In a landscape dominated by data-hungry AI giants, Moxie Marlinspike, the visionary cryptographer and founder of the encrypted messaging app Signal, has unveiled Confer, a groundbreaking AI service aimed at revolutionizing privacy in artificial intelligence interactions.
Launched in late 2025, Confer promises to deliver the same end-to-end encryption ethos that made Signal a beacon for secure communication, ensuring that user prompts, AI responses, and all associated data remain unreadable to anyone except the account holder — even the platform's operators.
This open-source chatbot, accessible via https://confer.to/, addresses growing concerns over AI privacy by preventing data leaks, corporate surveillance, or government subpoenas from compromising personal conversations with large language models (LLMs).
The Privacy-First Architecture: Passkeys and Trusted Execution Environments
At the heart of Confer's design is a seamless integration of passkey-based encryption, leveraging the WebAuthn standard to generate a keypair authenticated via biometrics like Face ID or Touch ID. Using the WebAuthn PRF extension, users derive a 32-byte secret from their private key. This secret serves as durable root key material: it is stored securely on devices and synchronized across them without ever being exposed to the service. This enables client-side encryption and decryption of chats, mirroring Signal's approach where servers cannot access message content.
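As an added illustration (not Confer's code), the sketch below shows how a 32-byte PRF secret can act as root key material for client-side chat encryption with the WebCrypto API. The choice of HKDF-SHA-256 and AES-256-GCM, the function names, the `info` label and the use of a chat id as associated data are all assumptions; the article does not name the primitives Confer uses.

```javascript
// Added example. HKDF-SHA-256 and AES-256-GCM are assumptions; the article
// names no primitives. In a browser, prfSecret would be a Uint8Array over
// credential.getClientExtensionResults().prf.results.first.
const enc = new TextEncoder();

async function getCrypto() {
  // WebCrypto is global in browsers and recent Node; older Node exposes it here.
  return globalThis.crypto ?? (await import('node:crypto')).webcrypto;
}

// Derive a non-extractable AES-GCM key from the 32-byte PRF secret.
// `info` separates purposes, so one root secret can feed several keys.
async function deriveChatKey(prfSecret, info) {
  if (!(prfSecret instanceof Uint8Array) || prfSecret.length !== 32) {
    throw new Error('expected a 32-byte PRF output');
  }
  const { subtle } = await getCrypto();
  const root = await subtle.importKey('raw', prfSecret, 'HKDF', false, ['deriveKey']);
  return subtle.deriveKey(
    { name: 'HKDF', hash: 'SHA-256', salt: new Uint8Array(32), info: enc.encode(info) },
    root, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Encrypt one message. The chat id is authenticated as associated data, so a
// stored record moved to another conversation fails to decrypt.
async function sealMessage(key, chatId, text) {
  const wc = await getCrypto();
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh nonce per message
  const ct = await wc.subtle.encrypt(
    { name: 'AES-GCM', iv, additionalData: enc.encode(chatId) }, key, enc.encode(text));
  const out = new Uint8Array(12 + ct.byteLength);
  out.set(iv);
  out.set(new Uint8Array(ct), 12);
  return out; // nonce || ciphertext || tag
}

// Decrypt a record; rejects if the record, chat id or key does not match.
async function openMessage(key, chatId, record) {
  const { subtle } = await getCrypto();
  const pt = await subtle.decrypt(
    { name: 'AES-GCM', iv: record.slice(0, 12), additionalData: enc.encode(chatId) },
    key, record.slice(12));
  return new TextDecoder().decode(pt);
}
```

Because the derived key is imported as non-extractable and the PRF secret never leaves the client, a server holding only the output of `sealMessage` has nothing it can decrypt.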
For the inference process — where prompts are processed on powerful GPUs — Confer employs Trusted Execution Environments (TEEs) to maintain confidentiality. Prompts are encrypted on the user's device and sent directly into the TEE via Noise Pipes, a protocol providing forward secrecy through ephemeral session keys.
Inside the TEE, the LLM conducts stateless inference in a hardware-isolated confidential VM, preventing the host machine (including Confer's servers) from accessing plaintext data. Remote attestation allows clients to verify that the TEE runs publicly auditable code, with cryptographic measurements of the kernel, filesystem, and components ensuring no tampering. This setup uses reproducible builds via tools like Nix and mkosi, with signatures logged in a transparency log for added accountability.
Unlike standard AI services such as ChatGPT or Gemini, where providers can log, train on, or monetize user data, Confer's model fundamentally blocks such access. Marlinspike has likened traditional AI usage to "confessing to a data lake," highlighting risks from hackers, employees, or legal demands—a vulnerability Confer eliminates by design.
Echoes of Signal and Parallels with Apple
Confer draws direct inspiration from Signal's innovations, such as sealed sender protocols that obscure metadata like recipient identities. In Signal, servers process encrypted messages without decrypting them or knowing full communication details; similarly, Confer's servers handle inference without ever seeing unencrypted prompts. This extends Marlinspike's decade-long crusade for privacy, which began with Signal's launch in 2014 and has influenced global standards for secure messaging.
A notable parallel exists with Apple's Private Cloud Compute (PCC), introduced in 2024 for handling AI features like enhanced Siri integrations with models such as Google's Gemini. PCC uses custom Apple silicon servers with Secure Enclave technology to process requests in a stateless manner, ensuring data is encrypted in transit, used only for the immediate task, and immediately deleted without retention or access by Apple staff.
Like Confer's TEEs, PCC enforces hardware-based isolation and lacks privileged access points, minimizing risks from subpoenas or breaches. This "less you know, the better" philosophy aligns with Marlinspike's vision, where providers voluntarily limit their data exposure to enhance user trust.
However, skepticism persists regarding TEE hardware from vendors like Intel and AMD, given historical vulnerabilities and potential backdoors—issues amplified by past NSA collaborations and zero-day exploits. Despite these concerns, experts note that TEEs offer orders-of-magnitude better protection than unencrypted cloud services, with ongoing advancements in verifiable computing mitigating risks.
Accessibility, Pricing, and the Broader AI Privacy Landscape
Confer supports multiple leading LLMs, including open-source options, and is designed for seamless cross-device use, though Windows and Linux users may need password managers supporting passkeys. Pricing is straightforward: a free tier allows up to 20 messages per day, while the premium plan costs $35 monthly for unlimited access. Users can try it at https://confer.to/, with setup requiring a passkey-enabled device for optimal security.
This launch comes amid a resurgence in local AI processing, driven by hardware advancements like laptops with 64GB+ RAM and NPUs, enabling offline LLMs without cloud dependency. Yet, for resource-intensive models, cloud remains essential — echoing the mainframe era of the 1960s-70s, when centralized computing dominated before personal devices democratized access. In China, where users face the Great Firewall and limited hardware options, such privacy-focused services are particularly appealing, though adoption requires VPNs or proxies to bypass restrictions.
Confer represents a pivotal step toward "truly private AI," challenging the status quo where convenience often trumps security. As Marlinspike extends his legacy from messaging to machine learning, it underscores a growing demand for tools that empower users without exploiting their data — potentially reshaping how we interact with AI in an increasingly surveilled digital world.

