
Apple Extends Private Cloud Compute to Google Cloud for the First Time


Apple chose Google Cloud to run Private Cloud Compute (PCC) outside its own data centers for the first time. Announced at WWDC 2026, the collaboration stacks three layers of hardware trust on top of each other: NVIDIA Confidential Computing on Blackwell GPUs, Intel TDX on the CPUs, and Google's Titan chip anchoring the root of trust.

Apple describes the result as:

The first time these primitives have been integrated into a comprehensive, end-to-end confidential inference pipeline capable of operating at a global scale.

PCC handles AI workloads too demanding for on-device models: agentic tool use, complex reasoning, and the next generation of Apple Foundation Models that Apple and Google built together using technologies behind Google's Gemini family. Until recently, every PCC request ran exclusively on Apple silicon in Apple-controlled data centers. The Google Cloud expansion means Apple's most privacy-sensitive cloud AI workloads will now execute on infrastructure that Apple does not own or operate.

Apple's core PCC requirements carry over unchanged: stateless computation, enforceable guarantees, no privileged runtime access, non-targetability, and verifiable transparency. In addition, Apple went further than a standard Confidential Computing deployment, as every component from firmware through host and guest OS stacks to application code is part of the trusted computing base. Moreover, all PCC binaries running on Google Cloud nodes will be publicly available for inspection, and Apple's Security Bounty program extends to the Google Cloud-hosted infrastructure.

Two implementation details reveal how deeply Apple distrusts the infrastructure it's renting. First, Apple maintains a cryptographically verifiable, append-only ledger of all Google Cloud hardware in the PCC fleet, tracking every physical component independently rather than relying on Google's own attestation. Second, software attestation for any component that could exfiltrate user data is rooted in at least two separate roots of trust from independent vendors, meaning compromising a single vendor, whether Intel, NVIDIA, or Google, is not sufficient to break the verification chain. No other cloud customer maintains this level of independent hardware tracking on a provider's infrastructure.
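The two checks described above can be sketched as a verifier-side admission policy. This is an added illustration, not Apple's or Google's code: HMAC keys stand in for vendor signing roots, and the vendor names, node IDs and function names are hypothetical.

```python
import hashlib
import hmac

# Constructed stand-ins: real vendor roots are certificate chains, not shared keys.
VENDOR_KEYS = {"cpu-vendor": b"k-cpu", "gpu-vendor": b"k-gpu", "platform-vendor": b"k-plat"}
GENESIS = b"\x00" * 32


def ledger_head(component_ids):
    """Fold component IDs into a hash chain; any edit or removal changes the head."""
    head = GENESIS
    for cid in component_ids:
        head = hashlib.sha256(head + cid.encode()).digest()
    return head


def sign(vendor, node_id, measurement):
    """Hypothetical vendor attestation over (node, software measurement)."""
    msg = node_id.encode() + b"|" + measurement
    return hmac.new(VENDOR_KEYS[vendor], msg, hashlib.sha256).digest()


def valid_vendors(node_id, measurement, evidence):
    """Return the set of distinct vendors whose evidence verifies."""
    ok = set()
    for vendor, tag in evidence:
        if vendor not in VENDOR_KEYS:
            continue  # unknown root: ignore rather than trust
        if hmac.compare_digest(tag, sign(vendor, node_id, measurement)):
            ok.add(vendor)
    return ok


def accept_node(node_id, measurement, evidence, ledger, published_head, min_roots=2):
    """Accept only if the ledger is intact, lists the node, and enough roots agree."""
    if not hmac.compare_digest(ledger_head(ledger), published_head):
        return False  # ledger history was rewritten
    if node_id not in ledger:
        return False  # hardware is not tracked in the fleet ledger
    # Counting distinct vendors means one compromised root cannot vouch twice.
    return len(valid_vendors(node_id, measurement, evidence)) >= min_roots


# Constructed sample data.
LEDGER = ["node-a", "node-b", "node-c"]
HEAD = ledger_head(LEDGER)
GOOD = hashlib.sha256(b"pcc-image-v1").digest()
```
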

The choice of Google Cloud specifically is not random. The collaboration builds on a multi-year agreement signed in January 2026 covering Google's AI models and cloud infrastructure for Apple consumer devices. Apple has used Google's TPUs to train AI models since 2024, and the next generation of Apple Foundation Models uses technologies behind Google's Gemini family. Running PCC on the same infrastructure where the models were built avoids the latency and complexity of cross-provider inference.

Jonathan Sandhu, a defense and enterprise systems architect, offered a blunter reading on LinkedIn:

The reason this happened isn't privacy architecture. It's that Google built the foundation models powering the next generation of Apple Intelligence. Apple needed Google's inference capability and had to figure out how to run it without destroying their privacy narrative. This document is the engineering solution to a business dependency problem.

Sandhu also raised the unresolved jurisdictional question:

What happens to the privacy guarantees when Google's infrastructure has a compliance obligation to a government request that Apple's wouldn't? Apple has fought those battles in court. Google has a different history.

On Hacker News, one commenter framed the trust question practitioners will ask:

If Apple handles the Google-Apple boundary right, this will be an elegant move on their part, otherwise it will feel like Apple Intelligence with just a privacy-polished frontend for Gemini.

A practitioner on Reddit laid out the three tiers of cloud inference that make the competitive picture concrete:

There are three modes: Eyes on with retention (they can see everything, train on it etc). ZDR — zero data retention (no logs are kept at all). ZOA — zero operator access (a Secure Enclave is used that has attestation and encryption. It's impossible for a human to see the data at any point — this is like Apple Private Compute).

That framework clarifies where each hyperscaler sits. Bedrock's previous model was ZDR: the provider never saw your data. Claude Fable 5 on Bedrock moved closer to eyes-on with mandatory 30-day retention. Apple PCC on Google Cloud is ZOA: cryptographic proof that no operator, including Google, can access inference data at any point.

The competitive context matters. Google Cloud wins the most privacy-demanding customer in the industry. AWS and Azure were not chosen. The open-source Prompt Encryption SDKs that Google released alongside the collaboration let any customer build the same end-to-end encrypted inference pipeline: prompts encrypted from client to TEE, responses encrypted back.

Alongside the Apple collaboration, Google announced Confidential G4 VMs with NVIDIA RTX PRO 6000 Blackwell GPUs in preview, democratizing confidential AI beyond expensive H100-based instances. DigiCert is providing independent third-party attestation as a neutral root of trust beyond Google's own verification.

The rollout is ramping through summer 2026 as a preview. Apple keeps its own Apple silicon PCC infrastructure running in parallel, so this is an expansion, not a migration. Financial terms, capacity commitments, and which Google Cloud regions are involved remain undisclosed. An updated PCC Security Guide and expanded research program documentation are planned for later in 2026.
