It's TEE time for Brave's AI assistant Leo
(2025/11/22)
- Reference: 1763811906
- News link: https://www.theregister.co.uk/2025/11/22/brave_leo_trusted_execution_environment/
- Source link:
Brave Software has joined the rush to make using cloud-based AI services more private.
The browser maker has begun offering Trusted Execution Environments (TEEs) for the cloud-based AI models made available to Brave users. TEEs provide verifiable guarantees about the confidentiality and integrity of the data processed by a host.
Presently, AI TEEs are limited to users of [1]Brave Nightly , the browser's testing and development build, for DeepSeek V3.1, one of several models available for Leo, the company's browser-resident AI assistant.
[2]
"By integrating Trusted Execution Environments, Brave Leo moves towards offering unmatched verifiable privacy and transparency in AI assistants, in effect transitioning from the 'trust me bro' process to the privacy-by-design approach that Brave aspires to: 'trust but verify'," said Ali Shahin Shamsabadi, senior privacy researcher and Brendan Eich, founder and CEO, in a [3]blog post on Thursday.
[4]
[5]
Brave's [6]Leo supports both local and cloud-based AI models. The most capable AI models currently run in cloud environments, where high-performance GPUs can run inference workloads quickly and can respond fast enough to queries to satisfy impatient users.
The problem with this arrangement is that it's not particularly private. User requests and associated personal data must be unencrypted while being processed by the AI model. And when that information is visible, it invites abuse by first- and third-party vendors and by any intruders able to gain system access.
[7]
It's clear from the unwanted publication of [8]Bard (Gemini) and [9]ChatGPT chat sessions that the dialogue between people and their AI assistants may contain sensitive information. Businesses share that concern – they're not keen to expose their data to third-party cloud services running their AI models and often need to comply with regulations that require certain info to stay private.
[10]You are likely to be eaten by the MIT license: Microsoft frees Zork source
[11]Rhyme is the key to set AIs free when verse outsmarts security
[12]Boffins build 'AI Kill Switch' to thwart unwanted agents
[13]Scientific computing is about to get a massive injection of AI
Tech companies have started to respond to the demand. Apple last year [14]announced its Private Cloud Compute service, promising a way to shield users' requests and personal data that has to be unencrypted to be processed by machine learning models. And Google [15]recently followed suit with its own Private AI Compute.
Speaking at Usenix Security 2025, Shannon Egan, a researcher and founder-in-residence at science startup incubator Deep Science Ventures, [16]said , "Confidential computing is considered the most practical and scalable path to enhance security of entire AI workloads, and that's thanks again largely to existing CPU-based TEE technology, which is widely available in commodity hardware.
"On the other hand, important gaps remain with respect to bringing AI accelerators within the trust boundary, especially when more than one GPU is involved, which today is pretty much always the case."
Nvidia has been on the case since 2023, when it introduced [17]GPU Confidential Computing (GPU-CC) in its Hopper GPU architecture. But as Egan points out, boffins with IBM Research and Ohio State University argued in [18]a recent paper that Nvidia's lack of documentation and transparency about GPU-CC makes it difficult for security professionals to assess the technology's confidentiality commitments.
[19]
Brave has chosen to use [20]TEEs provided by Near AI , which rely on Intel TDX and Nvidia TEE technologies. The company argues that users of its AI service need to be able to verify the company's private claims and that Leo's responses are coming from the declared model.
"The absence of these user-first features in other competing chatbot providers introduces a risk of privacy-washing," say Shamsamadi and Eich, noting that researchers [21]support the deployment of TEEs to counter the possibility of model providers billing for expensive models while secretly serving cheaper models.
This Brave new world should expand to other AI models beyond DeepSeek V3.1 in time. ®
Get our [22]Tech Resources
[1] https://brave.com/download-nightly/
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/aiml&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aSHsJfXfVVPzBb30tLzXswAAAIY&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[3] https://brave.com/blog/browser-ai-tee/
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/aiml&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aSHsJfXfVVPzBb30tLzXswAAAIY&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/aiml&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aSHsJfXfVVPzBb30tLzXswAAAIY&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[6] https://brave.com/leo/
[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/aiml&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aSHsJfXfVVPzBb30tLzXswAAAIY&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[8] https://www.theregister.com/2023/09/28/google_bard_chat/
[9] https://www.theregister.com/2025/08/01/openai_removes_chatgpt_selfdoxing_option/
[10] https://www.theregister.com/2025/11/21/microsoft_zork_source/
[11] https://www.theregister.com/2025/11/21/poetry_llm_guardrails/
[12] https://www.theregister.com/2025/11/21/boffins_build_ai_kill_switch/
[13] https://www.theregister.com/2025/11/18/future_of_scientific_computing/
[14] https://www.theregister.com/2024/10/25/apple_private_cloud_compute/
[15] https://www.theregister.com/2025/11/12/google_touts_private_ai_compute/
[16] https://youtu.be/MLPrgiR5VQM?si=s_omA_hdWNL0l80T&t=239
[17] https://www.nvidia.com/en-us/data-center/solutions/confidential-computing/
[18] https://arxiv.org/abs/2507.02770
[19] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/aiml&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aSHsJfXfVVPzBb30tLzXswAAAIY&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[20] https://docs.near.ai/cloud/
[21] https://arxiv.org/abs/2504.04715v2
[22] https://whitepapers.theregister.com/
The browser maker has begun offering Trusted Execution Environments (TEEs) for the cloud-based AI models made available to Brave users. TEEs provide verifiable guarantees about the confidentiality and integrity of the data processed by a host.
Presently, AI TEEs are limited to users of [1]Brave Nightly , the browser's testing and development build, for DeepSeek V3.1, one of several models available for Leo, the company's browser-resident AI assistant.
[2]
"By integrating Trusted Execution Environments, Brave Leo moves towards offering unmatched verifiable privacy and transparency in AI assistants, in effect transitioning from the 'trust me bro' process to the privacy-by-design approach that Brave aspires to: 'trust but verify'," said Ali Shahin Shamsabadi, senior privacy researcher and Brendan Eich, founder and CEO, in a [3]blog post on Thursday.
[4]
[5]
Brave's [6]Leo supports both local and cloud-based AI models. The most capable AI models currently run in cloud environments, where high-performance GPUs can run inference workloads quickly and can respond fast enough to queries to satisfy impatient users.
The problem with this arrangement is that it's not particularly private. User requests and associated personal data must be unencrypted while being processed by the AI model. And when that information is visible, it invites abuse by first- and third-party vendors and by any intruders able to gain system access.
[7]
It's clear from the unwanted publication of [8]Bard (Gemini) and [9]ChatGPT chat sessions that the dialogue between people and their AI assistants may contain sensitive information. Businesses share that concern – they're not keen to expose their data to third-party cloud services running their AI models and often need to comply with regulations that require certain info to stay private.
[10]You are likely to be eaten by the MIT license: Microsoft frees Zork source
[11]Rhyme is the key to set AIs free when verse outsmarts security
[12]Boffins build 'AI Kill Switch' to thwart unwanted agents
[13]Scientific computing is about to get a massive injection of AI
Tech companies have started to respond to the demand. Apple last year [14]announced its Private Cloud Compute service, promising a way to shield users' requests and personal data that has to be unencrypted to be processed by machine learning models. And Google [15]recently followed suit with its own Private AI Compute.
Speaking at Usenix Security 2025, Shannon Egan, a researcher and founder-in-residence at science startup incubator Deep Science Ventures, [16]said , "Confidential computing is considered the most practical and scalable path to enhance security of entire AI workloads, and that's thanks again largely to existing CPU-based TEE technology, which is widely available in commodity hardware.
"On the other hand, important gaps remain with respect to bringing AI accelerators within the trust boundary, especially when more than one GPU is involved, which today is pretty much always the case."
Nvidia has been on the case since 2023, when it introduced [17]GPU Confidential Computing (GPU-CC) in its Hopper GPU architecture. But as Egan points out, boffins with IBM Research and Ohio State University argued in [18]a recent paper that Nvidia's lack of documentation and transparency about GPU-CC makes it difficult for security professionals to assess the technology's confidentiality commitments.
[19]
Brave has chosen to use [20]TEEs provided by Near AI , which rely on Intel TDX and Nvidia TEE technologies. The company argues that users of its AI service need to be able to verify the company's private claims and that Leo's responses are coming from the declared model.
"The absence of these user-first features in other competing chatbot providers introduces a risk of privacy-washing," say Shamsamadi and Eich, noting that researchers [21]support the deployment of TEEs to counter the possibility of model providers billing for expensive models while secretly serving cheaper models.
This Brave new world should expand to other AI models beyond DeepSeek V3.1 in time. ®
Get our [22]Tech Resources
[1] https://brave.com/download-nightly/
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/aiml&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aSHsJfXfVVPzBb30tLzXswAAAIY&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[3] https://brave.com/blog/browser-ai-tee/
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/aiml&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aSHsJfXfVVPzBb30tLzXswAAAIY&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/aiml&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aSHsJfXfVVPzBb30tLzXswAAAIY&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[6] https://brave.com/leo/
[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/aiml&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aSHsJfXfVVPzBb30tLzXswAAAIY&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[8] https://www.theregister.com/2023/09/28/google_bard_chat/
[9] https://www.theregister.com/2025/08/01/openai_removes_chatgpt_selfdoxing_option/
[10] https://www.theregister.com/2025/11/21/microsoft_zork_source/
[11] https://www.theregister.com/2025/11/21/poetry_llm_guardrails/
[12] https://www.theregister.com/2025/11/21/boffins_build_ai_kill_switch/
[13] https://www.theregister.com/2025/11/18/future_of_scientific_computing/
[14] https://www.theregister.com/2024/10/25/apple_private_cloud_compute/
[15] https://www.theregister.com/2025/11/12/google_touts_private_ai_compute/
[16] https://youtu.be/MLPrgiR5VQM?si=s_omA_hdWNL0l80T&t=239
[17] https://www.nvidia.com/en-us/data-center/solutions/confidential-computing/
[18] https://arxiv.org/abs/2507.02770
[19] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/aiml&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aSHsJfXfVVPzBb30tLzXswAAAIY&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[20] https://docs.near.ai/cloud/
[21] https://arxiv.org/abs/2504.04715v2
[22] https://whitepapers.theregister.com/
Re: They don't get it
Dan 55
Or just uninstall Brave. [1]Far too many dodgy things associated with it already .
[1] https://thelibre.news/no-really-dont-use-brave/
Oh, fuck.
JimmyPage
Can anyone recommend a browser without this shite ?
Anyone ?
Re: Oh, fuck.
steelpillow
I have been using Mojeek. Builds its own database, so not very comprehensive, but does offer images. Can't answer for the presence/lack of underhand shite-ology, would be good to hear from anybody who does know.
P.S. I was also using Brave until this thread made me check out its history a bit deeper.
The best use I have found for "AI" bots
Anonymous Coward
is to ask them how to disable other "AI" bots.
ChatGPT detests Gemini, and Copilot hasn't a decent word to say about Deepseek.
They don't get it
And certainly don't understand that we don't want it.
So let's have it offered as a user installable option.
Then we can safely ignore it.