Confer AI is the most technically credible privacy-first chatbot on the market. Real architecture, not a marketing promise. But at $34.99/month, you’re paying $15 more than ChatGPT Plus and Claude Pro — and what you’re buying isn’t smarter AI. It’s an AI that structurally cannot read your conversations. Whether that’s worth it depends entirely on what you’re putting in the chat window.
TL;DR — Key Takeaways
|
The Problem Moxie Saw That Nobody Else Wanted to Fix
Every mainstream AI chatbot runs on the same implicit deal: share your information, get useful outputs. Most users accept it without thinking twice. Brainstorming a birthday party? Fine. Drafting a sensitive legal memo or sharing proprietary code? That’s where the deal gets uncomfortable fast.
Moxie Marlinspike — the cryptographer behind Signal — launched Confer in December 2025 to challenge this at the architecture level. Not “we promise not to look.” Not an opt-out buried in settings. An AI service where the provider’s access to your conversations is technically prevented, cryptographically verifiable, and auditable before a single word of your prompt is sent.
That’s a completely different engineering problem than building the smartest model. It produces a completely different product.
How Confer AI Actually Works
Passkey Encryption — Seamless on Apple, Fragmented on Windows
Instead of passwords, Confer generates cryptographic keys tied to your device’s biometric authentication — Face ID, Touch ID, Android biometrics, or a hardware security key. On macOS and iOS, this routes through the Secure Enclave and works cleanly. Genuinely frictionless.
Windows is a different story. Due to inconsistent WebAuthn PRF (Pseudo-Random Function extension) support across Windows Hello hardware configurations, users regularly hit authentication failures at onboarding. The fix — a YubiKey or a passkey-compatible password manager like 1Password — is manageable if you’re already in that ecosystem. If you’re not, it’s a wall you’ll hit before sending your first message.
Trusted Execution Environments — The Core of the Privacy Promise
All AI inference runs inside a hardware-isolated enclave on the server. The host operating system cannot cross that boundary. Server admins running processes on the same physical machine cannot read what’s being processed inside.
Confer runs open-weight foundation models inside these enclaves rather than proprietary ones. Marlinspike has deliberately declined to name which specific variants are active at any given time — same philosophy Signal applies to cryptographic cipher selection. The platform manages those decisions so users don’t have to track model versions.
Remote Attestation — Trust You Can Actually Verify
Before processing begins, your browser receives a cryptographic attestation quote from the server’s enclave. It validates the signature against a public transparency log, confirming that the expected unmodified code is running. You’re not taking Confer’s word for it. You’re verifying it.
This is what separates Confer from every AI service with a privacy policy. A policy is a promise. Attestation is proof.
The Security Gap Nobody Else Is Talking About
Here’s what should be in every Confer review and isn’t.
The TEE protects everything server-side. But if Confer’s web client ever served compromised JavaScript to your browser, the TEE wouldn’t help — because that script could read your plaintext prompt before encryption begins. The Noise Protocol handshake hasn’t fired yet. The enclave is irrelevant at that point. Your text is already exposed.
This isn’t theoretical. It’s the same attack vector that compromised Polyfill.io and has hit financial services platforms repeatedly since. For an AI whose entire pitch is “we architecturally cannot read your conversations,” the pre-encryption browser layer is the honest asterisk on that claim. Anyone thinking seriously about how generative AI intersects with real cybersecurity risk should start here.
This doesn’t kill the product. It means the security model is strongest in a native app and weakest in a web client with external dependencies. Worth knowing before you trust it with something genuinely sensitive.
What each layer of Confer’s privacy stack actually covers:
| Layer | What It Protects | What It Doesn’t Cover |
|---|---|---|
| WebAuthn / Passkeys | Account access, key derivation | Nothing if JS is compromised first |
| Noise Protocol Handshake | Encrypted channel to TEE | Pre-handshake browser layer |
| Trusted Execution Environment | Server-side inference processing | Client-side prompt capture |
| Remote Attestation | Verifies server code integrity | Cannot verify client integrity |
Prompt Quality: How Confer Actually Performs
Confer does not position itself as a frontier-model competitor. Signal founder Moxie Marlinspike has consistently emphasized that the product’s primary goal is privacy and data protection rather than pushing state-of-the-art AI reasoning.
For everyday tasks such as writing assistance, summarization, email drafting, and general content creation, Confer appears well-suited to professional use. The platform is designed to handle common workplace workflows without requiring users to trade convenience for privacy.
More demanding analytical tasks are a different story. Confer is not currently marketed as a replacement for the most advanced reasoning-focused models available from leading AI providers. Users whose work depends on deep multi-step analysis, complex research synthesis, or advanced problem-solving may find dedicated frontier models more capable.
Where Confer stands out is in sensitive professional communication. The platform is built around confidential conversations, making it particularly relevant for journalists, lawyers, executives, researchers, and others who routinely work with information that requires stronger privacy protections.
For coding and technical work, Confer can assist with routine programming tasks and general development questions, but it is not positioned as a specialized coding platform.
The key takeaway is straightforward: Confer’s value proposition is not maximum AI intelligence. Its differentiator is privacy. For users who prioritize confidential conversations and data control, that tradeoff may be more important than having access to the most advanced reasoning model available.
What the Hacker News Launch Thread Revealed
When Confer launched in December 2025, the HN thread surfaced user observations that don’t appear anywhere in the official documentation or marketing.
The most consistent signal: power users in privacy and security communities found the attestation model credible but flagged the browser client surface immediately — same concern raised in the security section above. This wasn’t a fringe critique. It was the first technical objection in the thread, and it went largely unaddressed by the team in their responses.
The second notable pattern: Windows users documented onboarding failures in detail, with several citing specific Windows Hello hardware configurations that triggered the WebAuthn PRF issue. The workarounds (YubiKey, 1Password passkeys) were confirmed effective, but the friction was real and reproducible.
What wasn’t there: complaints about output quality or privacy architecture integrity. The criticism was almost entirely about platform gaps — no API, no enterprise tier, no team plans, no mobile app — rather than the core privacy promise. For a product at this stage, that’s a meaningful signal.
Confer AI Pricing (2026)
Free tier: 20 messages/day, 5 active chats, base model access. Same encryption guarantees as paid — Confer doesn’t offer “privacy lite” on the free plan. Enough to evaluate the interface and output quality, but not enough to rely on it for regular work.
Premium — $34.99/month: Unlimited messages, more capable model access, expanded personalization. No annual discount currently listed.
The number that matters: $34.99 vs. $20 for ChatGPT Plus or Claude Pro. That $15 gap isn’t buying better reasoning. It’s the operational cost of running open-weight models inside hardware enclaves at scale — TEE infrastructure isn’t cheap, and the pricing reflects that honestly rather than hiding it in vague enterprise tiers.
Full Feature Comparison: Confer AI vs. ChatGPT vs. Claude vs. Gemini
| Feature | Confer AI | ChatGPT Plus | Claude Pro | Gemini AI Pro |
|---|---|---|---|---|
| Monthly price | $34.99 | $20 | $20 | $19.99 |
| Free tier | 20 msg/day, 5 chats | Limited GPT-4o | Limited Sonnet | Limited Gemini |
| Privacy model | TEE + WebAuthn + attestation | Standard cloud | Standard cloud | Standard cloud |
| Trains on conversations | No — architecturally prevented | Opt-out required | Opt-out available | Opt-out available |
| Encrypted inference | Yes — hardware enclave | No | No | No |
| Verifiable attestation | Yes — cryptographic proof | No | No | No |
| Context window | ~250k tokens | 128k (GPT-4o) | 200k | Up to 1M |
| Model transparency | Open-weight, version undisclosed | GPT-4o / GPT-4.1 | Claude Sonnet/Opus | Gemini 2.0/2.5 |
| File uploads | Limited | Yes | Yes | Yes |
| Web search | No | Yes | Yes | Yes (native) |
| Voice mode | No | Yes | No | Yes |
| Image generation | No | Yes (DALL-E) | No | Yes (Imagen) |
| Code interpreter | Basic | Yes | Yes | Yes |
| Memory | Limited | Yes | Yes | Yes |
| API access | No | Yes | Yes | Yes |
| Team/enterprise plans | No | Yes | Yes | Yes |
| Mobile app | Web only | iOS + Android | iOS + Android | iOS + Android |
| Windows compatibility | Fragmented WebAuthn PRF | Full | Full | Full |
| Third-party integrations | Minimal | Extensive | Growing | Deep Google Workspace |
| Agentic capabilities | None | Yes (Operator) | Limited | Yes |
| Best for | Sensitive professional use | General productivity | Long-form analysis | Google Workspace |
For a deeper capability breakdown between the mainstream options, the Claude vs. ChatGPT comparison covers that ground in detail.
Confer AI Alternatives
Confer fills a specific niche. Here’s what to consider depending on why it doesn’t fit.
Maximum Privacy, No Subscription: Local LLM
The local LLM space has matured enough that tools like Ollama with Llama 3 variants are genuinely usable for professional work. Zero-trust by definition — nothing leaves your device. The trade is hardware: running anything competitive above 13B parameters needs real GPU memory and some technical comfort. If you have both, this is the highest-privacy option, and it’s free.
Privacy-First Conversational AI: Encrypted AI Companion Platforms
The encrypted AI companion category is emerging as a distinct market. Several platforms are building privacy-first AI for sensitive personal and professional conversations. None currently matches Confer’s attestation model for technical rigor, but they offer better interface polish and more conversational features for users whose threat model is less demanding.
Capability First, Reasonable Privacy: Claude Pro
For professional writing, analysis, and research where confidentiality is a preference rather than a hard requirement, Claude Pro at $20/month offers the best balance of model capability and data minimization among mainstream options. Opt-out is available; the architecture isn’t privacy-first, but the data practices are more conservative than most.
Enterprise Context: Wait
Confer has no team plans, no API, and no compliance documentation currently. For organizations with actual compliance requirements, this isn’t ready. Revisiting in late 2026 makes more sense than forcing the current product into an enterprise deployment.
Why Confer’s Architecture Matters More As AI Gets More Agentic
Right now, Confer is a chat interface. In 2026, that feels modest compared to what OpenAI and Perplexity are shipping — autonomous agents that browse, read documents, execute multi-step tasks, and persist memory across sessions.
Those agents create a dramatically expanded attack surface. A compromised agent loop can exfiltrate data mid-task. Prompt injection can redirect agent behavior entirely. Session memory stored in standard cloud infrastructure becomes a long-term liability in a way a single conversation turn never was. The gap between AI agents and chatbots isn’t just about capability — it’s about how much more there is to go wrong.
Confer’s TEE-plus-attestation stack is architecturally relevant here. An AI agent that can cryptographically prove it’s running unmodified code inside an isolated enclave is a fundamentally different trust proposition than one that can’t. Confer isn’t building agents yet. But it’s laying the infrastructure that would make a genuinely privacy-preserving agent possible. That’s probably more significant in 2027 than it looks today.
Should You Buy Confer AI?
Buy Confer If:
Your work regularly involves information with real consequences if it leaks. Journalists protecting sources. Attorneys with privileged materials. Executives drafting board-level strategy. Developers under NDA. Researchers handling pre-publication data. For these users, Confer’s architecture offers protections no mainstream AI service attempts — and $34.99/month is a professional expense, not a luxury subscription.
You’re already security-conscious. If you use a password manager, carry a hardware security key, and use Signal for sensitive communications, Confer’s onboarding won’t feel like friction. It’ll feel familiar.
You’re on macOS or iOS. The passkey experience is genuinely smooth on Apple hardware. This is where Confer is best optimized right now.
Don’t Buy Confer If:
You need integrations, agents, or multimodal features. ChatGPT and Claude win here, and it’s not close.
You’re on Windows without a YubiKey or compatible password manager. The authentication friction is real and unresolved.
You’re expecting frontier reasoning. Confer is capable of writing, summarization, and professional assistance. It’s not competing with GPT-4 or Claude Opus on complex analysis or coding.
You need enterprise-grade deployment. No team plans, no API, no compliance docs.
Best Alternative If You Pass:
For maximum privacy without platform limitations — local LLM via Ollama. For capable AI with reasonable data practices at $20/month — Claude Pro.
Is Confer AI Worth It in 2026?
Confer isn’t trying to win the AI race. It’s trying to redefine what the race is about.
The technical stack is real. The remote attestation is verifiable. The TEE-based inference is a genuine architectural departure from how every mainstream AI service operates. These aren’t marketing claims — they’re design decisions with cryptographic teeth, built by someone who has done this before at Signal and made it stick.
The gaps are also real. Client-side JavaScript remains a pre-encryption surface. Windows onboarding is fragmented. Model capability doesn’t match frontier systems. The platform is early.
But what Marlinspike is building looks less like a chatbot and more like the foundational infrastructure of a privacy-first AI category — the same thing he built for messaging. The broader AI privacy landscape has almost nothing to compare it to. If AI becomes as central to professional life as email, the question of who can read your conversations becomes a question worth paying to answer correctly.
FAQS
Q. Is Confer AI actually secure?
Yes. Confer AI uses trusted execution environments (TEEs), WebAuthn passkeys, remote attestation, and the Noise Protocol. The main limitation is the browser layer, which operates before encryption begins.
Q. Is Confer AI safe to use?
For most professionals, yes. Confer AI offers stronger privacy protections than mainstream AI chatbots. However, no cloud AI service should be treated as risk-free for highly classified information.
Q. Is Confer AI encrypted?
Yes. Conversations are processed inside hardware-isolated enclaves, authentication uses passkeys, and server integrity can be verified through cryptographic attestation.
Q. How much does Confer AI cost?
Confer AI offers a free plan with 20 messages per day and five active chats. Premium costs $34.99 per month.
Q. Is Confer AI worth it?
Confer AI is worth considering if privacy is your top priority. If you primarily want the strongest AI capabilities, ChatGPT or Claude typically provide more value for the price.
Q. Is Confer AI better than ChatGPT?
Not overall. ChatGPT is stronger for coding, research, agents, and productivity. Confer AI focuses on privacy and security rather than model capability.
Q. What are the best Confer AI alternatives?
The strongest alternatives include Ollama for local AI, Claude Pro for advanced reasoning, and privacy-focused encrypted AI companion platforms.
Q. Can Confer AI read my conversations?
Under normal operation, no. Confer AI’s architecture is designed so conversations remain inaccessible to the provider while processing occurs inside secure enclaves.
Q. Does Confer AI train on my data?
No. Confer AI states that user conversations are not used for model training, and its architecture is designed to prevent routine access to conversation content.
Q. What AI model does Confer AI use?
Confer AI runs open-weight foundation models inside trusted execution environments. The company does not publicly disclose the exact model variants in use.
Q. Is Confer AI good for coding?
It handles basic coding tasks well. For complex debugging, software architecture, and advanced development workflows, ChatGPT and Claude generally perform better.
Q. Does Confer AI have an API?
No. Confer AI does not currently offer a public API.
Q. Is Confer AI better on Mac or Windows?
Yes. Confer AI generally works more smoothly on macOS and iOS. Some Windows users report passkey and WebAuthn setup issues during onboarding.
Q. Does Confer AI work on iPhone?
Yes. Confer AI supports iPhone and is generally considered one of the most reliable platforms for passkey-based authentication and privacy-focused AI usage on iOS.
Related: Using ChatGPT as a Therapist: What the Research Says About the Benefits and Risks (2026)
| Disclaimer: This article is independent and is not sponsored by, affiliated with, or endorsed by Confer AI. We make every effort to keep our reviews accurate and current, but products evolve quickly, and information can change. We recommend double-checking the latest features, pricing, and security details through official sources before making any decisions based on this content. |
