Meta on Tuesday introduced Private Processing, a new optional feature designed to let WhatsApp users process messages using AI in a secure, private cloud environment. The company said this ensures that neither Meta, WhatsApp, nor any third party can access the messages, maintaining end-to-end encryption.
The announcement highlighted how AI has transformed technology interactions by automating tasks and analyzing data. However, traditional AI processing, which relies on server-based large language models, often requires providers to see user requests.
This poses a privacy challenge, especially for sensitive messages. Meta stated that Private Processing tackles this issue by supporting AI functions, such as summarizing messages or offering writing assistance, while upholding WhatsApp’s commitment to privacy.
Meta outlined three guiding principles for Private Processing:
- Optionality: Using AI features, including Private Processing, is entirely optional.
- Transparency: The company will clearly indicate when Private Processing is in use.
- User Control: Users can block AI features in sensitive chats using WhatsApp’s Advanced Chat Privacy feature.
How Private Processing Works
Private Processing operates within a Trusted Execution Environment (TEE), a secure cloud setup that prevents unauthorized access to data. The process includes:
- Authentication: Anonymous credentials verify WhatsApp client requests.
- Third-Party Routing: HPKE encryption keys are fetched via a third-party CDN in order to support Oblivious HTTP (OHTTP).
- Session Setup: A secure OHTTP connection passes through a third-party relay to conceal the user’s IP from Meta and WhatsApp. A Remote Attestation and Transport Layer Security (RA-TLS) session confirms the TEE operates with trusted code.
- Request Handling: Encrypted requests, like summarizing messages, are sent to the TEE using an ephemeral key only the user’s device and TEE can access.
- Processing: AI models in a Confidential Virtual Machine (CVM) process data without storing it, ensuring no retention after the session.
- Response: Encrypted results are sent back to the user’s device, accessible only by the device and the TEE.
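A simplified model of the client-side decision in the Session Setup step, added here as an illustration and not Meta's code: the client accepts the session only if the attested CVM measurement is in a published set and the evidence is bound to the TLS key it is actually talking to. The binding format (SHA-256 over a client nonce and the TLS key), all names, and the sample digests are assumptions; verification of the hardware vendor's signature on the report is assumed to have been done beforehand.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample data: stand-ins for published CVM image digests.
PUBLISHED_MEASUREMENTS = {
    hashlib.sha256(b"constructed-cvm-image-v1").hexdigest(),
    hashlib.sha256(b"constructed-cvm-image-v2").hexdigest(),
}

class AttestationError(Exception):
    """Raised when the client must refuse to send its request."""

@dataclass(frozen=True)
class Evidence:
    measurement: str    # hex digest of the CVM image the TEE reports running
    report_data: bytes  # value the TEE bound into its attestation report

def binding(tls_public_key: bytes, nonce: bytes) -> bytes:
    # Assumed binding: SHA-256 over a fixed-length client nonce and the TLS key.
    return hashlib.sha256(nonce + tls_public_key).digest()

def verify_session(ev: Evidence, tls_public_key: bytes, nonce: bytes) -> str:
    """Return the accepted measurement, or raise before any message is sent."""
    if ev.measurement not in PUBLISHED_MEASUREMENTS:
        raise AttestationError("CVM measurement is not in the published set")
    # Constant-time compare; a mismatch means the evidence belongs to another session.
    if not hmac.compare_digest(ev.report_data, binding(tls_public_key, nonce)):
        raise AttestationError("evidence is not bound to this TLS session")
    return ev.measurement

def outcome(ev: Evidence, key: bytes, nonce: bytes) -> str:
    try:
        verify_session(ev, key, nonce)
        return "accepted"
    except AttestationError as exc:
        return f"rejected: {exc}"

def demo() -> dict:
    nonce, key, other = b"\x01" * 32, b"constructed-tls-key-A", b"constructed-tls-key-B"
    good = hashlib.sha256(b"constructed-cvm-image-v2").hexdigest()
    unknown = hashlib.sha256(b"constructed-unpublished-image").hexdigest()
    return {
        "published image, bound key": outcome(Evidence(good, binding(key, nonce)), key, nonce),
        "unpublished image": outcome(Evidence(unknown, binding(key, nonce)), key, nonce),
        "evidence on a different TLS key": outcome(Evidence(good, binding(key, nonce)), other, nonce),
    }
```

The client fails closed: any rejection happens before the encrypted request leaves the device.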
Security and Privacy Features
Meta emphasized that Private Processing meets strict requirements:
- Confidential Processing: No system, including Meta or WhatsApp, can access user data during processing or transit.
- Enforceable Guarantees: Any attempt to bypass privacy measures will either fail or be publicly detectable.
- Verifiable Transparency: Users and researchers can audit the system to confirm privacy claims.
- Non-Targetability: Attackers are unable to isolate individual users without breaching the entire Private Processing framework.
- Stateless Processing: Messages are not stored post-session, ensuring forward security.
Threat Modeling and Security Measures
Meta developed a threat model to identify risks, focusing on:
- Assets: Protecting message content (received or drafted) and system components like the CVM, hardware, and encryption keys.
- Threat Actors: Malicious insiders, third-party vendors, or end users targeting others.
- Threat Scenarios: Potential attacks include exploiting vulnerabilities, extracting data from CVMs, or interfering with hardware.
To counter these, Meta implemented:
- System Software: No remote shell access, code isolation, auditable code changes, and secure build processes.
- System Hardware: CPU-based confidential virtualization and Compute mode GPUs to block host or physical attacks.
- Defense-in-Depth: Encrypted DRAM, physical data center security, and OHTTP relays to prevent targeted attacks.
Transparency and Community Engagement
Meta plans to share Private Processing components publicly, including a security design white paper, and expand its Bug Bounty program to cover this feature. The company will release CVM binary images and source code for attestation verification to support independent research. An in-app log will show users their Private Processing requests and session details.
Future Plans and Availability
Meta expects Private Processing to launch in the coming weeks, initially supporting message summarization and writing suggestions. The company believes this infrastructure could support other AI use cases in the future. Meta welcomes feedback through its Bug Bounty program and will continue sharing updates transparently.