The glow of the screen illuminated his face as he typed, each word a brick in the wall he was building between his thoughts and the prying eyes of algorithms. He paused, a shiver tracing its way down his spine. What if the very tools meant to liberate us become instruments of our own confinement?
Moxie Marlinspike, the founder of Signal, has been quietly working on Confer: a fully end-to-end encrypted, open-source AI chatbot designed to keep your conversations under your control. Marlinspike has made it clear through a series of blog posts that while he appreciates large language models, he’s concerned about the current state of privacy afforded to users.
Marlinspike argues that a chatbot’s interface should accurately reflect what’s happening behind the scenes, just like Signal. Signal presents itself as a private conversation because, in reality, that’s exactly what it is. Tools like ChatGPT and Claude might feel like safe spaces for intimate thoughts, but your conversations can be accessed and used for training.
If a chatbot gives you the impression of privacy, Marlinspike insists it should be functionally private, too. It’s a matter of integrity in design. This becomes especially important because LLMs represent the first major tech medium that “actively invites confession.” As people engage with these systems, they share intimate details about their thought processes and uncertainties.
Marlinspike warns that this kind of information could be weaponized against users. He envisions advertisers exploiting these insights to sell products or influence behavior, turning our deepest vulnerabilities into targeted ads. His proposed solution is Confer, an AI chatbot that encrypts both prompts and responses so that only the user can access them.
“Confer is designed to be a space where you can explore ideas without the risk of your thoughts conspiring against you; a service that breaks the cycle of your thoughts becoming targeted ads, becoming thoughts; a service where you can learn about the world – without data brokers and future training runs learning about you instead,” Marlinspike wrote.
Signal, founded in 2014 with similar principles, saw its open-source encrypted messaging protocol eventually adopted by Meta’s WhatsApp. Could Meta and other tech giants adopt Confer’s technology? Time will tell.
How Confer Works
Think of your digital life as a house. Right now, most AI chatbots have windows that anyone can peer through. According to Marlinspike, Confer is designed so that your conversations are encrypted before they ever leave your device, just like Signal.
Prompts are encrypted on your device and sent to Confer’s servers in that form. Then, they’re only decrypted within a secure data environment to generate a response.
How does Confer use encryption keys?
Confer uses a mix of security tools. Instead of passwords, it uses passkeys, such as Face ID, Touch ID, or a device unlock PIN on verified devices, to derive encryption keys. It’s like having a unique digital signature for every interaction.
When it comes time for the AI to respond, Confer uses what it calls confidential computing, where hardware-enforced isolation is used to run code in a Trusted Execution Environment (TEE).
“The host machine provides CPU, memory, and power, but cannot access the TEE’s memory or execution state,” Marlinspike explained. It’s a virtual vault where data is processed without being exposed.
With the LLM’s “thinking,” or inference, running in a confidential virtual machine, the response is then encrypted and sent back to the user.
What does “attestation” mean?
The hardware also produces cryptographic proof, known as attestation, that allows your device to verify that everything is running as it should. It’s like a digital seal of approval, confirming the integrity of the process.
Why is data security important?
All of this is done to keep your data secure and prevent it from being sent to what Marlinspike calls “a data lake specifically designed for extracting meaning and context.” The goal is to keep your thoughts yours and not fodder for algorithms.
Ultimately, Confer aims to give users control of their data. Is privacy a luxury, or should it be the default setting for our digital interactions?