Your conversations with AI feel private. They are not. Every prompt you type into ChatGPT, Gemini, or Claude flows into corporate servers in plaintext, where it can be accessed by employees, handed to lawyers under subpoena, or fed back into future model training. Moxie Marlinspike, the cryptographer who built Signal and made encrypted messaging the global standard, has had enough of that.
On March 17, Marlinspike announced that the core technology behind Confer — his end-to-end encrypted AI chatbot — will be integrated directly into Meta AI. The announcement is a near-exact replay of what he did a decade ago, when he worked with Meta to bake the Signal Protocol into WhatsApp, giving billions of people encrypted messaging without asking them to change anything.
Now he wants to do it again, this time for AI.
"AI chat apps have become some of the largest centralized data lakes in history, containing more sensitive data than anything ever before," Marlinspike wrote on the Confer blog. "We are using LLMs for the kind of unfiltered thinking that we might do in a private journal — except this journal is an API endpoint to a data pipeline specifically designed for extracting meaning and context."
Confer is designed so that nobody, not even Marlinspike himself, can read what users type. Prompts are encrypted on the user’s device before they ever leave it. On the server side, the AI runs inside a Trusted Execution Environment (TEE) — a hardware-isolated vault where even the host machine has no visibility into what is being processed. Responses get encrypted before they leave the TEE. The entire pipeline produces a cryptographic attestation, a verifiable proof that the code running on the server matches what is published open-source. No promises in a terms of service. Math.
The timing is pointed. A US court order in May 2025 required OpenAI to preserve all ChatGPT user logs, including deleted chats. Sam Altman has acknowledged that therapy sessions held on the platform may not stay private. The legal and commercial risks of confiding in an AI are becoming harder to ignore.
Meta is not exactly known for restraint around user data. The company’s entire advertising machine is built on knowing what people think and want. That is what makes Marlinspike’s move interesting: by integrating Confer’s technology, Meta would be building a system that is architecturally incapable of seeing the content of AI conversations. Not "we promise not to look." Can’t look.
Meta has been moving in this direction already. The company adopted NVIDIA Confidential Computing for WhatsApp’s private processing as part of a multiyear infrastructure deal announced in February. NVIDIA and Meta are now working to expand those confidential computing capabilities across more of Meta’s product portfolio. Confer’s integration slots into that broader architecture.
Confer itself remains an independent product. The free tier allows 20 messages per day across 5 active chats, using open-weight models. A paid tier at $34.99 per month unlocks advanced models and unlimited usage — significantly pricier than ChatGPT Plus or Claude Pro, which both run $20 a month. The premium is essentially a fee for not becoming the product.
Cryptography expert Matthew Green noted on X that TEEs alone are not a complete solution, particularly for agentic AI where models interact with the real world. "All the hard parts are on that boundary between private and public," he wrote. Side-channel attacks have historically targeted TEE implementations, and the security community is watching how Confer handles those edges.
Still, the WhatsApp parallel is hard to dismiss. Signal’s protocol was a niche tool until Marlinspike integrated it into a platform with a billion users. WhatsApp’s adoption of E2E encryption changed the default for global messaging practically overnight. If the Meta AI integration holds, the same logic applies: hundreds of millions of people would get encrypted AI conversations without doing anything differently.
Will Cathcart, Meta’s head of WhatsApp, called the announcement "incredibly exciting," noting that AI is increasingly used for deeply personal and confidential information. Andy Greenberg at Wired flagged something worth watching: Meta did not announce this. Marlinspike did, on his own blog. The company that would benefit most from the privacy story stayed quiet.