I won't be posting any more preimages against neuralhash for now

196 points by nullc ↗ HN
I've created and posted on github a number of visually high quality preimages against Apple's 'neuralhash' [1][2] in recent days.

I won't be posting any more preimages for the moment. I've come to learn that Apple has begun responding to this issue by telling journalists that they will deploy a different version of the hash function[3].

Given Apple's consistent dishonest[4] conduct on the subject I'm concerned that they'll simply add the examples here to their training set to make sure they fix those, without resolving the fundamental weaknesses of the approach, or that they'll use improvements in the hashing function to obscure the gross recklessness of their whole proposal. I don't want to be complicit in improving a system with such a potential for human rights abuses.

I'd like to encourage people to read some of my posts on the Apple proposal to scan user's data which were made prior to the hash function being available. I'm doubtful they'll meaningfully fix the hash function-- this entire approach is flawed-- but even if they do, it hardly improves the ethics of the system at all. In my view the gross vulnerability of the hash function is mostly relevant because it speaks to a pattern of incompetence and a failure to adequately consider attacks and their consequences.

- https://news.ycombinator.com/item?id=28111959 Your device scanning and reporting you violates its ethical duty as your trusted agent.

- https://news.ycombinator.com/item?id=28111908 Apple's human review exists for the express purpose of quashing your fourth amendment right against warrantless search.

- https://news.ycombinator.com/item?id=28121695 Apple is not being coerced to perform these searches and if they were that would make their actions less ethical, not more.

- https://news.ycombinator.com/item?id=28097304 Apple uses complex crypto to protect themselves from accountability.

- https://news.ycombinator.com/item?id=28124716 A simplified explanation of a private set intersection.

- https://news.ycombinator.com/item?id=28101009 Perceptual hashes at best slightly improve resistance to false negatives at the expense of destroying any kind of cryptographic protection against false positives (as this thread has shown!). Smart perverts can evade any perceptual hash, dumb ones won't alter the images.

- https://news.ycombinator.com/item?id=28097508 Apple's system and ones like it likely create an incentive to abuse more children

And these posts written after:

- https://news.ycombinator.com/item?id=28260264 A second "secret" hash function cannot be secret from the state actors that produce the database for Apple.

- https://github.com/AsuharietYgvar/AppleNeuralHash2ONNX//issu... fuzzy hashes with resistance against false positives tracable to sha256 are possible, but require you to value privacy over avoiding false negatives.

[1]

7 comments

[ 4.2 ms ] story [ 37.6 ms ] thread
Would love to see HN analytics on how many times this is read from Apple corp IP ranges.
:) Alas, fewer now that it's been banished from the front page.
As someone who has recently bought into the Apple ecosystem... this is all so disappointing.

Not because I thought Apple were heroes and protecting my privacy, but because:

- Buying into the ecosystem (literally) wasn't cheap.

- I enjoy the macOS user experience.

- My M1 MacBook Air was affordable, it's silent (it doesn't have a choice), it performs very well, and the battery lasts the whole day.

I've read that "it doesn't make a difference unless you enable iCloud photos", but it'll still be there... and what's coming next?

Yup. I had been waiting for the next refresh of the Apple silicon MBP for awhile, but I can’t see myself getting one now. I’m looking for reasonable alternatives. The frame.work laptop seems alright. The Dell XPS 13 Developer Edition seems great but I have no idea what kind of shit Dell is loading onto it. Maybe puri.sm?
Mind you, all of this is possible because of how we effectively killed and buried our antitrust enforcement.

Hosting your files is a perfectly separable service. It should be offered separately from your phone hardware, OS, app market, etc. Separately as in "not subsidized from the device sales or ad revenue". Separately as in "with the related costs directly charged to the customers, or to some channel that does not depend on the current market share".

This would make it extremely easy for the end users to switch providers, so any similar act would be equivalent to a business suicide. But, well, we live in a world where most online services are free (as in paid via channels over which the consumers and new competition have zero control), so the corporations can get away with it.

Given how technical the subject matter is I have been surprised how easily many "less and non-tech" family and friends have grasped the major issues. The existence of adversarial images has been enough to pivot many from distrust and distaste into a state of explicit disgust at Apple's behaviour.

If one adversarial image exists, I do not see the need for more. Let Apple create a public trail of lies and incompetence to convince engineers, lawmakers, and the public that technological innovation to censor the evidence is not a reasonable nor safe way to avoid addressing the causes of child abuse, and to cast doubt on any "evidence" gathered by similar systems whether they be for papering over abuse or silencing dissenters.

A small number of Engineers are doing great work to shore up democracy. I just hope there are enough people both skilled and willing to bridge the gap to legislature.

> https://news.ycombinator.com/item?id=28097508 Apple's system and ones like it likely create an incentive to abuse more children

I'm surprised more people haven't noticed this counterproductive dynamic.

A static database of "burnt" CSAM helps create an extra premium for new images – either via expert camouflaging of older images, or the creation of fresh images not yet in the NCMEC's database.

Is 'whack a mole' against old imagery a game worth playing, if it creates incentives for more victimization?

Further: while the NCMEC database is supposedly secret, knowing its contents would be quite valuable to CSAM rings. The sorts of law-enforcement agencies involved, & quasi-governmental NGOs like NCMEC, often have poor computer security, or face insider threats from the very criminals they target. Any level of serecy the database is alleged to have should be considered conjectural, contingent, and fragile.

In particular, there seems a strange mismatch of "millions" of automated reports each year from Facebook (& maybe others) to NCMEC, with hardly any followup arrests/convictions to follow. (Maybe: zero?) Might CSAM rings be using throwaway accounts to bulk-probe the NCMEC database, in an 'oracle attack', to deduce its contents?

Might Apple's system increase the potential avenues for such probes? Fill an old Aple device with CSAM until you see it phone-home with an upload of thumbnails for Apple personnel to review.

Apple may have created a system that, while effectively unreviewable by legitimate researchers because of Apple's secrecy of methods & databases, & the legal peril of probing its behavior with actual CSAM, still lets criminal researchers learn a lot to help craft their illegal behavior.

But hey, Apple then gets to assuage grandstanding Senators & Attorneys General with the boast: "We're firing as many nonsense unprosecutable events at NCMEC as Facebook does. We're doing something!"