Yes, there seems to be a lot of conflation between the two separate systems (in the media, and in comments on here).
As you say, it’s important to be precise, otherwise people won’t take your arguments seriously. To summarise:
One system involves hash checking. This is performed when photos are being uploaded to iCloud. The hashes are calculated on-device. Private set intersection is used to determine whether the photos being uploaded match anything in the CSAM hash list. Photos that match will be reviewed manually - if I recall correctly, this only occurs after a certain threshold has been reached. This system will only match known CSAM (or whatever else is in the hash list).
The second, independent, system, is a machine learning model which runs on-device to detect sexually explicit photos being received on Messages.app. This system is designed to be run on children’s phones. The system will hide these explicit images by default, and can be configured to alert parents - that feature is designed for under-13s. This system doesn’t use the CSAM hash list.
Based on my reading, the first system is interesting in that the threshold is also cryptographically determined. Each possible hit forms part of a key, and until a complete key is made none of the images can be reviewed.
Should also be noted the second system sends no images to Apple or is reviewed by Apple employees in any way. It's just using the same on device ML that finds dog pics for example.
I think Apple PR screwed up here announcing all these features at once on one page, and not having the foresight they would be conflated. It also didn't help that a security researcher leaked it the night before without many of the details (iCloud only for example).
Context should also be included. CSAM has been happening for years on most (all?) photo hosts, and is probably one of the blockers to full E2E encryption for iCloud photos (I so hope that's coming now!).
Finally, nothing has really changed. Either iOS users trust Apple will use the system only as they have said or they won't. Apple controls the OS, and all the 'what if' scenarios existed before and after this new feature. As described, it is the most privacy preserving implementation of CSAM to date.
Moreover, it was found that in US v. Ackerman that the NCMEC's inspection of a user's private email was an unlawful violation of their fourth amendment rights specifically because AOL passed along the email based on a hit against the NCMEC database without inspecting it. Had AOL inspected it than the repetition of the inspection by NCMEC would simply be a repetition of the search performed by AOL which was permitted under their contract with the customer.
Not only does Apple state that they will "review" the images, they must do so in order to deprive the user of their forth amendment protection against unlawful search by the government.
> and is probably one of the blockers to full E2E encryption for iCloud photos
Apple is free to provide encryption and they are choosing to not do so.
I was referring the second system mentioned by the parent. NOT the CSAM system. Conflating these systems has been huge issue with the random articles coming out. They are distinct.
From the GP
> The second, independent, system, is a machine learning model which runs on-device to detect sexually explicit photos being received on Messages.app. This system is designed to be run on children’s phones. The system will hide these explicit images by default, and can be configured to alert parents - that feature is designed for under-13s. This system doesn’t use the CSAM hash list.
> Apple is free to provide encryption and they are choosing to not do so.
Sort of. They cited the FBI a few years ago when they put the brakes on adding E2EE to everything. It would also create a huge target for legislation, 'Apple is helping CP people - think of the children!' The new method of CSAM will let Apple add E2EE, and fight off calls for legislation.
I fully agree that some people are conflating the imessage nudity detection to the detriment of the public dialog. Though I think there are also problems with imessage, including the fact that minors are not completely devoid of civil rights relative their parents, that the same mechanisms could be easily retargeted against adults (with some dictatorships taking on the role of the parent accounts), and that doing so normalizes our children to a pervasive electronic surveillance... I think it is a substantially different matter and one of less concern.
I don't think I agree on the "sort of"--
It is unambitious the effective law in the US, established in court, that if the tech company scanning is a product of government coercion than the scanning cannot be performed without a warrant.
In Ackerman Google went out of their way to testify that they were not being coerced by the government, but were scanning out of their own commercial interest (to avoid a public loss of reputation for hosting child porn on their systems).
If Apple wants to defend their failure to act in their user's best interest, they need to do so directly by calling out the governments coercion. Or otherwise, they ought to admit (as google did) that no meaningful government coercion exists and that their actions at the users expense are driven by their commercial interests.
There are two central possibilities: That the searching is coerced, in which case it is an unlawful violation of the user's fourth amendment rights, or that it is not coerced, in which case it is an activity that Apple is freely engaging with for the benefit of their commercial interests.
In either case-- facilitating an unlawful invasion of user's constitutional rights on behalf of the government, or voluntarily invading the privacy of their users for commercial benefit Apple is ethically in the wrong.
I don't doubt that this dichotomy, if widely recognized, would put apple in a difficult position-- but that's a cost of doing business.
>I think Apple PR screwed up here announcing all these features at once on one page, and not having the foresight they would be conflated. It also didn't help that a security researcher leaked it the night before without many of the details (iCloud only for example).
This sums up my entire feelings on the matter at this point.
This isn't a protection of your privacy. It's because US v. Ackerman (2016) the appeals court ruled that when AOL forwarded an email with an attachment whos hash matched the NCMEC database to law enforcement without anyone looking at it, and law enforcement looked at the email without obtaining a warrant was an unlawful search and had AOL looked at it first (which they can do by virtue of your agreement with them) and gone "yep, thats child porn" and reported it, it wouldn't have been an unlawful search.
Instead, if Apple were to report the existence of a match to law enforcement without divulging the image, which (if the matching is precise enough) should be enough to create probable cause to allow law enforcement to obtain a warrant. The only once a warrant was issued would anyone look at the image. That would be more protective.
What they're actually doing just inserts an unaccoutable additional step that reduced your privacy for the specific purpose of undermining your due process by avoiding the need of law enforcement to evade your privacy.
As you say, it’s important to be precise, otherwise people won’t take your arguments seriously. To summarise:
One system involves hash checking. This is performed when photos are being uploaded to iCloud. The hashes are calculated on-device. Private set intersection is used to determine whether the photos being uploaded match anything in the CSAM hash list. Photos that match will be reviewed manually - if I recall correctly, this only occurs after a certain threshold has been reached. This system will only match known CSAM (or whatever else is in the hash list).
The second, independent, system, is a machine learning model which runs on-device to detect sexually explicit photos being received on Messages.app. This system is designed to be run on children’s phones. The system will hide these explicit images by default, and can be configured to alert parents - that feature is designed for under-13s. This system doesn’t use the CSAM hash list.