University Researchers Who Built a CSAM Scanning System Urge Apple to Not Use the 'Dangerous' Technology

[Mac4Mat]

The Bill of Rights (the 10 first amendments) has never restricted private citizens or companies. Originally it only restricted the power of the federal government and it wasn't until the 1920's it started to be applied to the individual states.

A private search has never been a violation of the 4th amendment since a privat party is not the federal government or an individual state or its representative. It might be trespassing and maybe even a form of breaking and entering.

Apple can't break the 4th amendment and as long as they ask for permission before scanning, they won't be trespassing either.

Nothing in the cases you refer to changed the legal status of Apple searching customer's photos.

The question with these cases were what kind of warrantless search can the government perform on the basis of information from a private search. None of these cases would have happened if law enforcement agency (or their agents) had gotten a warrant prior to performing a search.

Hans why have you done a 360 and misquoted my comment. Look at the whole post of mine and even the part comment of mine you quoted you will see it never spoke about restricting private citizens, it explained they were effectively exempted them from the conditions under the 4th AMENDMENT as they did not constitute a government search, but a private search, and I even posted the 4th wording showing that.

"A private search has never been a violation of the 4th amendment since a privat party is not the federal government or an individual state or its representative. It might be trespassing and maybe even a form of breaking and entering."

NO DISAGREEMENT. This is why I posted it?

Apple breaking the 4th Amendment? Where did that come from? No mention of that in my post?

It specifically gave the reasons why Apple and others were NOT breaking the 4th, because I even posted the wording showing it did not include PRIVATE parties?

In fact if you had read the court case in there instead of suggesting the opposite, you would note that it was ruled in court that NCMEC was in the case I posted ruled NOT to be a government agency.

Surprised you turned it around and put in comments not even in my post as if you answering comments I never made and in cases the opposite of what I had made?

It is quite clear this is arm twisting of Apple and others, by using the loophole of private parties, because if it was a government agency doing it, it would be against the 4th.

Under these circumstances it looks clear it is a way for governments/dictators/etc. to engage in plausible deniability yet having a backdoor in Apple systems, and you only have to look at some of the actions with regards Chinese requirements to understand that.

I'm still not against iCloud being used, but vehemently against the intrusion of our hardware being used, let alone being used by such machiavellian juggling of privacy laws, especially those in the name of child abuse and child pornography, where it will endanger these kids more now that the whole world has been made aware of hash checks on OUR hardware, and if you or anyone else things these people will not take evasive action, making it harder for the Government Agencies involved, you are living in cloud cuckoo land.

This in my opinion was done for one thing and one thing only and in the name of tackling child abuse and that was to initiate the reasons for a backdoor on your hardware and it will not be iPhone only in my opinion, it will span the whole range of products.

Some queried my estimation of hash database size extent, with some suggesting it was only 200,000 hashes, but where one of my original concerns was that even on an operational basis using just the NCMEC database was of no value, and where Apple has now addressed that hence increasing the database size, and the overhead on owners hardware, and where even this will need updating daily or weekly to be of value, but where again I'm not against this being an iCloud function, as its Apple's servers or contracted to Apple, but I am totally against the imposition of this on USERS hardware, because it is a backdoor, and the potential for abuse is immense.

I am still of the opinion this was done to create a backdoor by bending the 4th Amendment, bending the ear of Apple and others, like the Chinese appear to have done, and thereby avoiding breaches of the 4th Amendment, and to that end it is much more sinister than the altruistic excuse its to fight child abuse.

"The tech giant will now only flag images that had been supplied by clearinghouses in multiple countries and not just by the US National Center for Missing and Exploited Children (NCMEC), as announced earlier."

I hope Tim looks at more of my concerns, and addresses those also by NOT having hash software which is not a user request, not a user choice, and not even asking a users permission of what goes on in their own hardware, where whatever some suggest the operative word is SURVEILLANCE and a backdoor, becuase the specifics of the hashes are far subordinate to the big concern of a backdoor that can and no doubt will be used.

Governments have now cottoned on to the fact they can have a backdoor and checks on anything by using private parties to undertake such searches, and where there is no law compelling Apple to put this software on hardware we own, none at all.

Apple are choosing to do this, but in my opinion with leverage to make them.



It may be you genuinely misunderstood my post, and I accept it as that but it materially mis stated my post.

 

[Krizoitz]

What's different here is that it never reported the contents to anyone but you. This is an obvious and salient point. Tell your astroturf manager that we know about this and it's not relevant.

It’s 100% relevant since people have been freaking out about the mere fact that Apple is suddenly scanning the content of photos.

BTW, I’ll cut you some slack since you’re a newbie, but making false accusations like the one about astroturfing is frowned on by the moderators.

Um, yes it does. It enables a new framework to bypass the very difficult to intercept end-to-end encryption. Apple can't break iCloud encryption no matter what laws get passed. Now they have no excuse not to comply with new kinds of requests that involve on-phone scanning.

No it doesn’t. There NEVER
was end to end encryption on iCloud photos. This bypasses nothing. And if China passed a law that said Apple couldn’t encrypt photo uploads (or anything) they could do that to. The only thing stopping Apple from giving in to such laws is Apple. The CSAM system does nothing to change that situation.

Maybe on-phone scanning is more complicated that simply ditching encryption or building in a back door, but its not difficult once the framework is in place.

Since the entire tool is built around this specific database, it is more difficult, but the point is if Apple wanted to build an easy backdoor they could have. Taking a FAR narrower approach that targets one specific category is demonstrating they aren’t going to simply bend over and do what some power mad government demands. If they were they could have done that already.

Funny you should say that.

Why is it funny to point out that nothing has changed in regards to what authoritarian regimes could try to do? The CSAM system in no way makes that any easier or more likely. Those attacking Apple on this front are being completely illogical.

Calm analysis and actual facts objectively indicate that Apple's plan is intrusive, contrary to previous stated policies regarding privacy, and opens a door for abuse.

Clearly not since your “analysis” involved making statements that were trivially proven as false, and you had to throw in an ad hominem attack for no reason. You’ve helped to prove my points, thanks.

 

[orthorim]

The solution to this is simple - Clear Phone.

I'm working with a bunch of people who kept telling me Apple is evil, and I always disagreed and obviously have lots of Apple devices, but now... I have to say, "ok, yes, they've turned over to the dark side now, I can't deny it."

Clear Phone is my next phone.

It's based on Android with Google services removed, it has its own app store which is decentralized and censorship proof, it encrypts everything and protects your privacy, and it's a high end phone.

Will it be as good as iOS - no it won't but other considerations are more important now.

Sad but... it's a good time to leave, with iPhone 12/13 the ugliest ever iPhones, with the 5G BS, with the mask insanity at Apple stores. And Apple getting into "health" which likely means they'll join the ranks with Microsoft and Google in order to keep people sick and on subscription medicines for life. "You need our devices to be healthy" - no thanks.

If you think it's an exaggeration - not from my vantage point, it unfolds like a slow motion train wreck. It's exactly where this is going.

This CSAM scanning business puts Apple in a position where it can't say no.

If they say they will "deny any such request from governments" I almost laughed out loud.

That's a straight faced lie.

Apple can't afford to deny a request from the Chinese government! It's impossible; China has all the power and apple has none. In the USA, it also can't deny a request from government - not over the long run, although in the USA they can still engage the courts; but that won't last long. Ultimately, everything that is controlled by Apple is also controlled by the Chinese, Indian, Russian, and US governments.

Apple has already removed many apps from the app store on request from China. Because the CCCP didn't like those apps. Because these apps were used by freedom fighters, excuse me, domestic terrorists of course.

 

[hans1972]

This is what Rene Ritchie suggested: an intermediate relay server that does the CSAM check/reporting before sending the file to iCloud.

The only problem is cost. If this on-client scan is a way to save money by carrying out the check on the phone, then this isn’t going to help.

Then you would introduce a third-party which can see every photo going to iCloud.
Would people trust such a third-party?

 

[09872738]

with the 5G BS, with the mask insanity at Apple stores.

? What do you mean?

 

[cupcakes2000]

There is LineageOS, which is the base Android Operating System, which is open source. It's available for a variety of Android hardware platforms. It is essentially de-Googled Android. There's another project, but I cannot recall its name.

The original de-Googled Android was the CyanogenMod project. (LineageOS is a fork of that.) I ran CyanogenMod on my old Samsung tablet. It removed all the unnecessary Google and Samsung bloatware and intrusionware, but still gave me the rest of the Android experience.

In fact: A phone running an independent AOS distribution is arguably a great deal more private and secure than even an iOS device pre-CSAM-scanning. It's open source. That means many eyes see the actual source code that goes into the binary builds. If something nefarious gets stuffed in there, it doesn't take painstaking reverse engineering to find it and figure out it's there and what it does. It's immediately apparent. And almost certainly just as quickly removed. (And whomever put it there removed from access to the source code repository.)

ETA: It just occurred to me: I've essentially "lobotomized" my Apple Watch, anyway. If I can have the functionality I now have (essentially: date & time, notifications, and heart rate monitoring is all it's doing now) with it linked to an AOS install, maybe I'll keep it? I'm going to look into this.

ETA2: Whoops! A non-starter. So, once I leave the iPhone and iPad behind, the Apple Watch will be history, too. Too bad ¯\_(ツ)_/¯

LineageOS's April Fools' Day gag was neither funny nor timely (Update: LineageOS team apologizes)

Update: The LineageOS team has issued an apology following its misjudged April Fools' joke from last week.

www.androidauthority.com

Yeah, well trustworthy.

 

[bobcomer]

Then you would introduce a third-party which can see every photo going to iCloud.
Would people trust such a third-party?

It wouldn't be a third party unless Apple outsources it, it would just be another Apple server that's job would be to do it, but yes, I'd trust that more than on device scanning. (which is not hard since I don't trust on device scanning at all.)

 

[bobcomer]

? What do you mean?

Most 5G us normal people can get is what should be called 5G ready, it's not really any different than LTE speed-wise. If you live in a big city with real 5G, then it's good -- if you data cap isn't sucked up immediately!

My new Samsun Flip has all the 5G bands, but where I live, no way I'm going to see high band 5G anytime soon. (years)

 

[hans1972]

Hans why have you done a 360 and misquoted my comment. Look at the whole post of mine and even the part comment of mine you quoted you will see it never spoke about restricting private citizens, it explained they were effectively exempted them from the conditions under the 4th AMENDMENT as they did not constitute a government search, but a private search, and I even posted the 4th wording showing that.

I am disagreeing with these two statements:

"However the 4th Amendment interpretation is rather different to how it was envisaged when it was created, and where the USA and no doubt other countries have found a way to circumvent privacy laws, so they can shout from the rooftop about safeguarding privacy, whilst driving a coach and horses through it, FOR ANY PURPOSE, so its not about child abuse."

"With regards to the USA they are doing this because the 4th Amendment after Court rulings decided that you can circumvent the privacy enshrined in the 4th Amendment because they deem it ONLY APPLIES TO GOVERNMENT ACTION BUT DOES NOT CONSTRAIN PRIVATE PARTIES"

The 4th amendment was envisaged to only apply to the federal government in 1791.
The 4th amendment was envisaged to not apply to private companies, both in 1791 and in 2021. Nothing has changed.

No court rulings can have decided that the 4th amendment only applies to government actions since it has been that way since 1791.
No court rulings can have decided that the 4th amendment doesn't constrain private parties (including private search) since it has been that way since 1791.

At best these court cases can only have confirmed a long standing practise.

The cases you refer to have dealt with the issue of how much search a government party can do after a private search before needing a search warrant.

NCMEC was considered a government agent in United States vs. Ackerman.

 

[jseymour]

It’s 100% relevant since people have been freaking out about the mere fact that Apple is suddenly scanning the content of photos.

"Freaking out." Gotta love the way Apple's defenders refer to people who have legitimate concerns about what Apple plans to do. They're "freaking out." They're "entitled." They don't care about the welfare of children or are even pedophiles.

No it doesn’t. There NEVER was end to end encryption on iCloud photos.

Correct. So why not just continue not having E2E encryption on iCloud photos and scan them before encrypting them into storage?

Or, if clear transit is felt to be the problem, improve the transfer protocol to embed a private key in the data stream, encrypt them with an Apple-decryptable key, decrypt at the cloud end, scan, encrypt with the embedded user's public key. Thereinafter they could only be decrypted by their owner. Voilà: Secure and private, end-to-end. Easy, peasy.

For further security: Have the software that sends the photos off to iCloud digitally sign them with the users private key, first. That way it could be confirmed by both Apple and the user the photo or photos were never tampered with in-transit.

Yeah, well trustworthy.

Yeah, because somebody making an ill-conceived joke is on the same order as invading their privacy. Oh, wait: Are you suggesting this plan from Apple is really a badly-timed, ill-thought-out joke?

 

[pdoherty]

I mean for crying out loud, misgendering somebody gets you banned off Twitter even if it happened "off the platform", but the literal Taliban that kills homosexuals is still on twitter for some reason.

QFT - an excellent point.

 

[cupcakes2000]

Yeah, because somebody making an ill-conceived joke is on the same order as invading their privacy. Oh, wait: Are you suggesting this plan from Apple is really a badly-timed, ill-thought-out joke?

well, no. What it actually is is the creators of the os updating the os it included so called jokes. Injecting the os with os level warnings which are false and can be whatever whim the dev fancies - This is a massive invasion of privacy, and shows that regardless as to whether the source is opened, it still needs to be checked personally, or else the argument is irrelevant.

 

[VulchR]

Though they present established credentials does that have meaning again? I would like to think so. In this particular case however they write with hyperbole and drama not typical of scientific commentary. Shrugs. People like to trot out the experts when convenient, but in the end, get a 1000 PhDs together, you will get a 1000 opinions. I am not talking out of turn, I have one myself. It's like the Bible, you can always find a quote to support your position. Its not what one person says, but what most people are saying. Anyway, technology can rarely be turned back. We can complain, but we should prepare to deal with it.

And the number of qualified experts publishing commentary in favour of this lunacy is?

 

[jseymour]

well, no. What it actually is is the creators of the os updating the os it included so called jokes. Injecting the os with os level warnings which are false and can be whatever whim the dev fancies

You obviously don't know how open source works, so perhaps it would be wise for you to refrain on commenting upon it?

- This is a massive invasion of privacy,

Oh? And just how was that an "invasion of privacy?" Were they snagging end-user data? Scanning their devices? Please share.

and shows that regardless as to whether the source is opened, it still needs to be checked personally, or else the argument is irrelevant.

Like I wrote, above: You clearly don't know what you're talking about. Please stop. (And, yes: I actually do know what I'm talking about. In fact I still have code in Linux distros--and perhaps even a few lines in a FreeBSD distro [I don't recall].)

 

[jseymour]

And the number of qualified experts publishing commentary in favour of this lunacy is?

Zero, so far. I've asked at least three times, of different Apple defenders in different threads, to come up with at least one that supports this lunacy.

I'm still waiting.

 

[jk1221]

What makes you think there is such a thing as a generic pot photo hash? The hashes are for very specific photos and the nice independent researchers have already shown how easy it is for the photos that are being specifically searched for to be missed.

That was not the point at all. It is Apple's database of hashes. They can CHOOSE, themselves or based on government influence, to add hashes of other photos to that library (rugs, terrorism, anti-gov, etc) to check against.

Sure it is donated from NMEC only, for now.... THERE is the slipper slope argument everyone is making. What happens when a dictatorship like China comes in and says we want to scan for anti-gov images add these hashes or you cant sell your phones here?

You foresee Apple walking away from the biggest (or 2nd to India I cant remember off-hand)market in the world? Me thinks not.

 

[cupcakes2000]

You obviously don't know how open source works, so perhaps it would be wise for you to refrain on commenting upon it?


Oh? And just how was that an "invasion of privacy?" Were they snagging end-user data? Scanning their devices? Please share.


Like I wrote, above: You clearly don't know what you're talking about. Please stop. (And, yes: I actually do know what I'm talking about. In fact I still have code in Linux distros--and perhaps even a few lines in a FreeBSD distro [I don't recall].)

I don’t know what I’m talking about about because I say even open source can’t be trusted unless it’s verified preferably by yourself but you do becuase you put a few lines of code in somewhere you don’t recall. Gotcha. 👍

 

[cupcakes2000]

Oh? And just how was that an "invasion of privacy?" Were they snagging end-user data? Scanning their devices? Please share.

It’s a hypothetical potential for invasion of privacy. Just like this whole argument is based around a hypothetical invasion of privacy by Apple.

 

[scvrx]

I don’t know what I’m talking about about because I say even open source can’t be trusted unless it’s verified preferably by yourself but you do becuase you put a few lines of code in somewhere you don’t recall. Gotcha. 👍

Hey. I am loving your way of thinking. You are right. FOSS can't be trusted. But mutual interest of community can. So if someone is finding something, he is not "protecting his stock investment" or "validating an expensive purchase". He or she shares "the findings" and voila - since you as an user have full software access you put the effort and fix your stuff.
Mind you, this is on a middle level user skills.
The really serious people are building their systems with compilation.
Do you know what is this? https://en.wikipedia.org/wiki/Darwin_(operating_system)
This was the foundational reason to work on MacOS in the past. Now not anymore.

 

[jseymour]

What makes you think there is such a thing as a generic pot photo hash?

Theoretically speaking, they could stuff just about whatever signatures they wanted in there. There's disagreement as to the potential efficacy of such things as drugs, firearms, social settings, etc.

 

[cupcakes2000]

Hey. I am loving your way of thinking. You are right. FOSS can't be trusted. But mutual interest of community can. So if someone is finding something, he is not "protecting his stock investment" or "validating an expensive purchase". He or she shares "the findings" and voila - since you as an user have full software access you put the effort and fix your stuff.
Mind you, this is on a middle level user skills.
The really serious people are building their systems with compilation.
Do you know what is this? https://en.wikipedia.org/wiki/Darwin_(operating_system)
This was the foundational reason to work on MacOS in the past. Now not anymore.

Yes I know what Darwin is.

Do you realise that Apple have stated that the code for this new function will be independently audited? I mean - it’s not open source, so one can never truly know (should one have the skills to deal with such things), but the most respectable pirvacy software that’s already open source still does strive for an independent audit - bitwarden for example. It’s pretty transparent if so.

 

[jseymour]

I don’t know what I’m talking about about because I say even open source can’t be trusted unless it’s verified preferably by yourself but you do becuase you put a few lines of code in somewhere you don’t recall. Gotcha. 👍

A wise individual, when they've dug themselves into a hole, realizes it and stops digging

IIRC, I contributed some code to a FreeBSD firewall project. I've been retired for four years and that would have been a couple years before that. So I do not recall. That doesn't mean uncontrolled code went into the project. I was not on the project team, much less in a project management role, so it wouldn't have been my call as to whether or not to commit it, in any event.

Like I wrote, earlier: You really do not understand how open source projects work, so perhaps you ought to stop digging.

 

[jseymour]

It’s a hypothetical potential for invasion of privacy. Just like this whole argument is based around a hypothetical invasion of privacy by Apple.

It's not even remotely a hypothetical invasion of privacy. Good grief This is bringing "reaching" to a whole new level. What next: "They both use software, so it's the same thing?"

 

[cupcakes2000]

A wise individual, when they've dug themselves into a hole, realizes it and stops digging

IIRC, I contributed some code to a FreeBSD firewall project. I've been retired for four years and that would have been a couple years before that. So I do not recall. That doesn't mean uncontrolled code went into the project. I was not on the project team, much less in a project management role, so it wouldn't have been my call as to whether or not to commit it, in any event.

Like I wrote, earlier: You really do not understand how open source projects work, so perhaps you ought to stop digging.

People chuntering on about so called professional credentials on the internet, to specifically prove they’re somehow better and more knowledgeable about someone they know nothing about at all, is frankly embarrassing.

 

[Mega ST]

I am just a lowly user and dislike it too. The invasion of privacy is happening quite practical (not hypothetical) as you update whenever you leave iCloud on. And before that because you get their search database force installed anyway.