Meh. Dropbox and Google Drive can run arbitrary queries over your files stored there. iCloud (assuming they finish the e2ee transition) will have to push the same hashes to everyone. It's not transparent and we don't have a way to inspect what exactly they are searching for, but at least there's a way in principle to reverse engineer the algorithm and to monitor how often the hash database gets updated.
In my book that's a step in the direction of privacy, compared to the old status quo.
> Meh. Dropbox and Google Drive can run arbitrary queries over your files stored there.
However, unlike with Apple's invasive on-device scanning, you can encrypt files before storing them at Dropbox or Google Drive. There are even simple turnkey solutions like Sookasa:
"Sookasa acts as a transparent layer over Google Drive to encrypt your sensitive files on the cloud and across connected devices..." https://www.sookasa.com/GD
"Sookasa protects data both on devices and in the cloud, and decouples the data from the encryption keys, meaning your data stays secure no matter where it goes." https://www.sookasa.com/dropbox-security/
In an alternative universe where they built a remotely updated database, yes. But that’s not this universe.
I’m going to go further and say that people are doing a very bad job articulating why the incremental privacy risk of the scheme is significant, over the always-existent privacy risk of a proprietary vendor updating software they entirely control to scan data uploaded to a cloud service which guarantees no protection from vendor access. A later software update to include more hashes or whatever could always regress privacy.
One is a proprietary third-party, optional service acting against you, the other is your own device acting against you. That's the difference and it should be pretty easy to understand.
They also could embed the whole database into iOS and activate certain hashes only for certain iCloud accounts. No one would know because the database is encrypted multiple times.
They could do a lot of things. They’ve told us what they do. It’s not this. The FAQ released yesterday specifically says that users cannot be targeted.
> The same set of hashes is stored in the operating system of every iPhone and iPad user, so targeted attacks against only specific individuals are not possible under our design.
The problem with this sentence is that Apple assumes that they can't target specific individuals because every iPhone and iPad user has the exact same database in their iOS device.
But what if they have a hash in the database where they know that only one person has this exact image on their device? This way you could single out one individual with the same database.
This is a better way to frame the discussion, IMHO.
The conversation is around Apple, which is critical, but we need to compare them to the rest of the industry, and discuss the government/citizen tradeoffs in that light. I.e., holistically, not per company.
True. The constant migration of everything to the cloud has lots of consequences just like this. If false positives are as common as the FotoForensics guy states, this could also become a new weapon for corporate warfare. A small competitor to a market Apple wants to control happens to have assets stored in an Apple cloud? Guess whose offices are getting raided today?
That is indeed what the article does, does it not? It makes the case that storing online with a decryption key that can be used with a search warrant is probably the right trade-off, and the way other companies sometimes implement this.
Then you get to choose whether to push your data to the third party or not, given the risks involved.
The author even notes they were opposed to Facebook's end-to-end encryption previously, I assume because as for defaults it sets a precedent and makes it unsearchable, but I'm not sure the specific tradeoffs they weigh and points they consider since it's behind a paywall (and I'm not sure I agree).
> discuss the government/citizen tradeoffs in that light. I.e., holistically, not per company.
Right now the differences are essentially per-company, since we've let our experiences be controlled almost entirely by a small subset of companies. To abstract the implementation from the primary implementer is to obfuscate some of the cause and effect here. We should discuss this as a societal tradeoff, as you note, but we should not ignore that this was spurred by a company running out in front of what was required of it and implementing this system which many see as at the expense of their users' privacy.
> You get to choose whether to push your data to Apple and trigger the scanning with their solution too.
That's purely an implementation detail, and subject to change at any time. That's why people are upset.
One solution is limited to you actually pushing your data off your private device, the other is limited to a list of items you say you want to push off your device, but actually happens on your device.
That's the difference between someone searching a large warehouse in which you and many others have stored belongings, and someone coming into your house and searching through your items freely as long as they're on the list.
Beyond the difference in privacy that search entails fundamentally, people are very worried that the list itself is limited only by policy, and truly, the search of items on that list has full access to your private details but for the grace of those performing the search and controlling the list.
The key escrow option is strictly worse than the current implementation, but it is also naturally constrained and the exposure is entirely user controlled. If you do not put data online in that situation, there is no way for them to process it without first exfiltrating it, which we already have laws and systems in place to hamper.
> That's purely an implementation detail, and subject to change at any time.
That’s an evergreen complaint. If they want to introduce a general purpose scanning mechanism they can do so at any time. This is not that.
> That's why people are upset.
I don’t think so. I think they are upset because they don’t like the fact that Apple has any power over them and this reminds them of that even though it is not in fact an abuse.
I actually agree with this, but I don’t think that claiming Apple’s implementation to be something it is not is helpful.
The key escrow solution is strictly worse in any future. If key escrow becomes established as a norm between cloud providers and law enforcement, then no free alternative will ever be possible.
> The key escrow solution is strictly worse in any future. If key escrow becomes established as a norm between cloud providers and law enforcement, then no free alternative will ever be possible.
I don't think that's true. Systems or programs to encrypt locally before pushing up to a shared platform are possible and currently in use. Those that want that additional security have recourse to get it. Alternatively, people could run their own cloud sync instances (also already available in some forms). This puts the control in the users' hands (don't sync to cloud, pre-encrypt to shared cloud, or do some personal sync thing), while also setting a clear precedent of what is acceptable on users' personal devices.
The problem here is that this implementation really has nothing to do with cloud sync. Apple has currently linked it to whether you're pushing that data to iCloud, but that's an arbitrary distinction. In the world without iCloud, they could make it scan any media that was sent across the network. The iCloud distinction is entirely arbitrary, which is why people are not satisfied with it. There is nothing beyond promises to keep it that way, and promises are less binding than laws and national security letters.
> The problem here is that this implementation really has nothing to do with cloud sync.
It is built into the photo uploading mechanism and only scans photos in a very narrow way that can’t be twisted into generic scanning.
> they could make it scan any media that was sent across the network.
Definitely false. It cannot match anything except photos in this very narrow way.
> There is nothing beyond promises to keep it that way,
Not true. The mechanism cannot be used as a general purpose media scanner.
What is true is that Apple could add a general purpose scanner in future, but it wouldn’t leverage this mechanism, and their potential to add arbitrary spyware has always been there and is not changed by this.
I don’t keep child porn on my phone (or anywhere else). I also don’t keep smallpox in my freezer or nuclear weapons in my basement. Noninvasive scans for these things probably make the world a better place in some ways.
The part I object to is having my life disrupted by having my personal accounts unilaterally deleted by a fucking buggy bot. Our phones are too important to us to just have them shut off without notice. That’s bullshit.
Is a picture of a naked kid going to trigger this algorithm?
In a few places taking pictures of your child naked while swimming is considered child pornography. Other places having children run around naked on the beach is the norm. (I have a few pictures of me, at 3y/o, naked on the beach)
In the world of remote medicine, can a parent take pictures of their naked child to send to a doctor?
How are they going to fit their cultural specifics to the world?
Knowing how Facebook dealt with it - they are going to apply the strictest rules, so no naked child photos are allowed on your iPhone anymore. For no reason.
Who do I call (and how do I call them) if the person agrees with the automated false positive and disables my account/phone and reports me to the police? Just being accused of having CSAM is ruinous. What's my recourse if there's an innocent bug in their system that reports me to the police?
I was at Apple for more than a decade and a half. I saw an untold number of Michael Bolton bugs [0]. It's one thing when a bug causes a dropped frame in a video or a menu takes a tenth of a second too long to appear. It's another when it ruins your life and bankrupts you defending yourself.