Conversing with an AI assistant is no longer just a productivity tool. For millions of users, it has become a space for reflection, confession, and even therapy. We write in these chats as if talking to a friend: sharing fears, planning important decisions, revealing health or personal relationship details. And as this interaction becomes more natural, the question grows more intense: who’s listening?
This is where Confer comes in, the new project by Moxie Marlinspike, the cryptographer and digital activist best known for co-creating Signal, the gold standard in encrypted messaging. With Confer, Marlinspike isn’t just launching another chatbot. He’s proposing a new paradigm: an AI that cannot spy, cannot remember, and by design, cannot betray.
What is Confer and why now
Confer presents itself as a conversational assistant with the same fluidity as ChatGPT or Claude, but with a radical difference: not even the Confer team can read your messages. Not due to policy, not promises, but architecture. It’s the first AI assistant to implement end-to-end encryption (E2EE) at the chat and inference level—a leap that could redefine what “privacy” means in the AI world.
This launch is no coincidence. In 2026, while companies like OpenAI and Google explore business models based on advertising and hyper-segmented personalization, the tension between utility and privacy has reached a critical point. Marlinspike summarizes this in a blog post for the project: “We are confessing to data lakes.” And if those lakes are managed by companies dependent on attention and data, the risk of abuse is inherent.
Confer emerges as a technical response to that paradox: how to have a useful assistant without turning privacy into a product?
How it works: encryption, enclaves, and cryptographic verification
Confer does not rely solely on good intentions. Its architecture combines three technological pillars to guarantee real privacy:
1. Passkeys as master keys
When registering with Confer, you use a passkey (like Face ID, Touch ID, or a security key). This not only authenticates you: Confer uses the WebAuthn PRF extension to derive encryption keys directly from your passkey. These keys never leave your devices, and everything your chat history is encrypted with is secured by them. Not even Confer can access it.
2. Private inference in secure environments
When you send a message, it is encrypted directly to a Trusted Execution Environment (TEE)—a hardware-protected enclave—using the Noise protocol. Inside this environment, the model inference takes place. The server hosting the TEE cannot see the plaintext content, nor store or reuse it. It’s like speaking in an acoustically isolated room: the computer listens and responds but doesn’t record.
3. Cryptographic verification: “trust but verify”
Perhaps the most innovative aspect is the remote attestation with verifiable transparency. Before sending any data, your device cryptographically verifies what software is running inside the TEE. This verification is compared with a public transparency log (based on Sigstore), where the server’s code is reproducible and audited. If someone tries to tamper with the system, the fingerprint changes and you know. It’s not trust: it’s math.
The model, pricing, and access
Confer does not rely on a single closed model. Instead, it uses various open-source models depending on the task, allowing it to adapt without compromising privacy. It offers a context window of 250,000 tokens and its knowledge is current up to July 2025.
The service has two plans:
- Free (Guest): 20 messages daily, up to 5 saved chats.
- Premium: $34.99 per month, with unlimited messages, unlimited chats, and customization features. Includes a 2-day free trial.
This premium price is deliberate: privacy has a real computational cost. The use of TEEs, end-to-end encryption, and remote verification requires expensive infrastructure. Instead of monetizing data, Confer monetizes computing power. The user pays for the service, not with their privacy.
Platforms and limitations
Currently, Confer functions as a web application at confer.to. The full encryption experience is available on:
- macOS 15+ with Safari 18+ or Chrome
- iOS/iPadOS 18+ with Safari 18+
- Android with Chrome
- Windows/Linux: requires a password manager supporting the passkey PRF extension
The iOS version is in development, indicating that mobile integration will be a key focus moving forward.
Implications for the future of AI
Beyond being a product, Confer is a proof of concept: it demonstrates that AI assistants can be built without turning conversations into commercial assets. For sectors like health, law, or finance, where confidentiality is mandatory, this architecture could be a game-changer.
And while Confer doesn’t aim to compete at the scale of giants like OpenAI, its impact could be indirect: pushing the industry to adopt higher standards. Like Signal normalized encryption in messaging, Confer could become the catalyst that prompts others to follow: “If they can do it, why can’t we?”
FAQs (based on official data)
Can Confer use my conversations to train models?
No. Your chats are never used for training. They are not even available in plaintext.
What does “verifiable” mean in practice?
Your device automatically verifies that the server is running the correct software, published in a public registry. If tampering occurs, the connection is rejected.
Why is the price so high?
Because the business model is based on infrastructure, not data. Encryption, TEEs, and remote attestation are costly but essential for privacy.
Can I use Confer in my company?
While there’s no dedicated enterprise plan yet, the verification architecture and no-data retention approach make it ideal for regulated environments. Companies could audit the system without relying solely on privacy promises.
Conclusion: a stand for digital dignity
Confer is more than just a chatbot. It’s a statement: privacy shouldn’t be a luxury, but if not built-in by design, it becomes a privilege. Moxie Marlinspike, once again, isn’t trying to win a commercial race. He’s setting an ethical and technical benchmark others will have to cross.
In a world where every word can be tracked, analyzed, and sold, Confer reminds us that there’s another way: an AI that listens but doesn’t judge, store, or exploit. And perhaps, that’s exactly what we needed to speak honestly again.
Want to try it? Visit confer.to. And if you do, remember: this time, no one is taking notes.