Signal’s Creator Is Helping Encrypt Meta AI

For over a decade, end-to-end encryption (E2EE) has become a foundational security feature, safeguarding billions of daily chat messages sent through applications like Signal, Meta’s WhatsApp, and Apple’s Messages. E2EE ensures that only the sender and intended recipient can read their communications, making it cryptographically impossible for tech companies, internet service providers, hackers, or governments to snoop on conversations. This robust privacy framework has cemented its place as a user expectation for sensitive digital interactions.

However, the explosive growth of generative AI platforms has introduced a new frontier for data privacy challenges. Users are now engaging in billions of daily interactions with AI chatbots, yet these conversations typically lack the protection of end-to-end encryption. This design choice inherently allows AI firms to readily access and analyze the content of user dialogues, posing significant privacy risks.

The prevalent model in the AI industry often prioritizes data collection, as companies aim to train their sophisticated AI models on the broadest possible range of user data to enhance performance and capabilities. Consequently, platforms have frequently made it challenging for users to opt out of having their information utilized for training purposes. This approach, while beneficial for AI development, creates a critical privacy gap. As chatbots and more autonomous AI agents grow in sophistication and integrate deeper into daily life, a growing chorus of technologists and companies are advocating for and actively developing more constrained, privacy-centric AI systems.

Marlinspike, a long-standing champion of digital privacy, articulated these concerns in a blog post published on Tuesday, which detailed the collaboration with Meta. “As LLMs continue to be able to do more, we should expect even more data to flow into them,” he wrote. He underscored the inherent vulnerability of unencrypted AI interactions: “Right now, none of that data is private. It is shared with AI companies, their employees, hackers, subpoenas, and governments. As is always the case with unencrypted data, it will inevitably end up in the wrong hands.” This stark warning highlights the urgent need for privacy solutions in the AI space.

Under the terms of the collaboration, Marlinspike stated that he would “work to integrate Confer’s privacy technology so that it underpins Meta AI.” He further emphasized that Confer, which made its debut at the beginning of this year, would maintain its operational independence from Meta. The overarching goal of the Confer project, as Marlinspike explained, is to offer a technological solution that “allows everyone to get the full power of AI along with the full privacy of an encrypted conversation.” This vision aims to reconcile the immense utility of advanced AI with the fundamental right to private communication.

This isn’t Marlinspike’s first significant collaboration with Meta, formerly Facebook. In 2016, he played a pivotal role in working with WhatsApp, which Meta owns, to roll out end-to-end encryption to over a billion accounts simultaneously. This monumental achievement transformed WhatsApp into one of the world’s most secure messaging platforms. However, in the past year, WhatsApp has introduced a Meta AI chatbot directly into its application. Crucially, interactions with this integrated AI chatbot are not shielded from the company in the same way individual user-to-user chats are, creating a dichotomy within the app’s privacy landscape.

Will Cathcart, the head of WhatsApp, publicly acknowledged the importance of this privacy initiative. On Wednesday, he posted on the social media platform X about the Confer collaboration, stating, “People use AI in ways that are deeply personal and require access to confidential information. It’s important that we build that technology in a way that gives people the power to do that privately.” This statement reflects a growing recognition within major tech companies of the imperative to address AI privacy.

The field of encrypted AI is still in its nascent stages. The cryptographic schemes that effectively implement end-to-end encryption for traditional digital communications, such as messaging, are not easily or directly transferable to the complex, data-intensive operations of generative AI models. Confer itself is a relatively new project, and Marlinspike’s blog post did not elaborate on the specific technical details of how the collaboration with Meta would work, nor did it outline precise integration goals or timelines. Both Marlinspike and Meta declined to provide additional comment to WIRED ahead of publication, indicating the early and potentially sensitive nature of the discussions.

Despite the lack of granular detail, experts in the field are recognizing the profound significance of this partnership. Mallory Knodel, a cryptography researcher at New York University, expressed optimism, stating it would be “great for people using chatbots that use Meta AI to have confidentiality and privacy within that exchange.” She clarified a crucial implication of such an integration: it would mean Meta would be unable to access AI chat data for training purposes, a major shift from current practices. Knodel, who recently co-authored a study on end-to-end encryption and AI, emphasized, “I really hope more AI chatbots adopt this approach.” Her preliminary assessments of Confer, detailed in a separate analysis, indicate that while the platform may not be perfect, it stands as an important example of how to construct a private AI chatbot.

Cryptographer JP Aumasson, who serves as the chief security officer at the cryptocurrency platform Taurus, shared similar positive initial conclusions about Confer. “Confer is probably the best private AI solution, all things considered,” he told WIRED. While acknowledging its strengths, Aumasson also pointed out some current limitations: “It’s not perfect, of course. It lacks documentation of its architecture, threat model, and supply chain.” However, he quickly added, “But Moxie knows what he’s doing and has a solid track record.” This sentiment highlights a cautious optimism, balancing the technical challenges with the credibility of the project’s founder.

A significant hurdle in developing encryption for AI platforms lies in the sheer complexity and computational demands. Much of the privacy work in AI to date has centered on accessible open source models or on creating “privacy layers” that sit between large AI companies and end users, obfuscating data without fully encrypting it. As Marlinspike explained on Tuesday, Confer’s technology was initially “built on top of open weight models.” While these models offered privacy, he noted that "many people love using Confer for a wide variety of tasks, others have missed the frontier capabilities from proprietary models.”

The collaboration with Meta offers a unique opportunity for Marlinspike and Confer to directly engage with these powerful, closed-source proprietary models. “Meta is building advanced frontier models, so this will combine the most private AI chat technology in the world with the most capable AI models in the world,” Marlinspike wrote, underscoring the potential for a groundbreaking synergy.

Regardless of whether the project ultimately achieves all of these ambitious superlatives, researchers consistently emphasized to WIRED that the collaboration itself represents a momentous development. Taurus’s Aumasson further elaborated on the technical approach: “Moxie’s proposal of using trusted computing, a concept dating back at least to the 1990s, is sound to me.” He added, “The underlying assumptions and limitations are well understood. Again, it’s not perfect, but probably sufficient for most users.” The primary challenge, Aumasson concluded, remains “to support models that are as good as the latest frontier models from Anthropic and Google and OpenAI,” indicating the high bar for performance that private AI solutions must meet.

This partnership between a leading privacy advocate and one of the world’s largest tech companies signifies a potential turning point in the discussion around AI ethics and user data protection. As AI continues its rapid advancement and integration into daily life, the demand for privacy-preserving solutions will only intensify. The efforts by Confer and Meta could lay crucial groundwork for a future where users can harness the full power of artificial intelligence without compromising their fundamental right to privacy.