Toward provably private analytics and insights into GenAI use

TL;DR

This paper introduces a federated analytics system leveraging Trusted Execution Environments to ensure verifiable privacy and security guarantees for processing data in large-scale, real-world GenAI applications.

Contribution

It presents a novel TEE-based federated analytics architecture with verifiable privacy guarantees, supporting flexible workloads including unstructured data and differential privacy.

Findings

Successfully deployed in production for real-world GenAI insights

Provides verifiable privacy guarantees through TEE technology

Supports processing unstructured data with LLMs and differential privacy

Abstract

Large-scale systems that compute analytics over a fleet of devices must achieve high privacy and security standards while also meeting data quality, usability, and resource efficiency expectations. We present a next-generation federated analytics system that uses Trusted Execution Environments (TEEs) based on technologies like AMD SEV-SNP and Intel TDX to provide verifiable privacy guarantees for all server-side processing. In our system, devices encrypt and upload data, tagging it with a limited set of allowable server-side processing steps. An open source, TEE-hosted key management service guarantees that the data is accessible only to those steps, which are themselves protected by TEE confidentiality and integrity assurance guarantees. The system is designed for flexible workloads, including processing unstructured data with LLMs (for structured summarization) before aggregation into differentially private insights (with automatic parameter tuning). The transparency properties of our system allow any external party to verify that all raw and derived data is processed in TEEs, protecting it from inspection by the system operator, and that differential privacy is applied to all released results. This system has been successfully deployed in production, providing helpful insights into real-world GenAI experiences.