Your Phone Heard Everything

The Billion-Dollar Handshake

To understand the stakes of the Apple-Google deal, you first need to understand the architecture. When you ask the new Siri a complex question, your device determines whether it can handle the request locally. Simple tasks remain on the iPhone. But anything requiring deeper reasoning, summarisation, or multi-step planning gets routed to Apple's Private Cloud Compute infrastructure, where the Gemini model now sits at the core.

Apple's previous cloud-based models used 150 billion parameters. The jump to 1.2 trillion represents not just an increase in scale but a qualitative shift in what the system can do with your data.

Apple has built Private Cloud Compute around five core principles:

• Stateless computation - no data is stored after the task completes
• Enforceable guarantees - only designated code touches user data
• No privileged access - not even Apple employees can see requests
• Non-targetability - requests cannot be traced to individuals
• Verifiable transparency - security researchers can inspect the system

The servers run on Apple silicon, use the same Secure Enclave architecture found in iPhones, and process data ephemerally in memory only. Apple has opened its Private Cloud Compute software to external researchers and offered significant security bounty payouts for anyone who can demonstrate a privacy breach.

On paper, this is formidable. Apple has published a comprehensive security guide, released source code for key components, and created a Virtual Research Environment that allows anyone with a Mac to test the system. No other major technology company has offered anything comparable in terms of transparency around cloud AI processing. The system is, by any reasonable measure, the most sophisticated privacy architecture ever deployed for cloud AI at scale.

But paper guarantees and real-world guarantees are different things entirely.

The structural tension in the deal is inescapable. Google, whose core business depends on data collection and targeted advertising, is now providing the intelligence layer for the world's most privacy-focused consumer technology company. Apple insists that Siri interactions sent to Gemini are anonymised and that data is never stored or used to train Google's future models. Google has confirmed it will not receive Apple user data under the arrangement. Cook himself stated during the earnings call that Apple is "not changing our privacy rules."

Security experts remain sceptical. The concern, articulated by multiple researchers in the weeks following the announcement, centres on what has been called the "weakest link problem." Private Cloud Compute is only as private as its most vulnerable component. If Google retains any pathway to usage data, whether for model improvement, debugging, or quality assurance, the privacy guarantee fundamentally breaks down.

And crucially, Apple has declined to release the full details of its agreement with Google. Cook confirmed during the same earnings call that Apple would not be "releasing the details" of the deal to the public. For a company that has made transparency a cornerstone of its privacy messaging, the refusal to disclose the terms of its most significant AI partnership is a striking omission.

There is also a subtler concern about what researchers have termed "behavioural sovereignty." Once Siri's cognitive engine comes from Gemini, the question shifts from where data sits to who controls the behaviour of the model that hundreds of millions of people talk to every day. Apple does not control the biases embedded in Google's model architecture, the training data Google used, or the value judgements encoded in the model's responses. This creates what one analysis described as a potential for "problematic experiences that do not align with Apple's core values."

When the model that shapes how your phone responds to your most personal questions was built by a company whose business model depends on knowing everything about you, the architecture of privacy matters less than the architecture of incentives.

The irony is not lost on privacy advocates. Apple regularly runs advertising campaigns contrasting its approach to privacy with competitors who monetise user data. It has updated its App Store guidelines to require apps to disclose and obtain user permission before sharing personal data with third-party AI systems. Yet its most significant AI partnership is with the very company that epitomises the data-driven advertising model Apple claims to oppose.

Apple also already pays Google approximately 20 billion dollars per year to be the default search engine on iPhones. The Gemini deal deepens an entanglement that privacy advocates have long viewed with suspicion.

What Your Voice Actually Reveals

The privacy risks of AI assistants extend far beyond the question of whether your specific query reaches a particular server. The deeper issue is what AI systems can infer from the patterns of your behaviour, even when individual requests appear innocuous.

A landmark study published in 2025 by researchers at Northeastern University and the University of Southern California, titled "Echoes of Privacy: Uncovering the Profiling Practices of Voice Assistants," examined exactly this question. Led by Northeastern's Mon(IoT)r Research Group, the research team conducted 1,171 experiments involving nearly 25,000 voice queries over 20 months across Google Assistant, Amazon Alexa, and Apple's Siri. They created fresh user accounts, trained them with curated sets of voice queries designed to simulate various user personas, and then examined what profiling labels each platform assigned.

The lead authors, Tina Khezresmaeilzadeh and Elaine Zhu, along with their colleagues, published their findings in the Proceedings on Privacy Enhancing Technologies, Volume 2025, Issue 2.

The findings were striking in their divergence:

• Google Assistant exhibited the most aggressive profiling behaviour, compiling information on users based on their queries, including inferred gender, age range, relationship status, and income bracket. Profiling occurred even without direct user interactions, with arbitrary and sometimes inaccurate labels appearing at different times for identical queries.
• Amazon Alexa showed more moderate profiling, though the researchers found that Amazon provided no tools for users to selectively remove or correct mislabelled profiling data. When users opted out of profiling on Amazon's platform, it worked as expected and limited further label creation, but existing labels could not be rectified.
• Apple's Siri produced no profiling labels whatsoever, making it the least invasive platform in the study.

But even Apple's relatively clean record on profiling does not eliminate risk. Voice assistants continuously listen for their wake words. Despite assurances that devices only record after detecting the trigger phrase, instances of accidental activation have been well documented, resulting in the capture of private conversations that users never intended to share.

And the data that voice assistants do collect intentionally is remarkably revealing. Siri's "request history" includes transcripts, audio for users who have opted in to the Improve Siri programme, contact names, names of installed apps, device specifications, and approximate location. Each of these data points, individually unremarkable, creates a mosaic of personal information when aggregated over weeks and months.

The economic value of this data is immense and growing. Google's advertising revenue per user has increased by approximately 1,800 per cent since 2001, from $1.07 to $36.20 by 2019, and the figure has climbed further since. According to multiple surveys conducted in 2025, 92 per cent of internet users are tracked by Google's behavioural data collection systems. And as Consumer Reports noted in a 2025 analysis, Google's privacy controls affect data sharing between platforms, not collection itself. The settings restrict targeting precision, not profiling capability. Many data streams do not require "Web and App Activity" to be enabled; they form the baseline substrate on which Google's entire business model depends.

The shift to trillion-parameter models makes this dynamic significantly more concerning. Earlier AI assistants could handle only simple pattern matching and keyword routing. A model with 1.2 trillion parameters can draw inferences across vast contextual landscapes. It can connect a medical query from Tuesday morning with a pharmacy search that afternoon and a life insurance question the following week. It can identify emotional states from word choice and sentence structure. It can infer relationships, financial situations, and health conditions from the texture of ordinary conversation.

The International AI Safety Report, published in January 2025 by 96 experts led by Yoshua Bengio and commissioned by the 30 nations attending the 2023 Bletchley Park AI Safety Summit, explicitly identified these inference capabilities as a significant privacy risk, noting that "several harms from general-purpose AI are already well established, including privacy violations" and that "no combination of techniques can fully resolve them."

A Ledger of Broken Promises

The history of AI assistant privacy violations reveals a pattern that should give any user pause.

In July 2019, a whistleblower revealed that Apple employed third-party contractors to review Siri audio recordings as part of a quality evaluation process called the Voice Grading Programme. The contractors, the whistleblower told journalists, "regularly hear confidential medical information, drug deals, and recordings of couples having sex." The recordings were accompanied by user data showing location, contact details, and app data. Apple had not disclosed this practice in its consumer terms and conditions.

Apple suspended the programme, issued a formal apology, and laid off more than 300 contractors who had been working on Siri grading in Europe. The company implemented new policies requiring explicit user opt-in for audio review and restricted the work to Apple employees rather than third-party contractors.

But the damage was lasting. In January 2025, a federal judge approved a 95-million-dollar class action settlement in the case of Fumiko Lopez v. Apple. The plaintiffs alleged that Siri had been activated without the "Hey Siri" trigger, recording private conversations and sharing data with advertisers. Two plaintiffs reported receiving targeted advertisements for products they had only discussed verbally, including Air Jordan trainers and Olive Garden restaurants. A third said he received adverts for a surgical procedure he had discussed privately with his doctor.

Apple denied wrongdoing but agreed to permanently delete all individual Siri audio recordings collected before October 2019. The settlement covered approximately 138.5 million potentially eligible devices, though 97 per cent of eligible users never filed a claim.

A separate case under Illinois's Biometric Information Privacy Act, with a class of 2.6 to 3.9 million users, was certified in January 2026 and remains ongoing. That law provides statutory damages of 1,000 to 5,000 dollars per violation.

Amazon's track record is similarly troubled. In May 2023, the Federal Trade Commission and the US Department of Justice charged Amazon with violating children's privacy laws by retaining Alexa voice recordings indefinitely and using them to improve its algorithms, even after parents explicitly requested deletion. The FTC found that when parents requested data deletion, Amazon deleted files in some databases while maintaining them in others, keeping the information available for the company's own purposes. Amazon paid a 25-million-dollar civil penalty. In a separate case, Amazon paid an additional 5.8 million dollars over