Security

Apple WWDC Announces Privacy Leap Off a Cliff

Leave a comment

Step one: Apple took its private cloud compute (PCC), a privacy story that it built on its own silicon, and moved its most capable model onto NVIDIA GPUs in Google’s cloud.

Step two: Apple repeated the identical privacy promise, as if step one didn’t happen.

The trust stack that Apple is talking about now is based on non-Apple nodes, which come from NVIDIA Confidential Computing, Intel TDX, and Google’s Titan. In other words Apple’s own Secure Enclave is not in it. Apple still keeps the signing key and an append-only ledger of hardware it doesn’t build. Fine. But there’s no reproducible build, so nobody outside Apple can confirm the published source is what’s actually running on the node.

That’s a problem. Not a new one either.

Trail of Bits (TOB) audited the same stack on WhatsApp and rated eight findings HIGH, every one a way to pass attestation while the measurement was incomplete. Apple’s reproducible-build gap sits on top of that: with no reproducible build, no outside party can confirm the published source is the binary that runs.

Apple put this on stage as innovation. Apple’s own words for PCC are a generational leap over traditional cloud security.

Leap off a cliff?

Apple launched an architecture with the same reproducible-build gap Trail of Bits logged on Meta as TOB-WAPI-18, on the same TEE stack where they rated eight other findings HIGH. (August 2025: PDF)

External researchers need to reproduce and examine the CVM images to verify the system. TOB admit this isn’t a TEE flaw, it’s an implementation and deployment issue. And on top of that, Apple’s own admission is their Google nodes don’t have the full protections yet, because “ramping throughout the summer.”

Great, a ramp before the cliff.

Apple is on the big stage pushing a future promise on top of a past vulnerability. Two things to watch. Whether the summer ramp ever reaches the protections Apple already promised. And whether anyone outside Apple can verify the build once it does. Until both land, the privacy promise is the marketing, not the architecture.

Clap.

Clap.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.