{"id":22434,"date":"2025-04-29T10:15:00","date_gmt":"2025-04-29T17:15:00","guid":{"rendered":"https:\/\/engineering.fb.com\/?p=22434"},"modified":"2025-05-05T09:02:40","modified_gmt":"2025-05-05T16:02:40","slug":"whatsapp-private-processing-ai-tools","status":"publish","type":"post","link":"https:\/\/engineering.fb.com\/2025\/04\/29\/security\/whatsapp-private-processing-ai-tools\/","title":{"rendered":"Building Private Processing for AI tools on WhatsApp"},"content":{"rendered":"<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">We are inspired by the possibilities of AI to help people be more creative, productive, and stay closely connected on WhatsApp, so we set out to build a new technology that allows our users around the world to use AI in a privacy-preserving way.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">We\u2019re sharing an early look into Private Processing, an optional capability that enables users to initiate a request to a confidential and secure environment and use AI for processing messages where no one \u2014 including Meta and WhatsApp \u2014 can access them.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">To validate our implementation of these and other security principles, independent security researchers will be able to continuously verify our privacy and security architecture and its integrity.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">AI has revolutionized the way people interact with technology and information, making it possible for people to automate complex tasks and gain valuable insights from vast amounts of data. However, the current state of AI processing \u2014 which relies on large language models often running on servers, rather than mobile hardware \u2014 requires that users\u2019 requests are visible to the provider. Although that works for many use cases, it presents challenges in enabling people to use AI to process private messages while preserving the level of privacy afforded by end-to-end encryption.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">We set out to enable AI capabilities with the privacy that people have come to expect from WhatsAp<\/span><span style=\"font-weight: 400;\">p, so that AI can deliver helpful capabilities, such as summarizing messages, without Meta or WhatsApp having access to them, and in the way that meets the following principles:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Optionality:<\/b><span style=\"font-weight: 400;\"> Using Meta AI through WhatsApp, including features that use Private Processing, must be optional.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Transparency: <\/b><span style=\"font-weight: 400;\">We must provide transparency when our features use Private Processing.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>User control:<\/b><span style=\"font-weight: 400;\"> For people\u2019s most sensitive chats that require extra assurance, they must be able to prevent messages from being used for AI features like mentioning Meta AI in chats, with the help of WhatApp\u2019s <\/span><a href=\"https:\/\/blog.whatsapp.com\/introducing-advanced-chat-privacy\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">Advanced Chat Privacy<\/span><\/a><span style=\"font-weight: 400;\"> feature.<\/span><\/li>\n<\/ul>\n<h2><span style=\"font-weight: 400;\">Introducing Private Processing<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">We\u2019re excited to share an initial overview of Private Processing, a new technology we\u2019ve built to <\/span><span style=\"font-weight: 400;\">support people\u2019s needs and aspirations to leverage AI in a secure and privacy-preserving way. This confidential computing infrastructure, built on top of a Trusted Execution Environment (TEE), will make it possible for people to direct AI to <\/span><span style=\"font-weight: 400;\">process their requests \u2014 like summarizing unread WhatsApp threads or getting writing suggestions \u2014 in our secure and private cloud environment. In other words, Private Processing will allow users to leverage powerful AI features, while preserving WhatsApp\u2019s core privacy promise, ensuring <\/span><b>no one except you and the people you\u2019re talking to can access or share your personal messages, not even Meta or WhatsApp.\u00a0<\/b><\/p>\n<p><span style=\"font-weight: 400;\">To uphold this level of privacy and security, we designed Private Processing with the following foundational requirements:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Confidential processing:<\/b><span style=\"font-weight: 400;\"> Private Processing must be built in such a way that prevents any other system from accessing user\u2019s data \u2014 including Meta, WhatsApp or any third party \u2014 while in processing or in transit to Private Processing.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Enforceable guarantees:<\/b><span style=\"font-weight: 400;\"> Attempts to modify that confidential processing guarantee must cause the system to fail closed or become publicly discoverable via verifiable transparency.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Verifiable transparency: <\/b><span style=\"font-weight: 400;\">Users and security researchers must be able to audit the behavior of Private Processing to independently verify our privacy and security guarantees.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">However, we know that technology platforms like ours operate in a highly adversarial environment where threat actors continuously adapt, and software and hardware systems keep evolving, generating unknown risks. As part of our <\/span><a href=\"https:\/\/engineering.fb.com\/2022\/07\/28\/security\/five-security-principles-for-billions-of-messages-across-metas-apps\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">defense-in-depth<\/span> <span style=\"font-weight: 400;\">ap<\/span><span style=\"font-weight: 400;\">p<\/span><span style=\"font-weight: 400;\">roach<\/span><\/a><span style=\"font-weight: 400;\"> and best practices for any security-critical system, we\u2019re treating the following additional layers of requirements as core to Private Processing on WhatsApp:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Non-targetability:<\/b><span style=\"font-weight: 400;\"> An attacker should not be able to target a particular user for compromise without attempting to compromise the entire Private Processing system.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Stateless processing and forward security:<\/b><span style=\"font-weight: 400;\"> Private Processing must not retain access to user messages once the session is complete to ensure that the attacker can not gain access to historical requests or responses.<\/span><\/li>\n<\/ul>\n<h3><span style=\"font-weight: 400;\">Threat modeling for Private Processing<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">Because we set out to meet these high-security requirements, our work to build Private Processing began with developing a threat model to help us identify potential attack vectors and vulnerabilities that could compromise the confidentiality, integrity, or availability of user data. We\u2019ve worked with our peers in the security community to audit the architecture and our implementation to help us continue to harden them.\u00a0<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Building in the open<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">To help inform our industry\u2019s progress in building private AI processing, and to enable independent security research in this area, we will be publishing components of Private Processing, expanding the scope of our <\/span><a href=\"https:\/\/bugbounty.meta.com\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">Bug Bounty program<\/span><\/a><span style=\"font-weight: 400;\"> to include Private Processing, and releasing a detailed security engineering design paper, <\/span><b>as we get closer to the launch of Private Processing in the coming weeks.\u00a0<\/b><\/p>\n<p><span style=\"font-weight: 400;\">While AI-enabled processing of personal messages for summarization and writing suggestions at users\u2019 direction is the first use case where Meta applies Private Processing, we expect there will be others where the same or similar infrastructure might be beneficial in processing user requests. We will continue to share our learnings and progress transparently and responsibly.<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">How Private Processing works<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">Private Processing creates a secure cloud environment where AI models can analyze and process data without exposing it to unauthorized parties.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Here&#8217;s how it works:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Authentication: <\/b><span style=\"font-weight: 400;\">First, Private Processing obtains <\/span><a href=\"https:\/\/engineering.fb.com\/2022\/12\/12\/security\/anonymous-credential-service-acs-open-source\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">anonymous credentials<\/span><\/a><span style=\"font-weight: 400;\"> to verify that the future requests are coming from authentic WhatsApp clients.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Third-party routing and load balancing:<\/b><span style=\"font-weight: 400;\"> In addition to these credentials, Private Processing fetches HPKE encryption public keys from a third-party CDN in order to support <\/span><span style=\"font-weight: 400;\">Oblivious HTTP<\/span><span style=\"font-weight: 400;\"> (OHTTP).<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Wire session establishment: <\/b><span style=\"font-weight: 400;\">Private Processing establishes an OHTTP connection from the user\u2019s device to a Meta gateway via a third-party relay which hides requester IP from Meta and WhatsApp.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Application session establishment:<\/b><span style=\"font-weight: 400;\"> Private Processing establishes a Remote Attestation + Transport Layer Security (RA-TLS) session between the user\u2019s device and the TEE. The attestation verification step cross-checks the measurements against a third-party ledger to ensure that the client only connects to code which satisfies our verifiable transparency guarantee.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Request to Private Processing: <\/b><span style=\"font-weight: 400;\">After the above session is established, the device makes a request to Private Processing (e.g., message summarization request), that is<\/span><span style=\"font-weight: 400;\"> encrypted end-to-end between the device and Private Processing with an ephemeral key that Meta and WhatsApp cannot access. In other words, no one except the user\u2019s device or the selected TEEs can decrypt the request.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Private Processing:<\/b><span style=\"font-weight: 400;\"> Our AI models process data in a confidential virtual machine (CVM), a type of TEE, without storing any messages, in order to generate a response. CVMs may communicate with other CVMs using the same RA-TLS connection clients use to complete processing.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Response from Private Processing: <\/b><span style=\"font-weight: 400;\">The processed results are then returned to the user\u2019s device, encrypted with a key that only the device and the pre-selected Private Processing server ever have access to. <\/span><span style=\"font-weight: 400;\">Private Processing does not retain access to messages after the session is completed.<\/span><\/li>\n<\/ul>\n<h2><span style=\"font-weight: 400;\">The threat model<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">In designing any security-critical system, it is important to develop a threat model to guide how we build its defenses. Our threat model for Private Processing includes three key components:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Assets<\/b><span style=\"font-weight: 400;\">: The sensitive data and systems that we need to protect.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Threat actors<\/b><span style=\"font-weight: 400;\">: The individuals or groups that may attempt to compromise our assets.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Threat scenarios<\/b><span style=\"font-weight: 400;\">: The ways in which our assets could be compromised, including the tactics, techniques, and procedures (TTPs) that threat actors might use.<\/span><\/li>\n<\/ul>\n<h3><span style=\"font-weight: 400;\">Assets<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">In the context of applying Private Processing to <\/span><span style=\"font-weight: 400;\">summarizing unread messages or providing writing suggestions at users\u2019 direction, <\/span><span style=\"font-weight: 400;\">we will use Private Processing to protect messaging content, whether they have been received by the user, or still in draft form. We use the term \u201cmessages\u201d to refer to these primary assets in the context of this blog.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In addition to messages, we also include additional, secondary assets which help support the goal of Private Processing and may interact with or directly process assets: the Trusted Computing Base (TCB) of the Confidential Virtual Machine (CVM), the underlying hardware, and the cryptographic keys used to protect data in transit.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Threat actors<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">We have identified three threat actor types that could attack our system to attempt to recover assets.<\/span><\/p>\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Malicious or compromised insiders with access to our infrastructure.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">A third party or supply chain vendor with access to components of the infrastructure.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Malicious end users targeting other users on the platform.<\/span><\/li>\n<\/ol>\n<h3><span style=\"font-weight: 400;\">Threat scenarios<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">When building Private Processing to be resilient against these threat actors, we consider relevant threat scenarios that may be pursued against our systems, including (but not limited to) the following:<\/span><\/p>\n<h4><span style=\"font-weight: 400;\">External actors directly exploit the exposed product attack surface or compromise the services running in Private Processing CVMs to extract messages.<\/span><\/h4>\n<p><span style=\"font-weight: 400;\">Anywhere the system processes untrusted data, there is potentially an attack surface for a threat actor to exploit. Examples of these kinds of attacks include exploitation of zero-day vulnerabilities or attacks unique to AI such as prompt injection.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Private Processing is designed to reduce such an attack surface through limiting the exposed entry points to a small set of thoroughly reviewed components which are subject to regular assurance testing.<\/span><span style=\"font-weight: 400;\"> The service binaries are hardened and run in a containerized environment to mitigate the risks of code execution and limit a compromised binary\u2019s ability to exfiltrate data from within the CVM to an external party.<\/span><\/p>\n<h4><span style=\"font-weight: 400;\">Internal or external attackers extract messages exposed through the CVM.<\/span><\/h4>\n<p><span style=\"font-weight: 400;\">Observability and debuggability remains a challenge in highly secure environments as they can be at odds with the goal of confidential computing, potentially exposing side channels to identify data and in the worst case accidentally leaking messages themselves. However, deploying any service at scale requires some level of observability to identify failure modes, since they may negatively impact many users, even when the frequency is uncommon. We implement a log-filtering system to limit export to only allowed log lines, such as error logs.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Like any complex system, Private Processing is built of components to form a complex supply chain of both hardware and software. Internally, our CVM build process occurs in restricted environments that maintain provenance and require multi-party review. Transparency of the CVM environment, which we\u2019ll provide <\/span><span style=\"font-weight: 400;\">through publishing a third-party log of CVM binary digests and CVM binary images<\/span><span style=\"font-weight: 400;\">, will allow external researchers to analyze, replicate, and report instances where they believe logs could leak user data.<\/span><\/p>\n<h4><span style=\"font-weight: 400;\">Insiders with physical or remote access to Private Processing hosts interfere with the CVM at boot and runtime, potentially bypassing the protections in order to extract messages.<\/span><\/h4>\n<p><span style=\"font-weight: 400;\">TEE software exploitation is a growing area of security research, and vulnerability researchers have repeatedly demonstrated the ability to bypass TEE guarantees. Similarly, physical attacks on Private Processing hosts may be used to defeat TEE guarantees or present compromised hosts as legitimate to an end user.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">To address these unknown risks, we built Private Processing on the principle of defense-in-depth by actively tracking novel vulnerabilities in this space, minimizing and sanitizing untrusted inputs to the TEE, minimizing attack surface through CVM hardening and enabling abuse detection through enhanced host monitoring.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Because we know that defending against physical access introduces significant complexity and attack surface even with industry-leading controls, we continuously pursue further attack surface hardening. In addition, we reduce these risks through measures like encrypted DRAM and standard physical security controls to protect our datacenters from bad actors.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">To further address these unknown risks, we seek to eliminate the viability of targeted attacks via routing sessions through a third-party OHTTP relay to prevent an attacker\u2019s ability to route a specific user to a specific machine.<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">Designing Private Processing<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">Here is how we designed Private Processing <\/span><span style=\"font-weight: 400;\">to meet these foundational security and privacy requirements against the threat model we developed. <\/span><\/p>\n<p><i><span style=\"font-weight: 400;\">(Further technical documentation and security research engagements updates are coming soon).<\/span><\/i><\/p>\n<h3><span style=\"font-weight: 400;\">Confidential processing<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">Data shared to Private Processing is processed in an environment which does not make it available to any other system. This protection is further upheld by encrypting data end-to-end between the client and the Private Processing application, so that only Private Processing, and no one in between \u2013 including Meta, WhatsApp, or any third-party relay \u2013 can access the data.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">To prevent possible user data leakage, only limited service reliability logs are permitted to leave the boundaries of CVM.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">System software<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">To prevent privileged runtime access to Private Processing, we prohibit remote shell access, including from the host machine, and implement security measures including code isolation. Code isolation ensures that only designated code in Private Processing has access to user data. Prohibited remote shell access ensures that neither the host nor a networked user can gain access to the CVM shell.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">We defend against potential source control and supply chain attacks by implementing established industry best practices. This includes building software exclusively from checked-in source code and artifacts, where any change requires multiple engineers to modify the build artifacts or build pipeline.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">As another layer of security, all code changes are auditable. This allows us to ensure that any potential issues are discovered \u2014 either through our continuous internal audits of code, or by external security researchers auditing our binaries.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">System hardware<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">Private Processing utilizes CPU-based confidential virtualization technologies, along with Confidential Compute mode GPUs, which prevent certain classes of attacks from the host operating system, as well as certain physical attacks.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Enforceable guarantees<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">Private Processing utilizes CPU-based confidential virtualization technologies which allow attestation of software based in a hardware root of trust to guarantee the security of the system prior to each client-server connection. Before any data is transmitted, Private Processing checks these attestations, and confirms them against a third-party log of acceptable binaries.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Stateless and forward secure service<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">We operate Private Processing as a stateless service, which neither stores nor retains access to messages after the session has been completed.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Additionally, Private Processing does not store messages to disk or external storage, and thus does not maintain durable access to this data.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">As part of our data minimization efforts, requests to Private Processing <\/span><span style=\"font-weight: 400;\">only include data that is useful for processing the prompt \u2014 for example, message summarization will only include the messages the user directed AI to summarize.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Non-targetability<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">Private Processing implements<\/span><span style=\"font-weight: 400;\"> the OHTTP protocol to establish a secure session with Meta routing layers. This ensures that Meta and WhatsApp do not know which user is connecting to what CVM. In other words, <\/span><span style=\"font-weight: 400;\">Meta and WhatsApp do not know the user that initiated a request to Private Processing while the request is in route, so that a specific user cannot be routed to any specific hardware.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Private Processing uses anonymous credentials to authenticate users over OHTTP. This way, Private Processing can authenticate users to the Private Processing system, but remains unable to identify them. Private Processing does not include any other identifiable information as part of the request during the establishment of a system session. <\/span><span style=\"font-weight: 400;\">We limit the impact of small-scale attacks by ensuring that they cannot be used to target the data of a specific user.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Verifiable transparency<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">To provide users visibility into the processing of their data and aid in validation of any client-side behaviors, we will provide capabilities to obtain an in-app log of requests made to Private Processing, data shared with it, and details of how that secure session was set up.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In order to provide verifiability, we will make available the CVM image binary powering Private Processing. We will make these components available to researchers to allow independent, external verification of our implementation.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In addition, to enable deeper bug bounty research in this area, we will publish source code for certain components of the system, including our attestation verification code or load bearing code.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">We will also be expanding the scope of our existing <\/span><a href=\"https:\/\/bugbounty.meta.com\/\"><span style=\"font-weight: 400;\">Bug Bounty program<\/span><\/a><span style=\"font-weight: 400;\"> to cover Private Processing to enable further independent security research into Private Processing\u2019s design and implementation.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Finally, we will be publishing a detailed technical white paper on the security engineering design of Private Processing to provide further transparency into our security practices, and aid others in the industry in building similar systems.<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">Get Involved<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">We&#8217;re deeply committed to providing our users with the best possible messaging experience while ensuring that only they and the people they\u2019re talking to can access or share their personal messages. Private Processing is a critical component of this commitment, and we&#8217;re excited to make it available in the coming weeks.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">We welcome feedback from our users, researchers, and the broader security community through our security research program:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">More details: <\/span><a href=\"https:\/\/bugbounty.meta.com\"><span style=\"font-weight: 400;\">Meta Bug Bounty<\/span><\/a><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><a href=\"mailto:bugbounty@meta.com\"><span style=\"font-weight: 400;\">Contact us<\/span><\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>We are inspired by the possibilities of AI to help people be more creative, productive, and stay closely connected on WhatsApp, so we set out to build a new technology that allows our users around the world to use AI in a privacy-preserving way. We\u2019re sharing an early look into Private Processing, an optional capability [&#8230;]<\/p>\n<p><a class=\"btn btn-secondary understrap-read-more-link\" href=\"https:\/\/engineering.fb.com\/2025\/04\/29\/security\/whatsapp-private-processing-ai-tools\/\">Read More&#8230;<\/a><\/p>\n","protected":false},"author":51,"featured_media":22441,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[47],"tags":[1687],"class_list":["post-22434","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","tag-whatsapp","fb_content_type-article"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v19.3 (Yoast SEO v19.12) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Building Private Processing for AI tools on WhatsApp - Engineering at Meta<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/engineering.fb.com\/2025\/04\/29\/security\/whatsapp-private-processing-ai-tools\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Chris Wiltz\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"14 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/engineering.fb.com\/2025\/04\/29\/security\/whatsapp-private-processing-ai-tools\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/engineering.fb.com\/2025\/04\/29\/security\/whatsapp-private-processing-ai-tools\/\"},\"author\":{\"@id\":\"https:\/\/engineering.fb.com\/2025\/04\/29\/security\/whatsapp-private-processing-ai-tools\/#author\",\"name\":\"\"},\"headline\":\"Building Private Processing for AI tools on WhatsApp\",\"datePublished\":\"2025-04-29T17:15:00+00:00\",\"dateModified\":\"2025-05-05T16:02:40+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/engineering.fb.com\/2025\/04\/29\/security\/whatsapp-private-processing-ai-tools\/\"},\"wordCount\":2750,\"publisher\":{\"@id\":\"https:\/\/engineering.fb.com\/#organization\"},\"keywords\":[\"WhatsApp\"],\"articleSection\":[\"Security &amp; Privacy\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/engineering.fb.com\/2025\/04\/29\/security\/whatsapp-private-processing-ai-tools\/\",\"url\":\"https:\/\/engineering.fb.com\/2025\/04\/29\/security\/whatsapp-private-processing-ai-tools\/\",\"name\":\"Building Private Processing for AI tools on WhatsApp - Engineering at Meta\",\"isPartOf\":{\"@id\":\"https:\/\/engineering.fb.com\/#website\"},\"datePublished\":\"2025-04-29T17:15:00+00:00\",\"dateModified\":\"2025-05-05T16:02:40+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/engineering.fb.com\/2025\/04\/29\/security\/whatsapp-private-processing-ai-tools\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/engineering.fb.com\/2025\/04\/29\/security\/whatsapp-private-processing-ai-tools\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/engineering.fb.com\/2025\/04\/29\/security\/whatsapp-private-processing-ai-tools\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/engineering.fb.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Building Private Processing for AI tools on WhatsApp\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/engineering.fb.com\/#website\",\"url\":\"https:\/\/engineering.fb.com\/\",\"name\":\"Engineering at Meta\",\"description\":\"Engineering at Meta Blog\",\"publisher\":{\"@id\":\"https:\/\/engineering.fb.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/engineering.fb.com\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/engineering.fb.com\/#organization\",\"name\":\"Meta\",\"url\":\"https:\/\/engineering.fb.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/engineering.fb.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/engineering.fb.com\/wp-content\/uploads\/2023\/08\/Meta_lockup_positive-primary_RGB.jpg\",\"contentUrl\":\"https:\/\/engineering.fb.com\/wp-content\/uploads\/2023\/08\/Meta_lockup_positive-primary_RGB.jpg\",\"width\":29011,\"height\":12501,\"caption\":\"Meta\"},\"image\":{\"@id\":\"https:\/\/engineering.fb.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/Engineering\/\",\"https:\/\/twitter.com\/fb_engineering\"]},[]]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Building Private Processing for AI tools on WhatsApp - Engineering at Meta","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/engineering.fb.com\/2025\/04\/29\/security\/whatsapp-private-processing-ai-tools\/","twitter_misc":{"Written by":"Chris Wiltz","Est. reading time":"14 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/engineering.fb.com\/2025\/04\/29\/security\/whatsapp-private-processing-ai-tools\/#article","isPartOf":{"@id":"https:\/\/engineering.fb.com\/2025\/04\/29\/security\/whatsapp-private-processing-ai-tools\/"},"author":{"@id":"https:\/\/engineering.fb.com\/2025\/04\/29\/security\/whatsapp-private-processing-ai-tools\/#author","name":""},"headline":"Building Private Processing for AI tools on WhatsApp","datePublished":"2025-04-29T17:15:00+00:00","dateModified":"2025-05-05T16:02:40+00:00","mainEntityOfPage":{"@id":"https:\/\/engineering.fb.com\/2025\/04\/29\/security\/whatsapp-private-processing-ai-tools\/"},"wordCount":2750,"publisher":{"@id":"https:\/\/engineering.fb.com\/#organization"},"keywords":["WhatsApp"],"articleSection":["Security &amp; Privacy"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/engineering.fb.com\/2025\/04\/29\/security\/whatsapp-private-processing-ai-tools\/","url":"https:\/\/engineering.fb.com\/2025\/04\/29\/security\/whatsapp-private-processing-ai-tools\/","name":"Building Private Processing for AI tools on WhatsApp - Engineering at Meta","isPartOf":{"@id":"https:\/\/engineering.fb.com\/#website"},"datePublished":"2025-04-29T17:15:00+00:00","dateModified":"2025-05-05T16:02:40+00:00","breadcrumb":{"@id":"https:\/\/engineering.fb.com\/2025\/04\/29\/security\/whatsapp-private-processing-ai-tools\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/engineering.fb.com\/2025\/04\/29\/security\/whatsapp-private-processing-ai-tools\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/engineering.fb.com\/2025\/04\/29\/security\/whatsapp-private-processing-ai-tools\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/engineering.fb.com\/"},{"@type":"ListItem","position":2,"name":"Building Private Processing for AI tools on WhatsApp"}]},{"@type":"WebSite","@id":"https:\/\/engineering.fb.com\/#website","url":"https:\/\/engineering.fb.com\/","name":"Engineering at Meta","description":"Engineering at Meta Blog","publisher":{"@id":"https:\/\/engineering.fb.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/engineering.fb.com\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/engineering.fb.com\/#organization","name":"Meta","url":"https:\/\/engineering.fb.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/engineering.fb.com\/#\/schema\/logo\/image\/","url":"https:\/\/engineering.fb.com\/wp-content\/uploads\/2023\/08\/Meta_lockup_positive-primary_RGB.jpg","contentUrl":"https:\/\/engineering.fb.com\/wp-content\/uploads\/2023\/08\/Meta_lockup_positive-primary_RGB.jpg","width":29011,"height":12501,"caption":"Meta"},"image":{"@id":"https:\/\/engineering.fb.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/Engineering\/","https:\/\/twitter.com\/fb_engineering"]},[]]}},"jetpack_featured_media_url":"https:\/\/engineering.fb.com\/wp-content\/uploads\/2025\/04\/v2_Blog_PrivateProcessing.png","jetpack_shortlink":"https:\/\/wp.me\/pa0Lhq-5PQ","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/engineering.fb.com\/wp-json\/wp\/v2\/posts\/22434","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/engineering.fb.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/engineering.fb.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/engineering.fb.com\/wp-json\/wp\/v2\/users\/51"}],"replies":[{"embeddable":true,"href":"https:\/\/engineering.fb.com\/wp-json\/wp\/v2\/comments?post=22434"}],"version-history":[{"count":2,"href":"https:\/\/engineering.fb.com\/wp-json\/wp\/v2\/posts\/22434\/revisions"}],"predecessor-version":[{"id":22437,"href":"https:\/\/engineering.fb.com\/wp-json\/wp\/v2\/posts\/22434\/revisions\/22437"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/engineering.fb.com\/wp-json\/wp\/v2\/media\/22441"}],"wp:attachment":[{"href":"https:\/\/engineering.fb.com\/wp-json\/wp\/v2\/media?parent=22434"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/engineering.fb.com\/wp-json\/wp\/v2\/categories?post=22434"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/engineering.fb.com\/wp-json\/wp\/v2\/tags?post=22434"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}