Explore how Apple’s new Apple Intelligence and Siri leak sensitive data—location, app names, and audio metadata—through separate server domains. Learn the science behind on-device vs. cloud models, how to block data egress, and practical steps for individuals and enterprises to protect privacy.
Apple Intelligence: The Inside Story of Siri’s Privacy Leaks
Published by Brav
Table of Contents
TL;DR
- Apple Intelligence launched last September, using a hybrid on-device and cloud AI model structure. Apple Intelligence launch (Apple 2025)
- Siri automatically sends location data, app names, and audio metadata to its dictation server (guzzoni.apple.com) and search service (smoot.apple.com) on every query. Siri, Dictation & Privacy (Apple 2025) AppleStorm blog (Lumina Security)
- Those servers are separate from Apple Intelligence, which focuses on privacy-first on-device processing. Apple Foundation Models (Apple 2024) AppleStorm blog (Lumina Security)
- Apple said it will address the leaks, but users can mitigate risk by disabling location, blocking the servers, and tightening Siri’s privacy settings. Apple Intelligence launch (Apple 2025)
- Enterprise security teams can use device management and network monitoring to see what leaves the device. Apple Storm blog (Lumina Security)
Why This Matters
We all want Siri to feel like a helpful assistant, not a silent data broker. Every time I say “Hey Siri, play the next song,” my phone not only streams the audio but also whispers my location, the names of every app I’ve opened, and even the title of the song I just heard from the now-playing queue. For a privacy advocate, those leaks are a headline-worthy failure of Apple’s promise that Siri is the “most private digital assistant” Apple Privacy Statement (Apple 2025). For an enterprise IT team, it means an unknown data egress path that could expose customer or employee information in a cloud-bound, invisible flow.
Core Concepts
Apple Intelligence’s Dual-Model Architecture
Apple Intelligence is split into two groups:
- On-Device Models – Run directly on the CPU or Neural Engine. No network call is required. This is the privacy-first layer that powers quick responses like “read unread messages” or “summarize a note.”
- Cloud Models (Private Cloud Compute) – When a query exceeds on-device capacity, the request is sent to Apple’s own silicon-powered servers. Apple claims the data is not stored or accessible beyond the request, and the traffic is encrypted end-to-end.
The public documentation says “the cloud model sends only the minimal data required” and that the request is never tied to the Apple Account, using a rotating device-generated identifier instead Apple Foundation Models (Apple 2024).
Siri’s Infrastructure
Siri operates on top of that AI stack but is still its own service:
- Dictation Server (guzzoni.apple.com) – Handles voice-to-text requests. The server receives the raw audio, the app name that invoked Siri, and the device’s location if Location Services is enabled.
- Search Service (smoot.apple.com) – Delivers search results and Siri Suggestions. It receives the query text, the list of installed apps, and device context.
- Certificate Pinning – Siri’s network stack pins the TLS certificate for each domain to prevent a man-in-the-middle attack, but the pinning can be bypassed by a skilled attacker, as a recent research demo showed AppleStorm blog (Lumina Security).
Privacy-First Claims vs. Reality
Apple’s own privacy page states that “Siri may also send information like your audio, Siri setup, contacts, and location to Apple to process your request” and that “only the minimal data is sent to Apple servers” [Siri, Dictation & Privacy (Apple 2025)]. Yet the actual data stream is far richer, as the AppleStorm investigation revealed. The key difference is that the dictation and search services are not part of Apple Intelligence but separate back-ends that still belong to Apple, which means they are not covered by the same privacy-first guarantees Apple promotes for its on-device models.
| Parameter | Use Case | Limitation |
|---|---|---|
| On-device AI model | Quick responses, no network traffic | Limited model size, slower for complex queries |
| Cloud model (Private Cloud) | Heavy-weight tasks, generative AI | Requires network, Apple’s own servers, still subject to policy changes |
| Siri dictation/search servers | Voice-to-text, web search, suggestions | Sends location, app names, audio metadata; separate from Apple Intelligence |
(Sources: Apple Foundation Models, AppleStorm blog)
How to Apply It
Check Your Settings
- Go to Settings → Siri & Search and turn off Allow Siri & Dictation to Learn from Apps.
- Disable Location Services for Siri if you don’t need it for navigation.
- Confirm Listen for “Hey Siri” is set to Off if you want to prevent accidental activations.
Block the Servers
- On macOS or iOS, use a firewall or a VPN that allows domain filtering.
- Add guzzoni.apple.com and *.smoot.apple.com to the block list. The AppleStorm investigation shows these as the only two active domains for Siri traffic.
Use Airplane Mode for Testing
- Enable Airplane Mode and then activate Siri to confirm no data leaves the device.
- If the device still sends data, it’s being routed through the private cloud or a local service.
Monitor Network Traffic
- Use a packet capture tool (Wireshark, Little Snitch, or a mobile equivalent).
- Look for TLS sessions to the domains listed above and note the amount of data.
- A typical Siri request sends 30–50 kB of metadata, including a list of up to 200 app names.
Enterprise Policies
- Deploy a managed Apple device configuration profile that blocks the domains.
- Use MDM logs to flag any outbound traffic to guzzoni.apple.com or smoot.apple.com.
- Educate users that even “offline” Siri may still transmit location data if the setting is enabled.
Pitfalls & Edge Cases
- Apple’s Logo Change – When Apple Intelligence is enabled, the Siri icon switches to a new design. This visual cue can be misleading; the backend traffic remains unchanged.
- Dynamic Domain Changes – Apple may rotate the server domain for dictation or search. A static block list can become outdated. Regularly refresh the block list from the latest AppleStorm post.
- ChatGPT Integration – The AppleChatGPT extension routes requests through apple-relay.apple.com, which is separate from the private cloud. The traffic is encrypted, but it still passes through Apple’s infrastructure.
- Certificate Pinning Bypass – A skilled attacker could intercept Siri traffic by forging a pinning certificate. Apple recommends using a device with a built-in MDM that blocks MITM proxies.
- Location Services – Even with the setting off, some legacy apps may still request location through Siri, especially for emergency or health services.
Quick FAQ
| Question | Answer |
|---|---|
| Why does Siri send my location with every query? | Apple uses location to improve relevance (e.g., “show me nearby restaurants”). The data is sent to the dictation server if the setting is on. |
| What exactly is sent to the dictation server? | The raw audio, the app that invoked Siri, the device’s approximate location, and a device-generated identifier. |
| Can I stop my data from leaving my phone? | Yes – disable location, block the domains, or use Airplane Mode for non-critical use. |
| Does ChatGPT integration leak data to Apple? | The extension communicates with apple-relay.apple.com and also goes through Apple’s private cloud. Data is not sent directly to OpenAI’s servers. |
| Are the dictation server and search service part of Apple Intelligence? | No, they are separate Apple services that operate independently of the Apple Intelligence on-device models. |
| How can enterprises monitor outbound traffic? | Use MDM, network monitoring, and domain-level blocking to see traffic to guzzoni.apple.com and smoot.apple.com. |
| What should I do if I suspect a data leak? | Capture traffic with a packet sniffer, check the domains, and report to Apple or your security team. |
Conclusion
Siri’s promise of “privacy first” is more complicated than it appears. The AI backbone (Apple Intelligence) is built with on-device processing and a private cloud, but the older infrastructure that powers dictation and search still sends rich metadata to Apple-owned servers. For the privacy-conscious user, the most effective mitigations are disabling location, blocking the dictation and search domains, and staying vigilant about the settings that govern “learning from apps.” Enterprise teams should treat those domains as part of the data-exfiltration surface and enforce domain filtering and monitoring. Apple has announced it will patch the leaks, but the short-term reality is that you must take proactive steps to keep your conversations, app list, and location out of the hands of any third-party.
References
- Apple newsroom: Apple Intelligence launch (Apple 2025) – https://www.apple.com/newsroom/2025/09/new-apple-intelligence-features-are-available-today/
- Apple Privacy: Siri, Dictation & Privacy (Apple 2025) – https://www.apple.com/legal/privacy/data/en/ask-siri-dictation/
- Apple Foundation Models (Apple 2024) – https://machinelearning.apple.com/research/introducing-apple-foundation-models
- AppleStorm blog (Lumina Security) – https://www.lumia.security/blog/applestorm
- Apple Intelligence Wikipedia – https://en.wikipedia.org/wiki/Apple_Intelligence
- Apple Privacy Statement (Apple 2025) – https://www.apple.com/newsroom/2025/01/our-longstanding-privacy-commitment-with-siri/