Privacy of Photos.app’s Enhanced Visual Search

Partly for reasons like this, and partly for how buggy they are, I no longer use Apple services. It's less convenient, certainly, but I simply don't trust them. I don't trust anyone. I'm at the point now where I self-host practically everything I use. I'm not enthusiastic about this at all. That's time I'd rather spend doing something else and outsource those services to someone trustworthy. But there is no one trustworthy.

Oh how I miss using a computer in 2010. Back then I could just do stuff on my Mac, it could work the way I wanted it to, it was elegantly designed and worked great, and everything hadn't gotten completely bogged down and buggy by being service driven.

Another annoyance: This setting has to be turned off on each device individually (maybe this is different if Photos is hooked up to iCloud?).

If we put aside whether Apple is to be trusted or not (I’m in the “not” team) when it comes to privacy, is there anything in the EULA that allows them to do that?

I find Jeff's writing to be a bit sensationalist, and Apple has an alert fatigue problem here. People are simultaneously complaining that macOS keeps introducing more "Worblz would like to reticulate splines. Allow or Deny?" dialogs, but also complaining that users don't have enough opportunity to give consent. Yes, this feature should be opt-in, but making it opt-in means a) people are annoyed about yet another dialog on startup, or b) people don't realize the feature exists at all. (Add to that the entirely self-inflicted complexity this year that nobody can even tell which feature launched with which release; was it 15.0? 15.1? Is it coming with 15.3? Punted this release cycle altogether? Who knows! I'm also unclear why, in macOS 15.3 Beta (24D5034f), the Photos version is Version 10.0 (740.0.160). Does that mean Photos is unchanged since 15.0? Does it mean 15.3 introduces a major upgrade to Photos? Very strange.)

But, as Michael points out, the other issue — and that's on Apple, too — is poor documentation. All over the place. There's no consistent (and typically, no comprehensive) way to find what has changed in recent versions. There's no comprehensive explanation of what actually happens with this Visual Search thing. What data gets transmitted? To whom? How is it encrypted? How does it or doesn't it identify me? This annoys me especially with Apple Pay, where, _as I understand it_, the architecture is quite privacy-preserving in that each actor (you, the bank, the merchant, and Apple) has _relatively_ little information from each other — but I wish Apple made little sequence diagrams to make that clearer. Who transmits what to each other? How long is it stored?

But more simply, I'm unsure what the feature even _does_, and again, that's on Apple. Photos already have location data. Why does there need to be some ML model to match them to visual landmarks? It's obvious from the location whether they're of a landmark or not. Is the feature purely for features that _lack_ location data?

>The issues mentioned in Apple’s blog post are so complex that Apple had to make reference to two of their scientific papers, Scalable Private Search with Wally and Learning with Privacy at Scale, which are even more complex and opaque than the blog post. How many among my critics have read and understood those papers? I’d guess approximately zero.

I'm not even sure what point he's making here. Is the implication that Apple's papers are a mirage? Snake oil?

Because best as I can tell, Apple is approaching it that way because it's about as good as it gets, for now. Yes, you can say "just don't do the feature at all" is sometimes the better approach (and that's what they wound up doing with CSAM), but I don't think "this is very complex" is a meaningful complaint. Technology is complex; therefore, we shouldn't do it?

>In effect, my critics are demanding silence from nearly everyone. According to their criticism, an iPhone user is not entitled to question an iPhone feature.

That's quite the strawman.

No, my issue with Jeff's assertion is that they're reductive, starting with the headline ("Photos phones home" IMHO conjures up all kinds of images like "every time you make a photo, Apple knows of its location") and continuing throughout the text (""What happens on your iPhone, stays on your iPhone." That was demonstrably a lie." — sure, that's extremely simplistic on Apple's part, but Jeff isn't actually making the case that personally created data or personally identifying information ends up on Apple's servers, just that this feature _might_ have a bug that _might_ lead to Apple's servers getting such data).

So, my main issue here isn't the feature per se, or worries about catastrophic bugs (seems to me they've put in multiple safeguards to make those unlikely) so much as that Apple once again documented this poorly, starting with the OOBE (whatever version of Photos introduced this should have some form of UI to let users make an informed choice) and going all the way through with explaining the technical details.

>is there anything in the EULA that allows them to do that?

I don't think the EULA factors in.

Nor do I think the GDPR factors in: if the feature is as explained by Apple, there is no personally identifying information; therefore, they don't need the user's consent. But IANAL. Perhaps someone who has experience with how differential privacy relates to GDPR can chime in.

> I'm not even sure what point he's making here. Is the implication that Apple's papers are a mirage? Snake oil?

I was merely responding to the many extremely condescending internet comments on my article: "My critics appear to argue that either I've neglected to do basic research or that I'm not qualified to raise questions about Enhanced Visual Search if I don't fully understand the technical details."

> That's quite the strawman.

Funny, because you just turned me into a strawman, as I quoted above.

Sören, the professional cryptographer I quoted was as bothered as I was that Apple enabled the feature by default. He didn't say that Apple's scientific papers prove that it's private. To the contrary, he said that this needs external validation. You know, peer review. I don't know why you aren't worried about vulnerabilities, because Apple software ships vulnerabilities all the time.

@remmah

I use iCloud Photo Library and turning it off on one device did not sync that preference to other devices so I had to disable it manually on all of them.

@Rui Carmo

The similarity to the CSAM scanning situation is my concern. We didn't want Apple to build that scanning of our photo libraries because if they build it to detect CSAM a government can then force Apple to also search for terrorism, people seeking abortions, political views they don't like, etc.

This landmarks search works differently in that presumably you get the results and your account isn't "reported" because you have a photo of a landmark, but they have built a photo library scanning technology which is what we all rebelled against a few years ago and puts us back on that slippery slope that we had hoped Apple had abandoned.

The existence of that scanning technology can invite governments to force Apple to spy for them because they already built it, they just have to change what they are looking for and how it is reported. It's existence makes it more difficult for Apple to not comply with such a request. Turning off this preference doesn't protect us from that as they can implement a scan that doesn't have a preference and that they don't tell us about.

We know Apple has compromised on iCloud security for China, VPNs in Russia, etc. We have to trust our own Governments not to force Apple to spy on us, and silently adding this feature doesn't help us trust Apple.

I noticed the same. And promptly turned it off. However, the damage is done, namely something gets sent without my consent. This is also quite likely another 'off' 'button' that will without a shred of doubt turn itself back on at some juncture. I am very happy devs like Jeff Johnson are out there, pointing these things out. He does it in plain english, and while the tide is against those that care, I want him to persist. The naysayers, even here, are part of the bigger problem and always cause me to scratch my head thinking - why criticise someone for pointing this out? Long live Jeff.

Needing to opt out on each device makes it easy to mistakenly have it be re-enabled. You disable it on your iOS 18 phone now but you are running an older OS on your laptop. Will you remember to disable it when you update the laptop in six months?

Steve Jobs had a great quote about why this is wrong, at the D8: All Things Digital Conference in 2010:

“We’ve always had a very different view of privacy than some of our colleagues in the Valley. We take privacy extremely seriously. That’s one of the reasons we have the curated apps store. We have rejected a lot of apps that want to take a lot of your personal data and suck it up into the cloud. Privacy means people know what they’re signing up for. In plain English, and repeatedly, that’s what it means. Ask them. Ask them every time. Make them tell you to stop asking if they get tired of your asking them. Let them know precisely what you’re going to do with their data.”

https://allthingsd.com/20100601/steve-jobs-session/

Wow. Just to clarify, in case anyone misreads my post as a defense of Apple's misbehavior here - I meant that the Steve Jobs quote clearly explains why what Apple did with "Enhanced Visual Search" was a violation of user privacy. It's only been 14 years since that quote, and Apple representative have repeatedly flogged this idea as being something they still claim to follow.
This default opt-in to a system that analyzes our data and uploads something without asking us is an unambiguous violation of this principle.

"People are simultaneously complaining that macOS keeps introducing more "Worblz would like to reticulate splines. Allow or Deny?" dialogs, but also complaining that users don't have enough opportunity to give consent"

They're both valid complaints. Apple should ask consent for stuff like this, and consent should not be asked by constantly throwing up dozens of stupid dialog boxes, often with inscrutable texts that most people will not understand, and often repeatedly because the conssent given by the user expires.

One drastic improvement on the "too many dialogs" front would be Apple taking an idea from web browsers and giving apps the opportunity to state all the privileges they need up front, with the option for the user to grant those privileges right then and there, either all at once or individually.

Right now I have an app that requires accessibility, automation, screen recording and system extension privileges and I have no choice but to annoyingly ask for each one separately, each one with a different dialog, some of which allow granting the privilege in that dialog, and the others requiring the user to dig into the right spot in System Settings to flick the switch. It's a nightmare and a source of tons of support tickets, because users often get it wrong without realizing it.

It is possible to create a custom made dialog that *kind of* improves this situation, but it still's a mess because you can't just add a button in your own dialog to grant the permission, only triggering Apple's dialog to appear and then trying your best to shepherd your users through the error prone process. And that's to say nothing of when TCC bugs out and the permissions simply don't work.

Even better, though, would be something other than dialog prompts. I don't know what, honestly, and I've spent some time thinking about it. But I'd love for someone to come up with a new UI paradigm for handling notifications and alerts that doesn't require these sorts of on screen interruptions and distractions.

DO NOT WANT.

I guess the same drift will happen with neural implants too. You want to take public transport? You'll be needing the latest neural implant OS for that. Oh? It trawls matches your thoughts and dreams in a purely anonymized fashion, for your safety, and you don't want that? I guess you'll have to walk to work then.

So this sounds like Apple here is saying that your info is private and so we’re going to enable thing feature because we’re confident about its privacy.

Other folks are saying that “hey, that sounds great and all but there could be a privacy leak. Prove it.. and your refusal proves you’re not trustworthy.”… (actually, it sounds more like clickbaity headlines basically saying ‘Apple probably turned this on to steal your data’…. the Verge did that recently)

So do we (again) ask for source code for the operating systems so we can audit it? (let’s be serious — who’s really competent to do so? Far better it to use that audit to find bugs and use them as zero-day exploits) Are we expecting them to give source code to us? Security through obscurity has always been Apple’s modus operandi.

Should we trust them? What’s their track record? Has iMessage’s encryption been cracked? Their other encryptions? Differential privacy been debunked?

Apple’s brand is that their north star is user privacy, and while they fall short of expectations sometimes (the recent settlement offer re:accusations of Siri’s inadvertent ‘wiretapping’ (and the sensationalist coverage implying that Apple settled with the accusations that it sold that info to ad firms… like, what??), law enforcement warrant-requried access to your iMessages), I think that their record has been pretty good, all-said, and getting better as the public is more aware of privacy issues (see the CSAM scanning) and Apple has had its hand slapped (batterygate, the new privacy/analytics dialogues during setup, etc.).

So I’m not saying that I can prove they’re actually private (though track record points towards it), but how about some actual proof that they’re not doing this in a private way? I mean… Apple literally states it’s being done in a private way, so they’d be open to class action lawsuits if it actually isn’t.

Also, just like with their aborted CSAM-scanning, if those locations were stored or scanned in some Apple database, the same issues would come up — “Hey government has proof you were at this location”. Apple’s not going to do that. (more likely, they have a lookup table of rooflines… the same one that powers their and Google Map’s wave your phone around the city skyline and we’ll figure out where you are)

I’m sorry but this sounds like connecting dots that could make sense… if it was Google or Facebook, but much less so if it’s Apple.

Actual proof, please.

Their privacy track record is so strong that we shouldn’t question them, and we have to look back all the way to yesterdays news to see that trust violated isn’t really the strong argument you think it is.

Presumably this feature still works if you have Advanced Data Protection enabled, but it seems to violate the promise of that feature.

“Advanced Data Protection uses end-to-end encryption to ensure that a majority of your iCloud data can only be decrypted from your trusted devices.”
- https://www.apple.com/legal/privacy/data/en/advanced-data-protection/

They go on to describe mail, contacts, calendars, and sharing such as a shared note to someone without ADP as exceptions. Photos being analyzed for landmarks happens on device and then data is sent to Apple about the photos, but that is just the sort of thing someone who signed up for ADP is expecting to not happen. They aren’t accessing the photos on iCloud servers, but the promise that no one including Apple can access your photos feels broken by the landmarks search.

@Bri Yes, there needs to be some way to do a combined prompt.

@Someone else No one’s asking for source code. We just want them to tell us what they’re doing and let us choose to opt in (or not). Otherwise they’re going against both of the Steve Jobs principles, as previously mentioned. We’ve discussed iMessage here several times; that’s a case where (a) Apple’s marketing was misleading, and (b) the metadata about who and when you were messaging was not secure. So that track record is not great.

@Eric Enhanced Visual Search has nothing to do with iCloud, AFAIK, so I wouldn’t expect ADP to affect it.

I understand they aren’t accessing photos in iCloud, but on device. It doesn’t violate the promise that they can’t access the data in iCloud, but rather violates the spirit of that promise by accessing the data anyway directly on device and sending data to their landmarks servers.

@Eric I haven’t read the technical papers, but I guess they are claiming that (due to the homomorphic encryption) Apple’s servers are able to process the data even though they can’t decrypt it. So I think this is within the spirit of ADP.

To simplify: neural networks use dot products as a basic operation. Dot products measure whether two vectors are aligned. The Homomorphic encryption Jeff mentions preserves the ability to compute dot products (within some error) when the image is encrypted. Therefore you should be able to algorithms based on dot products to recognize things like "there's a cat in the picture" even if the picture itself is encrypted.

Obviously there is a point where you can describe the picture so well that the fact the image is encrypted is irrelevant. Secondly, this whole argument presumes that there are no failures in Apple's implementation. Seeing the source code doesn't really help in the sense that you're still trusting Apple isn't using something else on their devices and servers. It does help in the sense that you might find errors in their implementation that you can tell them about and they will then (perhaps) fix.

Given that I'm seeing Apple is going to pay $95 million to settle a lawsuit for Siri "eavesdropping" on conversations, rather than defend their reputation... I find all the comments above defending Apple's intentions pretty cultish.

@OUG Apple Settles Siri Spying Lawsuit

I understand Apple's papers on homomorphic encryption and differential privacy, the implementation is very clever but that does not excuse Apple turning the feature on without consent.

Basically Apple is analyzing your photos on-device to see if there is something that looks like a landmark, calculating a hash/fingerprint vector that encodes the shape of the landmark, encrypting it (for homomorphic encryption), and adding noise (for differential privacy) and sending it to Apple's servers where their FHE scheme allows looking up the fingerprint in a database of landmarks without revealing to Apple or anyone else what the landmark is.

There are two issues with this, even before considering possible bugs in Apple's implementation, or side-channels leaking information:

1) as with the CSAM scanning case, they are creating a precedent that will allow authoritarian governments to require other scanning

2) uploading the hash/fingerprint reveals to someone surveilling the network that someone has taken a photo. A whistleblower taking photos of wrongdoing in a specific location would be exposed, for instance.

As to people complaining about pop-up fatigue, this is used for a frankly trivial and largely useless feature, identifying landmarks in your photos. The permission can be asked for when you actually try to use the feature (someone mentioned TipKit, which is designed for this).

The people arguing Apple deserves the benefit of doubt are completely delusional or suffering from Stockholm Syndrome. Apple is an ad company, increasingly so as the category euphemistically called "Services" (mostly the App Store tax and Advertising) is critical to their revenue growth. No advertising company can be given the benefit of doubt on tracking, as MJ clearly demonstrates in his links to Apple doublespeak on the subject.

In a previous breach of trust and consent, they also turned on without consent in Safari the Topics API (Orwellianly called "privacy-preserving analytics/attribution" when it is nothing but an infringement of privacy by tracking your interests in the browser itself). Even Google, the most voyeuristic company on the planet, actually asked for permission to do this (albeit with deliberately misleading wording in the request, because Google).

It is quite easy to see how governments will order Apple to abuse this feature in future, *without* any need to sabotage or compromise any Apple-supplied homomorphic-encryption / private-query / differential-privacy / ip-address-anonymizing security* features:

1. Some government (any one big enough to influence Apple) wants to find suspicious people (this does not have to relate to CSAM-- could be folks with photos of political targets like Alice Weidel or "bad things" like firearms).

2. That government instructs Apple to match "landmark" searches against (non-landmark) images (archetypes) which the government cares about. (Apparently this will require salting the data provided to the image analyzer on each client device as well as the cloud, but so what? By design that data is updated all the time anyway, and it can be regionally-varied by Apple.)

3. When a match is found, Apple sets a "call the secret police" flag in the search response to the client device (iPhone, Mac, whatever). This is trivial: for the new service, Apple tells us it may send back "Eiffel Tower" or "Not Sure," so Apple can just as well send back "tell the user 'not sure' but also quietly call the BfV and report image of Alice Weidel." (A call-the-cheka flag can easily be obfuscated in the reply message; just for example it could be the computed parity of some not-really-random cryptographic nonce. Also a flag can be per-government, since, for example, the German and British governments might be interested in different "bad things.")

4. Apple's software on the client device sees that "call the secret police" flag set, then sends a non-anonymous, not-privacy-differentialized, not IP-obscured message (with full GPS, wireless-environment, and device-identification data, plus almost certainly a goodly sample of local camera, microphone, and sensor feed) to the secret police.

5. Snoopy government gets exactly what it wanted-- a message clearly identifying each device exposed to anything that government considers suspicious, which also identifies the user(s) in virtually all cases. Plus location, network, and device data to help the government spy upon (or arrest) the user.

Everyone can analyze the heck out of the Apple anonymous search scheme-- but it doesn't matter whether it is secure or not. No government will care. Governments will be quite satisfied when Apple just quietly decorates responses to fully-anonymous searches with "call the secret police" flags-- and Apple will "truthfully" boast that it never rats out any users, because the users' own iPhones or Macs will handle that part of it.

* Maybe Apple's privacy/security scheme will both be implemented correctly and securely *and* will hold up to cryptanalysis. That is possible (though it would only take a small bug or design flaw to compromise the system). As we can see, though, the theoretical security of the query scheme is irrelevant, because Apple controls the rest of the software on the device as well as the cloud servers, so Apple can send arbitrary messages to devices and have them react in arbitrary ways whenever an image matches a target known to Apple, whether or not it is a picture of a "landmark."

The fact that Apple is aggressively forcing this obviously-low-value "find landmarks in images" feature onto users pretty much proves that Apple intends to abuse the feature. Few or no customers need help to recognize landmarks in the photos they take while making tourist visits to those selfsame landmarks. This feature wastes the user's battery and mobile data allowance to provide almost zero value to the user. An on-demand tap-image-to-identify-a-landmark-or-something (flowering plant? mushroom species?) service might be valuable, but no one is asking for a "tell me what I already know by scanning all my images" service. It is obvious that Apple is really deploying a "scan all user images on behalf of hostile spy agencies" feature.

I wish these new features defaulted to, "Off."
This week I discovered my phone was filtering my incoming mail by what it thought was important.
I also found Google Maps in my car deciding for me to avoid highways. That was turned on in two different places.
WTF? Give me an Apple Stupid button as an alternative to Apple Intelligence.
And don't let's get started about Siri's mal-dictation.

How it works:

https://9to5mac.com/2025/01/14/enhanced-visual-search-apple-privacy/

Multiple levels of digital chafe and mingling/mixing. I’m no crypto-gopher but seems pretty private to me. non-attributable, and one-way to me.

This is much worse: open an image containing a "landmark" in the Preview app, then open the Inspector. An icon will appear which, when clicked, will popup information about the landmark. Verified with a JPEG with no GPS metadata. Take a screenshot of the opened image, the same works in the screenshot. This is system level and turning it off in the Photos app has no effect.

Imagine when this is turned on in Safari...

@Bogdan It’s not intuitive at all, but there is an opt-out for that Visual Look Up feature: go to System Settings ‣ Spotlight and uncheck Siri Suggestions.

@Michael Thank you, thank you! I was just freaking out when looking at an image with a panda and this popped up again. The capability thus exists to remotely fingerprint any image viewed on the Mac and this is turned on by default.