Google proposes private analytics without one point of trust

Google Research described a private analytics approach for on-device AI. It combines a new cryptographic secure aggregation protocol with the transparency of TEEs and aims to reduce trust in any single entity.

Google wants to measure on-device models without accessing individual content

The post by Adrià Gascón and Mariana Raykova explains why on-device AI needs measurement without collecting individual content. Google cites SafetyCore, Pixel Recorder and Gboard as examples where teams need to understand how a model behaves across millions of devices.

The proposed solution uses secure aggregation, designed to reveal only anonymized aggregate insights about a population to Google. It also adds trusted execution environments, or TEEs, for attestation and transparency about which code processes the data.

Without measurement, local models are hard to improve

On-device AI moves data closer to the user, but it does not automatically solve product blindness. A team still needs to know whether a model is drifting, whether it fails in a specific region or whether users ignore a Smart Reply style feature because the suggestions are socially awkward.

For AI products, this is a governance problem. Without measurement, local models are hard to improve. With bad measurement, the privacy promise becomes a marketing label. Google is trying to build a route between those two bad options.

TEEs are not a perfect shield and adoption brings operational costs

TEEs are not a magic shield. Google itself notes that researchers regularly find side-channel vulnerabilities that can weaken their guarantees. That is why the combination of hardware isolation and cryptography matters, rather than blind faith in an enclave.

The second limit is adoption. Cryptographic protocols can bring operational cost, complexity and device availability requirements. A research-elegant system has to survive mobile reality: battery, network, latency and heterogeneous hardware.

Production deployments and independent audits will be decisive

Watch whether Google shows production deployments beyond selected internal examples and publishes concrete performance parameters. Independent audits of the protocol and threat model will also matter.

If a layer like this becomes standard, it will affect more than Google. Every on-device AI vendor will have to explain how it measures quality without turning the local model into quiet data collection.

Lilith's verdict

This is less flashy than a new model, but more important for deployment. Somewhere in a user's pocket an AI system is running, and Google wants to know what it does without looking over their shoulder.