The how, for the people who build it.
Meta's technology staff asked the right question: not why, but how. Here is exactly how π€« Private Agent One plugs into each Meta solution, what Meta gets from every integration, and why it is worth investing in β for Meta, and for the human at the center.
A proposal from public information β Meta is not a partner, shareholder, or investor of ours today.
Every integration rides one consent handshake.
There is exactly one thing to integrate: the Personal Consent Handshake Protocol (PCHP). Learn it once, reuse it on every surface. Data stays with the person; only consented, scoped, receipted signal crosses the wire.
Request a scope
A Meta surface asks the person's π€« Agent One for a specific, minimal scope β e.g. "purchase-intent: home audio, next 14 days" β never a raw data dump.
The human grants
Agent One shows the ask in plain language. The person grants a scoped, time-boxed permission (or denies). Nothing moves without an explicit, revocable yes.
Signal, not data
Agent One returns only the derived signal the scope allows β a consented, first-party interest token β computed on the person's own device/vault. The underlying data never leaves.
A tamper-evident receipt
Both sides keep a cryptographic consent receipt: who asked, what scope, when, for how long. Auditable end to end, revocable in one tap.
Model Context Protocol β how Agent One exposes consented tools and context to any model or surface, provider-neutral. Meta calls a well-scoped tool, not a database.
Agent-to-agent β the customer's Agent One talks to Meta Business Agent directly, each carrying its own consent receipt. Negotiation and fulfilment between two accountable agents.
Agent Payments Protocol β when a scope includes a purchase, payment and delivery prefs release on consent, so an ad can end in a one-tap buy and a local doorstep.
Open rails, provider-neutral by design β so nobody is locked in, and the person stays in control.
How it plugs into each Meta solution.
| Meta surface | How π€« Agent One plugs in | What Meta gets |
|---|---|---|
| Advantage+ & ad ranking | Agent One exposes a consented interest signal over MCP; ranking reads a first-party, receipted token at match time. The person granted the scope, so it is durable under any privacy regime. | Higher relevance and lower waste from signal that is real and owned β not scraped or inferred β and defensible when third-party signal keeps eroding. |
| News Feed & Reels | Ranking blends a consented "what I actually want this week" context from Agent One with existing behavioral signals. The person can dial it up or down from their own agent. | Better sessions and retention, and a feed that feels helpful rather than creepy β because the person is holding the dial. |
| WhatsApp Business + Meta Business Agent | The customer's Agent One and Meta Business Agent transact agent-to-agent (A2A), with a consent receipt on both sides and AP2 for payment. Booking, support, and checkout complete without the person's data leaving their control. | A trusted counterparty for a million business agents, higher completion on commerce and support, and a clean audit trail on every action. |
| Instagram & Facebook creators | A creator's audience contributes owned, consented interest through their own Agent Ones. Brand-match and recommendation models read those first-party signals by scope. | Sharper brand matches and monetization, so creators earn more from signal that is honestly earned β deepening the two flywheels Meta cares about most. |
| Muse Spark 1.1 (Meta Model API) | Agent One is the private context + consent layer; Muse Spark is the reasoning engine. Agent One runs Muse Spark under the person's consent β on hardware they own where possible β and feeds it only permissioned context. | The most capable model becomes the most trusted, and Meta's new model business reaches the people who own the compute it runs on. |
| Meta glasses (Ray-Ban Display + Neural Band) | Agent One is the on-device private layer: it holds the person's world model and runs a screenless consent ceremony by voice and gesture. Muse Spark does wearable inference; Agent One decides what may be shared, and when. | An always-on assistant people actually trust β the missing consent primitive that turns a camera on your face into a companion you let into your life. |
Transparent enough to hand to your own engineers.
This is built on trust, so nothing here is a black box. The whole integration is two message shapes over an open protocol. A Meta engineer can read this, stand up a sandbox, and reproduce it β no dependency on us to get started.
POST mcp://agent-one/tools/consent.request
{
"scope": "purchase-intent:home-audio",
"window": "P14D", // time-boxed
"purpose": "ad-ranking", // stated, narrow
"requester":"meta://advantage-plus",
"minimal": true // signal, never raw data
}{
"receipt_id": "rcpt_β¦",
"scope": "purchase-intent:home-audio",
"purpose": "ad-ranking",
"granted_at": "β¦", "expires_at": "β¦",
"nonce": "β¦", // verifier dedups
"signal": { "category":"home-audio",
"intent":"high" }, // bucketed
"cohort_att": "β¦", // k>=5000, attested
"budget_id": "β¦", // per-requester Ξ΅ debit
"device_key": "dk_β¦", // certified by identity key
"revocable": true, // one tap, anytime
"sig": "ed25519:β¦" // over the canonical receipt
}The consent service verifies sig and the issuer chain once at ingest, then materializes a trusted feature; ranking just reads signalβ no per-candidate crypto. The person's raw data never leaves their device. Revoke, and the receipt is dead β the signal stops. That is the entire contract, on every surface.
Stand up the rail
Meta pulls the Agent One SDK and runs the MCP consent server in a sandbox. Define one scope (e.g. purchase-intent:home-audio) and one purpose (ad-ranking). No production data touched.
Wire one surface
Point Advantage+ ranking at the consented-signal tool for an opted-in cohort. Receipts flow; a matched control group runs alongside. Instrument relevance and conversion.
Read the number, harden
Report the honest lift with the control group. Harden one-tap revocation and the audit trail, add scopes the pilot proved out, and decide to scale β or not β on real data.
If your team decides to build the consent rail yourselves, that is a win for the human either way. We would rather earn the partnership by being the most useful, most trusted layer than by locking anyone in.
What it actually costs at ranking time: almost nothing.
The fair engineering question is βwhat does this add to the hot path, and what breaks when it fails?β The honest answer: sub-millisecond in the ranking path, zero device round-trips, and graceful degradation to today's behavior when a signal is absent. Here is the data flow, the budget, and the failure modes.
Compute on device
Agent One derives features inside the person's vault (phone, laptop, glasses, or π€« Puppy), reduces them to one purpose-bound signal, quantizes it to coarse buckets, and releases the bucket under local differential privacy (randomized response) at a small Ξ΅. Cohort size (k, e.g. β₯ 5,000) is established by a private set-cardinality / aggregator service, not self-asserted. Raw features never leave the device.
Sign & publish a receipt
It signs the canonical receipt (ed25519 over scope, purpose, requester, granted/expiry, signal and a nonce) and writes it to a consent cache β Meta's feature store, or a neutral edge KV β keyed by a pseudonymous id that is stable within the scope's attribution window and rotates across epochs.
Verify once at ingest
On ingest (or cache-fill / signal change), the consent service verifies the signature and issuer chain exactly once, dedups the nonce within the TTL, checks a fresh cohort attestation, and materializes a trusted value into the feature store. The ranking hot path then reads a plain, pre-verified feature β no per-candidate crypto, no device round-trip.
Revoke by invalidation
A revocation invalidates the materialized feature and cache entry (fast path); a bounded revocation list is the backstop for pre-expiry compromise, consulted at ingest. Propagation is bounded by the TTL. Consent stays authoritative on the device.
| Hot-path budget | Cost | Note |
|---|---|---|
| Signature verify (ed25519) | ~50β100 Β΅s Β· at ingest | libsodium/ring on commodity x86, once per receipt on ingest or signal change β not in the hot path, and amortized over every rank that reads it. |
| Hot-path signal read | sub-millisecond | Ranking reads a pre-verified materialized feature β plain feature-store lookup, same tier as any existing signal. No crypto, no device round-trip. |
| Added rank-time cost | β one feature read | The signal is pre-computed, verified once, and cached. Ranking never blocks on the device or on asymmetric crypto. |
| Signal freshness | bounded by TTL | Tunable per scope. Decoupled from receipt liveness: re-sign only on change, so freshness costs no write storm (see scale). |
Fails safe
Cache miss or device offline
The ranker falls back to its existing signals. π€« is strictly additive β never a hard dependency. No consented signal means no regression, not an outage.
Revocation lag
Bounded by the TTL. Worst case is a stale-but-still-consented signal for less than one TTL. Shorten the TTL where a surface needs tighter bounds.
Key compromise
A person-level identity key certifies short-lived per-device signing keys; the verifier trusts a small issuer set, not N device keys. A lost pair of glasses revokes only the glasses cert β blast radius is one device, one scope, not a fleet-wide secret or a data lake.
Replay & cross-surface misuse
Purpose binding stops a receipt minted for ad-ranking from being replayed into another surface. A per-receipt nonce, deduped by the verifier within the TTL, stops same-purpose replay. Within-TTL replay of a still-valid receipt is, by construction, harmless.
Private & provable at scale
Data minimization β honestly stated
Only a derived, purpose-bound signal crosses the wire β never raw features β minimized by quantization and k-anonymity. Be precise: that signal then rests in Meta's feature store, linkable to a pseudonymous id, so it is personal data and governed as such. The guarantee is minimization and purpose-binding, not that Meta holds nothing.
Scale, with the arithmetic
β 3Γ10βΉ people Γ ~5 active scopes Γ ~500 B β 7.5 TB resident β feature-store scale, not a new data centre. The real cost is writes: a naive 10-min TTL would force ~25M re-publishes/sec. So we decouple β receipts carry a longer expiry with a separate revocation channel, and re-sign only on signal change β collapsing writes to the change rate. Verify is O(1); shard by id-hash.
Differential privacy β the right kind at each layer
Local DP (randomized response at Ξ΅_i) protects one person's own released bucket and grounds the per-requester budget; population DP (with a stated Ξ΅) protects cross-user aggregates like a creator's audience-interest distribution; k-anonymity governs cohort membership. Population DP on a single token would be a category error β using the right tool at each layer is the point.
Auditable, and honestly measured
The receipt is the unit of audit β every use traces to a specific grant (who, scope, purpose, when, how long). Defend against self-selection with a randomized holdback (not a matched control alone); tighten the confidence intervals with CUPED variance reduction; report the lift honestly. Scale what the number justifies.
Consistency model: consent is authoritative on the device; the cache is a read-through replica with bounded staleness (TTL). Additive, not load-bearing β so the worst failure is βno lift,β never βan outage.β
The questions a security reviewer asks first.
A signature only proves βsomeone holding a key signed this.β The hard part is who that someone is, and what stops a bad actor. Here is the trust root, and the abuse cases we design against β because at billions of people, you assume the requester is adversarial.
Trust root & keys
What the signature covers
ed25519 signs the canonical receipt β receipt_id, scope, purpose, requester, granted_at, expires_at, signal, and nonce β so no field is malleable. The verifier checks the whole payload, not just that something was signed.
Key β identity, not a bare key
A person-level identity key (in the phone secure enclave or π€« Puppy) certifies short-lived per-device signing keys. Meta trusts a small set of Agent One issuer keys, not billions of raw device keys β the receipt names its device_key and chains to the person.
How the issuer set is trusted
The whole root reduces to that small issuer set, so it is pinned like a CA root and published to a public key-transparency log. Rotation ships as a signed root update; verifiers accept a new issuer key only when it is logged and chains to the prior root. No silent trust, no single unauditable key.
Replay & freshness
A nonce plus verifier-side dedup within the TTL stops receipt replay; issuer-chain + expiry stop forgery and staleness. Revocation is cache invalidation on the fast path, with a bounded revocation list consulted at ingest as the pre-expiry backstop.
Threat model
The requester is untrusted
The minimal flag in a request is the requester asserting its own good behavior β so we never trust it. Agent One evaluates every ask against the person's policy on-device and can narrow, counter-offer, or deny. Minimization is enforced by the holder, not the asker.
No exfiltration by a thousand cuts
A compromised surface that can't ask for a data dump might ask for hundreds of narrow scopes and reassemble a profile. Because each grant is released under randomized response at Ξ΅_i, it carries a real DP cost, so a per-requester budget composes them β say Ξ΅_total β 1.0 per 30-day epoch, Ξ΅_i β 0.1, so ~10 grants exhaust a requester and it is denied. The budget is charged against a requester-scoped, blinded pairwise pseudonym, so accounting survives id rotation without ever giving the requester cross-epoch linkability. Plus rate-limiting and anomaly detection.
Consent fatigue is an attack
Asking a human to approve hundreds of scopes trains them to tap yes. The agent batches, defaults to deny, expires grants, and answers routine asks from standing policy β so meaningful consent survives at scale instead of degrading into habit.
Weeks to a pilot, not quarters.
An SDK + MCP server
Meta integrates against a stable Agent One SDK and an MCP server that speaks consented tools. Weeks, not quarters β no bespoke data pipeline, no new liability surface.
On-device runtime
Agent One runs on the person's phone, laptop, glasses, or π€« Puppy. Context stays local; only consented, scoped signals cross the wire.
Edge inference on the π€« Grid
Where Meta wants distributed inference for Muse Spark, the π€« Grid (Puppy β Factory One) supplies burst compute at the lowest cost per token β a complement to Meta's megacenters.
Low cost of entry by design: one SDK, one protocol, no new data lake, no new liability. The person's device does the private work; Meta receives clean, consented signal.
Why this is worth Meta's capital.
Consent retires the $145B risk
The market's question is return on the AI buildout. Consented first-party signal lifts ad, feed, and commerce ROI while liability goes down β the surest way to make the capex pay without hitting the trust ceiling.
Own the agent era, with trust
Meta is building the model, the business agent, the assistant, and the glasses. π€« is the one layer that makes all of them trusted by design, so the ambition scales instead of stalling on backlash.
A neutral rail, not a walled garden
Agent One is provider-neutral and human-owned. Meta gets better signal without owning the person's data β which is exactly what keeps regulators, and people, on side.
Aligned owners, low-risk entry
We are long-term Meta shareholders. Start with one measured pilot on one surface, with a control group and an honest lift number. Scale what works; learn cheaply from what doesn't.
One honest pilot, one surface, a real number.
Pick one surface β Advantage+ consented signal, a Marketplace one-tap-to-local-delivery flow, or Agent One on glasses. Wire the consent rail, instrument a control group, and read the relevance-and-conversion lift together. Trust first; scale what works. The human has to end up demonstrably better off, or it is not worth doing.
What this is, and isn't.
This is our proposal, assembled from public information β not a claim of partnership, endorsement, sponsorship, or investment by Meta. Meta is not currently a partner of HushOne or Hushh Technologies. Entities and people associated with Hushh are Meta shareholders; no position sizes are stated. Meta, Muse, Advantage+, Ray-Ban Meta, Instagram, WhatsApp, Messenger, and Marketplace are trademarks of Meta Platforms, Inc. MCP, A2A, and AP2 are open agent standards. Any future relationship would be built consent-first, with the person's ownership and control intact.