Ask HN: What Apple alternatives are you switching to?

529 points by ByteWelder ↗ HN
Due to the controversy around Apple's CSAM backdoor plans, it seems like quite a few people are wondering what kind of alternatives are available. Let's share them!

My choices:

- Desktop: Manjaro Gnome, because it feels like macOS. It even does the 3 finger swipe up to see all your apps with Apple's Touchpad. My wireless Apple Keyboard also works fine.

Screenshot: https://imgur.com/a/UYPfgkC

To install it on my older MacBook Pro from 2014, but I had to use Android internet tethering to install the WiFi driver. To install it on my super new desktop, I had to use an ISO with a newer Kernel (5.13) due to the Radeon 6700 XT graphics card. I got that one from https://github.com/manjaro/release-review/releases/ instead of the Manjaro main website.

- Phone: I considered a Pixel with CalyxOS, but ended up buying a OnePlus 8T with microG variant of LineageOS from https://lineage.microg.org

Alternatively a Pixel phone would also run this version of LineageOS. MicroG (https://microg.org/) re-implements some parts of Google Play Services, while safeguarding your privacy, like push notifications. It also has some other Google-specific features re-implemented. I have over 40 apps and only found 1 that didn't work so far (which is Uber Eats, because they seem to require Google Advertisement ID). I pushed a modified Google Camera app to it (from https://www.celsoazevedo.com/), so my camera is better supported. I think only 3 out of 4 cameras are working, but I don't care.

- Watch: Amazfit GTR 2e with the official app. Alternatively it should work with Gadgetbridge if you don't want to use the offical app ("Zepp"). Amazfit GTR 2 is a better option if you want it to have WiFi and want to store music on it. Alternatives I considered: OnePlus Watch and Fossil Hybrid.

Apple features that I gave up:

- Apple Carplay: Because I don't want to use the Google ecosystem, Android Auto is not an alternative. I'll use my car's own GPS system, or I'll end up using my phone's offline maps.

- Apple Pay: My bank luckily has a contactless payment app for my phone, but I won't be making payments with my watch anymore.

492 comments

[ 2.9 ms ] story [ 350 ms ] thread
Main reason I'm using apple devices is for their quick security updates. I don't trust Samsung phone because they even run ads on $1500 phone. I am thinking to go with Pixel phone.
I'm an Android developer myself, and Samsung is universally hated among devs due to the bloatware/adware.

Manjaro Linux has rolling releases, so you get updates more swiftly than with other Linux flavours. LineageOS (regular or microG variant) get weekly updates if I recall correctly.

Pixel is a solid hardware choice in my book.

Afaik Lineage for microG is twice monthly, but still much better than many OEMs.
(comment deleted)
Apple also runs ads everywhere on its really expensive phones, mind. They're ads for other Apple products.

https://mjtsai.com/blog/2020/02/17/the-paywalled-garden-ios-...

A Google Pixel has far fewer ads than an iPhone these days.

(comment deleted)
I have never seen the iOS show me an ad. I've seen some third party apps, but not the OS or core apps.
The linked post has plenty of evidence, it might be worth going through it.
Put GrapheneOS on that Pixel. I run it on a 3a. It's pretty easy to install and updates itself very regularly, can recommend.

https://grapheneos.org/

Yeah I am considering switching to an iPhone.

A big kicker was opening the default Weather app on my Samsung Galaxy S9 and seeing an inappropriate ad that took up 1/3 of the screen. Absolutely shameful that they would be so desperate for cash to include such ad space in their flagship phone.

Although the recent news about Apple has me questioning the switch...

I’m testing how much I can move from services before switching devices and don’t have everything mapped out just yet.

- cloud backups: testing iMazing Wi-Fi daily backups to NAS. Tested a clean restore to an iPad that was perfect. The daily backups aren’t running consistently yet but likely has to do with power save settings.

- Photos: syncing with Synology Photos. Backup seems fine (40k of 65k pictures so far). The app leaves a lot to be desired vs Apple Photos.

Will test Calyx / Graphene on a Pixel at some point but not likely to pass the wife test.

Not switching TBH! Most people don't care!
(comment deleted)
With my phone I won’t accept any more updates, at least the ones I can resist, and I’ll switch to Android when there’s no other option. CSAM is a line crossed too far and I feel like Apple is telling me I’m just not holding it right again, and that makes me unhappy.
I'm looking for an alternative Android phone mostly because I'm annoyed by the lack of control over the computer I use the most. Any suggestions?
PinePhone or another device that you can run mainline Linux on
I ditched my last Apple products in 2013 due to lack of control. I daily drive Linux (Fedora 34) on desktop and Android on my phone (Pixel 4). I use Plex and a home server to control my media.
I think you need an "Ask HN" in the title.
I'm questioning whether I even need a phone at all so I'm considering making the switch to... a landline. I think I can give it a try for a month and see how it goes.
Honestly I'm planning on moving FROM android TO Apple...

I feel like that's still more secure than the other options / effort involved. I still think privacy wise Apple is the better play vs all non custom alternatives.

I'm with you. Going it alone is so inconvenient, very much reminds me of the 1990's where one needed to compile your own linux kernel. It just ends up being a big hobby with all the time implications attached to that.

I use Apple because I have other things to do with my life now, and it's the best of the big ones. They still are.

I’ve been working on my pinephone. But it’s really underpowered imo.

I’m considering a Librem 5. Which has more cpu power and battery.

The appeal to me is really getting off any major tech platform. Further, you can disconnect the components via switches — iE unplug the microphone. That being said, I can’t even use Signal on them without some major configurations.

https://forum.pine64.org/showthread.php?tid=13728

I have also considered the “freedom phone”. But my understand is it’s just Graphene + process isolation on a slightly modified hardware. Until it’s heavily vetted I wouldn’t use it though.

And ugh yeah, that’s about it.

You are aware that the Librem 5, in real-world testing, has terrible battery life... and is a brick in thickness. That's why I can't switch yet. :(
Around 6 hours of active usage and around 16 hours of idle time (exact values depend on what's kept enabled and the signal strength of course). Currently it does not suspend to RAM at all, which is how PinePhone achieves longer idle times.
> That being said, I can’t even use Signal on them without some major configurations.

Sadly bridging Signal into a matrix home-server and just using a matrix-client from the PinePhone/Librem is probably the simplest option.

> I have also considered the “freedom phone”. But my understand is it’s just Graphene + process isolation on a slightly modified hardware.

No, it's not. You may be confusing it with another company with a similar name selling devices with GrapheneOS and various apps installed. Both are not associated with GrapheneOS, by the way.

I've been using CalyxOS on a Pixel 4a 5G for like 4 months now and love it. Came from another stock Android phone though, not iOS. If anyone has any questions feel free to ask!
For those studying MacBook alternatives, I think the most underrated “serious” notebook computer in the world is the Panasonic Letsnote SX/SV.

Matte screen that actually works outdoors, removable long-life battery, unassuming vintage design (“let’s not rob that guy, he can’t even afford a new computer”). I haven’t investigated the Linuxability of this thing yet, but it’s super-light and impressive as a mosh terminal (especially with built-in 4G LTE!). Tough magnesium body, super comfy keyboard that’s easy to swap out if you beat it up. Made in Japan!

I have a fully loaded MacBook Pro, and couldn’t imagine doing design work on anything else, but I somehow end up getting lots of work done on the Letsnote. It’s at a point where I don’t think I’ll be excited about the long-awaited new 14-inch MacBook Pro, as I doubt it’ll have a matte screen and a durable exterior (and, I much prefer to look like a sad worker stuck with a dorky computer from 2006, than a moneyed tech guy).

Sounds awesome! I've had huge problems with some recent ThinkPads so it seems that it will be a choice between Panasonic and Fujitsu. Thanks for the recommendation.
It’s pretty much a staple item in Corporate Japan, which probably explains why Panasonic hasn’t offshored production as everyone else did.

I think it’d be great to see more overseas business pick up for these computers — it’s one of those classic bits of Japanese technology that looks hopelessly outdated until you use it, and then you hope it never changes. My label for such things is “In-N-Out Burger Technology,” for reasons that should be obvious to my fellow Californians...

Is the trackpad comparable to a macbook? I've yet to see an equal or anything remotely close.
Their trackpad is bad for me because they stick with circler form on most models. It's bad just because very small. It support scrolling by tracing circle edge, but not much worth.

Meanwhile they also stick with old fashioned non-isolated keyboard. It's great.

> think the most underrated “serious” notebook computer in the world is the Panasonic Letsnote SX/SV.

Oh man, I kinda wish I felt different, but this thing gets a hard no just for its aesthetics. Notebooks are both way to omnipresent in my life and manifold to revisit something mid-90s. I do not want my home & life to feel like an old X-Files episode.

The great irony is, your 90s throwback nightmare is now the Gen Z dream. Everything is a cycle if you wait long enough!
>your 90s throwback nightmare is now the Gen Z dream

Only ironically. See: vaporwave.

Can you even get one of those Panasonic laptops outside of Japan?

Checked Amazon.co.jp and doesn't seem like they ship to Europe. I'm actually interested in trying one of these out.

This will probally be my next laptop.

I like the retro look. I had a Panasonic years ago and adored it. It was huge, but did everything, even had a tv tuner. And it was easy to work on. Used it 10 plus years.

Looks like a japan only model. I should have known by the name, Let's _____ is a really common Japanese product trope. You should try "Let's Corn!" sometime. Its uhhh, japanese.

How do you suggest getting one of these things or getting support for it? I'm not against foreign market hardware but they can be a real pain in the ass for many. Last japanese laptop I had was almost 20 years ago, an ultraportable Sony. It was interesting but finding drivers online back then was a challenge.

You can probably buy a laptop with a certain generic form-factor with a rugged case that snaps onto the body. Panasonic, unfortunately, can't get economies of scale like LG, Lenovo, Apple.
Hardware-wise I've been in the Pixel, ThinkPad camp for a while.

There are decent custom ROMs for Pixel already mentioned, and the ThinkPad line even ships with full Linux support now so not too bad at all there.

As for cloud services, I'm still stuck on Google. I've been putting off switching because it's a lot of work.

I'm thinking of getting one of these: https://frame.work/

Any people here with experience with one?

this one looks terrific! I saw the review made by Linus : https://www.youtube.com/watch?v=0rkTgPt3M4k - totally got me convinced. I left Apple to System76 2 years ago, but that'd likely be my choice if I'd be doing this today...
I was waiting to read a trustworthy review, so just watched the video. Glad to hear that it's pretty good. Build quality was what I was worried about but it sounds generally good.

My only other question is Linux driver support. There was a brief mention about fingerprint scanner in Linux, but I really appreciate that Thinkpads under something like Fedora just work out of the box. Hopefully Framework will have similar support - it seems like the sort of laptop linux hackers would like to be using!

The latest Fedora 34 respins (and soon Fedora 35) work out of the box with everything including the fingerprint reader. Ubuntu 21.04 supports everything but the fingerprint reader, which needs libfprint 1.92.0. There is a pretty active community of Framework Laptop users now providing tips on how to set up different distros: https://community.frame.work/c/diy-edition/linux/91
If you look up the Linus tech tips review, he gave it a stunning review.
I ordered one, currently on a 2019 16” MacBook Pro. I just got an email saying they’ll start shipping my batch soon so I’m very excited.

My plan is to use it as my daily-non-work development computer. I just started playing around with NixOS on the server side and will likely use NixOS on my Framework laptop.

It’s an exciting concept and appears to be well executed. I’ll reserve full judgement til I’ve used it for a while.

I had tried configuring one a couple of weeks ago, but the website was having problems.

I haven't owned a PC laptop in several years - the last one I tried was a System76 with an abysmal keyboard. Turns out I need to type to have a functional laptop!

I ordered one of these Framework machines today, should ship in September. Seems promising. I am hoping that things just work after I install Linux on it and I can get down to writing code with minimal setup and configuration.

> I am hoping that things just work after I install Linux on it

Apparently Linux runs everything out of the box except the fingerprint reader. It's still unknown whether there'll be an official fix and when.

Happy to see discussions like this - hope it will affect MBP prices!
To be honest... None.

It's a choice. You might wholly disagree, but recent events aren't enough to get me to switch yet, because I think the competition has too many tradeoffs.

I can get my photos scanned against a CSAM database... or I can have Google tracking my location constantly regardless of what they say (as they've been proven to be misleading in the past)... or I can use a Linux phone and say goodbye to battery life and useful apps I need. I'll pick CSAM Scanning over my Location data being in the hands of Google, sorry.

And as for my laptop, macOS doesn't scan, and the M1 is too impressive and has me spoiled. And I have too many horror stories with both Linux and Windows and can't stand either of them. (Don't tell me switch to Linux - I've tried over a dozen distributions over the last decade. It's just not there yet.)

AOSP/FDroid would be a middle ground for your requirements, no?
I've tried that too. But I work from home and not having the ability to use Banking apps on AOSP without a ton of patching and hacks that could fail anytime afterwards is an issue. Also the camera performance on AOSP is noticeably worse in my experience, and I'm not alone.

To make AOSP "usable" for my life, I need to install the Play Store. At which point I've already lost and would prefer an iPhone for my privacy.

> To make AOSP "usable" for my life, I need to install the Play Store. At which point I've already lost and would prefer an iPhone for my privacy.

To be fair you don't need to, I use Aurora Store, they have a guest mode where you don't need to register any account.

There are plenty of Android flavours that don't have Google apps, like https://lineage.microg.org/ In my limited experience so far, LineageOS works much better than it used to on my HTC Desire. Battery life has been better than any of my iPhones (3G, 4S, 5S, 7 and XS) ever had.

That said, if I had to chose between a Google Android phone and an Apple phone, I'd still pick the Apple one. Luckily there are more choices these days.

android is no where near competitive with apple’s user XP. i was a long term android user until 3ish years ago. i’ll never go back to a fragmented device ecosystem again if i can help it.
(comment deleted)
It's like QWERTY vs Dvorak. The best one is the one you're used to. I personally find Windows and iOS frustrating, but I know it's because I'm used to Linux and Android.
that’s not true. i just gave an example of switching from what i was used to, to something new that i thought was superior.
Why would fragmentation be a problem as an Android user?
google doesn't control for device screen sizes, software that other vendors load on, or the CPU/ram/storage on the phone, watch, or tablet. they also allow 3rd party app stores. this creates an experience that is out of google's control and in a lot of cases is sub optimal for the user. it's not as stream lined or polished as it could be.
Any example? I've been using both iOS and Android devices of all shapes and form factors since both launched (and I work at a mobile app editing co) and have no idea of the inconvenience for end users.
pagerduty on a nexus 5 brought the phone completely to it's knees due to low ram, and probably some amount of responsibility on the pagerduty app not doing something gracefully. this was the google flagship phone at the time, pals with the current iphone didin't have that problem so i switched.
To each their own. I switched to an iPhone early this year after always having used Android before, and I won't be buying another one. Apple nails the big picture stuff, but they have really dropped the ball on some of the details in their UX. Just a few arbitrary gripes off the top of my head:

* The Clock app doesn't let you set a snooze length? Seriously?!

* Not having a notification LED or some other indicator really sucks. I might set my phone on the counter while I'm doing other things, and with Android, it was nice to be able to look up and see if I've gotten something without walking up to the phone and checking. (I know Apple will likely never implement this because it's a great pitch for their watch.)

* Face ID is slow and inconsistent compared to a fingerprint reader (especially during COVID), and I'm bummed that Apple ditched the latter. It works well about 80% of the time, and the other 20% I'm that crazy-looking person that's making faces at his phone trying to get it to unlock.

* If you had any sort of media app open previously and then connect some Bluetooth headphones, the media controls for that app open up and take up most of the lock screen, and there is no way to swipe them away; you have to kill the app to get them to disappear.

* I miss the inline notification controls. On Android, apps can give their notifications extra buttons, so you can do things like delete an email right from the notifications bar without having to open the app.

* My friend and I regularly send each other voice memos. First of all, the built-in voice memo feature in iMessage is atrocious (no seek and you have to restart from the beginning if you leave the screen), so we use the Voice Memos app to send each other audio files. Except, when you play an audio file inline through either iMessage or Mail, the screen will still turn off and lock, which pauses the file. You have to save it to Files, then open it via the Files app to ensure that it continues playing in the background. How are you supposed to know this?!

* If your iCloud storage is close to full, Apple will continually notify you every few days via your phone and email, and there is no way to disable these notifications.

* Needing a special charger sucks. Everything else I own is either USB-C or microUSB at this point, but my iPhone needs its own charging cable that nothing else uses.

* All of the special treatment that only Apple's apps get is frustrating. For instance, why does only Apple's Clock app get a special timer UX on the lock screen, and everyone else's has to use a notification? Why does only Safari support ad blockers? And why is the camera button on the lock screen limited to the built-in Camera app? They really push their own apps with these artificial benefits, which detracts from the plethora of apps in the App Store.

* Syncing files (in both directions) without iCloud is a pain, and I'm not going to pay for an iCloud subscription. There are lots of different ways to achieve this, but none of them are as easy as simply using SyncThing on Android.

Even though Android is lacking in certain areas, I find the UX to be a lot more consistent than that of iOS, and I would take the consistency and flexibility of Android over all of Apple's corner cases and attempts to predict how I will use my device. But again, that's my personal preference, and to each their own.

(Sorry, this turned out to be much longer than I expected. I guess I'm more frustrated by iOS than I realized!)

microG is still sending information to Google in order for apps and services to work. It does NOT free you from Google.
I haven't used Android as a daily phone since the EVO (I know, its been a while). One issue I had with Android and custom firmware was the time involved. Being on a computer all day, and often times at night, having to deal with tech support issues on my device is a hard stop (for me, personally, plenty of people love it).

That's the nice part of Apple's ecosystem - its pretty simple and requires minimum intervention.

To be fair, once you get past the initial setup, everything mostly Just Works™. But still, I completely understand not wanting to deal with installation and the potential consequences if something goes wrong. (I nearly bricked a device from a botched installation once, so I know how stressful that is.)
I don't doubt that it just works nearly as well as an iPhone, but I want someone else to be responsible if things do go wrong.

For similar reasons, I don't self-host important services like email despite having my own domain. If shit goes wrong, I want the company I'm paying to have their people take care of it. I don't want to have to rush to fix it myself.

As someone who had an Evo with custom FW back in the day, I can attest the process is much simpler in recent years. If you do your research and ensure the device you are purchasing has official lineage support, the entire setup procsss takes less than an hour. Lineage includes built in update support as well, although to upgrade between major versions you still need to use a computer if I remember correctly.

I purchased my first iPhone since the 3G this year, and it is currently for sale on swappa. I am willing to compromise on a slightly less polished UI and subpar camera to get the UX of android back; at least for me, iOS was lacking many features I could consider essential.

Plus, in the same use case (photos in the cloud), they’re still being scanned for CSAM and probably piracy and whatever else Google scans for.
Google has been scanning photos for CSAM for... what, almost a decade now?

Also, as an iPhone user, contrary to the recent Hacker News fight, I actually view this CSAM scanning with a sign of hope, because this hints that we could get end-to-end encryption on iCloud Storage. The CSAM scanning is rumored to be just a prerequisite to get the government to shut up with their biggest critique of E2E, so that Apple can then turn it on.

If I can get E2E storage from iCloud but accept CSAM scanning on my device to satisfy the law... I'm OK with that choice. You might not, in which case, Android (and I'll probably buy a backup Android phone "just in case").

Oh yes, I'm sure the FBI will be satisfied with using the backdoor to only find CSAM, they definitely will not use the access for 'anti-terrorism' and drug enforcement. That sounds just like the FBI.

What good is E2E encryption when they can scan your client with a backdoor? All Apple is doing with this hashing is giving themselves plausible deniability when this access gets abused down the road. "Oh we didn't know they would use those hashes to arrest those protesters, we couldn't have foreseen this"

E2E with some scanning at the onramp is still much better than no E2E. If iCloud was compromised, your data is still safe, among many other reasons. If the US Military physically raided the data center and carted out all the hard drives, my data would still be secure. It's still a better alternative. It's not perfect by any stretch, but it's better than what we have now.

Also you are aware Google Photos, Facebook, etc. do scanning anyway and have for almost a decade?

(comment deleted)
Yes, we are one warrant away from just sending all data to the FBI using this system.
But this was already true! I don't get why this is the thing that's made people realize that they have zero control over their phones and that Apple could have any time in the last decade just uploaded all of your data to the FBI if compelled to.
There is no privacy on the internet and on your phone. People really need to get over this.
I won’t get over it. You need to get over people not getting over it.
Doesn’t Apple have a front door to change your phone at the FBI behest? Weren’t they already able to upload data (telemetry etc)? It doesn’t make sense to pretend that there was an existing state where Apple couldn’t get data off your phone if the FBI ordered surveillance.
macOS has been announced to scan just like iOS
Incorrect. It will use a generic model to warn children that they could be exposed to nudity, but that runs on-device and sends nothing to Apple. (It's just a generic nudity detection model).

On iOS and iPadOS, they will implement the iCloud Photos CSAM scanning, but Apple left out macOS as having that for now. Rumoredly according to GitHub reverse-engineers of the system, it's due to the mathematical precision of the NeuralHash algorithm being processor-dependent on ARM and not Intel.

From https://www.apple.com/child-safety/ :

> These features are coming later this year in updates to iOS 15, iPadOS 15, watchOS 8, and macOS Monterey.

In that case, I'm not sure. The people reverse-engineering the algorithm say they aren't quite sure if that's because the system hasn't shown up in MacOS Developer Previews yet (where it has in iOS and iPadOS), or if that's because they are referring to the generic nudity detection instead of the database matching system.

For now, the security experts looking at this say that the nudity detection model is on all platforms, but the database matching in iCloud Photos is only on iOS and iPadOS and it's unclear whether it will come to macOS.

That's at the end of a summary of all 3 features. Each one has the specific OSs listed though:

> iOS and iPadOS will use new applications of cryptography to help limit the spread of CSAM online

It's a bit confusing; 2 paragraphs above that line:

"Next, iOS and iPadOS will use new applications of cryptography to help limit the spread of CSAM online, while designing for user privacy."

That implies macOS isn't getting the CSAM scanning stuff (yet?).

> Rumoredly according to GitHub reverse-engineers of the system, it's due to the mathematical precision of the NeuralHash algorithm being processor-dependent on ARM and not Intel.

If true, it's highly probable that Apple can just port it to macOS and have it work especially for the Apple Silicon line up rather than Intel.

But only Apple knows. But so far, it seems like ignoring the M1 hype was the smart thing do.

(comment deleted)
Exactly, I think people are just getting a little too worked up over this whole thing. Apple computes a hash of each image you upload to iCloud then check it against a list of CP hashes.

Of all the things in the world to get worked up over, this is ridiculous.

I get it, the mechanism they're using has apparent flaws, and maybe some whacko could somehow get access to your phone and start uploading things that trick the algorithm into thinking you have CP.

But, that alone is such a ridiculous phobia, if someone has that level of access to your phone, they could upload real CP and maybe even upload it to your Facebook for good measure.

Also, all of the "situations" where this could be abused are already applicable on all other platforms. There's no reason your Ex couldn't upload CSAM to your Google Photos account, or to your Facebook account. Google Photos and predecessors have scanned since, what, 2013?, and would detect it, and would report it to law enforcement.

Despite this having been a possibility for almost a decade... there's a suspicious lack of headlines of this attack occurring.

Apple hashes all of your photos offline and then pinky promises to only check the hashes against the official on phone database when the user initiated an upload. The problem isn’t about wackos it’s about governments forcing Apple to do things with this new weapon
Every other cloud storage provider has implemented scanning since 2011-2013.
I haven't seen a single person concerned about Apple scanning photos in iCloud. The problem is entirely that the scan is happening on your personal phone with apparently some janky implementation that in one week has already shown to have serious flaws.
> Apple hashes all of your photos offline [...]

No, only the ones designated for upload to iCloud.

> [...] it’s about governments forcing Apple to do things with this new weapon

Governments can already force Apple to do any kind of scanning, "weapon" being built already or not.

Says who? Apple? How much is that worth?
If Apple were going to lie about this process, they didn't need to announce it and go into so much detail at all. They could have just kept it quiet the way the current server side CSAM scanning is done by others already. The legal and market impacts of Apple lying would be severe.
> > Apple hashes all of your photos offline [...]

> No, only the ones designated for upload to iCloud.

How do you verify that?

If you turn off iCloud, the hash list will never get downloaded on your phone. No scanning will take place in that case.
How do you verify that? :) You're just quoting what apple says. Which may be all they're allowed to say due to the national security letter thing.
I'm trusting in the hacker community with this.

If Apple really is trying to sneak in a CSAM database on your phone with iCloud disabled, someone WILL catch it and raise so much hell we'll all hear it.

This kinda of sounds like "let them put a camera in my living room, I'm not doing anything wrong".

The biggest complaint here is clearly this is not where it'll end, and it's not a unique hash, so there will be false positives. And since it's publicly announced, this is very unlikely to catch any producers of CP, and would only catch the dumbest consumers. So it's an invasion of privacy with very little chance of having a noticeable impact.

> I think people are just getting a little too worked up over this whole thing.

They aren't, but the blame is misguided. This isn't a problem with Apple. What is Apple going to do if they do detect something identified as CSAM on your device? Refuse to sell you another? Oh well. The real worry is what other parties will do if they get ahold of the information. That is what needs to be fixed. Apple is exposing the underlying problem, not causing the problem themselves.

Apple have said what they're going to do. If the number of hash hits reaches 30, then they'll scale the image down and send it off to their manual review team. If they confirm it's CP, then they call the police.
Exactly. They're not going do much of anything. It is what happens after the final step outlined that actually concerns people, and that is where the real problem lies. Apple is simply exposing the problem; or perhaps more accurately bringing the problem we all understand exists into the limelight. Had Apple not implemented this feature, or implemented it differently (scanning server-side, for example), the problem would still be there.
If a pedophile takes their computer (loaded with CP) to a repair shop and they find CP they call the police.

If a pedophile uploads CP to the internet and the host finds CP they call the police.

Both seem like reasonable responses to me.

Again, it is what happens after that which has people worried. Apple is simply bringing attention to it.
The police investigate the matter and a case might be brought to trial?
As it turns out, people don't like having to deal with police, nor do they like the idea of potentially losing a trial (especially in the court of public opinion).
Then it sounds like you should be arguing for for a repeal of CP laws. A controversial stance.
I have no feelings towards the topic. I am merely summarizing what the consensus is writing on places like HN towards what Apple is doing.

The general sentiment does appear to be that the laws are misguided. That does not necessarily mean repeal is necessary. Augmentation may also provide a solution that satisfies their concerns. However, that is moving well beyond the topic at hand. There is no indication I can find that some kind of change is controversial. There is clear worry about the status quo based on the potential outcome of what information Apple may glean.

What remains is that Apple isn't anyone's real concern. An inanimate corporation can't do much to you. Apple is simply bringing attention to what actually concerns people, which is something that was already there all along.

Totally reasonable response. I would like Apple to notify me so that I can call the police after my threshold of one NCMEC and other child-safety organization image identifier matches on my personal computer systems.

This will violate my IT device usage policy! Apple is not my IT department!! We have a ZERO TOLERANCE IT device usage policy. By not calling the local police department after one violation, we violate the policy. There is also a form which must be signed before HR (Girlfriend) so they can be present on the call to LE or else be subject to disciplinary action up to and including termination.

Again, how can you verify that's what they'll do?
Apple's using my electricity and my silicon to call the cops on me. We have no idea what hashes they're checking images against; we can't see the raw data, and we can't see the hashes, and we can't see what they're sending to their servers.

There is no technical reason why this needs to exist. If they want to scan iCloud photos for something, they can do that on their servers. iCloud is not end-to-end encrypted. Law enforcement can do whatever they want with the data you send there. Since they chose the client-side route, they have to be up to something, and it all smells very fishy. Today, they say it's for CSAM. Tomorrow, it will be for any discontent against whatever government wants to oppress its people this week -- and as time goes forward, that is not just third-world countries where you don't live, it could be your own.

Do you really want to explain to the police at your door at 3:30 in the morning why you read a website called Hacker News? This is the first step towards that reality.

Imagine I wrote a program that contained the phone numbers of people I don't like. The database is encrypted, and the only way to see if you're on that list is to install the app on your phone. The app does two things -- nothing if you're not on my list, or it sends me your location (at your expense!) if you are. Would you install that app? Absolutely not, that would be crazy. But that is basically what is bundled into iOS now.

I really like my iPhone and iPad Pro. I like how Apple handles privacy in general. But I can't accept this. It's a step too far. You don't have to draw the line there, but I draw the line there.

> iCloud is not end-to-end encrypted

Yet. Have you considered that this might be a necessary precursor to making iCloud e2e?

Scanning people's on-phone photos clearly has nothing to do with being a precursor to e2e encryption. The photos get transferred either way, so one has nothing to do with the other.
Except for giving the authorities a way in to replace the one they're losing.
That's not what was being argued, but you made an excellent point.
What was being argued was exactly this.
I know what I was arguing, and it was specifically mentioned, so no it was not what was being argued.
> Scanning people's on-phone photos clearly has nothing to do with being a precursor to e2e encryption

This is what you were arguing. It is false.

Followed by this, "The photos get transferred either way, so one has nothing to do with the other."

It was clearly a technical statement not a privacy statement, so only superficial reading might lead one to believe it meant something that it did not.

That is why I replied that the person who replied to my comment, where I said I had argued something different, but that what he wrote was an excellent point.

So, what on earth are you so invested in that you feel the need to argue minutiae that don't apply?

> "The photos get transferred either way, so one has nothing to do with the other."

That doesn’t change anything. It may be a pre-requisite from the perspective of their business. You replied to me and I didn’t constrain my point to just technicalities.

> So, what on earth are you so invested in that you feel the need to argue minutiae that don't apply?

It does apply. I’m simply pointing out that what you said is not correct.

(comment deleted)
If the goal was to make iCloud e2e, why not release both features at the same time so people can see that they're codependent (in Apple's eyes)? Without any kind of announcment or promise of e2e iCloud, we're just speculating for possible reasons why this might be OK. Might as well guess that this is going to allow Apple to give us free iCloud storage, too, while we're coming up with wishlist features.
> we're just speculating for possible reasons why this might be OK.

Sure. All the statements about why it’s not ok are also just speculation.

> why not release both features at the same time

That’s not how Apple typically works. They release a feature, try to make sure it works as expected and only then release the features that depend on it.

Then doesn't that seem hypocritical to you to defend dropping Apple right now for the imagined future possibility that all local photos could be scanned (instead of just the uploads)?
There’s little point in E2E encryption if snooping is moved outside of either end. This measure is only necessary for implementing E2E in iCloud insofar as it allows the feds to do the very thing I want E2E to prevent them from doing in the first place.

It’s as if USPS invented a new type of envelope that is physically impossible to open for anyone whose name is not written on the outside of it. Just one caveat: before they’ll give you any of these envelopes, you must allow them to read the letters being put inside.

If your concern is someone intercepting your mail before it gets to its intended recipient, this is great news. If your threat model involves federal agencies reading your mail, you’re no better off than you would be without these fancy new envelopes.

> if snooping is moved outside of either end

Yes, but this isn’t snooping.

They’re scanning users’ data on users’ devices. What do we call that if not snooping?
Necessary ... for the US government? Definitely not for me.
Apple could scan on the cloud. Rumor is that Apple wants to use E2E on iCloud, and this is a necessary step to shut up the government's biggest critique of E2E and deploy it before the government can figure out a different excuse. We'll see if that pans out.
> Apple's using my electricity and my silicon to call the cops on me.

Okay.

> We have no idea what hashes they're checking images against; we can't see the raw data, and we can't see the hashes, and we can't see what they're sending to their servers.

Apple is getting the entire image regardless, this happens as part of the iCloud upload process.

> There is no technical reason why this needs to exist. If they want to scan iCloud photos for something, they can do that on their servers. iCloud is not end-to-end encrypted. Law enforcement can do whatever they want with the data you send there. Since they chose the client-side route, they have to be up to something, and it all smells very fishy.

It's a hell of a lot cheaper to distribute the load onto the device than to do it on GCP. However, this whole line of thinking is ridiculous, iOS is your operating system, it can send what it likes where it likes without you knowing about it. Why does this particular thing cause concern?

> Tomorrow, it will be for any discontent against whatever government wants to oppress its people this week -- and as time goes forward, that is not just third-world countries where you don't live, it could be your own.

> Do you really want to explain to the police at your door at 3:30 in the morning why you read a website called Hacker News? This is the first step towards that reality.

https://www.txstate.edu/philosophy/resources/fallacy-definit...

> Imagine I wrote a program that contained the phone numbers of people I don't like. The database is encrypted, and the only way to see if you're on that list is to install the app on your phone. The app does two things -- nothing if you're not on my list, or it sends me your location (at your expense!) if you are. Would you install that app? Absolutely not, that would be crazy. But that is basically what is bundled into iOS now.

Again, your overlooking the fact that this app is already coming from Apple the company that made iOS. They already control your phone, why would they need some additional app?

From the Slippery Slope page, their first example of a false slippery slope: "We can't permit the sale of marijuana by doctor's prescription, because that will lead people to believe it's an acceptable drug; this will open the floodgates to the complete legalization of the drug for use by every pothead in the country."

Umm... that happened.

> iOS is your operating system, it can send what it likes where it likes without you knowing about it. Why does this particular thing cause concern?

Then I guess it's not my operating system after all.

> But I can't accept this. It's a step too far.

So turn off iCloud photos?

For now. We see the direction apple is moving.
The direction of not letting people store child porn on their servers? That's pretty much what everyone in the cloud space is doing already.

This service exists so Apple can E2EE your data while still placating DOJ.

Totally missed the point. The direction of scanning everyone's phone for 'prohibited content', pushed on them by various governments. Be it political, fine in one country but not in another (adult homosexual), etc. And a future where the content scanning applies AI and reports you for doing such things such as taking pictures of police or protests.

It's a cop in your phone.

If that's your position, you cannot own a closed source device with binary updates. Because the device provider _could_ always do anything.

What they actually do is what is important. And what they actually do is publicly disclosed so you can make your choice appropriately.

Why should Apple let pedophiles store CSAM on iPhones just because they’re not uploading it to iCloud Photo Library? It’s morally reprehensible to not disable that flag when it’s such a simple thing they can do to catch so many more criminals!
This is obviously sarcasm but I'd preface it with an explanation since HN is multicultural and not not everyone here is brought up to catch it effortlessly.

Edit: The point here is that even if Apple tries very hard to make this be only about photos about to be uploaded to the cloud, if the percentage of phones that turns off iCloud storage increases as a response to this new "snitch-on-me" feature that will be a very good argument for law enforcement to ask for a list of IMEIs that are not using iCloud, and it will also tempt them to demand that Apple start scanning all files.

You own your iPhone. Apple owns iCloud servers.

It's very simple. You want to upload images to iCloud? Then let your phone scan it and upload it. You don't want your images scanned? Don't upload them to iCloud.

As skinkestek kindly pointed out, the point of my sarcastic comment was that now that the precedent of scanning the contents of users’ devices - as opposed to the contents of Apple’s servers - has been set, deciding whether to do so based on the state of a single “Store photos in iCloud?” toggle is going to start looking awfully arbitrary.
Your line is the maybe pennies of electricity over the lifetime of the phone? Weird. I can totally understand your line being the CSAM scanning itself but you seem to be fine with the exact same scanning being done with even more opaqueness and less transparency because it's done server side.

I also get the slippery slope thing since you don't really have any control over what your device does but that's been true since forever. Running some scan() method and posting matches to a URL is something that literally could have been done in the last 10 years. It's not like this tech is magically enabling something that wasn't possible before.

And I do get the using your resources argument but iPhones have had integrated DRM since forever.

The thing I don't get is why now? Surely you should have left ages ago?

> This is the first step towards that reality.

You know, I could respect your opinion that this is where you draw the line, but you ignore all of Apple's history if you think this is the first step. This isn't the first step, this isn't the first chapter, this is at best the middle of the book where the plot twist happens.

No, this is clearly no the first step. This is the first step you chose to see the reality of the situation. You'll look back and you'll see how everything was paved with good intentions and how people sounding the alarm were ignored.

This isn't the first step.

> Exactly, I think people are just getting a little too worked up over this whole thing. Apple computes a hash of each image you upload to iCloud then check it against a list of CP hashes.

If that is what is supposed to happen, then it makes no sense for any new code to run on the device!

> Of all the things in the world to get worked up over, this is ridiculous.

Well, it is not crazy to get worked up over Apple saying they will check uploads to iCloud by checking what's on your phone - instead of simply adding code to iCloud. That seems obvious not ridiculous.

> If that is what is supposed to happen, then it makes no sense for any new code to run on the device!

The new code calculates the hash as part of the upload process. The comparison of the hash against known CP hashes happen on the server.

> Well, it is not crazy to get worked up over Apple saying they will check uploads to iCloud by checking what's on your phone - instead of simply adding code to iCloud.

They're still doing the checks in iCloud, but the hash is being computed on the client.

You simply repeated back to me what I wrote without addressing any of it.
Okay, well they're likely doing it to save money. I work in data engineering and I can tell you calculating the hash of every iCloud upload wouldn't come cheap.

Mystery solved?

You are completely missing the point. The answer to a privacy and security question shouldn't be, "it is easy for us to do things this way." You are inadvertently making the point that you are arguing against.
Going back to your original point, what makes you think checking for CP in images uploaded to iCloud is more private or secure when Apple's servers analyse the entire image, rather than having the client generate a hash of the image and having Apple's servers analyse that instead?

I work in data engineering and I can tell you what I'd rather do. Having Apple's servers check hashes rather than the entire image means you can segregate the original images from the CP-checker data processing pipelines. That's a much simpler and more secure security scenario.

> if someone has that level of access to your phone, they could upload real CP and maybe even upload it to your Facebook for good measure.

Many messengers, including Whatsapp, save all the incoming pics into camera roll by default.

And if you have iCloud Photos turned on, those images are already being uploaded and then CSAM-scanned on Apple’s servers. The chain is just being configured differently, but this risk is already active.
The actual problem is not CSAM scanning.

The actual problem is that they've created a great surveillance tool which will inevitably get broader capabilities and they are normalising client-side data scanning (we need to eradicate terrorism, now we need to eradicate human trafficking, and now we need to eradicate tax evasion, oh, we forgot about gay russians, hmm, what about Winnie memes?).

But this was already true. There is no reason the governments couldn't have required this tool to be built at anytime all along. Remember EARN IT where Senators said figure something out (like this CSAM tool) or they'll do it for Apple? The EU is similar, with upcoming draft legislation saying they have to do it if they don't figure something (like this) out.
You still may donate to liberty and FOSS NGOs, switch to ungoogled Android and drop macOS in favour of Linux. Also you have your rights and opportunities for activism and peaceful protest. This is not illegal yet (effectively illegal in Russia/China though).
Back during the FBI/Apple fiasco where the government was lobbying Apple to install a backdoor to unlock phones, Apple argued that their 1st Amendment Rights were being violated, that the government could not force them to write software (since software is speech, and the government cannot force you to say something against your will)

One random article of many: https://money.cnn.com/2016/02/25/technology/apple-fbi-respon...

Edit: but through regulations they could probably say 'you're not allowed to sell phones without x backdoor' but maybe the government didn't want to spell out specifically what capabilities are required.

Which is why CSAM is possibly a really interesting compromise/counter-argument. Supposedly, the only actual crime that the FBI has repeatedly sent warrants to Apple about have been child pornography/trafficking and it's an interesting stance for Apple to take here: "we'll address the actual and specific crime you seem most interested in, but will still not give you a generic backdoor".

Many of the arguments/fears about CSAM is that it can be widened to be a generic backdoor, but as you point out in the arguments Apple has already argued in court Apple doesn't seem to think a generic backdoor is a good idea and have strongly fought against it and CSAM seems to be entirely designed to not be capable as backdoor, and especially not a generic backdoor.

I absolutely understand the fears of false positives and whatever processes the FBI and other TLAs choose to do with the results from CSAM (though many of those concerns apply to everything the TLAs do regardless of what technical tools they have at their disposal), but I'm not sure that I understand all the fears that CSAM is a generic backdoor (in the making) given what Apple have revealed about how it is built and what Apple's quite explicit reasons seem to be to build it to entirely avoid building a generic backdoor and that everything about it seems a "thumb your nose at the FBI by doing what they ask explicitly for but not what they really want to build" by entirely building something that can't be used as a generic backdoor and is very specifically built to only a tiny explicit use case the FBI has asked for. At least from what I've seen so far.

> I get it, the mechanism they're using has apparent flaws, and maybe some whacko could somehow get access to your phone and start uploading things that trick the algorithm into thinking you have CP.

Whatsapp by default adds all received images into Photos. So all it takes is to send you few dozens of pictures while you're sleeping.

What happens if someone with access to the database maliciously crafts innocent-looking images that collide with of the registered images?

Maybe include children so that on first glance the reviewer will just forward to the authorities.

You get these images, store it, then you get flagged.

Now what? What’s your recourse when the FBI insists that you’re guilty, and your reputation is ruined?

There absolutely is a problem of pedophiles, but the process that Apple is using seems ripe for abuse.

>Apple computes a hash of each image you upload to iCloud then check it against a list of CP hashes.

I don't think it computes a hash of the image, it's a tad more involved than that.

Simple hashing is easily evaded. They must be computing an identifier from the contents of the images in the CSAM database. This requires computational analysis on the handset or computer. If that's all that were happening that would be no problem, but of course there are management interfaces to the classifer/analyzer, catalog, backend, &c

The contents of the identifiers are purposefully opaque to prevent spoofing of the identifier database. I don't know what is included in the images; what if I take a picture at Disneyland with a trafficked person in the frame? Will that make it into the qualifier database? What is added to the CSAM signature database and why? What is the pipeline of hashesfrom NCMEC and other child-safety organizations->Apple's CSAM image classifer alarm?

>I get it, the mechanism they're using has apparent flaws, and maybe some whacko could somehow get access to your phone and start uploading things that trick the algorithm into thinking you have CP.

The CSAM analyzer could be subverted in any number of ways. I question how the CSAM identifiers are monitored for QA (I actually shudder thinking there are already humans doing this :( how unpleasant.) and the potential for harmful adversaries to repurpose this tool for other means. One contrived counterfactual: Locating pictures of Jamal Kashoggi in people's computer systems by 0-day malware. Another: Locating images of Edward Snowden. A more easily conceived notion: Locating amber alert subjects in people's phones, geofenced or not.

To my eyes, it appears we will soon have increased analysis challenges. Self analysis of device activity and functions for image scanning malware (for example) is slightly harder, we have added a blessed one with unknown characteristics running on the systems. Does this pose a challenge to system profiling? How/does this interact with battery management? Is only iCloud scanning, or is everything scanned and then only checked before being sent to iCloud? (this appears to be the case[X])

There should be user notification too. If some sicko sends me something crazy somehow, I would surely want to know so I can call the cops!!

All in all this makes me feel bad. There is not a lot of silver lining from my perspective. While the epidemic of unconscionable child abuse continues, I question the effectiveness of this approach.

I would not consider jailbreaking my iPhone but for this kind of stuff. I would like to install network and permissions monitoring software on my iPhone such as Bouncer[0], Little Snitch[1], although these are helpfully not available for iOS.

I feel grateful that I am unlikely to be affected by this image scanning software, I'm planning to continue my personal policy of never storing any pictures of any people whatsoever. I don't even store family photos this way. My Life is not units in a data warehouse.

[0] - https://play.google.com/store/apps/details?id=com.samruston....

[1] - https://www.obdev.at/products/littlesnitch/index.html

[X] - Apple's Whitepaper: https://www.apple.com/child-safety/pdf/CSAM_Detection_Techni...

Maybe consider that CP is just the excuse for the backdoor.

So apart from every Apple user being treated like a proven-until-innocent owner of CP, at all times, this will (yes, a matter of time) be used for political purposes, to find and silence activists, journalists, to discredit opposition leaders, to prosecute Uyugur/Muslims/women/palestinians etc.

Do we really believe that CP owners store their collections in iCloud / google cloud / Dropbox and view them on their phones? And that this is an issue on a massive scale?

Please.

These are the most expensive phones on the market, with an incredible profit margin for Apple. The part of these devices that we actually own is a shrinking territory.

Why not have the mics on all the time in case “someone says something related to a CP ring?”

(comment deleted)
(comment deleted)
> I can get my photos scanned against a CSAM database... or I can have Google tracking my location constantly

That's a false dichotomy. There are competitors offering various levels of maturity and functionality. Jolla exists, PinePhone, Xiaomi, Librem 5, dumb phones, POTS landline, no phone...

And yes, Linux on the desktop is also a valid choice. It most likely won't track you either.

There's a reason why that's 98%+ of the market. There is a dichotomy between the two camps in the smartphone market, everyone else is fringe. On the fringe, good luck using banking apps, transit apps, vehicle rental apps, or other apps increasingly necessary and useful.

I don't think you know what you are talking about when you mentioned Xiaomi as an option. That would be among the dumbest options you could possibly choose.

Linux on the desktop is a valid choice, but as I said above, don't tell me to switch to it, it's just not practical in my life. I've tried over a dozen distributions since 2011 and probably over fifty releases of them, and Linux isn't there.

> On the fringe, good luck using banking apps

Tried that yesterday on CalyxOs with anonymous MicroG account and my banking app works fine. No problem with contactless nfc payments.

Aren't anonymous microG accounts illegal though? (Or at least a violation of the TOS.)

Also you can't use any paid apps with this method.

Maybe a violation of TOS, but I guess it's one of these things that would not be enforced at all. Same way as Oracle can't do much about Google using Java or Microsoft doesn't do anything about Wine.

Regarding the second point - that's true. I've heard there are some plans to add payments to the Aurora store/F-Droid (which are alternative app stores) but right now you can't use paid apps.

I consider this to be a plus though - gives me a chance to switch to open-source / self-hosted apps.

There isn't always an open-source alternative to what you need. Especially for people who use their computers for work.
True. That's why for work I still use a MBP. But I decided to separate work equipment/data/apps. That's a good thing to do anyway because of many reason.
> Linux on the desktop is a valid choice, but as I said above, don't tell me to switch to it, it's just not practical in my life.

For Desktop, if I have to choose between macOS CSAM spyware of paying users or the Linux ecosystem and its tiny userbase of unpaid users I would go for using and targeting the paid users since they are the ones paying the bills and thats where the money is.

For smartphone alternatives, the phones themselves are still immature as well as the Linux phone software ecosystem which is again still light years behind. If they can't even run the same Android apps on modern Android devices, then it is close to no chance.

If they don't hurry up, Google Fuchsia will steam-roll them silently.

> I've tried over a dozen distributions since 2011 and probably over fifty releases of them, and Linux isn't there.

Likewise, with the GUI software I'm writing, 'Defining Linux support' is something that is not worth doing given that there are tons of distros out there and by selecting one or two distro's there will always be an endless amount of people asking to support X distro or Y distro.

> Likewise, with the GUI software I'm writing, 'Defining Linux support' is something that is not worth doing given that there are tons of distros out there and by selecting one or two distro's there will always be an endless amount of people asking to support X distro or Y distro.

There was a major game developer (sadly forgetting the name) who decided to support Linux as a test around 2018ish. The Linux users were only a few percent of their users but ~20% of the support tickets. They said never again.

> That would be among the dumbest options you could possibly choose.

You don't get to dismiss others' concerns by saying "it's a choice", and at the same time dismiss choices others present...

Surprised to see Xiaomi on your existence list of maturity.
I'm not sure why, because: a) it exists, and b) it exists on a maturity scale :)
I'm reasonably confident that Google listens to every conversation I have within earshot of my phone. It isn't uncommon to find things in my news feed that are related to things I have no interest in but a friend or coworker had just mentioned to me in passing.
What do you say about the people who have tested this and found nothing?
Maybe Google heard them say that they were going to test!
There's a good chance I'm wrong, but it certainly seems like that's what's going on. I haven't seen anyone's testing of this, but it is also possible their methodology is flawed.
At work you have the same IP. Your coworker may have googled what he was taking about. This is a much easier explaination than a constant mic monitoring for arbitrary phrases
There are a lot of people at this company, and my news feed doesn't diverge enough to account for all of their varied google searches.
No, but it would be easy to tell that you associate with your co-worked by correlating Bluetooth beacons, which many apps do for exactly this purpose.
More realistically, your co-worker googled it on their phone. They also email/chat/sms/call you once in a while, so they know you're connected.

Now, it's only logical that you may share certain interests, so why not show ads for things they bought/googled for to their contacts?

Don’t people have data caps where they’d notice if a ridiculous amount of audio was sent to a server?
If you did all of the analysis on device, even quite cheaply, you could just transcribe key words and phrases into a text file and upload that. That would only be a few kilobytes of data tops per day of unique words and phrases, I should think. And if you've ever tried to monitor data usage on an Android phone, you'll know that the monolith of Google Play Services phones home all the time with all kinds of pings and datapoints, so it wouldn't be hard at all to upload that data.
and you'd have no battery inside an hour.

watch words are simple to listen for, generalised transcription is far harder.

Doesn't your phone stay on charge sometimes?
The conspiracy that never dies. I think it's so sticky because people feel very uncomfortable when they realize how much Google knows about you without having to listen.
It is not conspiracy. There is literally an option on your Google account to stop using mic for collecting data. On older accounts, it is enabled by default.
Are you referring to the voice assistant telemetry? That's not passively recorded according to Google, but if you have evidence to the contrary I can think of a number of news outlets (and prosecutors in 2 party consent states) that would love to have it.
The option was there before voice assistant existed in 2013 or something. That is when I figured it out myself. I don't know how the description of that is changed during the years.
I doubt they are listening - What is more likely is Google can use your lat/lng and knows that you and your co-worker work near each other, etc and is making recommendations based of proximity.
(comment deleted)
It's plausible, but I still don't buy it because I don't see divergent things when I, say, sit next to a complete stranger in the break room cafeteria.
you don't need to listen at every conversation. Your friend was tagged with those topics, and there is a connection to you. It's simple enough to "copy" those topics over to you, cause you're maybe also intrested. :)
Yeah I can't decide on this one. Part of me thinks this can't be happening, and that someone would have realised. But there's been a couple of occasions that go beyond the "creepy coincidence" ads to something that I was speaking with my wife about that day and neither of us had put into the internet, suddenly we get ads for it.
People really aren’t capable of conceptualizing how intimate normal data collection and analytics are capable of being. You think your phone is listening because you assume that’s the only way the ads can know so much, and ironically the truth is far more invasive.
Have you considered an even scarier alternative: that Google simply has such an enormous amount of data about yourself and the people around you that they can make incredibly accurate predictions like this?
https://news.ycombinator.com/item?id=28118619

macOS does _something_ related to this system. It's unclear what though.

I agree with how impressive the M1 is. I've replaced my 16" fully specced i9 with a 13" M1 Air. The only thing I sometimes miss is the larger screen but not by much.

I find it funny how many people pick a random Chinese phone in their bid for privacy (???)
That’s not a bid for privacy, it’s a bid for spite.

Picking a Chinese phone based on financial circumstances, however, is understandable IMO.

I think it's less about privacy and more about what the invading actor will/can actually do. People are less concerned about the Chinese government's reach vs. the NSA or other three letter agencies in the US. I suppose if you are important enough to the Chinese government whatever they have on you could be used as blackmail, but most 'regular' people don't fall into that category.
> People are less concerned about the Chinese government's reach vs. the NSA

Wait what? You’re 180 degrees wrong.

He is right. US has complete power over people on their soil and basically in Europe and Asia as well. They do a LOT of extraditions of other countries citizens when they go traveling or to business trips from their citizenship countries.

China, on the other hand, does not seem to give a single f* about foreigners, only about their own citizens. Most people are not so are not really endangered even if chinese spyers do know what they handle on their phones. So in battle between US spyers/China spyers I'd better give my data to Chinese, if I don't have a choice not to share my data at all.

China, as well, don't try to make extraterritorial laws (like financial regulations), so it's harder to even be targeted by CCP if your are a foreigner.

Of the two, which government do I think is more evil? China's. Which government do I, a permanent resident of America, think could more immediately make my life harder by being able to invade my privacy? America's.
Well, as somebody who has travel to China for business, I would not touch any Chinese hardware or OS at all. In the US and EU you have a working legal system.
Thats moving the goalposts a bit though. The question wasnt in the context of those that go to, travel through or deal with Chinese government on the regular.

But rather in the context of those in America that largely only deal with American government officials and those outcomes.

And to my knowledge. China isnt abducting people or conduction renditions on american soil.

As I said, I am not such a person. Most of the English-speaking world consists of the same.

As I said - I agree that China's government is worse. In fact my previous employer had a policy that company devices just didn't cross that border, even when traveling for work. But it's still not a factor in which devices I purchase myself.

> Of the two, which government do I think is more evil?

But that's not what the original comment said.

I didn't say they said that. It's also not my whole comment. Not sure what you're getting at.
I think the point is that the average person who resides in the US is more concerned with Orwellian overreach from the NSA than the CCP surveillance apparatus.

The Chinese secret police don’t present a threat to me, whereas the NSA has the means, motive (at the leadership level) and opportunity to violate my natural rights.

Depends on the person. Those of us with ties to lands within Chinese sphere of influence are rightly more cautious. Others just don’t care.
If one of the US TLAs has decided to target you you’re fucked. No amount of switching phones and OS is going to help you, short of completely disconnecting from the internet and not using any sort of financial infrastructure.
Likewise, if the criminal underworld has decided to target you, you are equally fucked.
By "random Chinese phone", are we talking about PINE, or the various OEMs that make android phones?
The Pinephone seems good as far as being mostly open, cheap, physical switches but... I guess the modem is not open. Anyway have I personally tested that the switches actually work/no soft switch somewhere no... I'm mostly after the potential emerging market (apps) over privacy.

I have a KDE edition Pinephone that I intend to use more overtime but primarily an Android user.

Also I get super annoyed when Android bundles stuff on your phone. I realize you can get rid of it/the cheap phone has to get paid somehow... but like having notifications that you can't slide away... things like that. Want more control over I realize Linux phones are lacking in software, pretty bad... Plasma looked really nice, Phosh not so nice (home screen) but it works out of the box though particularly detecting external screens. Anyway I'm looking forward to it improving over time, a cheap Samsung Dex-like experience is my desire.

> I guess the modem is not open

The Pinephone modem is partially open already:

https://linuxsmartphones.com/hackers-develop-open-source-fir...

Ahh that's nice yeah I think the keywords were "proprietary blobs" or something like that, anyway that's cool

Edit: another thing to my parent comment, ads in your voicemail... the visual voicemail app in Android. Omg that annoys me so much, thankfully I have not been getting many voicemails anymore.

That would be... literally all phones available today, wouldn't it? With the possible exception of the $2000 Librem 5 USA.

However, as one who's moved from an iPhone to a Nokia 8110 with KaiOS, which I in no way argue is as secure as iOS:

It has less on it. It has far less on it. It has my phone calls, a handful of text messages, and while it has email access right now, I'm experimenting with if I actually need that, or can remove it (leaning towards removing it). And my calendar.

The camera is horrible, so I just carry a pocket digital camera with me now if I care to take photos, which don't end up on the phone.

If I don't give it wifi privileges (which it currently has, but I've been running with wifi off and cell data off to see how that works, and the answer so far is "quite well"), there's simply not much it can really do to my accounts or network.

I might make this change. Are you using any kind of app for 2FA like Google Authenticator?
I still have a few things like Authenticator rooted on my iPhone. I mostly use hardware tokens, so Authenticator is nice to have, but not critical for daily use. Signal is another one, I'm currently using the linked devices, but I don't have a "new root" yet.

I believe there are some Google Authenticator apps for KaiOS, just not in the main app store, and I've not gone through the process of working out sideloading yet.

You can use a password manager to do TOTP codes.

Google Authenticator is sort of a crap option for doing TOTP, all things considered.

> Are you using any kind of app for 2FA like Google Authenticator?

I'd love to go feature phone, but would be missing two essentials for work purposes:

- A 2FA application (eg Google Authenticator, Authy)

- A password manager (eg BitWarden, KeePass, etc)

I can do without emails etc but not those two, yet whenever feature phones try and be more feature-some they do the same old emails, FB, WhatsApp etc instead.

Japan, Thailand, and Vietnam manufacture a lot of phones.
What I think is funny: There are more privacy for consumer laws for Chinese tech companies in China than for US tech companies in USA! It's wild west essentially in USA in this regard. I'm sure what Apple is doing is also against the European Union's GDPR privacy laws. US is missing out here...
GDPR specifically excludes law enforcement so it doesn’t apply here. The sad thing is Apple was legally required to allow law enforcement to search iCloud backups before they implemented this system, so nothing fundamentally changed.

However, after this backlash you can bet other manufacturers will continue to hide what their actually doing.

As you've written... why there has to change something when it works already for law enforcement.
I think Apple was actually designing this system internally as an improvement in terms of privacy. Doing Perceptual hashing on the phones is more open and thus auditable than doing the same thing on their servers. They set things up to require multiple different images to match etc.

However, the perception was very different.

This kind of technology should not be on phone. Industry standard is doing it on the cloud. It requires only little code changes (let's say in the time frame of 5 years) that law enforcement or whoever says: Please extend that to offline photos and then it's only a few code changes to make that happen. I don't want a ticking time bomb and Apple pinky finger promises that this will not be abused in future.
(comment deleted)
What would they have to do to lose your business? Literally get you arrested?

You're financially supporting the creation of an Orwellian dystopia.

Every other cloud provider has scanned since 2013. We're already in the Orwellian dystopia.
I think Apple is the only major company who tries at least a little to resist Orwellian dystopia. Business model of other companies cannot allow resisting.
Are we talking about the major company that is happy to give access to all of their users content if the country (eg China) asks? If they were really serious about privacy they would not operate under those conditions.
Company can't operate in the country, if they don't follow country's rules. Sad truth. They should have left the China in that case. On their defense, they have given only information which is stored by their system, not actively increasing the collection of it or creation of backdoors.
Lineage and Linux exist and they're incredible. You've simply give up.
Lineage requires the Play Store to have paid apps or things I now pretty-much need for everyday life, at which point you've lost and it doesn't really matter whether it's Lineage or stock Android.

Linux is incredible... and still unusable for many everyday apps and workflows, and simply not an option for many people including myself. I've tried Linux distributions since 2011, they aren't there yet.

None of those things matter as much as a future where corporations don't have carte blanche over your information.

Support the continued freedom you enjoyed in your youth for future generations.

> Linux is incredible... and still unusable for many everyday apps and workflows, and simply not an option for many people including myself. I've tried Linux distributions since 2011, they aren't there yet.

I have actually totally dumped Windows recently (I have tried it past 5 years), because now Linux is getting very close for everything I need, and this same applies for many people. Can you give some examples which aren't there yet?

Can someone explain this to me --

The whole premise is that Google and Facebook and everyone else are just doing this on the unencrypted photos you upload, in their cloud, with their own (presumably, but correct me if I'm wrong) undocumented algorithms and datasets.

Now here comes Apple, documenting almost everything except the dataset itself, and everyone is freaking out because it's happening on your own device. But then it's encrypting the whole thing and uploading it to Apple where they presumably do no additional scanning.

What is the actual difference if it's being looked for on-device vs. by the provider? Supposedly in preparation for a bigger push of encryption of the photos themselves, if they are not already encrypted in the cloud.

Am I missing something more than "but it's happening on-device!"?

I think part of it is that Apple has always said "what happens on your iPhone stays on your iPhone". People expect Microsoft to be evil, and (post "don't be evil") Google to be evil. Apple was supposed to be the good guys in this. So it's more surprising and feels more like a betrayal when Apple decides to be evil.

Also, it's actually pretty easy to mess with Android and get it un-googled. Google don't make most Android phones, so there's less hardware-level enforcement of rules, and more independent alternatives. This is less so for Apple devices. If Apple decides to do something you don't like to your phone, you are SOL; you can only accept it or ditch Apple and switch to Android/something else.

> "what happens on your iPhone stays on your iPhone"

Well, technically this is still true. Files you are putting to iCloud by yourself voluntarily are not staying in your iPhone in the first hand. Everything which is against this, is only speculation currently.

Except that this is all about analysing files that are not on iCloud, but on the device. So what is on your phone is now being reported to people who might decide to trash your life. Hardly "staying on your iPhone".
That is not true if you read the technical details. Scan applies for files (and only for those) which are prepared to be uploaded into the cloud.

If you don't trust that, that is another story. System is full black box.

Yes, but it happens on your iPhone. So what happens on your iPhone isn't staying on your iPhone like they said it would.
So when I said:

Am I missing something more than "but it's happening on-device!"?

Your answer is "no".

I think you're deliberately missing the point here.

It's not whether it happens on-device, off-device, in the cloud, in the tubes, or anywhere.

It's that Apple said that they would not do this, and now they're doing this. You can make technical quibbles that what they promised was slightly different to what they're doing, but they're irrelevant. The core promise of "what happens on your iPhone stays on your iPhone" is being broken. It's that breaking of the promise that people are angry about. Does that make sense?

> Am I missing something more than "but it's happening on-device!"?

People think that this kind of capability was not there already, while it was. The simplest example case is normal iCloud sync. It scans your files and gets metadata, finally comparing to cloud to know which files to sync.

Other concern is, that this can be easily expanded to other kind of content, or whole device (outside of iCloud files). While, this sounds like valid concern, government who can force this change, could have forced it already. "Technology does not exist" is not valid excuse, never was. There are pretty expensive consults used by politics to prove these excuses otherwise.

If you're uploading your photos to someone else's computer, you've already accepted this state of things. It's a trade-off for convenience.
It never will be there. A focused group of devs who care about details will always beat design by committee. Always.
It's only a matter of time before Google starts doing the same thing. I can't imagine Google wont do it eventually.
I don't think they will. They already scan it all in the cloud, and the benefit of doing it on device is for user privacy, that's not something google gives a shit about.
All it takes is "Pedophiles are using Android to share images with one another in person by disabling uploading images to the cloud" or something like that to be a headline and the pressure will be on to follow Apple's direction.
Or does it already and didn't feel the need to make a press release.
> It's just not there yet

Respectfully, it is there. You are not. Which is fine - I prefer a Mac for general purpose computer use, word processing, web browsing, that sort of thing. But Linux can do these things just as well, it just requires you to configure them, which is strictly a "you" constraint and not a failure of the system.

This is a pretty bad argument. You can apply that "you're the constraint" logic to tons of bad designs and products and claim they're not actually bad.

Linux is not necessary a bad system, but usability (degree of effort, burden of knowledge, misuse risk) are absolutely a core determination on where or not a piece of technology is "there yet"

> degree of effort, burden of knowledge, misuse risk

I don't understand what you mean. My non-technical relatives use Linux just fine. There is no "burden of knowledge".

> I think the competition has too many tradeoffs.

I believe that, for example, anticorruption activists and gay people in Russia who may be subjected to state-imposed surveillance won't agree with you. Apple won't leave even the russian market in case the government demands to expand capabilities of the system. And they will never leave chinese market.

> macOS doesn't scan

I'm afraid I have some bad news for you:

"Features to detect child abuse material stored on iCloud coming in updates to US users iOS 15, iPadOS 15, watchOS 8, and macOS Monterey."

> Apple won't leave even the russian market in case the government demands to expand capabilities of the system. And they will never leave chinese market.

Who will? Google? Microsoft? HP? Dell? Huawei or Xiaomi or Lenovo (lol jk)? Which computer or phone manufacturers or service providers refuse to do business in Russia and China?

JFYI Google left China. Not sure about Russia. Anyway that's not an excuse for implementing such a neat surveillance tool.

Fortunately for now you have some escape hatches.

I believe that it would be a smart move for everyone to stop paying for nooses for their own gallows and start investing into privacy. There are some realistic ways to do it, just buy a damn Fairphone for a no-brainer start.

> JFYI Google left China

I know they did briefly after some attacks, but I also know that they had very little market share to lose at the time and have subsequently worked to get back in. Do you have a good summary of their current position there?

> Do you have a good summary of their current position there?

Nope, why would I? Also I'm pro-google, just pointed to a fact I know.

This^

For me it boils down to ecosystem and integration. I can have a fragmented set of devices and tools, or I can deal with CSAM having literally zero impact on me.

I also have an M1 laptop, it's insane that this little MacBook Air with 16GB ram is walking all over a 16'inch Macbook Pro with 64GB ram.

When a pedo gets released from prison, in some jurisdictions they are required to have scanning software installed on their devices. Apple makes every customer a suspected pedo. If you are comfortable with being treated this way, whatever floats your boat. Not everyone fancy receiving the same treatment as criminal on parole.
Agreed, I use Linux as my desktop PC (gaming and tinkering), Mac as my work PC and the Windows computer I had just died (Surface Pro 4). My mobile is an Android.

I don't any hardware or software developer... I don't really care if the US is reading my emails, images, chats and whatnot. I choose not to worry about those sort of things.

My product choices are more related to functionality and basic ROI.

this. It's 21st century people, we care about usability...

What simplifies in my life if I'm moving away from any ecosystem that tracks me to the OSS way, do I have to compile my own Chromium over the night? "oh, my Linux segfaulted, let's reinstall the OS"

time. Saving time on these operations is worth more than some X-company sniffing my network traffic. Yes, I care about privacy, I always decline the cookie pop-ups, always ask for GDPR contract before handing over my phone no./email to recruiters et. al. I'm doing my best without breaking usability & affecting time spent on these operations.

If you want to stick with a large name-brand cult you could try MAGA or QAnon, but their whole asthetic is pretty cringe. Scientology is always a good option.
I'll buy a Fairphone with pretty high probability next time. No more iPhones. On desktop I was always a Windows user, but recently switched to PopOS.

I try to use open source software where possible and after the endless stream of depressing news about working conditions and environmental impact of our juicy tech I'm ready to pay more for less to get (relatively) fair and open hardware too.

Edit: Considering Linux phones like Pinephone or Librem too, but they seem not ready to me yet and they emphasise much more on technical freedom and less on fair production.

In pursuit of an acceptable phone, I've eyed the Fairphone with its laudable stance on repairability in the name of eco-friendliness as well. Problem is it comes with Google's spyware (Android), a much bigger threat on privacy than anything Apple does. The solution seems to be to buy eSolutions Fairphone with de-Googled Android.

I can live without free GPS navi but I'm wondering what to do about the few cases where you need a "trusted" device (a misnomer if there ever was one), such as banking push TANs or other mobile banking TFA apps, TOTP apps, vaccination pass apps or Covid contact tracing/registration apps (I've managed to evade the latter kind of apps until now).

For a free GPS navi, OSMand does the job. You'll probably have to give up banking apps, while TOTP, by virtue of being a standard, has plenty of open-source implementations.

The contact tracing apps in europe interoperate, you can get the CCTG app from F-Droid and it works on AOSP (also includes vaccination pass storage). There are also others available.

This seems like an over-reaction. I'm highly opposed to Apple's CSAM move but they are still much better and transparent than Google, Amazon, and most other services.

Many of these already do something like this but they just don't actively tell you or document it.

Also, and please correct me if I am mistaken, Apple's CSAM is limited to iCloud for Photos. It does not just work against your local photos.

  CSAM Detection enables Apple to accurately 
  identify and report iCloud users who store
  known Child Sexual Abuse Material (CSAM) 
  in their iCloud Photos accounts
It seems like a needless waste of time do do all this as opposed to disabling iCloud for Photos...

Source: https://www.apple.com/child-safety/pdf/CSAM_Detection_Techni...

For me, it was well thought-out. Apple betrayed my trust as a consumer and the response in the past week was plain gaslighting. I thought about it for a couple of days and then decided that I don't want to support a company like that anymore.

(edit)I was planning to buy a new MBP/iPhone/Watch in Q4, so this made it easier to decide on those purchases earlier.(/edit)

It's correct that the CSAM scanning is currently only effective when iCloud is enabled - and for US customers only. For me, this detail is irrelevant. The backdoor might be inactive for now, but there would still be a backdoor on my phone.

You’re fooling yourself if you don’t think the government has a dozen other ways to backdoor you. Heck they basically just have packet scanners sitting on the networks of all the major telecoms, and almost certainly have compromised SSL root signing keys so they can trivially decrypt your traffic. Anything that goes over the network is fair game.

Love it or not, we live in a police state enforced by surveillance. Most Americans are just waking up to this because they’re not a member of a population actively oppressed by the police. Socialist / anarchist / labor communities that are more than shitposting groups meet almost exclusively in-person because their communications have long been targeted by law enforcement.

The government doing this is one thing but corporations controlled by a few vocal groups deciding what you can do and what you are allowed to know is a completely different thing.
Again, this has always been the case in the US. Newspapers were owned by wealthy businesses with a message to spread, as were the radio stations, then it was the big 3 TV networks for a long time, now it’s the 5 big tech companies. The gatekeeping is a feature, not a bug.

If you look to other societies, this happens there too. There is a symbiotic relationship between mass media and government at a fundamental level. There’s a reason that the first things you do after a coup are to lock down the Internet and sieze the TV / radio broadcast infrastructure.

Except in these cases, it's not the government asking these companies to take down the "misinformation" videos. In fact, some of these companies try to add "misleading" label to actual, official government announcements.. Trying to run a parallel, unelected government.
Which, again, has always been the case. It’s a very new phenomenon where an individual can deliver speech directly to thousands of people. The media were the gatekeepers of information and influencers of mass opinion, and they would frequently run stories with counterfactual information that suited their purposes.

Companies have always tried to run parallel, unelected governments. Whether it’s “company towns,” banana republics, or social media restrictions doesn’t matter.

No, I think the root of the problem is that the ability to disseminate information widely across a population is not a good thing. I do think there should be real regulation on mass speech that is proportional to the audience size. If you have 100k followers on Instagram, that should come with some responsibilities.

> has always been the case

I don't know what your point is. Even if this is true, (which it definitely isn't), should they continue to hold unlimited powers? Blood has been shed over centuries to limit the powers of the government and to get the rights we have.

I am not sure where you get the idea that free speech means speech without consequences. If I have a million followers and a sell something dubious, people would sue me for befrauding them

Here's the thing. You might hate Apple for what they did. But I'm looking at the competition (Google, Amazon, Microsoft) and they're still worse for privacy in well-documented ways. It's an evil but it's still the least among evils.
> It's an evil but it's still the least among evils.

Nope, you can use a degoogled android. There's still a matter of hardware that's not open but there's not much we can do that without sacrificing a lot of usability.

Then you can't use the Play Store (legally at least) and can't use paid apps. You're still taking a massive usability hit.
Yeah, provided I don't find alternative open-source / self-hosted apps. I'm not saying it's easy, but it seems doable in medium/long term - if you value privacy and owning your data.
> The backdoor might be inactive for now, but there would still be a backdoor on my phone

The key (from Apple's POV) is that this is done on your device, so the model can be audited, and users will know if it changes or is suddenly enabled where it wasn't before. Apple has documented the entire threat model and their design decisions realted to each threat vector.

It's worth reading the document, as it becomes pretty clear that this is a step towards enabling E2E for iCloud Photos.

The alternative to what Apple did is cloud-based scanning, which is less transparent, permanently disallows E2EE, and is more vulnerable to being changed by national decree. If CSAM scanning is going to (or is already) mandatory, I vastly prefer Apple's method here.

[1] https://www.apple.com/child-safety/pdf/Security_Threat_Model...

> If CSAM scanning is going to (or is already) mandatory, I vastly prefer Apple's method here.

This is such a good point. The US government has been heavily pushing for backdoors, and can gag discussion under threat of national security.

It also seems counter productive to punish the one corporation who is apparently being transparent about this. Nobody here likes marketing BS, but this reaction here on HN is why we get marketing BS instead of technical details.

Edit: Legally, these searches do not violate the 4th amendment because the government pretends hash scans are entirely voluntary. Most ISPs and email companies "voluntarily" choose to hash match. I can't remember the specifics, but ISPs that refuse to do this have been threatened with legal action.

https://www.bjcl.org/blog/hashing-it-out-how-an-automated-cr...

Even if we were to call this a "backdoor", it's a backdoor that creaks quite loudly. I mean, what's the attack vector here? The plan, as far as I'm aware, is to upload a list of hashes to each device that have been vetted by multiple child protection agencies. In order to surveil other things, additional hashes would need to be transferred that wouldn't be vetted by these agencies. That would be noticed, and that's the point where I would consider my trust to be betrayed.
>I mean, what's the attack vector here? The plan, as far as I'm aware, is to upload a list of hashes to each device that have been vetted by multiple child protection agencies.

I hope not.

If hashes are uploaded to devices, they can be extracted and images that clash against it can be created.

I think they're going to be creating hashes of images locally that are being uploaded and send it with the image. Then if the hash is found to match one on their database, that's flagged.

The problem then is, if they're matching on their side, what prevents them from receiving some order that forces them to match for other images?

> If hashes are uploaded to devices, they can be extracted and images that clash against it can be created.

Many organizations have the hashes, so they could leak nonetheless. Either way, I don't think that's a major problem. If the system interprets a picture of a pineapple as CSAM, you only need to produce the picture of a pineapple to defend yourself against any accusations. If clashes are too commonplace, the entire system would become unreliable and would have to be scrapped.

In any case, I have looked it up. The database is indeed on the device, but it's encrypted:

https://www.apple.com/child-safety/pdf/CSAM_Detection_Techni...

> Instead of scanning images in the cloud, the system performs on-device matching using a database of known CSAM image hashes provided by NCMEC and other child-safety organizations. Apple further transforms this database into an unreadable set of hashes, which is securely stored on users’ devices.

Overall, after reading the PDF, here is my understanding of the process:

1. Apple gathers a set of "bad hashes"

2. They upload to each device a map from a hashed bad hash to an encrypted bad hash

3. The device runs an algorithm that determines whether there are matches with hashed bad hashes

4. For each match, the device uploads a payload encrypted using a secret on-device key, and a second payload that contains a "share" of the secret key, encrypted using the neural hash and encrypted bad hash.

5. The device also periodically uploads fake shares with dummy data to obfuscate the number of matches that actually occurred. Apple can't tell fake shares from real ones unless they have enough real shares.

6. Once Apple has enough real shares, they can figure out the secret key and know which hashes caused a match.

The main concern I have, and as a non-expert, is step 2: it requires Apple to provide their key to an auditor who can cross-check with child protection agencies that everything checks out and no suspect hashes are included in the payload. In theory, that needs to be done every time a new on-device database is uploaded, but if it is done, or if child protection agencies are given the secret so that they can check it themselves, I think this is a fairly solid system (notwithstanding the specifics of the encryption scheme which I don't have the competence to evaluate).

The thresholding is also a reassuring aspect of the system, because (if it works as stated) the device can guarantee that Apple can't see anything at all until a certain number of images match, not even the count of matching images. The threshold could only be changed with an OS update.

There's certainly a lot of things to discuss and criticize about their system, but it's going to be difficult to do so if nearly no one even bothers reading about how it works. It's frustrating.

> If the system interprets a picture of a pineapple as CSAM, you only need to produce the picture of a pineapple to defend yourself against any accusations.

If the system interprets a picture of a pineapple on your phone as CSAM,

after Apple notifies the authorities they have identified child porn on your phone,

after the police detain you with the courtesies afforded to all alleged pedophiles,

after you cough up your phone’s password,

you only need to produce the picture of a pineapple to defend yourself against any accusations,

and then point out to the folks with the guns that no, you didn’t delete the child porn from your phone, look, it’s just a pineapple,

and then explain to your captors how hashes work,

then there’s nothing to worry about.

Good luck.

> after Apple notifies the authorities they have identified child porn on your phone,

Apple has a team that will manually vet the matches, so no pineapple picture or a fuzzy forced hash collision picture will cause the authorities to be notified.

So if you're worried someone will secretly send fake CSAM hash collision images to your phone to trigger the process, the worst that will happen is that some poor sod at Apple will get mildly inconvenienced.

How would they manually vet the matches, except by looking at the matched pictures?

And here's the real question, what's to stop them from using this on say: political memes instead of CSAM?

They have access to a "visual derivative" (which I suppose is their way of saying "thumbnail") but it probably wouldn't help if the adversarial example is normal porn. This being said, once the authorities are contacted, they will have to work to obtain the full image, because if all they have is a thumbnail and a voucher, the evidence would probably be thrown out in court.

As for using it for other things than CSAM, well, for one, Apple would know, because the thumbnails would show political memes, so they'd have to be in on the conspiracy. They probably don't want that liability. Furthermore, the hashes are supposed to be auditable: a third party could check that they are what they are, a court order could order such an audit, and it would be suspicious for Apple to refuse. They wouldn't want to include anything that could piss off any sufficiently powerful government or, say, the EU, because they are likely to figure it out. And if they give different hashes to different citizens, that will also be obvious.

I mean, that's one imaginary scenario. On the other hand, it's quite likely that upon a match the offending picture in full res is stored in an enclave on your device, and/or encrypted in the cloud, in such a way that it cannot be deleted by the user.

If they know this attack is possible, Apple, not being idiots, will cover their asses in court by saying that a match is merely strong evidence that the user may have had CSAM on their account, but that it cannot be said for certain unless the full image is obtained by the authorities, and that the full image should be where they say it is, with the voucher made by the device.

Because of that, prosecutors are unlikely to want to move forward without better evidence: Apple may very well testify for the defence if they do, and judges will ultimately chew them out. So yeah, I suppose rashness and incompetence in some parties may lead to a very uncomfortable situation, but ultimately it is likely that the police would be reprimanded for it and that it would be a lot more cautious afterwards.

You're in for a rough ride if you change entire platforms and ecosystems every time someone disappoints you. Afaik, Microsoft and Google do a lot worse than Apple, so where are you going to go? Linux?
> You're in for a rough ride if you change entire platforms and ecosystems every time someone disappoints you.

As an aside, this entirely explains US politics.

It is limited to photos destined for iCloud. A lot of rage appears to be around 'what if', but what if exists every day right now. I'll re-evaluate when Apple does one of those what ifs. They said they won't, and architected the system in such a way that it's hard do those what ifs, so we'll see.

The reality is, people have to trust their OS vendor.

Yes, but I would argue the 'rage' is justified (even if I don't agree with the actions folks are taking). It's opening the door, not matter how noble the effort or intention.

It doesn't compel me to drop Apple. I still think they are the best of the best, but I agree in sentiment to many people here that it was a huge drop in my trust.

The lesson for me is that I cannot trust any company, and that is probably a smart approach. I will depend on myself and right now Apple, amongst all the players, is still the one that manages my privacy better than anywhere else. But I'll be watching.

> I'm highly opposed to Apple's CSAM move but they are still much better and transparent than Google, Amazon, and most other services.

Is this actually true? Is there a way to see what information Apple has on you? I'm sure it's not the full extent of what they have, but for example I can see(and hear) past voice prompts I've given to Google Assistant and their results. I can also choose to delete this information(obviously no way to know this is actually deleted though).

One thing I'd really like is to find a semi-dumbphone I can use Signal on and just get rid of having a smartphone with me. I'm not sure if I'm going to drop Apple completely and this morning I was wondering how far I could get with an Apple Watch and something like the Nokia 8110.

If anyone has suggestions for a small, minimal phone I can still run Signal on I'd love to hear it.

Same here. Keep me posted. Thinking about a rooted Google Pixel.
How are you finding Manjaro for dev work? I set up Ubuntu 18 on a desktop build last year, it's decent but it's still finicky to be my daily driver, so I still use my MBP for work.

I think for a phone I may just drop back to a Nokia 3210 and buy a camera for family pictures. Whatsapp will be a loss, but hey, maybe it'll be nice to not have my phone as a distraction during the day.

It works well so far. Android Studio works just fine, and Emacs (doom-emacs in Evil mode) is obviously well supported in Linux. My professional development work still happens on a MacBook Pro, as my employer drives that choice.
> Manjaro

- https://github.com/arindas/manjarno

- https://manjarno.snorlax.sh/

There are only 3 distros worth using. Fedora KDE Plasma upgrading after stabl-er point releases, Arch and openSUSE Tumbleweed.

Everything else is very unprofessional or full of technical or human issues. I'm not trying to gatekeep newbies, like, if you use elementaryOS or Linux Mint you're still using Linux. No elitism intended I'm just giving you my opinion.

For exploration or self inflicted harm you can also use NixOS or weird small distros. Although I like Nix' concepts I don't like their implementation or approach to users.

Not yet switching but until last week I wanted to buy the next Watch (none yet), next iphone (now at X) and next ARM MacBook Pro. I decided to wait another year and first move all cloud stuff to some private hardware.
I've been lifelong Apple user (webdev, sysadmin, power user) up until 2018. I switched to dual-boot Fedora/Xfce and Win10 on a Lenovo X1C 6th Gen. It took several months to get used to, but I did not look back even once. The user experience is not as polished, but it gets the job done. In hindsight I was irrationally concerned about features or apps which I thought I would miss.
It would be hard to leave Apple. I'm at least waiting to see how this shakes out, and I'm aware of the fact that the other major commercial vendors (Microsoft, Google) are far worse than Apple on most of these issues.

Linux is still too high-maintenance for me, though I could be convinced. I am watching https://frame.work/ closely and considering grabbing one just to support that effort. The big flaw is use of Intel chips which are total shit compared to even Ryzens on power/performance.

The M1 makes leaving Apple even harder. The performance is great and the power efficiency makes a laptop feel like it has some kind of zero point infinite energy device in it. You can do a full day's work on an M1 running real apps like large builds, VMs, and IDEs and still have 1/3 battery remaining, and it's faster than a top-end Intel Mac.

There is absolutely nothing comparable to the M1 in the x64 PC ecosystem. A latest-generation Ryzen would be the closest you could get, but it's hard to find good Ryzen notebooks due to Intel's strong-arming of that space.

In terms of power usage versus CPU performance, nothing beats M1 indeed. In terms of pure performance, Ryzen 7 5800X beats M1 in nearly every benchmark. That's ~200W versus ~20-30W though.

In terms of SSD performance, the M1 SSD upgrade from 256 GB to 1TB cost about 500 EUR, while a 1TB Samsung 980 SSD (with very similar performance) costs about 120 EUR total.