Google on Tuesday announced a new privacy-enhancing technology called “Private AI Compute” that processes artificial intelligence (AI) queries on a secure platform in the cloud.
The company said it built Private AI Compute to “maximize the speed and power of the Gemini cloud model for AI experiences, while ensuring the privacy of your personal data and making it inaccessible to others, not even Google.”
Private AI Compute is described as a “secure, hardened space” for processing sensitive user data in a manner similar to on-device processing, but with enhanced AI capabilities. Leveraging Trillium Tensor Processing Units (TPUs) and Titanium Intelligence Enclaves (TIEs), the company can use frontier models without sacrificing security and privacy.
In other words, the privacy infrastructure is designed to leverage the computational speed and processing power of the cloud while maintaining the security and privacy guarantees that come with on-device processing.
Google’s CPU and TPU workloads (also known as trusted nodes) rely on the AMD-based hardware Trusted Execution Environment (TEE), which encrypts and isolates memory from the host. The tech giant noted that only authenticated workloads can run on trusted nodes, and administrative access to the workloads is blocked. Furthermore, the nodes are protected against potential physical data leakage attacks.
This infrastructure also supports peer-to-peer attestation and encryption between trusted nodes, ensuring that user data is only decrypted and processed within a secure environment and protected from the broader Google infrastructure.
“Each workload requests and cryptographically verifies the other workload’s credentials to ensure mutual trust within a protected execution environment,” Google explained. “Workload credentials are only provisioned if the node’s certificate is successfully validated against an internal reference value. Failed validation prevents the connection from being established, protecting user data from untrusted components.”
The overall process flow works as follows. The user client establishes a Noise Protocol encrypted connection with the front-end server and establishes two-way attestation. The client also uses Oak end-to-end encryption certified sessions to verify the server’s identity and ensure that the server is genuine and has not been modified.
Following this step, the server sets up an Application Layer Transport Security (ALTS) encrypted channel with other services in the scalable inference pipeline to communicate with the model server running on the hardened TPU platform. The entire system is “temporary by design”. This means that inputs, model inference, and calculations are discarded as soon as the user session completes, so an attacker who gains privileged access to the system cannot retrieve historical data.
Google Private AI Computing Architecture
Google also touts various protections built into its system to maintain its security and integrity and prevent unauthorized modification. These include –
Minimize the number of components and entities that must be trusted to ensure data confidentiality Use of Confidential Federated Compute to gather analytics and aggregate insights Encryption of client/server communications Binary authentication to ensure that only signed, authorized code and verified configurations are executed across the software supply chain Isolation of compromised user data to virtual machines (VMs) Memory encryption and input/output memory management units (IOMMUs) Protects the system against physical leaks with protection Shell access on a zero-TPU platform Tunnels all incoming traffic into the system using a third-party operated IP blinding relay, obfuscating the true origin of the request Separates system authentication and authorization from inference using anonymous tokens
NCC Group, which conducted an external assessment of private AI computing between April and September 2025, announced that it was able to discover a timing-based side channel within an IP blinding relay component that can be used to “unmask” a user under certain conditions. However, due to the fact that the multi-user nature of the system introduces “a lot of noise” and makes it difficult for attackers to associate queries with specific users, Google has determined that the system poses a low risk.
The company also said it has identified three issues in its implementation of the authentication mechanism that can lead to denial of service (DoS) conditions and various protocol attacks. Google is currently working on mitigations for all of these.
“While the entire system relies on proprietary hardware and is centralized on Borg Prime, […] “Google has resolutely limited the risk of user data being exposed to unintended processing or outside parties unless determined to do so by the organization as a whole,” it said. “Users will benefit from a higher level of protection from malicious insiders.”
This development mirrors similar moves by Apple and Meta, which released Private Cloud Computing (PCC) and Private Processing to offload AI queries from mobile devices in a privacy-preserving manner.
“Remote authentication and encryption are used to connect devices to a hardware-protected, sealed cloud environment, allowing Gemini models to securely process data within a dedicated, protected space,” said Jay Yagnik, vice president of AI innovation and research at Google. “This ensures that sensitive data processed by Private AI Compute is only accessible to you and no one else, including Google.”
Source link
