I just published a piece on Apple Intelligence at TidBITS that I’m pretty excited to release. I wrote it (literally sitting poolside on vacation) to try and explain why this matters to someone even if they don’t know anything about AI or security.

For those of us in cloud security, some really interesting things are going on:

  • This is confidential computing, but designed for a very specific purpose, which gives Apple more latitude in how they design controls.
    • Think AWS Nitro (because this is deeper than SGX) with some metrics/monitoring to detect tampering.
    • Apple can model and measure their workloads, and even architected a system to publicly share results, so individual devices can validate that the code is running at expected.
  • Apple designed the system with the assumption that an advanced adversary will gain physical access to servers. That’s one hell of a threat model, and… exactly the kind of adversary Apple faces (hello, governments).
  • The non-targeting defenses are excellent. I really appreciate two aspects:
    • Apple can’t track requests back to individual users. They added a third-party intermediary so they never see the traffic source.
    • If an attacker compromises a server/node, they can’t steer a user to it.
  • This is trust but verify on steroids. Apple built a system for continuous external validation. I don’t think I’ve seen anything like it before — certainly not at scale.
  • Lotta crypto. Like, down to the chips and digital certificates in the Secure Enclave on your phones.
  • On the AI side, there’s some cool stuff around how they are optimizing for devices, different models, and using transformers. I also suspect they may be using RAG to interface with the on-device semantic index, but I could be wrong there.

Anyway, it was a ton of fun to write. Sorry it’s so long. Read it here!