In late January 2025, Meta Platforms engaged several of NCC Group’s specialty practices to conduct a security and privacy assessment of the WhatsApp Message Summarization Service, which is part of a broader Private Processing system. This service allows WhatsApp users to send a batch of messages to a Meta-operated Large Language Model (LLM), which returns a summarization of the message contents. Several third parties play key roles in the service: Cloudflare maintains transparency logs of signed artifacts, such as Trusted Execution Environment (TEE) images and hashes of LLM prompts, and fastly acts as an Oblivious Relay between WhatsApp users and Meta. The overall system is intended to ensure user data remains private, inaccessible to Meta, not persisted, and not used for any other purposes.
The review was performed remotely as a 115 person-day effort during the first half of 2025 by NCC Group’s Cryptography Services team, Hardware and Embedded Security team, and AI/ML Security team.