AI has significantly transformed how people interact with technology, enabling automation of complex tasks and delivering deep insights from massive data sets. However, today’s AI systems—especially those powered by large language models—typically run on servers, which means user requests must be visible to the provider. While this is acceptable for many scenarios, it presents a challenge when aiming to use AI on private conversations without weakening the privacy protections, like end-to-end encryption, that platforms like WhatsApp offer.
To address this, we’ve developed Private Processing — a new privacy-preserving technology that allows people to benefit from AI features, such as summarizing chats, while ensuring their personal messages remain inaccessible to Meta or WhatsApp.
Key Principles Behind Private Processing:
- Optional Use: Using Meta AI features, including those powered by Private Processing, is entirely optional.
- Transparency: Users will be clearly informed when features rely on Private Processing.
- User Control: For those who require additional privacy, features like Advanced Chat Privacy allow users to prevent their messages from being used in any AI-related functions.
What is Private Processing?
Private Processing is a confidential computing framework built on Trusted Execution Environment (TEE) technology. It creates a secure cloud space where AI features—like message summarization or writing suggestions—can operate without sacrificing WhatsApp’s privacy promises. Only the user and their intended chat recipients can see messages; even Meta or WhatsApp can’t access them.
Privacy and Security Foundation
Private Processing is designed to:
- Process confidentially: Ensures no system—Meta, WhatsApp, or third parties—can access user data while it is being transmitted or processed.
- Guarantee enforcement: If system protections are compromised, processing halts or the compromise is transparently exposed, rather than continuing silently.
- Ensure transparency: Independent audits are enabled so external researchers can verify the privacy protections.
To further strengthen its defense in a constantly evolving threat landscape, Private Processing adheres to:
- Non-targetability: No individual user can be singled out for attack without compromising the entire system.
- Stateless processing: Once a session ends, all messages are discarded and cannot be retrieved later.
Threat Modeling
Private Processing was built using a robust threat model focused on:
- Assets: Primarily messages (received or drafts) and secondarily TEE hardware, software, and encryption keys.
- Threat Actors: Malicious insiders, compromised vendors, or attackers targeting other users.
- Threat Scenarios: Including prompt injection, zero-day exploits, and physical access attempts.
How Private Processing Works
- Authentication: Anonymous credentials confirm that requests come from genuine WhatsApp clients without identifying the user.
- Third-party Routing: Requests are sent over Oblivious HTTP (OHTTP) through external relays, so the user’s IP address is not visible to the processing servers.
- Session Setup: Establishes a remote-attestation TLS (RA-TLS) connection between the user’s device and the TEE, so the device can verify it is talking to genuine TEE code before sending anything.
- Encrypted Request: Requests (e.g., summarization) are encrypted end-to-end with keys that Meta and WhatsApp cannot access.
- Secure AI Processing: AI models run inside Confidential Virtual Machines (CVMs) that do not retain any data.
- Encrypted Response: Results are returned encrypted, accessible only to the device and its selected server.
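The following is an added, self-contained simulation of the session flow above and of the "Guarantee enforcement" and "Stateless processing" principles; it is illustrative code written for this page, not WhatsApp or Meta code. Everything in it is a stand-in: the attestation report is an HMAC over a constructed measurement (real TEEs use hardware-signed reports), the RA-TLS handshake is replaced by handing a fresh session key to the simulated enclave, and the cipher is a toy HMAC-SHA256 keystream with an HMAC tag so the script runs on the standard library alone. The point it demonstrates is the gating order: the client checks the attested code measurement against an allowlist and refuses to send anything if the check fails, the relay/operator only ever sees ciphertext lengths, and the enclave keeps no state after answering.

```python
"""Simulated Private-Processing-style session (illustrative, not Meta/WhatsApp code)."""
import hashlib
import hmac
import secrets

# Constructed allowlist: measurement of the only CVM image the client will talk to.
# In a real deployment this value would be published for independent verification.
TRUSTED_MEASUREMENTS = {"sha256:" + hashlib.sha256(b"cvm-image-v1").hexdigest()}

# Constructed stand-in for the hardware vendor's attestation signing key.
VENDOR_KEY = b"constructed-vendor-attestation-key"


def make_attestation(measurement: str, tee_pubkey: bytes, key: bytes = VENDOR_KEY) -> dict:
    """Stand-in for a hardware-signed report binding code measurement to the TLS key (RA-TLS binding)."""
    body = measurement.encode() + b"|" + tee_pubkey
    return {"measurement": measurement, "tee_pubkey": tee_pubkey,
            "signature": hmac.new(key, body, hashlib.sha256).digest()}


def verify_attestation(report: dict, key: bytes = VENDOR_KEY) -> bool:
    """Client-side check: signature must verify AND the measured code must be on the allowlist."""
    body = report["measurement"].encode() + b"|" + report["tee_pubkey"]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    sig_ok = hmac.compare_digest(expected, report["signature"])
    return sig_ok and report["measurement"] in TRUSTED_MEASUREMENTS


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy keystream: HMAC-SHA256(key, nonce || counter) blocks. Not a production cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a random nonce: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))


class ConfidentialVM:
    """Simulated enclave: attests its code measurement, answers requests, retains nothing."""

    def __init__(self, image: bytes):
        self.measurement = "sha256:" + hashlib.sha256(image).hexdigest()
        self._tee_pubkey = secrets.token_bytes(32)  # stand-in for the RA-TLS key
        self.retained = []  # stays empty: stateless processing

    def attestation(self) -> dict:
        return make_attestation(self.measurement, self._tee_pubkey)

    def handle(self, session_key: bytes, sealed_request: bytes) -> bytes:
        text = unseal(session_key, sealed_request).decode()
        summary = " ".join(text.split()[:8]) + " ..."  # toy "summarizer": first eight words
        return seal(session_key, summary.encode())  # plaintext goes out of scope here


def client_session(vm: ConfidentialVM, message: str, relay_log: list) -> str:
    """Attest first, then encrypt; the relay_log is what a relay/operator could observe."""
    report = vm.attestation()
    if not verify_attestation(report):
        # "Guarantee enforcement": no request leaves the device if the enclave is not genuine.
        raise RuntimeError("attestation failed: refusing to send request")
    session_key = secrets.token_bytes(32)  # stand-in for the RA-TLS handshake secret
    sealed = seal(session_key, message.encode())
    relay_log.append(("request", len(sealed)))  # intermediaries see only ciphertext size
    sealed_resp = vm.handle(session_key, sealed)
    relay_log.append(("response", len(sealed_resp)))
    return unseal(session_key, sealed_resp).decode()


if __name__ == "__main__":
    good = ConfidentialVM(b"cvm-image-v1")
    log = []
    print(client_session(good, "alpha beta gamma delta epsilon zeta eta theta iota kappa", log))
    print("relay saw:", log, "| enclave retained:", good.retained)
    try:
        client_session(ConfidentialVM(b"cvm-image-modified"), "secret draft", log)
    except RuntimeError as e:
        print("halted:", e)
```

Running it shows a summary coming back for the allowlisted image, an empty retained list on the enclave, a relay log containing only byte counts, and a refused session for an image whose measurement is not on the allowlist. Swapping a trusted measurement into an untrusted enclave's report also fails, because the signature covers the measurement and the key together.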
Building Secure Infrastructure
To maintain confidentiality and integrity:
- No remote access is allowed to the processing environment, including for Meta engineers.
- Code isolation ensures that only authorized, measured software can run inside the environment.
- Audit trails and multi-party code reviews guard against supply chain attacks on the software that is deployed.
- Hardware protection: Uses CPUs and GPUs that support confidential computing to guard against both software and physical tampering.
Moving Forward
Private Processing is just the beginning. While its first application is message summarization and AI suggestions, the technology can extend to other secure AI use cases. We are committed to transparency and will publish documentation, open up our Bug Bounty program to cover Private Processing, and release a detailed technical paper.