{"id":293302,"date":"2026-01-20T03:38:11","date_gmt":"2026-01-20T03:38:11","guid":{"rendered":"https:\/\/www.europesays.com\/ie\/293302\/"},"modified":"2026-01-20T03:38:11","modified_gmt":"2026-01-20T03:38:11","slug":"confer-keeps-coded-data-secret-with-user-key","status":"publish","type":"post","link":"https:\/\/www.europesays.com\/ie\/293302\/","title":{"rendered":"Confer Keeps Coded Data Secret With User Key"},"content":{"rendered":"<p><img decoding=\"async\" class=\" top-image\" src=\"https:\/\/www.europesays.com\/ie\/wp-content\/uploads\/2026\/01\/1768880291_727_0x0.jpg\" alt=\"Security concept\" data-height=\"2077\" data-width=\"2770\" fetchpriority=\"high\" style=\"position:absolute;top:0\"\/><\/p>\n<p>getty<\/p>\n<p>How do you know your personal data is private online?<\/p>\n<p>Most tech-savvy people, encountering this question, would probably just scoff and tell you that you don\u2019t have a reasonable expectation of privacy. 
Absent some kind of special walled garden, your data is largely out there to be pilfered, pondered, scrutinized, and fed to AI engines for training.<\/p>\n<p>Enter Moxie Marlinspike, one of the most colorfully named voices in tech today and someone I had never heard of until I was told that this person\u2019s key management system promises the ultimate cryptographic protection for personal data that\u2019s used in AI schemas.<\/p>\n<p>Turns out Marlinspike was also the brain behind the Signal app that supports secure and private messaging.<\/p>\n<p>Now, this illustrious engineer has made something called Confer that is supposed to help users to navigate chats securely, without exposing their information to governments, scammers, service providers, or, well, anybody.<\/p>\n<p>How it Works<\/p>\n<p>In a way, the engineering behind Confer is profoundly simple: the private key is kept with the user, so after the data is encrypted at the point of departure, it can\u2019t be viewed by any other party.<\/p>\n<p>Like the<a href=\"https:\/\/www.wolframscience.com\/nks\/notes-10-10--history-of-cryptography\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" data-ga-track=\"ExternalLink:https:\/\/www.wolframscience.com\/nks\/notes-10-10--history-of-cryptography\/\" aria-label=\"old book-and-number schemes\"> old book-and-number schemes<\/a> of the ancient analog days, it\u2019s foolproof \u2013 to an extent.<\/p>\n<p>\u201cUser data will never be accessed by the chatbot and stored on their servers to be used for AI training of the models,\u201d crows Isaiah Richard at Tech Times. \u201cThis also means that users will not be part of tracking, especially as ads are now coming to AI platforms. 
Confer encrypts messages via the WebAuthn passkey system and then employs the Trust Execution Environment (TEE) for the inference processing on its servers.\u201d<\/p>\n<p>I like this term, Trust Execution Environment (TEE), even though it sort of reeks of techspeak.<\/p>\n<p>Experts describe the TEE as a kind of \u201cpanic room\u201d for data, where even if the larger environment is breached, the TEE can provide sanctuary.<\/p>\n<p>And again, it\u2019s the key use strategy that provides this safety.<\/p>\n<p>As a sidebar, here\u2019s what GPT considers the \u201cthree essential principles of key management:\u201d<\/p>\n<ul>\n<li><strong>Generate keys securely<\/strong> (strong randomness, approved algorithms, right key sizes).<\/li>\n<li><strong>Protect keys at rest and in use<\/strong> (HSM\/TEE where possible, encryption, least privilege, separation of duties).<\/li>\n<li><strong>Manage the full lifecycle<\/strong> (distribution, rotation, backup\/escrow if needed, revocation, and secure destruction + audit logs).<\/li>\n<\/ul>\n<p>In a world where privacy is hard to come by, Confer changes the game. Here\u2019s how Marlinspike characterizes the difference in an<a href=\"https:\/\/arstechnica.com\/tech-policy\/2026\/01\/judge-orders-annas-archive-to-delete-scraped-data-no-one-thinks-it-will-comply\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" data-ga-track=\"ExternalLink:https:\/\/arstechnica.com\/tech-policy\/2026\/01\/judge-orders-annas-archive-to-delete-scraped-data-no-one-thinks-it-will-comply\/\" aria-label=\"article at Ars Tecnica by Dan Goodin\"> article at Ars Technica by Dan Goodin<\/a>:<\/p>\n<p>\u201cThe character of the interaction is fundamentally different because it\u2019s a private interaction,\u201d Marlinspike said. 
\u201cIt\u2019s been really interesting and encouraging and amazing to hear stories from people who have used Confer and had life-changing conversations, in part because they haven\u2019t felt free to include information in those conversations with sources like ChatGPT or they had insights using data that they weren\u2019t really free to share with ChatGPT before but can using an environment like Confer.\u201d<\/p>\n<p>The Power of Remote Attestation<\/p>\n<p>The software also solves another set of potential problems by doing something like a hash check on systems before sending secrets through the platform.<\/p>\n<p>My original question, and an important one, was this: if big providers, government, or whoever, are faced with the daunting prospect of monitoring communications over Confer, and they\u2019re really hellbent on getting this stuff, couldn\u2019t they just install keyloggers and image captures on the user\u2019s device, and get the same data at the point of origin?<\/p>\n<p>That leads us to something called \u2018remote attestation\u2019 that\u2019s also a part of the Confer build.<\/p>\n<p>\u201cOn Confer, remote attestation allows anyone to reproduce the bit-by-bit outputs that confirm that the publicly available proxy and image software\u2014and only that software\u2014is running on the server,\u201d Goodin reports in the<a href=\"https:\/\/arstechnica.com\/tech-policy\/2026\/01\/judge-orders-annas-archive-to-delete-scraped-data-no-one-thinks-it-will-comply\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" data-ga-track=\"ExternalLink:https:\/\/arstechnica.com\/tech-policy\/2026\/01\/judge-orders-annas-archive-to-delete-scraped-data-no-one-thinks-it-will-comply\/\" aria-label=\"above Jan. 13 piece\"> above Jan. 13 piece<\/a>. \u201cTo further verify Confer is running as promised, each release is digitally signed and published in a transparency log. Native support for Confer is available in the most recent versions of macOS, iOS, and Android. 
On Windows, users must install a third-party authenticator.\u201d<\/p>\n<p>Okay, so the remote attestation may solve that issue, by doing a preliminary check. If you\u2019re confused as to how this works, here\u2019s a simplified example that I got from GPT, verbatim here:<\/p>\n<p>\u201cA bank ships an app meant to run inside a TEE: \u2018PaySafe v1.2.\u2019 When it starts, the TEE produces an attestation that includes a measurement (think: a cryptographic \u2018fingerprint\u2019) of the exact app code + key settings. \u2018Genuine\u2019 means: the attestation is signed by the real hardware\/firmware keys, so the bank knows it\u2019s an actual TEE on a real device (not a fake program pretending). \u2018Unmodified\u2019 means: the fingerprint matches the bank\u2019s known-good fingerprint for PaySafe v1.2.<\/p>\n<p>How could a system be \u201cmodified\u201d?<\/p>\n<p>\u201cAn attacker patches the code to skip PIN checks or send keys out. They swap in a \u2018look-alike\u2019 build (same name\/UI) with an extra backdoor function. They change key configuration (e.g., allow debug mode, or weaken security flags) so secrets are easier to extract. If any of that happens, the measurement changes, and the bank refuses to send secrets (like signing keys or account tokens).\u201d<\/p>\n<p>So I guess the key strategy, plus the remote attestation, does give pretty good protection from prying eyes.<\/p>\n<p>Library Wars<\/p>\n<p>As a little addendum here, I was also reading about some of the kerfuffle between various archives and \u201cshadow libraries\u201d operating on the web: in particular, the fight between WorldCat and something called \u201cAnna\u2019s Archive,\u201d where the latter is accused of \u201cscraping\u201d the former\u2019s data. 
You can read about it<a href=\"https:\/\/arstechnica.com\/tech-policy\/2026\/01\/judge-orders-annas-archive-to-delete-scraped-data-no-one-thinks-it-will-comply\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" data-ga-track=\"ExternalLink:https:\/\/arstechnica.com\/tech-policy\/2026\/01\/judge-orders-annas-archive-to-delete-scraped-data-no-one-thinks-it-will-comply\/\" aria-label=\"here\"> here<\/a>, but it exemplifies the kinds of struggles that emerge when IP or anything else is not secured and protected from unauthorized use.<\/p>\n","protected":false},"excerpt":{"rendered":"file_thumbview_approve.php?size=1&amp;id=20042572 getty How do you know your personal data is private online? Most tech-savvy people, encountering this question,&hellip;\n","protected":false},"author":2,"featured_media":293303,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[74],"tags":[34480,18,35669,19,17,824,82],"class_list":{"0":"post-293302","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-technology","8":"tag-consumer-tech","9":"tag-eire","10":"tag-enterprise-tech","11":"tag-ie","12":"tag-ireland","13":"tag-privacy","14":"tag-technology"},"share_on_mastodon":{"url":"https:\/\/pubeurope.com\/@ie\/115925346717705521","error":""},"_links":{"self":[{"href":"https:\/\/www.europesays.com\/ie\/wp-json\/wp\/v2\/posts\/293302","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.europesays.com\/ie\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.europesays.com\/ie\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/ie\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/ie\/wp-json\/wp\/v2\/comments?post=293302"}],"version-history":[{"count":0,"href":"https:\/\/www.europesays.com\/ie\/wp-json\/wp\/v2\/posts\/293302\/revisions"}],"wp:fe
aturedmedia":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/ie\/wp-json\/wp\/v2\/media\/293303"}],"wp:attachment":[{"href":"https:\/\/www.europesays.com\/ie\/wp-json\/wp\/v2\/media?parent=293302"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.europesays.com\/ie\/wp-json\/wp\/v2\/categories?post=293302"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.europesays.com\/ie\/wp-json\/wp\/v2\/tags?post=293302"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}