Will you leave the Apple ecosystem because of CSAM?

[jseymour]

Okay, serious question:

Could Apple enable End to End Encryption without scanning at all? Could they get in trouble for hosting such images if there's no way for them to know if the images are there?

I believe not. (N.B.: IANAL, nor do I play one on TV, nor did I stay at a Holiday Inn Express last night.) The relevant US Code has been posted once-or-twice in this or one of the other on-device CSAM threads.

They are obliged to do something about it if it comes to their attention. They are not required to actively seek it out.

It's like Schrodinger's cat... the photos are both non-existing and existing at the same time. You can't tell because you can't get in to see them.

IOW: They do not, and can not, know what's in their customers' private data stores. What a concept.

I liken it to automobiles and their manufacturers. The auto manufacturers know their products are used to facilitate no end of crime. Speeding, drug trafficking, driving while impaired, child abduction, gun-running, bank robbery, etc. Apple doing this would be like auto manufacturers installing all kinds of illegal-behavior-detecting-and-reporting stuff in their cars. "But if you don't do anything illegal, you have nothing about which to worry," right?

 

[Mendota]

I started watching that video (I didn't finish it), I think he made it before knowing all the facts. He thinks it's only controlled by the NCMEC, but it's not. He also doesn't mention the second server-side check which is a very important step in reducing the likely hood of 30 false positives being submitted for human review.

It boils down to this. If you do not possess any illegal photos, then you WILL have 100% privacy. However, if all the checking was done directly on Apple's servers, then ALL of your photos would be open for review and they could scan for whatever they want or look through your personal photos whenever they want. That seems way less privacy focused to me. Am I wrong?

Yes, you are wrong... The issue that you keep missing is choice. People choose to put their photo and pictures on iCloud or OneDrive etc... If they have something they don't want scanned or viewed. They have the option to not upload it. This scanning if you are synced to iCloud will happen to all your photos or pictures.

 

[zakarhino]

Kinda shocked to see only 15% stand up, 85% embracing big brother… good luck with that…. You actually had the ability to stop it

The problem is how difficult it is to leave the Apple ecosystem, not just because of buy in but also because the only viable alternative is Google, the chieftain of invasive advertising technology.

Imagine if CSAM scanning was implemented on the server side and Apple's software had an option to turn on zero access E2EE for iCloud (thereby making content scanning impossible). Better yet, what if an option allowed you to choose a custom host as your photo backend (local NAS? a VPS running the photo library software?).

Right now the binary for expressing an opinion on this tech is between staying with Apple or leaving (turning off iCloud Photos isn't a realistic option long term as we should all be aware of by now). If instead the decision were between using Apple hosted iCloud Photos or using a custom host that has 100% feature parity with iCloud Photos (which means OS level integration for photo syncing like iCloud) I reckon that 15% would be a lot higher.

I should hope that's an option one day, perhaps when some anti trust laws get passed. Operating Systems shouldn't be a 'take the whole thing or leave it' kinda deal, they should be a lot more modular with open compatibility for third parties as alternatives for things.

 

[zakarhino]

Okay, serious question:

Could Apple enable End to End Encryption without scanning at all? Could they get in trouble for hosting such images if there's no way for them to know if the images are there? It's like Schrodinger's cat... the photos are both non-existing and existing at the same time. You can't tell because you can't get in to see them.

There is absolutely nothing stopping Apple from doing that. No legal requirement. No financial restraints. No technical deficiencies. Nothing. They simply choose not to do it, nobody really knows why. Many services exist that are centered around that "We are literally incapable of reading your data even if we were legally compelled to" sort of idea.

One argument you could make is that data recovery is impossible if you lose your password but that can easily be solved by allowing users to pick between "You're on your own" style zero access E2EE (which means no data recovery in the event you forget your password) or allowing Apple to keep an encrypted backup key that lets them recover your account for you.

This sort of thing already happens on macOS when you enable FileVault encryption. You are given the choice between backing up your encryption key to iCloud (which lets Apple and your iCloud account decrypt your Mac for you in case you forget your mac password) or making a local paper copy of the master encryption key (this is what I do).

 

[dk001]

Okay, serious question:

Could Apple enable End to End Encryption without scanning at all? Could they get in trouble for hosting such images if there's no way for them to know if the images are there? It's like Schrodinger's cat... the photos are both non-existing and existing at the same time. You can't tell because you can't get in to see them.

I am not sure about other countries however at this time in the US, there is no law that says a company must search for this stuff. If they have obtained actual knowledge they must report it to the NCMEC or (there is a list of law agencies).

So Apple could do E2EE and would not ever know.

 

[dk001]

I started watching that video (I didn't finish it), I think he made it before knowing all the facts. He thinks it's only controlled by the NCMEC, but it's not. He also doesn't mention the second server-side check which is a very important step in reducing the likely hood of 30 false positives being submitted for human review.

It boils down to this. If you do not possess any illegal photos, then you WILL have 100% privacy. However, if all the checking was done directly on Apple's servers, then ALL of your photos would be open for review and they could scan for whatever they want or look through your personal photos whenever they want. That seems way less privacy focused to me. Am I wrong?

This was made before Apple clarified some points but I would encourage you to watch it as they have some great discussion on the US law, who pays for NCMEC, and the definition of "private / privacy".

 

[zakarhino]

It boils down to this. If you do not possess any illegal photos, then you WILL have 100% privacy. However, if all the checking was done directly on Apple's servers, then ALL of your photos would be open for review and they could scan for whatever they want or look through your personal photos whenever they want. That seems way less privacy focused to me. Am I wrong?

You are in wrong in two ways. The first that your framing is entirely contingent on a false dichotomy: that scanning will happen regardless, this is not true legally or technically speaking. The second is that this solution means Apple can't "scan for whatever they want or look through your personal photos whenever they want": sorry, but both systems currently mean Apple have access to every single one of your photos, even those that don't get flagged on the system.

Before local CSAM scanning (right now) every single iCloud Photo is accessible by Apple because they have the keys. With local CSAM scanning Apple are still capable of accessing every single one of your iCloud Photos because they still have the keys. There is no difference between the two systems in regards to whether or not Apple can access your photos. Apple's PR statements about local scanning intentionally trick the user into thinking Apple can only access flagged photos that meet the "encrypted ticket threshold" but that's meaningless if they hold the keys that were used to encrypt the photos in the first place. Lots of people defending local scanning are doing so by pretending that this new system means Apple can't access your photos anymore, that's a complete lie unfortunately.

Let's pretend truly encrypted iCloud Photos (with no Apple access) were also rolled out with local CSAM scanning. Sure, maybe the local scanning technique combined with no Apple keys would be more private -- in the same sense that having one of your legs sawed off is preferable to having two legs blown up by an IED. When you say "100% privacy" that's completely wrong, it's more like 10% for the current system vs 15% for the hypothetical system I just described (where Apple have no keys), keep in mind Apple have not announced any intentions to build that hypothetical system.

The only "100%" option is guaranteed zero access E2EE that can be audited by any member of the public at any time, even they you could only really say "100%" and not "99%" if you could guarantee the system is perfect and bug free (impossible).

 

[jseymour]

As I noted in a prior post: There's something else they could do that would yield "nearly" E2EE and still allow them to scan content server-side: Asymmetric (aka: public/private key) encryption.

1. Photos are encrypted with Apple's public key for transport
2. Photos are decrypted at Apple's end with their private key
3. Photos are scanned for CSAM
4. Photos are encrypted with customer's public key
5. Thereinafter, photos can only be decrypted with the customer's private key

Not certain how, of even if, this would work with web browser access to iCloud photo libraries.

I still think Apple ought not be doing this at all, but, personally, I'd find it a lot more tolerable than on-device scanning, which I will not tolerate.

 

[Jayson A]

Yes, you are wrong... The issue that you keep missing is choice. People choose to put their photo and pictures on iCloud or OneDrive etc... If they have something they don't want scanned or viewed. They have the option to not upload it. This scanning if you are synced to iCloud will happen to all your photos or pictures.

What? You still have the option to not upload any of your photos and nothing is scanned if you don’t upload your photos to iCloud. What’s your point?

 

[eltoslightfoot]

I started watching that video (I didn't finish it), I think he made it before knowing all the facts. He thinks it's only controlled by the NCMEC, but it's not. He also doesn't mention the second server-side check which is a very important step in reducing the likely hood of 30 false positives being submitted for human review.

It boils down to this. If you do not possess any illegal photos, then you WILL have 100% privacy. However, if all the checking was done directly on Apple's servers, then ALL of your photos would be open for review and they could scan for whatever they want or look through your personal photos whenever they want. That seems way less privacy focused to me. Am I wrong?

Yes, you are wrong. If it was done on Apple's servers, I could elect not to use the servers.

Although, now that you mention it, I elected not to use Apple's phones any longer, so I guess it worked out the same.

--posted from my Pixel 5a.

 

[zakarhino]

People say zero access E2EE (or at the very least practically not scanning at all which was Apple's previous strategy) will never happen because the government will complain, hence why Apple implemented this system. In other words: because someone with 'inevitably' legally demand Apple build this system Apple should go right ahead and do it themselves now.

I say no. Apple are one of the most powerful companies in the world. I would much rather see them implementing technology that maximizes user privacy and security and THEN making a big public fight against the 'inevitable' legislators that seek to strip away those technologies. If they really cared about privacy this is what they would do, and they would rally their customers around those principles to help with the fight.

 

[eltoslightfoot]

What? You still have the option to not upload any of your photos and nothing is scanned if you don’t upload your photos to iCloud. What’s your point?

Which hackers have already figured out how to mess with and Apple has already been caught messing with icloud emails and, and, and....you take them at their word. I won't.

 

[Jayson A]

The only "100%" option is guaranteed zero access E2EE that can be audited by any member of the public at any time, even they you could only really say "100%" and not "99%" if you could guarantee the system is perfect and bug free (impossible).

I said 100% because in my case, I have nothing even remotely close to being in the NCMEC database, so the chances of 1 match is almost 0, but the changes of 30 false matches, plus make it through the server-side perceptual scan are basically 0. Yes, I realize there’s still a 1 in a trillion chance, but that’s a risk that I’m happy to take if it means taking down child predators.

So if there’s a .0000000000000001% chance that 30 of my innocent photos are viewed by Apple, let them. I’m not scared one bit.

 

[Jayson A]

Which hackers have already figured out how to mess with and Apple has already been caught messing with icloud emails and, and, and....you take them at their word. I won't.

You’re going to have to elaborate. What do you mean hackers have already messed with it? They’ve figured out a way to break into my iPhone and upload photos of mine to Apple?

 

[jseymour]

What? You still have the option to not upload any of your photos and nothing is scanned if you don’t upload your photos to iCloud. What’s your point?

Why do you keep arguing this? It's simple: People. Don't. Want. Scanning. On. Their. Devices. Why do you keep arguing "But...?" There are no "buts." People. Don't. Want. Scanning. On. Their. Devices.

Now you asked "Is Apple responsible if...?" Was that simply a ploy to re-energize this thread so you could again make the same arguments you have been? That people should be ok with be because...? Because, if so, I'll just wander back out again.

 

[zakarhino]

What? You still have the option to not upload any of your photos and nothing is scanned if you don’t upload your photos to iCloud. What’s your point?

People's mental model of Dropbox and OneDrive is that it's a selective "hard drive" you can put stuff on to share with other people. That's reflected in how people use those services too, there is an understanding that it's someone else's hard drive you're choosing to host certain files on. There are also many alternatives in the market to pick from that are mostly the same functionally (they all have desktop and mobile apps, they all let me share files with links) but do not scan your files because they are literally incapable of doing so.

People's mental model of the Photos app is "this is my photo library." There are no alternatives to pick from in Apple's ecosystem that offer the same level of integration what so ever. Asking people to turn off iCloud is essentially asking people to disable the one advantage Apple's ecosystem has over alternative platforms: seamless shared content between all devices. There is no part of the iCloud Photos experience that acts in the same way as Dropbox which lets you selectively pick what files you want to upload; you either upload everything or you upload nothing. You either keep the convenience of the ecosystem or you significantly nerf the abilites to the point of making any form of 'integration' between Apple devices a significant pain in the rear.

Additionally on device scanning means 90% of the work towards always on local scanning (regardless of iCloud status) is already done. At no point have Dropbox, Box, or OneDrive implemented a system that is millimeters away from being able to scan everything on my computer (although, I suspect that's what they already do behind the scenes for analytics purposes. That's why I don't use any of them).

If advocates for local scanning want to base their arguments on something that hasn't happened yet and has no indication of ever happening, i.e Apple removing the ability for them to look at your photos outside of the CSAM flagged ones, then the rest of us against local scanning should feel free to base our arguments on something that hasn't happened yet but has every indication of happening, i.e always on local scanning even with iCloud disabled.

 

[Mendota]

What? You still have the option to not upload any of your photos and nothing is scanned if you don’t upload your photos to iCloud. What’s your point?

Apple has been deliberately vague on this. The system is on your device. It is running in the background. According to Apple the only way to keep it from scanning is to disable iCloud, even here they are not clear. Do they mean iCloud photos sync, or do they mean disable iCloud all together? And again, if it was only about photos being uploaded, why have scanning on the device at all? They could just scan their servers the same as everyone else.

Where you and I differ is this: You choose to believe every word that Apple is telling you as if they never lie or engage in self-serving dishonesty. This is demonstrably false. They have on many occasions lied and misled their users for their own gain. This is a company that purposely installed an update that would slow down otherwise perfectly running phones, and concealed it. They were outed by other tech experts. Then they attempted another lie about why they had done it. After they were forced to stop, there have been no more issues with phones slowing because of so called "battery saving issues".

This is also the company that purposely placed the water sensors on their phones is such a place that they would trip for no reason other than air humidity. This allowed them to deny repair of legitimate issues, by claiming made up "water damage." And to add insult to injury, they would cancel the users Apple care without refund. It took a lawsuit to stop them doing that on the iPhone. They continue to employ this tactic on many of their computers.

So at the end of the day, no I don't just "trust" Apple.

 

[Jayson A]

Apple has been deliberately vague on this. The system is on your device. It is running in the background. According to Apple the only way to keep it from scanning is to disable iCloud, even here they are not clear. Do they mean iCloud photos sync, or do they mean disable iCloud all together? And again, if it was only about photos being uploaded, why have scanning on the device at all? They could just scan their servers the same as everyone else.

Where you and I differ is this: You choose to believe every word that Apple is telling you as if they never lie or engage in self-serving dishonesty. This is demonstrably false. They have on many occasions lied and misled their users for their own gain. This is a company that purposely installed an update that would slow down otherwise perfectly running phones, and concealed it. They were outed by other tech experts. Then they attempted another lie about why they had done it. After they were forced to stop, there have been no more issues with phones slowing because of so called "battery saving issues".

This is also the company that purposely placed the water sensors on their phones is such a place that they would trip for no reason other than air humidity. This allowed them to deny repair of legitimate issues, by claiming made up "water damage." And to add insult to injury, they would cancel the users Apple care without refund. It took a lawsuit to stop them doing that on the iPhone. They continue to employ this tactic on many of their computers.

So at the end of the day, no I don't just "trust" Apple.

They weren’t vague about it at all. They said it’s completely disabled if you do not upload photos to iCloud. If you turn off iCloud Photo Library, no scanning takes place. Simple as that.

“Does this mean Apple is going to scan all the photos stored on my iPhone?

No. By design, this feature only applies to photos that the user chooses to upload to iCloud Photos, and even then Apple only learns about accounts that are storing collections of known CSAM images, and only the images that match to known CSAM. The system does not work for users who have iCloud Photos disabled. This feature does not work on your private iPhone photo library on the device.”

https://www.apple.com/child-safety/...s_for_Children_Frequently_Asked_Questions.pdf — page 4

 

[Mendota]

They weren’t vague about it at all. They said it’s completely disabled if you do not upload photos to iCloud. If you turn off iCloud Photo Library, no scanning takes place. Simple as that.

“Does this mean Apple is going to scan all the photos stored on my iPhone?

No. By design, this feature only applies to photos that the user chooses to upload to iCloud Photos, and even then Apple only learns about accounts that are storing collections of known CSAM images, and only the images that match to known CSAM. The system does not work for users who have iCloud Photos disabled. This feature does not work on your private iPhone pho- to library on the device.”

https://www.apple.com/child-safety/...s_for_Children_Frequently_Asked_Questions.pdf — page 4

I love how they call spying a "feature". A classic example of Apple "gaslighting."

 

[dk001]

You are in wrong in two ways. The first that your framing is entirely contingent on a false dichotomy: that scanning will happen regardless, this is not true legally or technically speaking. The second is that this solution means Apple can't "scan for whatever they want or look through your personal photos whenever they want": sorry, but both systems currently mean Apple have access to every single one of your photos, even those that don't get flagged on the system.

Before local CSAM scanning (right now) every single iCloud Photo is accessible by Apple because they have the keys. With local CSAM scanning Apple are still capable of accessing every single one of your iCloud Photos because they still have the keys. There is no difference between the two systems in regards to whether or not Apple can access your photos. Apple's PR statements about local scanning intentionally trick the user into thinking Apple can only access flagged photos that meet the "encrypted ticket threshold" but that's meaningless if they hold the keys that were used to encrypt the photos in the first place. Lots of people defending local scanning are doing so by pretending that this new system means Apple can't access your photos anymore, that's a complete lie unfortunately.

Let's pretend truly encrypted iCloud Photos (with no Apple access) were also rolled out with local CSAM scanning. Sure, maybe the local scanning technique combined with no Apple keys would be more private -- in the same sense that having one of your legs sawed off is preferable to having two legs blown up by an IED. When you say "100% privacy" that's completely wrong, it's more like 10% for the current system vs 15% for the hypothetical system I just described (where Apple have no keys), keep in mind Apple have not announced any intentions to build that hypothetical system.

The only "100%" option is guaranteed zero access E2EE that can be audited by any member of the public at any time, even they you could only really say "100%" and not "99%" if you could guarantee the system is perfect and bug free (impossible).

One point of interest; Apple's appears to have created a new definition of privacy. It has become, according to Apple, if you have nothing to hide, no one will know so you are still private instead of the current definition. Privacy is now "You + Apple" instead of "You". While the last sentence is mine, the context is from Erik Neuenschwander, Apple's privacy chief.

So I guess under the new Apple Privacy definition, it is "more" private.


Wonder what the revised EULA will read like?

 

[dk001]

Prediction:
If this goes live, someone will sue under the 4th.
AND
Someone caught with CSAM will sue under (__fill in the blank__).

 

[Jayson A]

One point of interest; Apple's appears to have created a new definition of privacy. It has become, according to Apple, if you have nothing to hide, no one will know so you are still private instead of the current definition. Privacy is now "You + Apple" instead of "You". While the last sentence is mine, the context is from Erik Neuenschwander, Apple's privacy chief.

So I guess under the new Apple Privacy definition, it is "more" private.

You should never assume privacy when uploading content to someone else’s server, but it’s a lot more private than they had to make it.

If they have to do it, this is the way I’d want it to be done. I won’t stop using iCloud in fear. I’m gonna continue doing what I’ve always done and I won’t have to have my privacy invaded. That’s just how it works.

 

[dk001]

You should never assume privacy when uploading content to someone else’s server, but it’s a lot more private than they had to make it.

If they have to do it, this is the way I’d want it to be done. I won’t stop using iCloud in fear. I’m gonna continue doing what I’ve always done and I won’t have to have my privacy invaded. That’s just how it works.

You apparently are good with the new Apple definition of privacy?
Okay.

 

[Jayson A]

You apparently are good with the new Apple definition of privacy?
Okay.

I’m more okay with it this way than having all of my photos unencrypted yes.

 

[nickdalzell1]

I don't understand this whole 'shared photos across devices benefit of the cloud' everyone here talks about. All my tablets and smartphones have the same photos and music--mere copies of what's on my NAS that I copied over the day of activation. Everything's the same, no cloud needed! Open up Gallery, there they are. Open up Music, there they are.

The funny part is that since 90% of the stuff runs from my phone and not via the Internet, I can get about three days of battery life out of my S20 FE. Nothing syncs except email.