The Google Pixel 6 and Pixel 6 Pro have a new Private Compute Core, and here’s what we know about it
Android 12 brought with it a ton of new features, and one of the most mysterious is the addition of the Private Compute Core. It’s essentially a place where sensitive data can be processed on-device, away from where everything else is happening. It powers Google Pixel 6 exclusive features such as Now Playing, Live Caption, and Smart Reply, but there’s not a whole lot of information about how it works. And Google hasn’t been too forthcoming with information either.
Google says it will open-source the code for Private Compute Services so that independent security researchers can audit it. However, there’s no timeline on when the code will be publicly released. Private Compute Services is said to provide a privacy-preserving bridge between the Private Compute Core and the cloud, making it possible to deliver new AI models and other updates to sandboxed machine learning features over a secure path. Google says communication between features and Private Compute Services happens over a set of purposeful open-source APIs, which removes identifying information from data and applies privacy technologies like Federated Learning, Federated Analytics, and Private information retrieval.
Nobody really knows what the Private Compute Core is
But what exactly is the Privacy Compute Core? Our best-educated guess is that it either makes use of or will make use of an Android VM dubbed “microdroid“. Microdroid is a stripped-down version of the generic Android system image (GSI). The GSI is already a barebones build of open-source Android, but microdroid seems to be even more trimmed down. The goal of this project may be to allow for running a minimal version of Android on top of a hypervisor in order to allow for virtualizing an individual Android app rather than providing a full secondary desktop environment.
In order to manage these virtual machines, Google has been adapting the Chrome OS VMM (crosvm), which is used to run Linux apps on Chrome OS, for Android. This is reliant on the Generic Kernel Image, which launched in Android 12. Android 12 has a “development preview” of it according to Mishaal Rahman, and Android 13 is planned to include the first protected kernel-based virtual machine (pKVM) hypervisor release. The pKVM is designed to enable data confidentiality in a virtual machine, even when the OS is compromised.
The above diagram comes from Google at I/O, and it seems that Android System Intelligence runs inside of the Android Private Compute Core, which in turn appears to be the virtual machine with reduced overheads. In essence, it’s a sandbox for features that might process sensitive information. Smart Reply obviously scans your messages, while Live Caption listens to whatever is being played. Now Playing also listens to audio around you.
For example, when typing in a conversation, Google explains that Gboard will ask Smart Reply to make suggestions based on the conversation on screen. Smart Reply then processes the conversation in the Private Compute Core, securely and confidentially. Sensitive data is not shared with the app, the keyboard, or Google, and all Gboard gets in response is a list of suggested replies.
Anything processed inside of the Compute Core can also only access the network through interacting with Private Compute Services. Private Compute Services strips out identifying information and uses privacy technologies including Federated Learning, Federated Analytics, and Private Information Retrieval. This abstracts the internet connection permission away from sensitive functions and will only work through “very narrow, purposeful APIs” to do things like “download models, use federated learning, and more.” Google has not released much more information about this and has not open-sourced anything relating to it yet.
But is the Private Compute Core active on Android smartphones in the way that Google has explained it will be? Nobody can really say. My gut feeling is that the “development preview” that exists is for very specific functionality that Google wanted to use it for and nothing more, as it’s advertised as being active even on the official Android 12 website. This would also make sense if it’s why it hasn’t been open-sourced yet, as it seems it may only work for a set of proprietary Google features. This is further supported by the fact that Now Playing can bypass the microphone indicator because it runs through the Compute Core. What we don’t really know is whether or not the Private Compute Core exists as a virtual machine in its current state.
Data stored and processed within this sandbox isn’t exposed to other apps unless intended by the user. For example, a Smart Reply suggestion will remain hidden from your keyboard and the app you’re typing into until you tap on it. Private Compute Services not only bridge the gap between the Private Compute Core and your smartphone but also keep those features updated with new AI-based models and changes.
Is the Private Compute Core a Pixel exclusive?
This is where things get really complicated.
The Private Compute Core has never been explicitly marketed as a Pixel exclusive feature. It’s on the official Android website, microdroid is a part of AOSP, and Google’s talks surrounding Android 12 have made reference to it in the context of Android 12 — not in the context of Pixels. So there’s a chance that Private Compute Core is an Android feature and not Pixel-exclusive — it just could be gated behind a timed exclusivity like how monet is.
Having said all of that, monet itself is technically a Pixel-exclusive in its current iteration, and the same can be said of that, too. The only difference is that Google said that monet would be pushed to AOSP in a future release of Android. Given that Google also likes to talk about the Private Compute Core in the context of Google-exclusive features like Now Playing and Live Caption, it’s entirely possible that this is something Google intends on keeping to itself.
From what I can tell, all of this seems to be in some kind of beta that Google is testing. It’s hard to tell if it’s actually active on a Pixel 6 device unless you really look for it, and even then, it’s hard to say for certain in what way it’s currently in use. After all, Google has said that it will open-source it, but it hasn’t yet. It’s always possible that OEMs will take inspiration and implement their own versions, particularly if they are also processing sensitive, private data on devices that then needs to be sent to the cloud.
The Private Compute Core has the potential to be great
To be honest, it’s hard to say how useful any of this will really be, but the potential sure is high. We would love for Google to make information more readily available in relation to the Private Compute Core and how it protects user privacy, as only that will truly help gauge how mature and useful the technology really is. The idea behind it is good and it can be a useful asset in protecting smartphone users, especially those who may use their devices for enterprise but are disturbed by more “invasive” features such as Now Playing and Smart Reply. We’ll be waiting to see the source code that Google releases in the future to learn more.