WhatsApp today launched Incognito Chat with Meta AI, a mode where conversations are processed in a secure environment that even Meta cannot access, with messages disappearing by default once you close the session.
It's a genuinely bold privacy claim from a company not historically associated with restraint when it comes to user data — and the technical architecture behind it is more sophisticated than the marketing suggests.
This isn't just a "delete after read" gimmick. Private Processing, the underlying system, is built on Trusted Execution Environments (TEEs) — hardware-isolated enclaves where even the server operator cannot inspect what's being computed. Concretely, Meta is running AMD EPYC processors with SEV-SNP (Secure Encrypted Virtualisation-Secure Nested Paging), which encrypts virtual machine memory so that even the hypervisor — the software layer that normally has god-mode access to VMs — is locked out.
Your request travels from your phone through a third-party Oblivious HTTP relay (currently Fastly), which strips your IP address before it ever reaches Meta's infrastructure. An Anonymous Credentials Service authenticates you as a legitimate WhatsApp user without revealing you identity. The result: Meta's own load balancers route your request without knowing it's yours.
Before your device sends a single byte of conversation data, it cryptographically verifies that the server it's talking to is actually running the attested code — a process logged to a third-party transparency log operated by Cloudflare. If the code has been tampered with, your phone refuses to connect.
How Private Processing Works — White Paper
 |
| How Private Processing works |
Here's where it gets interesting — and where most coverage stops short. Meta's own technical white paper acknowledges two meaningful gaps.[PDF]
First, when AI inference requires multiple GPUs (which large language models routinely do), the NVLink interconnect between those GPUs is not encrypted on NVIDIA's Hopper platform. Meta acknowledges this is a potential interception avenue, mitigated mainly by NVLink's high bandwidth, making real-time sniffing difficult with currently available hardware. That's not a theoretical fix — it's a practical one.
Second, web search. When Meta AI needs real-time information, the search query leaves the TEE entirely and is sent to Meta infrastructure, which forwards it to external search providers. Queries are capped at 100 characters and limited to 5 per prompt, and Meta says searches are unlinked from user identity — but that still means data is leaving the privacy bubble. Users can disable web search, but it's on by default.
Prof. Alan Woodward, a cybersecurity expert at Surrey University, raised a concern that the disappearing, unretrievable nature of these chats creates an accountability vacuum — if an AI's response leads to harm, there's no chat history to investigate.
WhatsApp head Will Cathcart acknowledged that the feature is initially text-only and that Meta AI's safety filters will refuse harmful requests more aggressively in this mode than in standard chats. Yahoo!
Cathcart said the mode "will steer the user towards helpful information if it can and then refuse and eventually even just stop interacting with the user completely" for harmful queries — but the inability to audit that process after the fact is a real trade-off users should understand before assuming total safety. ABC News
What's Coming Next
Meta is also building Side Chat with Meta AI, which will let users privately ask Meta AI about an ongoing WhatsApp conversation — summarising threads or answering context-aware questions — without disrupting the main chat. That feature is arriving later this year and is also protected by Private Processing. Engadget
The rollout of Incognito Chat is gradual across WhatsApp and the Meta AI app over the coming months. For users who routinely ask AI about health symptoms, financial decisions, or personal situations, the hardware-level privacy guarantee is meaningful — just not unconditional.