Friday, December 17, 2021

Apple Removes References to Controversial CSAM Scanning Feature

Tim Hardwick (Hacker News):

Apple has quietly nixed all mentions of CSAM from its Child Safety webpage, suggesting its controversial plan to detect child sexual abuse images on iPhones and iPads may hang in the balance following significant criticism of its methods.

John Gruber (tweet):

I wouldn’t read too much into this. […] I think the CSAM fingerprinting, in some form, is still forthcoming, because I suspect Apple wants to change iCloud Photos storage to use end-to-end encryption. Concede for the moment that CSAM identification needs to happen somewhere, for a large cloud service like iCloud. If that identification takes place server-side, then the service cannot use E2E encryption — it can’t identify what it can’t decrypt. If the sync service does use E2E encryption — which I’d love to see iCloud Photos do — then such matching has to take place on the device side. Doing that identification via fingerprinting against a database of known and vetted CSAM imagery is far more private than using machine learning.

[…]

Put another way, if governments, authoritarian or otherwise, were able to force Apple (or Google, or Microsoft) to add secret snooping features — like say finding photos of Tank Man on Chinese users’ devices and reporting them to the CCP — to our operating systems, the game is over.

They don’t need to force Apple to do anything because Apple never sees the photos in the CSAM databases, only the fingerprints. They would need to compromise two of the databases and infiltrate Apple’s human reviewers.

Jeff Johnson:

You can already upload illegal photos to iCloud Drive, and have Apple host them, as long as you encrypt the files yourself first on disk. Nobody can do anything about that, including Apple.

[…]

It doesn’t seem like they’re even interested in catching criminals, because they already publicly announced you can “opt out” by simply not using iCloud Photos.

Consequently, the real goal must be to trick everyone else into giving up their legal rights and their principles.

And once the “opt out” allows all or most of the criminals to avoid getting caught, is this going to be a bait and switch where they say, “Well, we didn’t catch anyone, so we have to get rid of the opt out and scan everyone”?

Or perhaps the real goal is to avoid wittingly hosting illegal photos. No one is going to blame Apple for hosting encrypted content that it can’t read.

Jeff Johnson:

There’s not even any reason why there can’t be end-to-end encrypted iCloud without scanning, either on device or on the server. It could have and should have happened already.

John Gruber:

I don’t disagree with you on (almost) any of this. But, politics is a reason. I think Apple considers it politically unfeasible to do E2EE for photo syncing without throwing some sort of bone to the crowd who think civil liberties should not override CSAM concerns.

Jeff Johnson:

Which crowd? I haven’t heard a single politician of either party even mention it. Not an issue in the public debate, until Apple made it one.

The most important crowd ought to be the half billion Apple customers. Who weren’t clamoring for it either.

John Gruber:

Politics is hard because it’s such a soft science. You can’t prove anything. But here’s one optimistic spitball: maybe Apple tossed this CSAM proposal out, as a concession to the anti-CSAM die hards. It went over like a lead balloon. Now, they’re like fine, we’ll wait.

[…]

And so now they don’t say they’re going to do it, but don’t say they’re not going to do it either. They have political cover from both sides so long as it remains in limbo.

[…]

My read is that they know they fucked up by not designing all of iCloud to be E2EE like iMessages from the get-go. But feel like they can’t put that genie back in the bottle.

Previously:

Update (2021-12-17): See also: Jeff Johnson, Glenn Fleishman.

4 Comments RSS · Twitter


Kevin Schumacher

Jeff Johnson:
> Which crowd? I haven’t heard a single politician of either party even mention it.

How many links to news stories can I list before my comment gets tossed as spam?

Are you freaking kidding me? Mr. Johnson and I have frequently not...let's say...seen eye-to-eye in the past, but this is right out the window as the most ridiculous, absurd, head-buried-in-the-sand thing he's ever said. And it's objectively wrong, not even subjectively.

Literally nearly every politician who has ever heard the word "encryption" (most of whom who don't understand what it actually means or how it works, even on a basic level) demand backdoors "for the children, won't you think of the children," with "terrorism, y'all" a close second.

So to try to head off politicians screaming about backdoors into E2EE, Apple tries to do what it considers a logical compromise, scanning photos headed for the cloud before they get uploaded.

So which crowd, you ask? The most important crowd, in terms of people who can put the screws to Apple in a way few others can, politicians. The fact you are oblivious to this is very troubling, indeed, especially since you are making out of whole cloth much more dire endgames (conspiracy theory-level bunk about Apple using this as an excuse to then turn around and scan everything on all devices).

@Michael
> They don’t need to force Apple to do anything because Apple never sees the photos in the CSAM databases, only the fingerprints. They would need to compromise two of the databases and infiltrate Apple’s human reviewers.

It's unclear to me why you think they need to do any of that. They pass a law with a gag attached, force Apple to comply in secret, and that's it. Or not necessarily even with a gag attached to it.

I've been arguing since day one of this whole brouhaha that there is literally nothing stopping any government in the world from demanding whatever it wants from Apple. Apple's choice would then be to comply or abandon that market. Apple doesn't need to have CSAM scanning built in order for China to demand scanning of all photos on a user's device (headed for iCloud or not) for Tank Man.

People seem to think that Apple building what has subsequently been dubbed a half-assed shot at fingerprinting is this revolutionary technological advancement that only three people in Cupertino have seen the source code for and, without Apple, the world will never have the ability to do this. That is pure, unadulterated bullshit.

I will say it again. There is literally nothing stopping any government in the world from demanding whatever it wants from Apple, and it doesn't need something built before they demand it. Anyone who argues otherwise is willfully delusional.

Also ditto Gruber's point about the fact that Photos already uses machine learning on your pictures to make search of images possible. I've brought that up repeatedly, too, but everybody's so hung up on "OMG ON-DEVICE SCANNING!!!!!!!111!!!"


@Kevin Schumacher

"there is literally nothing stopping any government in the world from demanding whatever it wants from Apple"

This is incorrect. The constitution, existing law, international law such as investor rights all limit the power of most governments that participate in international trade. In democratic states, the power of governments is even more constrained.


@OUG: that's technically true, but I think Kevin is right that there is frighteningly broad consensus in multiple countries that the government needs backdoors. I also don't think most constitutions protect against this. Thus, neither the constitution nor other existing law nor any trade agreements are surefire ways to protect against such a law.

Apple preempting the discussion by throwing a relatively small bone may be our best shot.


Kevin Schumacher

@OUG: That is theoretically true. In practice, it is surprisingly easy to take even a democratic-leaning government and slowly (or not-so-slowly) subvert it to an autocracy or worse. Look at Hungary (last paragraph of the overview of the linked section).

Also, ditto what Sören said.

Leave a Comment