Apple's new Siri can run your digital life. You'll have to take its privacy on faith.To run errands across apps, Apple’s upgraded assistant needs deep access to personal data the company has walled off for yearsBy Eric Sullivan edited by Claire CameronAt its developer conference, Apple debuted an upgraded Siri that can act across apps, though the new assistant is not expected to become available until the fall. David Paul Morris/Bloomberg via Getty ImagesDuring Monday’s keynote at Apple’s Worldwide Developers Conference (WWDC), a presenter asked Siri to plan a watch party for a World Cup match. The virtual assistant pulled the tournament schedule from the Internet, dug through the user’s Messages history to find a mention of coconut cookies, drafted an invitation featuring the recipe, and prepared to send it to a group chat. Siri carried out this choreography without the user ever touching an app.The proactive assistant Apple has promised—and repeatedly delayed—for two years has, it seems, finally arrived. But to pull off this kind of digital errand-running, Siri needs deep access to personal data Apple has spent years walling off: your mail, photos, messages and calendar. Each new capability expands the territory the company’s privacy architecture must cover. At WWDC, Apple’s keynote speakers kept returning to the same privacy claims: user requests to Siri stay private, data is not retained after processing, and outside researchers can inspect the system.Florian Schaub, who studies usable privacy at the University of Michigan, says Apple’s openness to outside scrutiny is welcome—but limited. “Consumers often lack the expertise to inspect code,” he says, but by publishing specifications and letting researchers and regulators examine its systems, Apple “at least facilitates external validation of their claims.”On supporting science journalismIf you're enjoying this article, consider supporting our award-winning journalism by subscribing. By purchasing a subscription you are helping to ensure the future of impactful stories about the discoveries and ideas shaping our world today.The new Siri relies on an architecture Apple calls the System Orchestrator, a layer that coordinates data flowing among Spotlight’s Semantic Index, onscreen information and an App Toolbox that carries out actions inside apps. Siri’s underlying reasoning rests on a new generation of Apple Foundation Models, including a top-tier cloud model the company calls AFM Cloud Pro, which is custom-built for Apple hardware and refined from Google’s Gemini frontier AI models. When a request is too complex for a phone, Apple says Private Cloud Compute handles it on servers that do not retain user data and can be inspected by outside researchers. The largest of these models was reportedly derived from a specialized version of Gemini with about 1.2 trillion parameters, according to Bloomberg, which Google has licensed to Apple for about $1 billion a year. Ahead of Monday’s keynote, The Information reported that some of that cloud processing might run on Nvidia chips inside Google’s data centers.Apple executives have distinguished the deployment from Google’s consumer AI stack and model-serving infrastructure. Yet until Apple opens this hybrid cloud arrangement to the outside inspection it invites for Private Cloud Compute, the data-routing security of these models rests largely on the company’s word.Encryption protects data in storage and in transit, but it cannot stop an assistant like Siri from misusing the access it has been given. Text from an e-mail, webpage or shared document can reach the model in the same stream as the user’s instructions. To the software, that outside text may function as a command, even if the user never meant it that way. Researchers call this indirect prompt injection. Programmer Simon Willison describes the risk as the “lethal trifecta”: any assistant that can read private data, ingest untrusted content and transmit information can be tricked into handing that private data to a stranger. A phone assistant with Siri’s new abilities brings all those elements together.“Autonomous agents significantly expand the attack surface for prompt injection,” says Natalie Shapira, a security researcher at Northeastern University who studies AI agents. “The challenge is the chain of permissions and actions that connects the model to multiple applications and services.”Last year, researchers at Aim Security found exactly this opening in Microsoft 365 Copilot. They named it EchoLeak, a zero-click attack on a production AI assistant. A single e-mail planted instructions that the software carried out later, when the recipient asked it something unrelated. The stolen data slipped out through an image the software loaded on its own, with no link to click and nothing on screen. Microsoft patched the vulnerability before anyone was known to have used it. Apple’s Safari demo at WWDC showed how this same structural risk reaches beyond Siri: the browser will be able to generate custom extensions via vibe coding.Apple says Siri AI will not reach iPhones or iPads in the European Union at launch (though it will run on Macs and other devices there), blaming the continent’s Digital Markets Act, the bloc’s competition law for large digital platforms. (In China, the new features await regulatory approval.) Citing security researchers, Apple argued the EU law would force it to give rival AI assistants the same deep access to user data. The company insists its architecture contains risks that a competitor’s might not—but no independent researchers have tested the new Siri in the wild. Apple did not immediately respond to a request for comment.The public release is planned for this fall. Once it arrives, security researchers and ordinary users alike will experience Siri’s reach beyond Apple’s carefully staged demos.It’s Time to Stand Up for ScienceIf you enjoyed this article, I’d like to ask for your support. Scientific American has served as an advocate for science and industry for 180 years, and right now may be the most critical moment in that two-century history.I’ve been a Scientific American subscriber since I was 12 years old, and it helped shape the way I look at the world. SciAm always educates and delights me, and inspires a sense of awe for our vast, beautiful universe. I hope it does that for you, too.If you subscribe to Scientific American, you help ensure that our coverage is centered on meaningful research and discovery; that we have the resources to report on the decisions that threaten labs across the U.S.; and that we support both budding and working scientists at a time when the value of science itself too often goes unrecognized.In return, you get essential news, captivating podcasts, brilliant infographics, can't-miss newsletters, must-watch videos, challenging games, and the science world's best writing and reporting. You can even gift someone a subscription.There has never been a more important time for us to stand up and show why science matters. I hope you’ll support us in that mission.