In the summer of 2024, Apple made a clear and comforting announcement about Private Cloud Compute. When your data is sent to the cloud for AI processing, Apple’s proprietary hardware—powered by specially designed Apple silicon—runs it. The security architecture is so complex that even Apple employees are unable to access it. It was the kind of claim that typically elicits doubt. However, the architecture held up fairly well under scrutiny, which surprised many people who follow security research closely. Two years later, a big change has occurred, and the plot is becoming much more intricate.
Beyond its own data centers, Apple has extended PCC. With NVIDIA GPUs, Intel CPUs with TDX, and Google’s own Titan security chip, processing for Apple Intelligence—particularly the more difficult tasks like agentic reasoning and sophisticated tool use—now operates on Google Cloud. For a company that based its AI privacy case on having complete control over its own hardware stack, this is a significant change. As this develops, it seems like Apple is attempting to balance two concepts at once: that privacy is a fundamental principle and that providing services to hundreds of millions of users worldwide necessitates infrastructure that it just does not own.
This image gains texture from the Houston angle. Months ahead of schedule, Apple started shipping custom AI servers earlier this year from a 250,000-square-foot facility in Houston. Apple’s hardware portion of the PCC story is represented by those servers, which are purportedly built on Apple’s M2 Ultra chip with up to 196 gigabytes of unified memory. The shipments were confirmed by Apple COO Sabih Khan, who presented them as a component of a larger $600 billion U.S. investment commitment. With its physical location, American workers, and tangible machines heading toward data centers, the factory, which employs some people through partnerships with Houston City College, has an almost antiquated feel to it. It’s simple to forget that there is a building somewhere with servers humming in air-conditioned rooms behind every AI query.
Apple’s use of PCC on Google Cloud goes beyond simple vendor agreements. Apple devices will only connect to nodes that Apple has cryptographically approved because the company maintains what it refers to as total control over PCC software. Every piece of Google Cloud hardware that enters the PCC fleet is recorded in a verifiable, append-only ledger, providing a supply chain security measure that goes beyond what most cloud deployments consider necessary. Apple’s 2024 core requirements—stateless computation, no privileged runtime access, non-targetability, and verifiable transparency—remain the same. Security researchers will probably be questioning whether those promises hold up when they come into contact with infrastructure that Apple does not physically own for months.
Whether most users will ever consider any of this is still up for debate. Although a hidden export option in privacy settings logs cloud requests if you know to look, the Apple Intelligence experience on a phone does not reveal when a request leaves the device or which data center handles it. There is a good case to be made that this is how things ought to be: privacy is protected in the background and complexity is handled discreetly. Another valid argument is that when users’ data enters infrastructure that is shared with one of the biggest data brokers in the world, they ought to receive a clearer signal. Both points of view appear to be tenable.
It is important to recognize this technical ambition. Prior to this expansion, the industry had a variety of confidential computing primitives, but no one had put them together into a cohesive, end-to-end private inference pipeline that was truly global in scope. Together, Apple and Google are claiming to have created that. Security researchers will now be able to examine this truly unique configuration thanks to Apple’s bounty program and public binary releases, which combine NVIDIA’s proprietary computing stack with Google’s Titan hardware and Intel’s TDX.
It’s difficult to determine whether this is a one-off result of Apple’s strange privacy obsession or the start of a larger trend with other AI companies implementing similar frameworks. The industry seems to be keeping a close eye on things. Apple has consistently outperformed most in making privacy understandable to the general public. The same level of technical and communicative precision that initially made the original PCC respectable will be needed to accomplish that while assigning workloads to Google.
