iOS features and integrations designed to bring the power of AI to the iPhone. Most of these integrations will run locally, as Apple maintains its laser focus on keeping most AI processing on the device. However, in a tacit admission of the necessity of cloud processing for the iPhones AI integrations to stay competitive, Apple also announced its Private Cloud Compute (or PCC).

Apple Intelligence
You're going to have to wait a while to see the cool Apple Intelligence features from WWDC 2024

Apple had a ton of AI features to show off during WWDC, but once it releases in Q3 2024, a lot of them will be missing in action.

1
By 

PCC is quietly one of the more technically interesting announcements from WWDC. It represents Apple squaring up to one of the biggest ongoing challenges in not just the AI/ML space but with user privacy in general.

What is PCC?

PCC is a privacy-focused system for processing user data in the cloud

Screenshot from Apples PCC blog post.
Source: Apple

Private Cloud Compute is Apple's system for offloading the processing of user data to servers in the cloud (or nodes, as we'll refer to them) to run more complex ML models than would be available on the device. Offloading this processing to the cloud from your phone is necessary. While mobile chips are more powerful than ever, the limitations of a battery-powered device are still present.

This offloading has some difficult challenges for user privacy. In a messaging app, where data does not need to be processed in the cloud, just synced between devices, end-to-end encryption (or E2EE) is now the industry standard for protecting user data. This means that the service provider lacks the means to decrypt and view your private data, even if they want to. For ML workloads, however, this isn't yet possible, as the data needs to be readable by the server for models to compute over it (although theoretically, this might not always be the case with advances in confidential ML and homomorphic encryption).

That's where PCC comes in. PCC is a series of verifiable guarantees from Apple about how your user data will be handled in the cloud. We'll run over these guarantees in more detail, but they generally consist of cryptographic methods (and existing technologies like Secure Enclave) to prevent your data from being stored, shared, or accessed by anyone else - or even from within Apple. While other companies might make similar claims (think VPN providers) Apple is making a serious attempt to not just claim privacy, but also provide proof that it is secure.

How does PCC work?

PCC is a series of verifiable guarantees

Person standing in front of Apple Intelligence presentation
Source: Apple

Apples PCC is built on Apple Silicon, and makes use of several technologies already in use on iPhones and Macs, like Secure Boot and Secure Enclave. There are a few facets to how these guarantees about user privacy work, and they're explained in some more detail in Apple's own blog post overview. We've also been promised more technical details once PCC is running in Beta. To start with though, PCC is just a series of cloud servers that process user data, but with some special steps taken to ensure that user data is handled securely and deleted after the work is done.

PCC-Nodes
Source: Apple

Stateless computation means no data is saved on the node

The first element of PCC that Apple highlights is a push towards stateless computation. This means that no user data is retained on the cloud node once the computation is finished. The PCC offloading process starts with a request triggered by your phone, which provides only the user data required to process this request. This data is encrypted with keys published by the PCC node in use, and transmitted securely to the node. Apple has designed this method of transmission so that no intermediary devices - even with Apples infrastructure, such as load balancers or caches - have access to the user data.

Once on the node, the data is processed as requested and then returned to the user. Once a response has been returned, any user data on the node is deleted. Apple is making use of Secure Enclave to ensure that all requests to the node are securely encrypted, and using Secure Boot and code signing to ensure that only approved code can run on the node. There are no dynamic runtime languages here either, with Apple using Swift in its software stack in order to ensure memory safety and mitigate runtime attacks. Finally, the disk encryption keys in use are randomized by the Secure Enclave at every reboot, so even if user data does persist on the disk it'll be irretrievable after the node is rebooted.

There are some other bits Apple is doing here for stateless computation, so we'd recommend you skim their blog posts if you're interested in learning more.

PCC-stateless-computing
Source: Apple

Apple is limiting its own access

Another big privacy move that Apple is making on its PCC nodes is to limit its own access. This is a historically difficult problem to solve. The ongoing challenge of balancing developer access for debugging, incident response, and development, along with the security and privacy needs of users, is something the whole tech industry deals with constantly.

With PCC though, Apple is taking the extreme step of removing even its own access to the nodes. No PCC nodes will have any remote shell or debugging functionality present, and won't feature a 'break-glass' emergency access method common across the industry. Logging security is being taken seriously as well, with Apple refraining from adding a central logging functionality to the nodes, and requiring that logs be audited for personal data before being allowed to leave the node. Logs must also conform to a pre-described schema. Apple hasn't committed to publishing these schemes nor entered into more detail on the implications of having no central logging system, which makes it hard to guess how effective this will all be.

It really seems to be a step in the right direction for Apple. Limiting its own access in this way will likely make its operations more difficult, and make incident response harder if there is an outage with PCC. But it appears to be the right thing to do.

Apple is reducing the risk of targeted attacks

Apple is mitigating the risk of attackers with physical access to nodes in a couple of ways, by requiring stronger standards for the Apple Silicon hardware which is verified both in manufacturing and once it's arrived at the data center. All new hardware must then be cryptographically activated by Apple, ensuring that no phone will ever send requests to a node that has not been activated and managed by Apple.

Our threat model for Private Cloud Compute includes an attacker with physical access to a compute node and a high level of sophistication — that is, an attacker who has the resources and expertise to subvert some of the hardware security properties of the system and potentially extract data that is being actively processed by a compute node.

A set of techniques Apple calls 'target diffusion' is then used to prevent channeling a specific user's requests to specific nodes. This includes a separately encrypted metadata request to Apple's load balancers which does not contain user data, to enable routing, as well as the implementation of a third-party OHTTP relay to prevent compromised load balancer routing attacks based on source IP address. This is a bit complicated, but the effect is that an attacker would need to control multiple distinct elements of Apple's infrastructure, as well as potentially the third-party OHTTP node, in order to effectively steer a specific user's traffic to a compromised node. Hopefully, this scenario will be rendered impossible by their protocols.

PCC is focusing on software verification

Apple is making big steps towards publicly verifiable cloud software

The final, and arguably most important, step Apple is taking towards user data protection in the cloud is a commitment to verifiable transparency for the software running on PCC nodes. This means that Apple will publish all production images of software running on each PCC node, and provide phones with a cryptographic way to verify that the software image running on a node is published by Apple and available for inspection by researchers. We're keeping the detail light here, as this is a complicated system, but it uses a combination of Secure Enclave and Code Signing to ensure that no unauthorized code is running on a node, and then provides a cryptographic way of proving this to an external device, again utilizing Secure Enclave functionality. This ensures that your phone can verify that a node is running publicly released and verifiable software, and that it hasn't been tampered with.

This is a big deal in itself, but Apple will also publish source code of some critical areas of the PCC nodes security setup, though these haven't been released yet, as well as plaintext versions of its iBoot and sepOS firmware. This is another massive step forward that's relatively unprecedented for anyone, let alone Apple.

This is an extremely rare process for any kind of deployment of this scale. It isn't foolproof, despite Apple's generous bug bounty programs (which will continue with PCC), this will still require a vast amount of work by security researchers to deconstruct binaries and truly start inspecting these nodes. But it's definitely a serious step forward from the normal 'black box' user data handling of many service providers.

Apple is serious about user privacy

Whether you're an Apple user or not, the company's track record of protecting user data and privacy, both on devices and in the cloud, is industry-leading. The effect of all of these guarantees and methods for verification is that researchers, developers, and users can themselves inspect the cloud services they're interacting with and verify their safety. While this isn't a guarantee that services aren't compromised, this system of community verification underpins all open-source software. We'll have to wait and see whether Apple's commitment to user-security for ML in the cloud continues into the long term, but the overall design of the PCC system is extremely promising.