141 comments

[ 3.0 ms ] story [ 215 ms ] thread
Didn't the US government recently start scanning messages for Covid misinformation?
Ah you must not of heard of Edward Snowden
This is a strawman "fact check". They disprove something that was never alleged to seem as if they're fact checking when in fact they're just trying to protect politicians trying to get corporations to intrude into your speech and privacy.

What was said was the DNC was trying to get the text message providers to monitor the text, not that the DNC could read your text messages. The text message providers can absolutely monitor your texts.

https://www.politico.com/news/2021/07/12/biden-covid-vaccina...

>Biden allied groups, including the Democratic National Committee, are also planning to engage fact-checkers more aggressively and work with SMS carriers to dispel misinformation about vaccines that is sent over social media and text messages.

It was never "the DNC can read your texts".

Not sure why you're being downvoted when this is a proven privacy issue. It's not about democrats v. republicans or iPhone vs Android, it's about our leadership as a whole, and what kinds of powers they have. The fact that our government even has access to our private communications should feel like a conflict of interests, especially in a nation that prides itself on freedom.
because people are so polarized the idea of engaging corporations to intrude on your private messages is ok if its your 'team'.

People never seem to realize what they're setting up are mechanisms and agreements that will facilitate further interventions. The mechanisms will be used against everyone, forever. This is just further increasing the centralization of power behind politicians who never deserve it and who use it on people with no power to resist, no matter whose team they're on.

or they realize and are so pre-occupied with their team they don't care, which is sad and short sighted.

Good to get these reminders that our data is in fact not private and that our computers have other owners than us..
Open source hardware and software is the only sustainable path forward.

Perhaps that DIY processor fab discussion is worth a re-read.

Edit: HN Discussion of open source phones: https://news.ycombinator.com/item?id=28164208

HN Discussion of open source laptops: https://news.ycombinator.com/item?id=28266315

I mean what if apples search decides that I am suspicious? Will they unlock my keychain and give all my logins to some police or worse random people somewhere to check my stuff? Very disappointing indeed
I don't believe Apple can unlock your Keychain. It requires your biometric (touch/face) to unlock from the Secure Enclave.
Per the threat model most of the people on here seem to be buying into, Apple can do whatever they want in an iOS update, including sending iCloud Keychain secret keys to a server they control.
The threat model people are buying into here is that Apple can’t do what they want today, but if they deploy this CSAM detector, only then will they be able to do whatever they want.
The threat model is that Apple has been capable of doing whatever they want, and this CSAM detector has demonstrated that Apple will do whatever they want.
Then by that logic, what they want is build a complex and highly narrow mechanism for checking only the photos that are uploaded to iCloud Photo Library for CSAM, and absolutely nothing more.
Today. They didn't want to do that yesterday. They will certainly want to do something else tomorrow.

Apple has a history of modifying devices that people bought in ways they didn't want and could not change (like putting a non-removable News app on their computers), but the CSAM episode shows Apple is willing to do a lot more, and more importantly, explained this to users who didn't care about the past abuses.

>… explained this to users who didn't care about the past abuses.

There is no abuse here.

Wow from your description people here sound like idiots. Sounds like you're pretty frustrated, what's up?
What part makes people sound like idiots?
"Privacy is a human right" really does seem like it was only an advertising slogan.

When Apple says "privacy" they seem to have only meant from advertisers and hackers. I'm surprised and disappointed.

I've honestly always interpreted their privacy activism that way. Apple acts as the warden of your data. Backups are encrypted for your privacy, but they hold a copy of the key. Traffic is obfuscated through fake Tor, but they manage the network. iMessage seems safe enough, but the source code is tightly sealed away, only accessible to Apple's eyes.

It's still a valid way to advertise the company because I trust Apple more than I trust Google or Microsoft, who are Apple's biggest competitors. I'd much rather use Apple's cloud integration than Google's or Microsoft's within their operating systems as well.

But don't think they don't have any data on you. Apple knows about as much about you as Google, but Apple keeps the data to themselves instead of selling access to advertisers. Always consider the possibility that the Apple four years down the line might not have the same ideals as the Apple of today or yesterday. We've seen Microsoft slide from a "you pay money, we give you software" to a "free software if you hand us your data" model and there's no reason why Apple couldn't choose to do the same.

Well said, appreciate the long term perspective and summary of what you see across backups, fake Tor, and closed source iMessage.

Good point about changing of Apple leadership. Tim Cook has said that 10 years from now he won't be the Apple CEO. That means someone new is coming in.

I purchased a Linux-first System76 laptop and will switch out my other iDevices. It's not just about Apple - any sort of closed source software/hardware just seems unsustainable long term. Having "trust" in organizations seems misplaced.

More than "the customer", Apple is, in the end, beholden to government and its laws, whims, etc.

Until a company is more powerful than the government I'm not sure how anyone can have an absolute assurance of privacy from a corporation.

Regarding Apple scanning images, you actually gain more privacy than you have now. Way more. But the near-universal dislike of this initiative leads me to believe people do not understand either a) the current way in which Apple handles images and subpoena requests; or b) some aspect of the (admittedly complex) scanning implementation. But I don't know the precise area that people are getting hung up, so it's tough to address people's fear with the right facts to alleviate that fear. Hence the very one-sided, negative response to the photo scanning. That said, if you clarify where it is that you feel you will lose privacy, I will gladly try to address that for you.
Can you elaborate on why you think this gives us way more privacy than we had before? I don't see how adding on-device scanning does that.

I think that people generally understand what's going on and where this might lead us in the future.

It's less about scanning (they were already doing that on their side) and more about keys. Before, there were two keys. The one on your device, and one for accessing the data on their servers. Apple could be compelled to decrypt that data and hand it over to the government, and the government could ask for literally anything. So all the fear about "what if they decide to scan for images of XYZ" is a fear that already exists. Apple has made it clear that they do not want to aid the government in any way, and stated so directly to congress in 2019. Congress, in turn, made it clear that if they (big tech) didn't come up with a solution, they would legislate some kind of "backdoor" requirement, which would be terrible for everyone.

So they had to come up with some kind of solution that:

1. Keeps the government happy enough that they don't pass terrible legislation.

2. Keeps Apple's servers from storing illegal content.

3. Keeps Apple from being involved in the subpoena process.

4. Maintains user privacy – because that's the whole point of this exercise.

I genuinely think if people understood how they accomplished this they would see that Apple accomplished two of the objectives (1, 4) and will eventually accomplish #3 as well.

But back to keys. Your device has a master key for decrypting the photos, and that's always been the case. What I'm about to talk about Apple's servers only, and not your device:

Imagine the two-key system required to launch a nuke, or the big Hollywood bank vault that requires two people to simultaneously get retina scans. "Shared Key Encryption" is the same idea – no one person with a key can decrypt the target. What's cool about this is you can have as many keys as you want, and all of them must be present in order to decrypt the contents. How many keys is Apple using? Well in this particular encryption layer, they are using ~31 keys, and Apple only has ONE.

If we stop right there, you can already see how this is way more secure. A government cannot compel Apple to hand over your unencrypted data. Apple has been able to do this in a much simpler way for a long time, but not without causing the government to pass counter-legislation in response. They haven't implemented better security before this for that very reason.

So where do the other keys come from? They are generated anytime a match is found in the CSAM database on your phone. Even that database is hashed, so your CSAM database and its hashes are unique from every other iPhone user. If there is no match with the CSAM database for a particular image, the keys for its decryption are never generated. Meanwhile each time CSAM match is made, another of the 31 keys gets generated. So in a (super over-simplified) way, the "bad" images are keys for each other. This is why Apple has set a "threshold" for how many CSAM images must be detected before Apple is notified. They have to meet that threshold in order to have all the keys to be able to decrypt all the offending images. Even then, all other images in your account still remain encrypted and inaccessible.

All of this keeps the government happy enough to keep the bad legislation at bay. It's not a perfect solution, but it's better than the alternative, and it results in greater privacy than we have today.

Unless/until I see technical documents showing why there is a privacy issue for people who don't have CSAM, I am 100% in favor of this solution.

Thanks. I can agree that the process sounds very secure, but I still can't agree that it's more private. Apple had and will have the capability to decrypt iCloud data, so why add the additional scanning on the phone, of all places?

> Unless/until I see technical documents showing why there is a privacy issue for people who don't have CSAM

For me, it's about trust. Why not just do the scanning on their servers? With moving the scanning to the client, they've crossed the Rubicon. Apple has built a generic, automatic reporting tool for content on phones, which to my knowledge hasn't existed to date. On top of that, they've set the example that it's acceptable to perform client-side scanning.

Today it's against CSAM, but what about tomorrow? What will happen in authoritarian countries? Prior to this, I believe Apple had the high ground and could say, "we don't have the capability to scan devices and exfiltrate data". But now, it's there.

Perhaps you may say that this is the "slippery slope" argument, and maybe it is. I hope it never expands to include other things. Though I have a hard time imagining that this doesn't get expanded in the future.

I like your point about ~31 keys. Hadn't realized it worked like that with all images now being encrypted.

One caveat is that according to this article out today, Apple was not scanning iCloud Photo Libraries for CSAM previously: https://9to5mac.com/2021/08/23/apple-scans-icloud-mail-for-c...

"Apple has confirmed to me that it already scans iCloud Mail for CSAM, and has been doing so since 2019. It has not, however, been scanning iCloud Photos or iCloud backups."

The clear distinction being that iCloud Mail scanning doesn't happen on device.

For my part, all Apple needs to do is move CSAM scanning to the cloud. No service provider can be expected to keep images of child abuse on their servers. Apple would join myriad cloud service providers in scanning for and reporting such material.

My problem is the use of my own device to run the scan. It's a waste of system resources. Presumably, a trivial software update down the line could expand its ambit to locally stored files. And we have the issue of Apple being compelled to run searches for non-CSAM hashes.

The point was so they wouldn't need to see the plaintext of the photos on their servers.

Somebody needs to invent a FHE (fully homomorphic encryption) CSAM algorithm, so that Apple could scan encrypted photos for badness on the cloud.

Not Cool, now we can enforce all kinds of arbitrary censorship on encrypted data. Be careful what you wish for.
Also, the Apple system allows for a way of verifying matches to screen for false positives which the encrypted approach would not.
Are photos uploaded to iCloud encrypted client-side?

I suggest the answer is in the negative, given the ability to look at them on the web, and the ability to reset your iCloud password using 2FA.

These suggest Apple has a copy of the decryption keys, which I'm happy for them to use to scan files I have stored on their servers, for CSAM, or, within reason, anything.

Yes, they’re encrypted client-side, then unencrypted in browser. This is relatively easy to verify if you do not trust an anonymous comment, and I suggest you do so.
> Are photos uploaded to iCloud encrypted client-side?

Well, I can share a link to them and others can see them, including anonymous users. Just leads me to believe that either they aren’t or if they are, they have the key.

Alternatively, someone could realize that existing CSAM that's so widespread it's in the database basically equals water under the bridge, whereas creating CSAM that isn't in the DB requires to harm more children.

Poverty and power imbalance is what harms children the most, by far. But we can't tackle that without stepping on the toes of greed, so we do circus instead.

You say water under the bridge, others will say where there's smoke there's fire.
But this isn't smoke, this is a photo of smoke. And as I said, the raging fires all of us can see in plain view go mostly unchecked. Where there is a photo of smoke, there may be fire, but where there is obviously a huge blazing fire, there surely is fire.
In some ways, I think privacy advocates could be shooting themselves in the foot here. I think that mainstream storage encryption (mainstream as in WhatsApp and Signal, as opposed to encrypting your NAS using linux commands) is very important for privacy, and that deploying it without running into CSAM objections and legislation is a Sisyphean task for for-profit businesses. Messaging seems to be more legally defensible than storage from a business perspective.

If you take as an axiom that mainstream businesses will be forced to protect themselves against contributing to CSAM distribution, then the choice to offer encrypted cloud storage to non-technical end users REQUIRES doing the scan on a trusted computer (Apple has chosen the phone itself).

I think the arguments that this can be abused are very real, but it's worth talking about how to fix that, because I think the alternative might be sacrificing E2EE cloud storage in the mainstream (as has happened with every other mainstream company). Perhaps more thought should be put into making this process auditable by the device owner (or by a trusted 3rd party -- say the EFF).

Or perhaps the scanning could be federated -- say I don't want Apple doing that, but I might trust a privacy oriented non-profit to "certify" to Apple that my personal photo album is CSAM-free. Can that 3rd party scan be blinded, such that I send data that is representative of my images, but I've already anonymized my photos using a transformation?

Could we audit (similar to certificate transparency):

1) What data from the device is being scanned? What data is being uploaded?

2) What "hashes" are being matched against, and how are those changing over time? Can the data lineage of the NCMEC database be audited? Would that pick up malicious hashes injected into the database?

Generally, I think our privacy paradigm needs to be built in such a way that it can actually be deployed in our policy environment. More realpolitik, less ethical grandstanding.

FHE doesn't let the other party access the results of algorithms run on your data. Other parties can run an algorithm on your encrypted data, but only you can interpret the results.
That's a good point. The device with the key would still have to forward the results.
This is correct. I have no problems of them scanning my icloud mail or photos. I just don't like the idea of there being a system level scanner for a hash database on my device assuming that I'm guilty until proven innocent. I was going to upgrade my iPhone this fall to latest model, now I'm very hesitant to do so and looking at alternatives.
But you do like the idea of a server-level scanner for a hash database assuming that you're guilty until proven innocent?
Nobody does, but that's the current status-quo anyways. Almost every cloud-based service provider will do this anyways, Apple's only change is that they've moved their surveillance from their computers to mine. If I can't know how secure my phone is at all times, then I frankly can't feel comfortable using it.
Yeah, I don't get the cloud/device distinction people are making. Increasingly they are one and the same (if you know what I mean).
ODINN => On Device, Intrusive, Neural Network.

You cannot photocopy a dollar bill. Kinda makes sense.

https://en.wikipedia.org/wiki/EURion_constellation

Now imagine a "live" neural network running on your phone or camera that prevents you from taking pictures of the Eiffel Tower at night due to "Suspected Copyright Abuse".

https://www.snopes.com/fact-check/photographs-of-eiffel-towe...

Next imagine that a local government issues a digital "All Points Bulletin" which scans all pictures on all phones for a "person of interest in a crime (against the state)", conveniently associated with the emergency alert broadcast network.

First they came: https://en.wikipedia.org/wiki/First_they_came_...

>Yeah, I don't get the cloud/device distinction

Maybe I can make it clearer.

It is like you are asked or demanded to install some antivirus on your computer, but this is not a typical antivirus , it is not scanning to protect you but to find evidence against you and destroy your life.

A list of facts, let me know if you disagree with the reality or my conclussion

Apple could have scanned iCloud already, why did they not do it so far? Either there is a super low number of CP on iCloud which implies this feature is not needed OR Apple was lazy, incompetent or had some other reason and let a lot of bad guys escape . I would conclude from this that Apple , if they really care of children, should freaking start scanning the existing iCloud images now.

From the above I am inclined to believe that this is not an action to protect the children, the reality does not fit, if there is so much CP on iCloud but Apple just woke up then WTF is that all PR about protecting children.

With all the attention it has been getting I think its only a matter of time before CSAM-SWATing starts to happen on those cloud services. The amount of people who know that scanning is happening just dramatically increased in the past month.

And for all we know it may have already happened and someone is currently rotting in jail who shouldn't be there.

Middle aged dude raided by cops who find CSAM on their cloud accounts, claims that his phone got hacked. Lying sack of shit pedo, of course he'd say that, right?

We've had plenty of time for it to have already happened since various services have been scanning for CSAM for some time.
> The amount of people who know that scanning is happening just dramatically increased in the past month.
My pre-owned Pixel arrives tomorrow and I'm looking forward to playing around with open-source alternatives. I think I'm going to start with this: https://lineage.microg.org/
I’m aiming for a used Pixel 5 and GrapheneOS. GrapheneOS seems to have the most focus on breaking entirely away from Google services.
GrapheneOS has been a dream so far on my used Pixel 4.

Turns out Android can be pleasant when you don't have to deal with oem ui changes and non-optional bloatware.

There is an alternative, more reasonable way to look at the Apple proposal.

The scanning occurs in order to upload files to iCloud photos. Your device is attesting that data you upload to iCloud photos is not pre-established CSAM. If you do not like the privacy implications of having your content inspected locally, on your device, simply choose another cloud photo provider and turn off iCloud photos.

You are told about the system and you are free to turn the service off. That doesn't sound like a massive privacy invasion to me.

iOS doesn't allow other cloud photo services to upload in the background except via flaky hacks, so the choice for iPhone users is really between iCloud Photos and crippled alternatives.
This is the tradeoff of the Apple ecosystem. For most users the trade off is a no-brainer because they don't care about the theoretical concerns that, in expectation, do not apply to them. I mean, what is the probability of this technology causing an innocent user harm? 1/1,000,000 ? 1/10,000,000? 1/100,000,000?
All evidence is that the chance of harm is literally zero.

This stuff is used to scan pics on every photo hosting service already, and there’s no known instances of a life ruined over a hash collision.

Every one of the harm narratives comes from a slippery slope fallacy.

According to Apple, 1/1 Trillion chance of a false report per year.

So the chance for a single photo to be incorrectly matched is much higher. But by setting a threshold at ~30 images before triggering a manual review, they get the odds extremely low.

My bet is that error threshold will remain a constant for them. As tech gets better, they will reduce the threshold accordingly to maintain that error rate. In five years, I’m guessing they will only need three images to trigger a review.

I use NextCloud which syncs my photos from my iPhone to my in-home server. Then I use borgbackup to encrypt my photos/videos and send them to a cloud provider. All of it is automated and wasn't too much of a hassle to setup.
iCloud does more than just uploading. It enables transparent sync and offloading of photos. This means if your device has limited storage, iCloud Photos can shunt photo data out to the cloud while maintaining a local representation of the photo's existence. These iCloud features are "baked into" the APIs that apps use to integrate with the system photo library, e.g.: https://developer.apple.com/documentation/photokit/phasset#1...

You can come up with third party solutions that accomplish some portion of this use case (photo backup) but you'll never be able to accomplish what Apple does with iCloud Photos unless Apple opens its APIs.

A third party could implement the PHAsset abstraction over their own implementation of a photo library action sheet and the file provider APIs. It wouldn’t get you to feature parity, but the major differences are but minor frictions if your privacy threat model involves nation state adversaries.

It is not possible to write an app on iOS that has permanent, transparent background network and runtime access, and it’s also not clear allowing such apps would be a privacy benefit for users at large. Apple already makes exceptions to this for certain apps (e.g. it seems like my Verizon Wireless app has background runtime). Are you suggesting that Apple should nominate a few photo services receive the same exception?

It's a benefit for users at large because they get to use services that provide more benefits (like Google Photos search and automatic video creation), services with more privacy (like self-hosted photo services), or services that are cheaper (like Amazon Photos).

Android has demonstrated that there is no need to whitelist this. This is purely a lock-in play for Apple.

I’m unclear if you’re saying that one can implement a new access mechanism to Apple’s default photo library (the one managed by the Photos app and that the camera saves to by default) or if you’re suggesting that I need to design my own alternative photo album. If the latter, then “but minor frictions” seems… unreasonable.

Not sure what nation state adversaries have to do with a simple question about photo library access.

If your argument is that Apple should be forced to give everyone access to the proprietary abstractions it builds on its own operating systems, like PHAssets, then we are no longer in the world of privacy and now in the world of “when is it ok to force companies to build features the public [HN posters] wants?” There are many answers to this, but it seems like the current legal regime in most places says: “Very rarely.”

My argument is that nothing stops a photo sync solution from building much of the relevant stack themselves: you can build MGAssets and get apps to adopt your photo library view controller as an action sheet or use File Provider abstractions to build the same in file pickers. 1Password, eg, offers a direct to 1P button as an SDK for 3rd parties to use. Once you separate out what you can’t do easily because it would take a lot of investment to build yourself versus what actual platform features you’d like to force Apple to build, I think your argument that the latter should be done is even less compelling.

The question of whether Apple should open the "proprietary abstractions it builds on its own operating system" is a major one that is now being litigated in multiple courts and regulatory jurisdictions. My argument is simply that sophisticated iCloud integration falls into this category and should probably receive attention from those same courts and regulatory insitutions.

To the extent this is about privacy, the argument is that Apple has created an opinionated regime for scanning user photos using untested technology -- and has (quite correctly, I think) determined that privacy-conscious users should have the right to opt out. The issue here is that Apple's version of "opt out" does not allow users access to the same functionality through third-party cloud providers. Users who opt out for privacy and security reasons will be substantially worse off than users who opt in. This isn't the only reason that regulators should consider revisiting Apple's cloud integration, but it's a new and important one that did not exist before Apple announced this service.

We are using Synology Photos in our family.

On iOS devices, it randomly stops synchronizing, and it is necessary to manually resume sync. Very annonying; most normal (not-enthusiast) users would be bitten, that they assume their photos are synced, when they are not.

Interestingly, Android devices do not have such issue.

This comment should be way up. People afraid of "what else" Apple can start scanning on our devices has always been a reality, way before CSAM. If they ever decided to remove the feature, it's not like it will magically make it impossible for Apple to ever scan our devices again in the future. They can run whatever code they want on their device. We've always put our trust on Apple to not do any shady things on our phone. This new outrage makes no sense at all. As you said, people can turn iCloud Photos off to disable the scan. Therefore people need to STFU.
> We've always put our trust on Apple to not do any shady things on our phone

…and now we have a case in point of them doing shady things on our phones. This breaks the trust.

I don’t see what’s shady about this because it’s so public. They could do everything that’s happening on phone on the iCloud servers without telling you. So at worst it uses extra bandwidth per upload and some processing power and thus battery life from your phone. The minor advantage is you can actually inspect their procedural hashing algorithm, though not how they compare images server side.

Sure, they could do something else in the future but that’s alway the risk with every update.

It's the same point as above. They could do shady things with your data on their server. They could do shady things with the data on your phone. They always /could/, and up till now I trusted them not to.

But now they /have/, that is the change.

Ok they lost your trust and it’s completely your choice to make that decision however you want, but how was this shady?
Creating a novel on-device scanning mechanism and claiming that is somehow more privacy is a lie, and therefore shady.

Using that novel on-device scanning capability to secretly report people to authorities, that's beyond shady.

Claiming that the novel hashing algorithm is verifiable by third parties, but simultaneously suing any third parties that try to analyze the actual code running (without being subject to Apple NDA), is mega shady.

Secretly reporting people to authorities based on unverifiable novel image hashing algorithms and only image "derivatives", whatever that means, that's ultra shady.

Pretending that people are somehow "misunderstanding" if they are alarmed by this unprecedented, unverifiable scanning and secret snitching mechanism being run over their private photos, that's extra ultra mega shady, but typical of Apple.

Look at this shitshow explanation. When have you ever seen Apple being so terrible at explaining a feature? None of this smells right: https://www.youtube.com/watch?v=OQUO1DSwYN0

Ok, so you are largely misunderstanding the details.

> Creating a novel on-device scanning mechanism and claiming that is somehow more privacy is a lie, and therefore shady.

Would you rather Apple actually directly look at your images? If not then it is a privacy improvement. Because they are legally required to search their servers for this stuff when directed to by the FBI.

> Using that novel on-device scanning capability to secretly report people to authorities, that’s beyond shady.

Except they don’t actually do that, phones don’t get the hashes to do any comparisons. Sever side comparisons only flags images which causes Apple employees to look at down samples images. Critically they don’t have the authority or incentives to prosecute you.

> suing any companies that try to analyze the code running, is mega shady.

And not something their actually doing.

> Based on unverifiable

Again false people have been looking at the algorithm used.

>Would you rather Apple actually directly look at your images?

No. Why would that be necessary?

I would expect to be reported if I willingly uploaded images matching exact hashes of CSAM to Apple servers. I don't understand why Apple employees would ever be able to, or need to, view my images, and I would expect Apple if it were really a privacy-focused company to never let that happen.

>Except they don’t actually do that, phones don’t get the hashes to do any comparisons. Sever side comparisons only flags images which causes Apple employees to look at down samples images. Critically they don’t have the authority or incentives to prosecute you.

It's client side, that's why we're having this discussion.

This is all a secret process. As I said, Apple employees look at an unspecified number of "derivatives" of people's images in a secret process, and if they tick a box, the authorities get all your data. There's nothing saying how close a "derivative" needs to be to actual CSAM to trigger this process, just "trust us, because children".

No audits, no due process, no mandatory notifying customers that are affected, no notifying of how many total customers were reported every month, just a secret illegal search and snitching mechanism with some crypto mumbo jumbo and "trust us, because children" sprinkled on top.

>And not something their actually doing.

*they're. Yes they are: https://news.ycombinator.com/item?id=28219278

From a comment: > ... “With their left hand, they make jail-breaking difficult and sue companies like Corellium to prevent them from existing. Now with their right hand, they say, ‘Oh, we built this really complicated system and it turns out that some people don’t trust that Apple has done it honestly—but it’s okay because any security researcher can go ahead and prove it to themselves.’”

>people have been looking at the algorithm used.

Who? How? Are you talking about the ones that are gagged by Apple NDA? Link to papers?

As another commenter posted, no amount of spin will make on-device scanning a good idea.

> It's client side, that's why we're having this discussion.

> This is all a secret process.

Those are in contradiction a client side process is inspectable.

This is disingenuous and you know it.

As you know, there is a server-side element, the crypto mumbo jumbo makes it impossible to audit which images will trigger the automated snitching mechanism from the secret list of hashes. So it is both a secret process and doing scanning client-side.

Also Apple is busily suing companies who dare to make client-side inspection feasible, as I noted.

What people make this aurguement fail to understand is that legally there is a HUGE difference between

"We will not make software that scans files on the device"

and

"We will not allow the software we made to scan for anything other than CSAM"

Under US law it would be very hard to force apple to do the first, but no where near as hard to compel them to change the database they of files they are scanning for...

This is a dubious legal theory. The compelled action the government asked Apple to take in the case of Apple vs. FBI was a very minor technical change.
It's not about the technical complexity of the change. It's about the public blowback from such a change. The U.S. government compelling Apple to install some all-access backdoor would be a big story.

The U.S. government compelling Apple to make some small process change to this new system wouldn't be a big story by comparison.

Example: A year from now the U.S. government tells Apple they are no longer allowed to review the flagged CSAM imagery themselves but must rather report it directly to law enforcement.

A change most people wouldn't think twice about ("why does Apple need to be the ones reviewing this obscene illegal material anyway") yet would introduce a massive vulnerability into the surveillance process.

I don’t see what public blowback has to do with legal arguments, at least without also assuming some kind of legal realism.
I wasn't commenting on the law, rather the claim about the technical complexity of the change.
iCloud Photos is a synchronization service that is integrated very tightly into the core iOS system. Even the basic APIs that allow apps to integrate with the system photo library are "iCloud aware" in the sense that the photo might not be on your device. iCloud Photos makes it possible to page photos on and off your device, which is a critical feature for people who can't afford to pay for the high-end iOS devices with extensive NVRAM storage.

You, as a user, can turn off iCloud Photos. But your device functionality will be limited. And you cannot replace that functionality with any third-party alternative that will have the same feature-set and access to the low-level device features: Apple ensures this through the design of their OS and its extensive security features.

There is a version of "you don't have to use iCloud Photos" in which Apple opens their OS to competing cloud services. But you can't say this is an option while also locking the device down to use one cloud provider.

It is hard to square the idea that Apple’s proposed CSAM detection pipeline is a fundamental affront to privacy, a human right, with the argument that turning off iCloud Photos is a false choice because alternatives don’t or can’t have feature parity. Even more so because every cloud photo service with the scale and quality of iCloud Photos is doing the same (and arguably worse!).

I use Nextcloud and it is a more or less ok user experience; the major inconvenience is that your photo library isn’t available in UIImagePickerControllers. The image preview mechanics you describe can already be simulated with file provider APIs.

Edit. I think my point more simply stated is that if you think turning off iCloud Photos or switching photo sync with another cloud provider “solved” the privacy problem, then you are in the same group of people who are annoyed that they can’t use Spotify with Siri or AirPlay 2. Welcome to the large number of 2nd class citizens on iOS. It’s not great out here, but it certainly doesn’t make the toggle a false choice.

I don’t think you need to square those options. I think that scanning people’s photos is very much an affront to privacy. Apple clearly agrees with me at some level because they are advertising that their system is “opt in”: you only get scanned if you turn on iCloud Photos. But this argument assumes that for most users this is a choice. For many users who have purchased iPhones with lower storage levels this is not really a choice — they have to use iCloud Photos to get the functionality they paid for, else they can’t synchronize photos and have to manually manage and risk deleting photos. They can use third party apps, but only with reduced functionality because Apple has chosen to privilege their own cloud service and lock those functions away from third party developers. To me it seems like Apple’s opt-in consent argument would make sense if and only if they offered users equivalent choices in third party cloud functionality: which they don’t.
The user to whom Apple’s offer is a false choice is one that assumed they would always be able to update to the latest iOS while uploading whatever photos they wanted into iCloud Photo Library without any kind of content scanning. Turning private API into public API is a huge investment, and I’ll be honest: this hypothetical user seems quite far-fetched, and I don’t see how this investment is worthwhile for Apple to make. Especially so because most of the criticism is about a slippery slope where all rules don’t apply: Apple could just as easily scan the photos the 3rd party processes as well. So what incremental privacy do they even gain?
You seem to be conflating a number of very different issues. It would be a lot simpler if you didn’t do that.

There are several separate questions. 1) Should users have the right to opt out of scanning. Apple have answered (1) in the affirmative: yes, they understand that some users want this option and have designed their system with explicit guarantees that users can do this. This is not an accident or a miscalculation on Apple’s part. They clearly understand that forcing this scanning on non-consenting users is unacceptable and their marketing copy makes this clear.

The second question (2) is whether Apple’s compromise to preserve user privacy (allowing users to disable photo sync while providing no third-party alternatives with equivalent feature sets) is acceptable. Apple presumably thinks it is. I think that disabling Apple’s photo sync features will not be acceptable — and indeed will be actively harmful to some users. We can disagree about whether this matters but this is the heart of the disagreement. Having strong opinions doesn’t settle the question, it just demonstrates that the issue is contentious. Settling the issue requires user surveys and an economic analysis at minimum, not opinions on HN.

Then there is a third point (3): does Apple have any obligation to provide opt-out users with alternative services that bring their devices back to the full functionality that they possessed when the devices were purchased. Your view is that “this is not worth it to Apple.” We do not disagree. My claim is that Apple’s view on the issue is not necessarily the final world on the issue. Apple also believes that they should have a monopoly on app distribution and many other aspects that define the iOS experience. These views are disputed and there is no “correct” answer. My claim is that the operation of cloud infrastructure should be a part of this dispute, and Apple’s decision to make their system “opt in” should be viewed as such in light of the fact that Apple controls essential features in such a way that Apple can effectively hobble the device of any user who declines to consent, with no recourse or alternative available to the user.

I think your response to this has to grapple with Apple’s very clear argument on (1). Which means that “Apple can do whatever it wants because they’re powerful” isn’t a sufficient response. And if the rest of your answer revolves around unsupported hypotheses about what Apple users expected, then you should probably come back with some strong evidence like user surveys to support those claims.

I agree with your framing except that in 2 and 3, the matter is already settled. The status quo is Apple gets to build what it wants. It’s on you and others to do an immense amount of work to prove that Apple should be forced into building features you want and not what they deem best. I’m generally happy with what they’ve made, and I think the power to compel them to make changes is more likely to be wielded by dumb and possibly malevolent people than altruistic, privacy-focused computer experts.

I’m not sure why the burden to do user surveys is on me. Presumably the first order user survey is, “Will our customers abandon us?” which Apple must have done and everything past that is on you to conduct to justify your ask of them.

Pretty obviously the only reason to scan on-device is that you intend to expand on-device scanning to all files on the device, regardless of whether they are uploaded or not. ("We don't want child molesters to get away by turning off uploads," said Apple spokesperson.) Literally no reason to develop this otherwise. Scanning cloud images would be 100x easier.
Apple has declared their criteria for evaluating the privacy of their CSAM scanning approach in their USENIX talk, and none of it relies on scanning all files. If you want to accuse them of lying, you will need to bring a lot more evidence since (i) presumably you believe they weren’t lying in the past and (ii) it would be an enormous liability if they were now.

There are many reasonable criteria under which the proposed model is superior for privacy. Perhaps the only reasonable criteria under which it is not is some kind of scope creep in what files are scanned. (Scope creep in what content is scanned for is a risk - an even greater one as there is no transparency over the hash list - of incumbent solutions as well.)

Either that, or Apple really doesn’t want their server to access (ie. decrypt) all photos by default. Maybe they actually weren’t lying when they defended being more private by having all computing happen on-device, and the server not accessing your data.

Now, what seems more likely to you? They suddenly decided to go towards scanning all offline files for no business nor legal benefit, or they tried to respect their own marketing of how their ecosystem should work?

What you said changes nothing about the concerns the parent comment/s raised: which is, having the scanning on the device in any manner what-so-ever. That is the objection.

The fundamental issue is that Apple is crossing an important privacy line: my property (my phone) vs their property (their external servers).

It's identical to saying that because USPS (or any mail carrier) is allowed to scan mail that moves through their system, across their property, they should also be allowed to come into my home and scan mail there. Hey, they promise to only look at mail while inside the home, what's the big deal. It represents the same shift: my home vs their shipping infrastructure.

People would universally go ballistic if USPS/UPS/Fedex declared they were going to begin routinely entering homes to examine mail packages before they were sent out. No matter how you dressed that up (they only do it if you print a shipping label first, indicating preparation to send a package through their system), it wouldn't assuage anyone.

Genuine question. I know this is not the situation we find ourselves in but, if your options were on-device scanning for CSAM+encrypted iCloud Photos (that Apple could not decode) OR cloud-based scanning of iCloud Photos which would you pick? Are you still opposed to all on-device scanning?

Edit: Thank you all for your replies. I don't share the exact same concerns as some of you but I appreciate you sharing your thoughts/reasoning. I really did what to know what people thought about this in the context of an E2E iCloud-* and it's been hard to pick that out of all the other discussions.

I'd pick the latter. I doubt iCloud will ever be a zero-knowledge service.
Probably the latter, because frankly E2E encryption means very little to me when one end is the world's most powerful company.
I'd happily pick cloud based scanning. At least that way I can opt out by not using their cloud. I have serious doubts that choosing not to use iCloud will actually stop Apple from running scanning code on my device. Having a capability pretty much ensures that it will be used, and likely misused.
My house shouldn't be full of eyes and ears.

CSAM today, political materials another. This could also be used to identify whistle blowers, reporters' sources, and more.

I'd hate to have gay porn on my iPhone in a Sharia law state.

Or images of tank man in mainland China.

Imagine when the detector extends to not just files. Things typed or said.

This is a steep cliff, and we're drawing closer to the edge.

> Or images of tank man in mainland China.

The Chinese government forcibly installs spyware on people’s phones today. What Apple does or doesn’t do is of no consequence to them.

> The Chinese government forcibly installs spyware on people’s phones today. What Apple does or doesn’t do is of no consequence to them.

And that makes this okay? You're defending this use against us too.

Did someone say it was ok? The point is that it’s silly to say this CSAM mechanism makes a difference in China.

Does the US government have the power to order Apple to scan everyone’s phones for politically undesirable images?

I don’t think so.

So long as I'm confident that disabling the iCloud Photos service also disables the scanning, I prefer the local scanning + e2e encryption.

(My take is that if I can't trust Apple when they say this is the case, I also can't trust that they're not already being made to scan all my photos locally, so...)

Apple shoving this false dichotomy at us is the problem. I choose option #3 - Apple (et al) freely scan everything stored in their cloud, while users' devices use encryption that renders most scanning moot.
(comment deleted)
The surveillance infrastructure IS the point. NO point just doing it in the cloud. It HAS to be on device.
You've hit the nail on the head for me. The part that offends me is that the scanning is happening on my device that I paid for, and had no knowledge of the eventual introduction of when I bought the phone.

If they want to scan cloud storage, by all means. But I shouldn't have to have my device bogged down with this extra pointless computation.

The idea that it’s going to slow your device down is an odd one.
> Presumably, a trivial software update down the line could expand its ambit to locally stored files.

And backing up one level, this is why I’m finally working hard to take control of my devices and data from companies like Apple. This most recent episode shows that “a trivial software update” such as the one in iOS 14.3 can introduce this on-device scanning where non existed before. We knew it was possible of course, but now we have a clear cut example of it. They’ve lost my trust and that’s that.

> [...] They’ve lost my trust [...]

Exactly how I feel. I used to cautiously kinda trust Apple's so-called "commitment" to privacy, but this change just shows us that any such promises are purely theater.

Now that the damage is done, I doubt it can be undone, especially in my case. My opinion on Apple's credibility has crashed through the floor. In my opinion, they're now as untrustworthy as Google or Facebook.

For me it's a step further. I cannot trust any company for more than privacy theater. Apple was simply the last to fall.

I'm starting to look at companies to see if they meet these must-haves:

1. E2E encryption

2. Open source hardware and software

Everything else is "nice to have". The current options out there are missing a lot of "nice to haves", but they will get better. I'll be a vocal customer telling them what I want.

“Trust” is entirely my issue with Apple too. I spent some time - and even wrote a post on my site - trying to clarify my thoughts and the steady erosion of trust seemed to be what I most object to. I too am trying to take control and responsibility for the computers I use now. Proving tricky, but baby steps…
Just read through your blog post, there's plenty of great insights on there and I appreciated someone being so thoughtful and tactful with their response. As a Rust developer, I fully encourage you to push through and learn the language: I've walked a few tenured web devs through the language, and they're always surprised by how strongly typed and simple everything is once you understand the syntax. Truly one of my favorite languages to work with!

As for 'alternatives' like you listed towards the bottom, I fully recommend setting up your own Nextcloud instance. It's a really versatile little thing, capable of hosting your photos/documents/music/whatever from a decent online interface (or WebDav, if you're a nerd.)

"They’ve lost my trust and that’s that."

Same here. There's a finality to this, closure.

I'm done reading about it, nothing more I need to say about Apple. I just purchased a System76 laptop and am ditching my MBP. I've been a Mac Addict for 20 years and now I've outgrown Apple. Privacy is a human right.

What I'm wondering now is "how do I replace my iPhone, AirPods, and iPad?"

Ask HN: Do you use Purism, PinePhone, or Fairphone? https://news.ycombinator.com/item?id=28216287

Ask HN: Do you use a Linux-first laptop? (System76, Librem, Dell XPS Dev Ed) https://news.ycombinator.com/item?id=28216287

Me too. Not a huge Mac user, but I use my iPad and AirPods a lot.

I haven't tried them, though the Sony ear buds look like a great option to AirPods: https://www.sony.com/lr/electronics/truly-wireless/wf-1000xm...

As far as the tablet goes... I dunno. I haven't tried an android tablet and I'm not too keen on it. Maybe a Surface? The iPad is damn good at what it does...

The biggest convenient of AirPods for me is how damn easy they connect and disconnect. Wonder if there's a way to support that on other devices and platforms. It's a dream.

And yeah, iPad...

Pinephone has options: https://pine64.com/product-category/tablets/

> Presumably, a trivial software update down the line could expand its ambit to locally stored files.

Sure but this is equally true now as it will be after they deploy the CSAM detector.

It’s not a real argument against the detector.

Doing so would sacrifice privacy. I'll take the hit on my battery.
I asked in another thread (and got downvoted), if Apple does it on the user devices to save money. How much would it cost to scan everything on the serverside?
Ideally they wouldn’t be able to scan my iCloud photos at all. There’s real value in being able to maintain privacy while also gaining the benefits of live, remote storage and backup.

The generous interpretation is that Apple moved this on-device to preserve user privacy. They just miscalculated the response to an admitted backdoor.

My problem is the use of my own device to run the scan. It's a waste of system resources.

I'll restate what I posted on another thread about this [0]. There should be a clear, bright line here.

----

In all these threads everyone is coming close to the crux of the issue, but I want to restate it in clearer terms:

There is a sacrosanct line between "public" and "private," "mine" and "yours." That line cannot be crossed by Western governments without a warrant. Cloud computing has deliberately blurred this line over time. This on-device scanning implementation blows right past that line.

Our tools before the computing revolution, and our devices after, become a part of us. Our proprioception extends to include them as part of "self." A personal device -- a tool that should be wholly owned and wholly dependable, like pen and paper -- that betrays its user, is a self that betrays itself.

[0]: https://news.ycombinator.com/item?id=28162412

You're exactly right.

We have a word for what Apple is installing on your device: spyware. And it's worse than typical spyware in that it's using your device to spy on you and report its findings back to law enforcement.

Framing as “on device scanning” is contrary to facts. It’s the client SDK operating the same algo on an upload event image at the client end of the upload API as it would run at the server end, just not having to decrypt it to do it.

But to your theme — there’s no clear bright line in client SDKs.

Devs do not think of these or handle these as if they belong to the user.

If you study the cesspool of user tracking and other privacy violations on iOS devices, it’s mostly developers using the same client-side SDKs across their apps, and users none the wiser.

Sometimes devs also have no idea. At least, they profess surprise and drop these SDKs when the user behavior harvesting is pointed out to them.

For whatever reason, everyone’s OK with this.

Perhaps the line is too blurred between client and server, thanks to emergence of concepts like node.js (“run same code on client or server”) that make this sound like a feature.

Or maybe it really shouldn’t matter where the code runs provided it respects boundaries, or better, those boundaries of intentionality and access are technically guaranteed inviolate.

This is exactly what I complained about in past threads and nearly nobody agreed with me there. Seems like the tide has changed!

This is my only complaint. I don't care what you do on your own cloud, don't try and force my device to do the heavy lifting especially when the activity is not in my own interest.

Correct me if I'm wrong, but I find the idea of people sending this kind of materials via email to be asking for trouble, to put it mildly.
While I agree, law enforcement in the U.S. is supposedly bound by the "expectation of privacy" where, I think we can all agree, we ought to have an expectation of privacy when we send an email directly to one of our contacts.

Of course Google and Gmail (as an obvious example) are not law enforcement so they can specify the terms of privacy when you sign up, scan your email if they wish, etc.

Interesting, I don’t have an expectation of privacy when it comes to unencrypted emails. Likely due to them being regularly scanned and archived at work etc.
> I think we can all agree, we ought to have an expectation of privacy when we send an email directly to one of our contacts.

We ought.

But in my country I once received a piece of physical mail from a more important institution in a more special (but not shady) country and the mail literally arrived open. I realised this is how people under communist regimes must have felt.

In the U.S., “the Fourth Amendment permits the warrantless searching of mail entering or leaving the United States…. Congress specifically has authorized the warrantless search of mail at the border, although some of those provisions place restrictions on the reading of correspondence. See, e.g., 19 U.S.C. § 1583(a)(l) (permitting warrantless search of mail of domestic origin transmitted for export … and foreign mail transiting the United States”)…”
Regular mail to a contact has circumstances where it can be searched:

The expectation that personal correspondence should remain private is centuries old. In the 1750s, for example, Postmaster Benjamin Franklin instituted a policy forbidding postmasters from reading individuals’ letters.

So it is dismaying that the Postal Service, the Inspection Service and the DOJ are not upfront with the public as to when they feel fit to open private mail.

https://www.rstreet.org/2014/11/19/yes-the-government-can-op...

Electronic mail does not enjoy enhanced protections over regular mail. Arguably, as electronic mail is sent through a chain of third parties without an envelope, the expectation of privacy is less.

Email is like postcards: “privacy” depends on being one in a sea of items, and a postal worker averting their eyes.

Something wasn’t squaring between the claims that Apple has already been scanning iCloud Photos for years, that Apple reports hundreds of instances of CSAM while Facebook reports millions, and that Apple knows they have a major CSAM problem. Good to find out the problem was with the first one.

I wonder if the “you know they already do this server-side, right?” people feel the slightest bit chastened.

It definitely makes sense to scan things that are passed around - mail is an example of that, and Gmail [and also Facebook, Twitter] scan for this, along with scanning for computer viruses, and in some cases (public posts) copyrighted content.

It makes absolutely no sense to scan people's photos that they aren't sharing with anyone else. Why are they bothering with scanning people's photo backups at all?

With the exception of "shared photo albums", I don't see why they're doing this.

If I were permitted to put something on your server that could put you in legal jeopardy, wouldn't you want to know what I'm putting on your server?
I'm not sure it would put me (as a provider) in legal jeopardy. You'll need a cite for that, and you don't have one. Providers only need to take action if they have been made aware about it, and are not required to proactively scan.

See [1] 18 USC 2258A, relevant part below.

(f) Protection of Privacy. Nothing in this section shall be construed to require a provider to— (1) monitor any user, subscriber, or customer of that provider; (2) monitor the content of any communication of any person described in paragraph (1); or (3) affirmatively search, screen, or scan for facts or circumstances described in sections (a) and (b).

Or here's another cite in plain English-

... for CSAM, to hold platforms liable, the government would have to prove that they did not take action when they knew federally illegal content was on their sites. The law doesn’t create an obligation for platforms to go out and proactively monitor... [2]

[1] https://www.law.cornell.edu/uscode/text/18/2258A [2] https://freedomhouse.org/article/qa-social-media-regulation-...

Apple doesnt give a shit about the children, this is such a simple and transparent play. If they did, the kids wouldn't still be assembling their phones in China.
“Govt misuse”…Period. The infrastructure of survellience seems to have been laid out for a while. iStasi is a new Apple product.