How WhatsApp Uses Meta AI Without Breaking End-to-End Encryption

Abhishek_Lende9

04-30 19:05

Meta’s Private Processing: Secure AI on WhatsApp


Private Processing Explained

Meta’s Private Processing is a new confidential-computing platform that lets WhatsApp add AI features (like chat summarization or writing suggestions) without reading your messages. In technical terms, the WhatsApp client on your device encrypts the selected chat data and sends it to Meta’s cloud, where it is decrypted only inside a Trusted Execution Environment (TEE) – a hardware-based “black box” that even Meta can’t peek into. Meta emphasizes that anything sent to these AI tools “cannot be accessed by anyone (including Meta and WhatsApp)” except the original sender and recipients. In short, Private Processing ensures the AI can operate on your encrypted chats while preserving WhatsApp’s end-to-end encryption guarantees.




AI on WhatsApp without breaking encryption

When you invoke an AI feature (for example, asking for a group-chat summary), only the messages you explicitly send to the AI are involved. Your device encrypts that content and forwards it through the secure channel. Meta’s servers route this encrypted request into a TEE (called a Confidential Virtual Machine, or CVM) that runs the AI model. Inside the enclave, the AI decrypts and processes the data, then produces a response. Crucially, Meta says the input and output “information is deleted from the servers” immediately after processing. In practice, this means only your device and the secure enclave ever see the plaintext; even Meta/WhatsApp cannot decrypt it. Using AI features is entirely optional: you must choose to use them (e.g. by tapping the AI button or mentioning @MetaAI), and WhatsApp’s Advanced Chat Privacy setting lets you mark sensitive chats so they’re never sent to the AI.


Cryptographic techniques


Private Processing employs several layers of cryptography to hide your identity and data even from Meta/WhatsApp:


Oblivious HTTP (OHTTP): Your request is sent through a third-party relay network using OHTTP. This hides your IP address and ensures Meta’s servers can’t link the AI request back to your account or device.


Anonymous credentials & HPKE: WhatsApp proves you are a valid user with anonymous credentials, but doesn’t attach any identifying info. The request is encrypted with Hybrid Public-Key Encryption (HPKE) so that only the chosen TEE’s public key can open it.


Remote Attestation (RA-TLS): Before any data is exchanged, your device performs a hardware-backed attestation handshake with the TEE. The enclave supplies a signed report of its software configuration, which your device checks against a public ledger of approved code. This verifies that the AI is running only Meta’s vetted code. If anything is tampered with, the session will abort.


Trusted Execution Environments (TEEs): The core AI processing happens inside TEEs, such as Confidential Virtual Machines on Meta’s secure cloud. These are CPU/GPU enclaves (analogous to Intel SGX or AMD SEV) that isolate code and data from the rest of the system. All data inside the enclave is encrypted at rest and in memory, so even privileged admins can’t view it. Meta uses these TEEs so that only the hardware-protected environment ever handles your plaintext. Each TEE’s identity and integrity are continuously checked via hardware root-of-trust: before processing your request, the device verifies the enclave’s attestation certificate to ensure the correct, unmodified AI code is running.
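The client-side attestation check described above can be sketched as follows. This is an added example, not Meta's or WhatsApp's code: the report fields, the nonce freshness check, the binding of the encryption key to the report, and all sample values are assumptions made for illustration, and HMAC stands in for the asymmetric hardware signature a real TEE produces.

```python
import hashlib, hmac, json, secrets

HW_ROOT_KEY = b"constructed-hardware-root-key"  # constructed; stands in for the vendor key
APPROVED_LEDGER = {hashlib.sha256(b"ai-cvm-image-v1").hexdigest()}  # constructed ledger

class AttestationError(Exception):
    """Raised when the client must abort the session."""

def sign_report(report: dict, key: bytes = HW_ROOT_KEY) -> str:
    # HMAC is a stand-in: real TEEs sign with an asymmetric hardware key.
    body = json.dumps(report, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def make_report(image: bytes, enclave_pubkey: bytes, nonce: str) -> dict:
    # Enclave side: measure the loaded code and bind the encryption key to it.
    return {
        "measurement": hashlib.sha256(image).hexdigest(),
        "pubkey_hash": hashlib.sha256(enclave_pubkey).hexdigest(),
        "nonce": nonce,
    }

def verify_attestation(report: dict, signature: str,
                       offered_pubkey: bytes, expected_nonce: str) -> bytes:
    # Client side: return the key to encrypt the request to, or raise.
    if not hmac.compare_digest(sign_report(report), signature):
        raise AttestationError("report not signed by the hardware root of trust")
    if not hmac.compare_digest(report["nonce"], expected_nonce):
        raise AttestationError("nonce mismatch: report is stale or replayed")
    if report["measurement"] not in APPROVED_LEDGER:
        raise AttestationError("measurement not in the ledger of approved code")
    if report["pubkey_hash"] != hashlib.sha256(offered_pubkey).hexdigest():
        raise AttestationError("offered key is not bound to the attested enclave")
    return offered_pubkey

if __name__ == "__main__":
    nonce = secrets.token_hex(16)
    pk = b"constructed-enclave-public-key"
    good = make_report(b"ai-cvm-image-v1", pk, nonce)
    print("approved image:", verify_attestation(good, sign_report(good), pk, nonce) == pk)
    bad = make_report(b"tampered-image", pk, nonce)
    try:
        verify_attestation(bad, sign_report(bad), pk, nonce)
    except AttestationError as err:
        print("session aborted:", err)
```

Only the key returned by `verify_attestation` should be used as the HPKE recipient key; a valid report that is not tied to that key would let an intermediary swap in its own.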


Privacy guarantees & data retention


WhatsApp’s Private Processing is built to minimize data exposure and storage:


Stateless processing: The system does not save your messages after processing. No decrypted chats are written to disk or logged. Meta explicitly notes that “Private Processing does not store messages to disk or external storage” and has no durable access

Forward secrecy: Because the service only holds data briefly in memory, even a full server breach wouldn’t let an attacker recover your past chats. Meta’s design is “forward-secure”: old requests can’t be reconstructed from any logs.


Data minimization: Only the specific messages you sent to the AI (e.g. a handful of chat lines) are included in the request. Other conversations on your phone stay completely isolated. Meta’s implementation “includes only data that is useful for the prompt” (e.g. only the chat you asked to summarize). Once the AI returns an answer, that result (like a summary) is sent back encrypted, and all ephemeral keys and buffers are discarded.
