[HN Gopher] Apple's Plan to "Think Different" About Encryption O...
___________________________________________________________________
Apple's Plan to "Think Different" About Encryption Opens a Backdoor to Your Life

Author : bbatsell
Score : 734 points
Date : 2021-08-05 20:20 UTC (2 hours ago)

(HTM) web link (www.eff.org)
(TXT) w3m dump (www.eff.org)

| mcone wrote:
| I wish there was a privacytools.io for hardware. I've been an iPhone user since the beginning but now I'm interested in alternatives. Last I checked, PinePhone was still being actively developed. Are there any decent phones that strike a balance between privacy and usability?
| teddyh wrote:
| The Librem 5[1] is both more powerful than the PinePhone, and is slated[2] to get RYF certification[3] from the FSF.
|
| 1. https://puri.sm/products/librem-5/
|
| 2. https://puri.sm/posts/librem-5-update-shipping-estimates-and...
|
| 3. https://ryf.fsf.org/
| Knighttime wrote:
| There are tons of devices compatible with LineageOS. I suggest taking a look there. https://lineageos.org/
| kivlad wrote:
| I'd go a step further and recommend https://grapheneos.org/ with a Pixel phone.
| Knighttime wrote:
| That too! It's restricted to Pixel devices though, and (I'm not 100% sure on this. It at least doesn't include it.) doesn't support things like MicroG which is a must for getting some apps that rely on Play Services to work correctly. I really think Graphene is only good for hardcore privacy and security enthusiasts, or for situations that actually require the security. I guess it just depends on how much convenience you want to sacrifice.
| josh_today wrote:
| Serious question- how can anyone know these operating systems are truly secure? Is there a way to test the source code? From a code perspective could Google have placed a back door in Android to access these forks?
| nicetryguy wrote:
| I'm looking forward to this platform being expanded to facially ID against more databases such as criminals, political dissenters, or anyone with an undesirable opinion so that SWAT teams can barge into the homes of false positive identifications to murder them and their dogs.
| babesh wrote:
| Apple is part of the power structure of the US. That means that it has a hand in shaping the agenda for the US but with that power comes the responsibility to carry out the agenda.
|
| This also means that it is shielded from attack by the power structure. That is the bargain that the tech industry has struck.
|
| The agenda is always towards increasing power for the power structure. One form of power is information. That means that Apple is inexorably drawn towards increasing surveillance. Also, Apple's massive customer base both domestic and overseas is a juicy surveillance target.
| babesh wrote:
| And if you don't believe me, ask yourself who holds the keys to iCloud data for both foreign and domestic customers. Ask Apple if it has ever provided data for a foreign customer to the US government. What do you think GDPR is for?
|
| Hint: it isn't end to end encrypted, Apple doesn't need your password to read the information, and you will never know
|
| Who the frack would design a system that way and why?
| babesh wrote:
| The die was cast with the 2020 elections when Apple decided to get into the fray. Much of tech also got into the fray. Once they openly decided to use their power, they couldn't get back out.
| strictnein wrote:
| This is an excellent example of how far off the rails the EFF has gone. This is completely false:
|
| > "Apple is planning to build a backdoor into its data storage system and its messaging system"
| Kaytaro wrote:
| How so? That's literally what it is.
| shuckles wrote:
| None of the announcements describe an iMessage back door, even if you're being extremely generous about what back door means.
| thedream wrote:
| The Cult Of The Apple hawks its slimy surveillance Snake Oil to a gluttonous throng of thralls.
|
| So where's the news?
| everyone wrote:
| When u upload any build to app store, before you can have it in testflight or submit it for release, you have to fill out this questionnaire asking "does your app use encryption?" If you say yes, you're basically fucked, good luck releasing it.. You have to say no as far as I'm aware.
| arihant wrote:
| I'm very concerned that a bunch of false positives will send people's nudes to Apple for manual review. I don't trust Apple's on device ML for something this sensitive. I also can't imagine that Apple will now not be forced to implement government forced filtering and reporting on iMessage. And this will likely affect others like WhatsApp because now governments know that there is a way to do this on E2E.
|
| What are some other fully encrypted photo options out there?
| [deleted]
| hncurious wrote:
| Apple employees successfully pressured their employer to fire a new hire and are petitioning to keep WFH.
|
| https://www.vox.com/recode/2021/5/13/22435266/apple-employee...
|
| https://www.vox.com/recode/22583549/apple-employees-petition...
|
| Will they apply that energy and leverage to push back on this?
|
| How else can this be stopped before it goes too far? Telling people to drop Apple is even less effective than telling people to delete Facebook.
| lijogdfljk wrote:
| I doubt this will be as clean. A large swath of people will defend this "for the children".
| mccorrinall wrote:
| They are putting their own users under surveillance. Didn't expect that from Apple.
| triska wrote:
| I remember an Apple conference where Tim Cook personally assured us that Apple is fully committed to privacy, that everything is so secure because the iPhone is so powerful that all necessary calculations can happen on the device itself, and that we are "not the product". I think the Apple CEO said some of this in the specific context of speech processing, yet it seemed a specific case of a general principle upheld by Apple.
|
| I bought an iPhone because the CEO seemed to be sincere in his commitment to privacy.
|
| What Apple has announced here seems to be a complete reversal from what I understood the CEO saying at the conference only a few years ago.
| avnigo wrote:
| I'm still waiting on iCloud backup encryption they promised a while back. There were reports that they scrapped those plans because the FBI told them to, but nothing official announced since 2019 on this.
| minsc__and__boo wrote:
| Yet Apple gave access to all the Chinese user iCloud data to the Chinese government, including messages, emails, pictures, etc.
|
| NYT Daily had an episode where they talked about how the CCP is getting Apple to bend its commitment to privacy:
|
| https://www.nytimes.com/2021/06/14/podcasts/the-daily/apple-...
| Klonoar wrote:
| I think the EFF is probably doing good by calling attention to the issue, but let's... actually look at the feature before passing judgement, e.g:
|
| https://twitter.com/josephfcox/status/1423382200880439298/ph...
|
| - It's run for Messages in cases where a child is potentially viewing material that's bad.
|
| - It's run _before upload to iCloud Photos_ - where it would've already been scanned anyway, as they've done for years (and as all other major companies do).
|
| To me this really doesn't seem that bad. Feels like a way to actually reach encrypted data all around while still meeting the expectations of lawmakers/regulators.
| Expansion of the tech would be something I'd be more concerned about, but considering the transparency of it I feel like there's some safety.
|
| https://www.apple.com/child-safety/ more info here as well.
| aaomidi wrote:
| > - It's run _before upload to iCloud Photos_ - where it would've already been scanned anyway, as they've done for years (and as all other major companies do).
|
| Then why build this functionality at all? Why not wait until it's uploaded and check it on their servers and not run any client side code? This is how literally every other non-encrypted cloud service operates.
| Klonoar wrote:
| I assume (and this is my opinion, to be ultra-clear) that it's a blocker for E2E encryption. As we've seen before, they wanted to do it but backed off after government pressure. It wouldn't surprise me if this removes a blocker.
|
| Apple has shown that they prefer pushing things to be done on-device, and in general I think they've shown it to be a better approach.
| aaomidi wrote:
| That really makes little to no sense - it's not E2EE if you're going to be monitoring files that enter the encrypted storage. That's snakeoil encryption at that point.
|
| I sincerely doubt Apple is planning to do E2EE with iCloud storage considering that really breaks a lot of account recovery situations & is generally a bad UX for non-technical users.
|
| They're also already scanning for information on the cloud anyway.
| Klonoar wrote:
| Eh, I disagree - your definition feels like moving the goalposts.
|
| Apple is under no obligation to host offending content. Check it before it goes in (akin to a security checkpoint in real life, I guess) and then let me move on with my life, knowing it couldn't be arbitrarily vended out to x party.
| philistine wrote:
| Going on with your life in this situation means police officers have been given copies of the photos that triggered the checkpoint. Do you want that?
| pseudalopex wrote:
| Apple's paper talks about decrypting suspect images. It isn't end to end.[1]
|
| [1] https://www.apple.com/child-safety/pdf/CSAM_Detection_Techni...
| Klonoar wrote:
| Feel free to correct me if I'm wrong, but this is a method for decrypting _if it's matching an already known or flagged item_. It's not enabling decrypting arbitrary payloads.
|
| From your link:
|
| >In particular, the server learns the associated payload data for matching images, but learns nothing for non-matching images.
|
| Past this point I'll defer to actual cryptographers (who I'm sure will dissect and write about it), but to me this feels like a decently smart way to go about this.
| pseudalopex wrote:
| Matching means suspect. It doesn't have to be a true match.
|
| It could be worse. But end to end means the middle has no access. Not some access.
| aaomidi wrote:
| And remember the E2EE is pure speculation at this point.
| aaomidi wrote:
| Then don't offer "E2EE"
| xienze wrote:
| > Expansion of the tech would be something I'd be more concerned about
|
| Yeah, and that's precisely what will happen. It always starts with child porn, then they move on to "extremist content", of which the term expands to capture more things on a daily basis. Hope you didn't save that "sad Pepe" meme on your phone.
| kps wrote:
| > _considering the transparency of it_
|
| What transparency? Apple doesn't publish iOS source.
| mapgrep wrote:
| > It's run _before upload to iCloud Photos_ - where it would've already been scanned anyway
|
| Right, so ask yourself, why is it on the device? Why not just scan on the server?
|
| To me (agreeing with much of the commentary I've seen) the likeliest answer is that they are confining the scan to pre uploads now not for any technical reason but to make the rollout palatable to the public. Then they're one update away from quietly changing the rules.
| There's absolutely no reason to do the scan on your private device if they plan to only confine this to stuff they could scan away from your device.
| karaterobot wrote:
| Since nobody would ever object to it, protecting against child abuse gets used as a wedge. As the article points out, the way this story ends is with this very backdoor getting used for other things besides preventing child abuse: anything the government asks Apple to give them. It's an almost inevitable consequence of creating a backdoor in the first place, which is why you have to have a zero-tolerance policy against it.
| [deleted]
| randcraw wrote:
| So your argument is, if you've done nothing wrong, you have nothing to worry about. Really? Will you feel the same when Apple later decides to include dozens more crimes that they will screen for, surreptitiously? All of which are searches without warrants or legal oversight?
|
| Let me introduce you to someone you should know better. His name is Edward Snowden. Or Louis Brandeis, who is spinning in his grave right about now.
|
| The US Fourth Amendment exists for a damned good reason.
| fredgrott wrote:
| Hmm, seems to me since most smart criminals understand not to leave a digital footprint that what Apple will catch is those who are idiots and make an honest mistake and those who are dumb and make a mistake in putting their illegality online.
|
| So I would ask US Lawmakers why cannot the phone companies make the same commitments? As the reason seems to be we have bad people doing crime using digital communication devices.
|
| Last time I checked the digital pipeline ie phone lines is still under FCC rules is it not?
|
| If they answer that it's too hard tech wise then why cannot Apple make the same argument to law makers?
| Klonoar wrote:
| You do realize you could get this message across without the needlessly arrogant tone, yeah? All it does is make me roll my eyes.
|
| Anyway, that wasn't my stated position. I simply pointed out that this is done for a subset of users (where there's already existing reasons to do so, sub-13 and all) and that on syncing to iCloud this _already happens anyway_.
|
| I would gladly take this if it removes a barrier to making iCloud E2E encrypted; they are likely bound to do this type of detection, but doing it client-side before syncing feels like a sane way to do it.
| kickopotomus wrote:
| > I would gladly take this if it removes a barrier to making iCloud E2E encrypted; they are likely bound to do this type of detection, but doing it client-side before syncing feels like a sane way to do it.
|
| But there is an issue there. Now there is a process on your phone capable of processing unencrypted data on your phone and communicating with the outside world. That is spyware which will almost certainly be abused in some way.
| xondono wrote:
| > Now there is a process on your phone capable of processing unencrypted data on your phone and communicating with the outside world.
|
| What? That's what all apps _by definition_ do. My retinas can't do decryption yet!
| JackGreyhat wrote:
| Actually, I don't think it will remove a barrier for iCloud E2E encryption at all. On the contrary. All it will remove, is the barrier for what we find acceptable for companies like Apple to implement. I think Apple made a very intrusive move, one that we will come to accept over time. After that, a next move follows...and so on. That's the barrier being moved. A point will be reached when E2E encryption is nothing more than a hoax, a non-feature with no added value. A mirage of what it is supposed to be. All of these things are implemented under the Child Protection flag. Sure, we need child protection, we need it badly, but the collateral is huge and quite handy too for most 3 letter agencies. I don't have the solution.
| The other day my 3 year old son had a rash, I took pictures of it over the course of a few days. A nude little boy, pictures from multiple angles. I showed my dermatologist. What will happen in the future? Will my iPhone "flag" me as a potential child predator? Can I tell it I'm a worried dad? Do I even have to be thinking about these things?
| thesimon wrote:
| "Feels like a way to actually reach encrypted data all around while still meeting the expectations of lawmakers/regulators"
|
| And isn't that a problem? Encrypted data should be secure, even if lawmakers don't want math to exist.
| Klonoar wrote:
| Your data should be encrypted on Apple's servers and unreadable by them; rather, this is my desire from Apple. They are likely bound to scan and detect for this kind of abusive content.
|
| This handles that client-side instead of server side, and if you don't use iCloud photos, it doesn't even affect you. If syncing? Sure, decrypt it on device and check it before uploading - it's going to their servers after all.
|
| Don't want to even go near this? Don't use Message or iCloud, I guess. Very possible to use iOS/iDevices in a contained manner.
| wayneftw wrote:
| It runs on _my device_ and uses my CPU, battery time and my network bandwidth (to download/upload the hashes and other necessary artifacts).
|
| I'd be fine with them scanning stuff I uploaded to them with their own computers because I don't have any real expectation of privacy from huge corporations.
| kps wrote:
| Apple already uses 'your' CPU, battery time and network bandwidth for its Find My / AirTag product.
| babesh wrote:
| You can turn it off.
| Klonoar wrote:
| I feel like this argument really doesn't add much to the discussion.
|
| It runs only on a subset of situations, as previously noted - and I would be _shocked_ if this used more battery than half the crap running on devices today.
|
| Do you complain that Apple runs code to find moments in photos to present to you periodically...?
| aaomidi wrote:
| What is the point of running this on device? The issue here is now Apple has built and is shipping what is essentially home-phoning malware that can EASILY be required with a court order to do something entirely different than what it is designed to do.
|
| They're opening themselves to being forced by 3 letter agencies around the world to do some really fucked up shit to their users.
|
| Apple should never have designed something that allows for fingerprinting of files & users for stuff stored on their own device.
| Klonoar wrote:
| Your entire argument could be applied to iOS itself. ;P
| aaomidi wrote:
| Not really, iOS didn't really have the capability of scanning and reporting files based on a database received by the FBI/other agencies.
|
| There is a big difference when this has been implemented & deployed to devices. Fighting questionable subpoenas and stuff becomes easier when you don't have the capability.
| wayneftw wrote:
| > I feel like this argument really doesn't add much to the discussion.
|
| Oh, I guess I should have just regurgitated the Apple press release like the gp?
|
| > It runs only on a subset of situations...
|
| For now. But how does that fix the problem of them using my device and my network bandwidth?
|
| > I would be _shocked_ if this used more battery than half the crap running on devices today.
|
| You think you'll be able to see how much it uses?
|
| > Do you complain that Apple runs code to find moments in photos to present to you periodically...?
|
| Yes. I hate that feature, it's a waste of my resources. I'll reminisce when I choose to, I don't need some garbage bot to troll my stuff for memories. I probably already have it disabled, or at least the notifications of it.
| lights0123 wrote:
| My big issue is what it opens up.
| As the EFF points out, it's really not a big leap for oppressive governments to ask Apple to use the same tech (as demoed by using MS's tech to scan for "terrorist" content) to remove content they don't like from their citizens' devices.
| acdha wrote:
| That's my concern: what happens the first time a government insists that they flag a political dissident or symbol? The entire system is opaque by necessity for its original purpose but that seems to suggest it would be easy to do things like serve custom fingerprints to particular users without anyone being any the wiser.
| philistine wrote:
| My heart goes to the queer community of Russia, whose government will pounce on this technology in a heartbeat and force Apple to scan for queer content.
| acdha wrote:
| They'd have many other countries keeping them company, too.
|
| One big mess: how many places would care about false positives if that gave them a pretext to arrest people? I do not want to see what would happen if this infrastructure had been available to the Bush administration after 9/11 and all of the usual ML failure modes played out in an environment where everyone was primed to assume the worst.
| vimy wrote:
| Teens are also children. Apple has no business checking if they send or receive nude pics. Let alone tell their parents. This is very creepy behavior from Apple.
|
| Edit: I'm talking about this https://pbs.twimg.com/media/E8DYv9hWUAksPO8?format=jpg&name=...
| xondono wrote:
| Call me crazy, but if your 13yo is sending nudes, I think that as a parent you want to know that.
|
| Current society is pushing a lot of adult behavior into kids, and they don't always understand the consequences of their actions.
|
| Parents can't inform their kids if they aren't aware.
| hb0ss wrote:
| Children as defined by Apple differs per legal region, for the US it is set to 13 years or younger.
| Also, your parents need to have added your account to the iCloud family for the feature to work.
| Closi wrote:
| That's not what this solution is doing, it's checking a hash of the photo against a hash of known offending content.
|
| If someone sends nude pics there is still no way to tell that it's a nude pic.
| [deleted]
| randcraw wrote:
| Nude pic ID is routine online. Facebook developed this capability over 5 years ago and employs it liberally today, as do many other net service providers.
| mrits wrote:
| Not true. We don't know how the fuzzy hash is working. It's very likely a lot of nudes would fall in the threshold Apple has set.
| krrrh wrote:
| That's only the first part of what was announced and addressed in the article.
|
| The other part is on-device scanning for nude pics a child is intending to send using machine learning and securely notifying the child, and then parents within the family account. The alert that the kids get by itself will probably be enough to stop a lot of them from sending the pic in the first place.
| slownews45 wrote:
| I'm a parent. It's weird seeing HN push against this.
|
| This sounds like a feature I'd like
| [deleted]
| philistine wrote:
| I agree with you in principle, but I also know that kids will soon find methods of sharing that defeat any scans. Other apps and ephemeral websites can be used to escape Apple's squeaky-clean version of the world.
| slownews45 wrote:
| Sure - that's fine.
|
| But if I'm picking a phone for my kid, and my choice is this (even if imperfect) and the HN freedomFone - it's going to be Apple. We'll see what other parents decide.
| Bud wrote:
| False, and this shows that you didn't read the entire article. You should go and do that.
| [deleted]
| artimaeis wrote:
| You're conflating the CSAM detection of photos uploaded to iCloud with the explicit detection for child devices.
| The latter is loosely described here: https://www.apple.com/child-safety/.
|
| > Messages uses on-device machine learning to analyze image attachments and determine if a photo is sexually explicit. The feature is designed so that Apple does not get access to the messages.
| Spooky23 wrote:
| It would be if that were what they were doing. They are not.
| Bud wrote:
| Yes, it is, and you need to read the entire article.
| spiderice wrote:
| I think you're both partially right.
|
| > In these new processes, if an account held by a child under 13 wishes to send an image that the on-device machine learning classifier determines is a sexually explicit image, a notification will pop up, telling the under-13 child that their parent will be notified of this content. If the under-13 child still chooses to send the content, they have to accept that the "parent" will be notified, and the image will be irrevocably saved to the parental controls section of their phone for the parent to view later. For users between the ages of 13 and 17, a similar warning notification will pop up, though without the parental notification.
|
| This specifically says that it will not notify the parents of teens, as GGP claims. So GP is right that Apple isn't doing what GGP claimed. However I still think you might be right that GP didn't read the full article and just got lucky. Lol.
| krrrh wrote:
| Parents do have a legal and moral responsibility to check on their children's behaviour, and that includes teens. It's somewhat analogous to a teacher telling parents about similar behaviour taking place at school.
|
| I suspect a lot of how people feel about this will come down to whether they have kids or not.
| anthk wrote:
| I don't know about your country but in mine in Europe teens have privacy rights OVER their parents' paranoia.
|
| That includes secrecy in private communications and OFC privacy within their own data in smartphones.
| dhosek wrote:
| The fact that teens are children means that if, say a 16-yo sends a nude selfie to their s.o., they've just committed a felony (distributing child pornography) that can have lifelong consequences (thanks to hysterical laws about sex offender registries, both kids could end up having to register as sex offenders for the rest of their life and will be identified as having committed a crime that involved a minor. Few if any of the registries would say more than this and anyone who looks in the registry will be led to believe that they molested a child and not shared a selfie or had one shared with them). The laws may not be just or correct, but they are the current state of the world. Parents need to talk to their kids about this sort of thing, and this seems one of the less intrusive ways for them to discover that there's an issue. If it were automatically shared with law enforcement? That would be a big problem (and a guarantee that my kids don't get access to a device until they're 18), but I'm not ready[1] to be up in arms about this yet.
|
| 1. I reserve the right to change my mind as things are revealed/developed.
| jfjsjcjdjejcosi wrote:
| > if, say a 16-yo sends a nude selfie to their s.o., they've just committed a felony ... The laws may not be just or correct, but they are the current state of the world.
|
| Hence, strong E2E encryption designed to prevent unjust government oppression, _without_ backdoors.
|
| Parents should talk to their teenagers about sex regardless of if they get a notification on their phone telling them they missed the boat.
| SahAssar wrote:
| I get your points, but the end result is that the client in an E2EE system can no longer be fully trusted to act on the client's behalf. That seems alarming to me.
| philistine wrote:
| I'd argue that the problem of minors declared sex offenders for nude pictures has reached a critical mass that scares me.
| At this point, sex offenders of truly vile things can hide by saying that they are on a sex offender registry because of underage selfies. And I think most people will believe them.
| wccrawford wrote:
| I worked with someone that claimed this, years ago. And they were still young enough that I believed them.
| anthk wrote:
| > The laws may not be just or correct, but they are the current state of the world
|
| America, not Europe. Or Japan.
| bambax wrote:
| > _they've just committed a felony (distributing child pornography)_
|
| In the US, maybe (not sure if this is even true in all states), but not in most other countries in the world, where a 16-year-old is not a child, nudity is not a problem, and "sex offender registries" don't exist.
|
| The US is entitled to make its own (crazy, ridiculous, stupid) laws, but we shouldn't let them impose those on the rest of us.
| nerdponx wrote:
| > Apple has no business checking if they send or receive nude pics. Let alone tell their parents.
|
| Some people might disagree with you.
|
| There are people out there who are revolted by the "obviously okay" case of 2 fully-consenting teenagers sending each other nude pics, without any coercion, social pressure, etc.
|
| Not to mention all the gray areas and "obviously not okay" combinations of ages, circumstances, number of people involved, etc.
| slownews45 wrote:
| It will be the parents who are deciding this - particularly if they are buying these phones.
|
| If parents don't like this feature, they can buy a LineageOS type phone. If parents do they will buy this type of phone for their kids.
| philistine wrote:
| Big correction: it will be the other kids' parent who will decide for your kid. Apple will give your children's picture to the other kid's parents.
|
| That's terrifying.
| slownews45 wrote:
| What a lie - I'm really noticing an overlap between folks fighting this type of stuff (which as a parent I want) and folks just lying horribly.
|
| "if a child attempts to send an explicit photo, they'll be warned before the photo is sent. Parents can also receive a message if the child chooses to send the photo anyway." - https://techcrunch.com/2021/08/05/new-apple-technology-will-...
|
| So this gives kids a heads up that they shouldn't send it, and that if they do, their parent will be notified. So that's me in case you are not reading this clearly.
|
| Now yes, if someone is SENDING my child porn from a non-child account, I as the parent will be notified. Great.
|
| If this is terrifying - that's a bit scary! HN is going a bit off the rails these days.
|
| Allow me to make a prediction - users are going to like this - it will INCREASE their trust in Apple in terms of a company trying to keep them and their family safe.
|
| I just looked it up - Apple is literally the #1 brand globally supposedly in 2021. So they are doing the right thing in customers' minds so far.
| thomastjeffery wrote:
| That's entirely GP's point: preferring to cater to those people affects the rest of us in a way we find detrimental.
| Klonoar wrote:
| You describe it as if Apple's got people in some room checking each photo. It's some code that notifies their parents in certain situations. ;P
|
| I know several parents in just my extended circle alone that would welcome the feature, so... I just don't think I agree with this statement. These parents already resort to other methods to try and monitor their kids but it's increasingly (or already) impossible to do so.
|
| I suppose we should also take issue with Apple letting parents watch their kids' location...?
| strictnein wrote:
| This is not how the system works at all.
| vimy wrote:
| https://pbs.twimg.com/media/E8DYv9hWUAksPO8?format=jpg&name=...
| What am I reading wrong?
| strictnein wrote:
| Already answered here: https://news.ycombinator.com/item?id=28079919
| Bud wrote:
| Answered incorrectly. You need to read the rest of the article.
| dabbledash wrote:
| The point of encrypted data is not to be "reached."
| ElFitz wrote:
| True. But, first, it also means anyone, anywhere, as long as they use iOS, is vulnerable to what the _US_ considers to be proper. Which, I will agree, likely won't be an issue in the case of child pornography. But there's no way to predict how that will evolve (see Facebook's ever expanding imposing of American cultural norms and puritanism).
|
| Next, it also means they _can_ do it. And if it can be done for child pornography, why not terrorism? And if it can be done for the US' definition of terrorism, why not China's, Russia's or Saudi Arabia's? And if terrorism and child pornography, why not drugs consumption? Tax evasion? Social security fraud? Unknowingly talking with the wrong person?
|
| Third, there _apparently_ is transparency on it today. But who is to say its possible expansion won't be forcibly silenced in the same way Prism's requests were?
|
| Fourth, but that's only because I slightly am a maniac, how can anyone unilaterally decide to waste the computing power, battery life and data plan of a device I paid for without my say so? (probably one of my main gripes with ads)
|
| All in all, it means I am incorporating into my everyday life a device that can and will actively snoop on me and potentially snitch on me. Now, while I am not worried _today_, it definitely paves the way for many other things. And I don't see why I should trust anyone involved to stop here or let me know when they don't.
| adventured wrote:
| The US is very openly, publicly moving down the road called The War on Domestic Terrorism, which is where the US military begins targeting, focusing in on the domestic population.
The politicians in control right now are very | openly stating what their plans are. It's particularly | obvious what's about to happen, although it was obvious at | least as far back as the Patriot Act. The War on Drugs is | coming to an end, so they're inventing a new fake war to | replace it, to further their power. The new fake war will | result in vast persecution just as the last one did. | | You can be certain what Apple's scanning is going to be | used for is going to widen over time. That's one of the few | obvious certainties with this. These things are a Nixonian | wet dream. The next Trump type might not be so politically | ineffectual; more likely that person will be part of the | system and understand how to abuse & leverage it to their | advantage by complying with it rather than threatening its | power as an outsider. Trump had that opportunity, to give | the system what it wanted, he was too obtuse and rigid, to | understand he had to adapt or the machine would grind him | up (once he started removing the military aparatus that was | surrounding him, like Kelly and Mattis, it was obvious he | would never be allowed to win a second term; you can't keep | that office while being set against all of the military | industrial complex including the intelligence community, | it'll trip you up on purpose at every step). | | The US keeps getting more authoritarian over time. As the | government gets larger and more invasive, reaching ever | deeper into our lives, that trend will continue. One of the | great, foolish mistakes that people make about the US is | thinking it can be soft and cuddly like Finland. Nations | and their governments are a product of their culture. So | that's not what you're going to get if you make the | government in the US omnipotent. You're going to get either | violent Latin American Socialism (left becomes dominant) or | violent European Fascism (right becomes dominant). 
There's | some kind of absurd thinking that Trump was right-wing, as | in anti-government or libertarian; Trump is a proponent of | big government, just as Bush was, that's why they had no | qualms about spending like crazy (look at the vast | expansion of the government under Bush); what they are is | the forerunners to fascism (which is part of what their | corporatism is), they're right wingers that love big | government, a super dangerous cocktail. It facilitates a | chain of enabling over decades; they open up pandora boxes | and hand power to the next authoritarian. Keep doing that | and eventually you're going to get a really bad outcome | (Erdogan, Chavez, Putin, etc) and that new leadership will | have extraordinary tools of suppression. | | Supposed political extremists are more likely to be the | real target of what Apple is doing. Just as is the case | with social media targeting & censoring those people. The | entrenched power base has zero interest in change, you can | see that in their reaction to both Trump and Sanders. Their | interest is in maintaining their power, what they've built | up in the post WW2 era. Trump and Sanders, in their own | ways, both threatened what they constructed. Trump's chaos | threatened their built-up system, so the globalists in DC | are fighting back, they're going to target what they | perceive as domestic threats to their system, via their new | War on Domestic Terrorism (which will actually be a | domestic war on anyone that threatens their agenda). 
Their | goal is to put systems in place to ensure another outsider, | anyone outside of their system, can never win the | Presidency (they don't care about left/right, that's a | delusion for the voting class to concern themselves about; | the people that run DC across decades only care if the | left/right winner complies with their agenda; that's why | the Obamas and Clintons are able to be so friendly with the | Bushes (what Bush did during his Presidency, such as Iraq, | is dramatically worse than anything Trump did, and yet Bush | wasn't impeached, wasn't pursued like Trump was, the people | in power - on both sides - widely supported his move on | Iraq), they're all part of the same system so they | recognize that in each other, and reject a Trump or Sanders | outsider like an immune system rejecting a foreign object). | | The persistent operators in DC - those that continue to | exist and push agenda regardless of administration hand- | offs - don't care about the floated reason for what Apple | is doing. They care about their power and nothing else. | That's why they always go to the Do It For The Kids | reasoning, they're always lying. They use whatever is most | likely to get their agenda through. The goal is to always | be expanding the amount of power they have (and that | includes domestically and globally, it's about them, not | the well-being of nations). | | We're entering the era where all of these tools of | surveillance they've spent the past few decades putting | into place, will start to be put into action against | domestic targets en masse, where surveillance tilts over to | being used for aggressive suppression. That's what Big Tech | is giddily assisting with the past few years, the beginning | of that switch over process.
The domestic population | doesn't want the forever war machine (big reasons Trump & | Sanders are so popular, is that both ran on platforms | opposed to the endless foreign wars); the people that run | DC want the forever war machine, it's their machine, they | built it. Something is going to give, it's obvious what | that's going to be (human liberty at home - so the forever | wars, foreign adventurism can continue unopposed). | chrsstrm wrote: | > is vulnerable to what the US considers to be proper | | This stirs up all sorts of questions about location and the | prevailing standards in the jurisdiction you're in. Does | the set of hashes used to scan change if you cross an | international border? Is the set locked to whichever | country you activate the phone in? This could be a travel | nightmare. | judge2020 wrote: | As this isn't a list of things the U.S. finds prudish, | but actual images of children involved in being/becoming | a victim of abuse, it doesn't look like there are borders | [yet]. | | If the situation OP suggests happens in the form of | FBI/other orgs submitting arguably non-CSAM content, then | Apple wouldn't be complicit or any wiser to such an | occurrence unless it was after-the-fact. If it happens in | a way where Apple decides to do this on their own dime | without affecting other ESPs, I imagine they wouldn't | upset CCP by applying US guidance to Chinese citizen's | phones. | Klonoar wrote: | I think your points are mostly accurate, and that's why I | led with the bit about the EFF calling attention to it. | Something like this shouldn't happen without scrutiny. | | The only thing I'm going to respond to otherwise is this: | | >Fourth, but that's only because I slightly am a maniac, | how can anyone unilaterally decide to waste the computing | power, battery life and data plan of a device I paid for | without my say so? 
(probably one of my main gripes with | ads) | | This is how iOS and apps in general work - you don't really | control the amount of data you're using, and you never did. | Downloading a changeset of a hash database is not a big | deal; I'd wager you get more push notifications with data | payloads in a day than this would be. | | Battery life... I've never found Apple's on-device | approaches to be the culprit of battery issues for my | devices. | | I think I'd add to your list of points: what happens when | Google inevitably copies this in six months? There really | is no competing platform that comes close. | falcolas wrote: | > what happens when Google inevitably copies this in six | months? There really is no competing platform that comes | close. | | Then you have to make a decision about what matters more. | Convenience and features, or privacy and security. | | I've made that decision myself. I'll spend a bit more | time working with less-than-perfect OSS software and | hardware to maintain my privacy and security. | pseudalopex wrote: | What transparency? The algorithm is secret. The reporting | threshold is secret. The database of forbidden content is | secret. | mtgx wrote: | It's all been downhill since we heard that they stopped | developing the e2e encrypted iCloud solution because it might | upset the FBI even more. | nerdponx wrote: | The cynical take is that Apple was _never_ committed to privacy | in and of itself, but they are committed to privacy as long as | it improves their competitive advantage, whether by marketing | or by making sure that only Apple can extract value from its | customers' data. | | Hanlon's razor does not apply to megacorporations that have | enormous piles of cash and employ a large number of very smart | people, who are either entirely unscrupulous or for whom | scruples are worth less than their salaries. We probably aren't | cynical _enough_.
| | I am not arguing that we should always assume every change is | always malicious towards users. But our index of suspicion | should be high. | withinboredom wrote: | I'd say you're spot on, but I can't say why. | hpen wrote: | I've always been convinced that Apple cared about privacy as | a way of competitive advantage. I don't need them to be | committed morally or ethically, I just need them to be | serious about it because I will give them my money if they | are. | philistine wrote: | Tim Cook looks like he believes in money, first and | foremost. Anything goes second. | robertoandred wrote: | Except the hashing and hash comparison are happening on the | device itself. | zionic wrote: | That's even worse | dylan604 wrote: | It is secure, as long as you have nothing to hide. If you have | no offending photos, then the data won't be uploaded! See, it's | not nefarious at all! /s | JohnFen wrote: | > because the CEO seemed to be sincere in his commitment to | privacy. | | The sincerity of a company officer, even the CEO, should not | factor into your assessment. Officers change over time (and | individuals can change their stance over time), after all. | unstatusthequo wrote: | 4th Amendment. Plaintiff lawyers gear up. | skee_0x4459 wrote: | wow. in the middle of reading that, i realized that this is a | watershed moment. why would apple go back on their painstakingly | crafted image and reputation of being staunchly pro privacy? its | not for the sake of the children lol. no, something happened that | has changed the equation for apple. some kind of decisive shift | has occurred. maybe apple has finally caved in to the chinese | market, like everyone else in the US, and is now making their | devices compatible with chinese surveillance. or maybe the US | government has finally managed to force apple to crack open its | shell of encryption in the name of a western flavored | surveillance. 
but either way, i think it is a watershed moment | because securing privacy will from this moment onward be a fringe | occupation in the west. unless a competitor rises up, but thats | impossible because there arent enough people who care about | privacy to sustain a privacy company. thats the real reason why | privacy has died today. | | and also i think its interesting how kids will adjust to this. i | think a lot of kids wont hear about this and will find themselves | caught up in a child porn case with foamy mouthed parents of the | recipient sapping any reserves of rational motive that the police | might have left. because if im not mistaken you can be convicted | of child porn distribution even if it was images of your own body | taken by yourself being distributed. | cblconfederate wrote: | Makes you rally for NAMBLA | new_realist wrote: | Moral panics are nothing new, and have now graduated into the | digital age. The last big one I remember was passage of the DMCA | in 1999; it was just absolutely guaranteed to kill the Internet! | And as per usual, the Chicken Littles the world were proven | wrong. The sky will not fall in this case, either. Unfortunately | civilization has produced such abundance and free time that | outage viruses like this one will always circulate. | dukeofdoom wrote: | Technocrats are the new railway tycoons | new_realist wrote: | Studies have shown that CCTV reduces crime | (https://whatworks.college.police.uk/toolkit/Pages/Interventi...). I expect results | here will be even better. | | This technology uses secret sharing to ensure a threshold of | images are met before photos are flagged. In this case, it's even | more private than CCTV. | | Totalitarian regimes do not need some magic bit of technology | to abuse citizens; that's been clear since the dawn of time.
| Those who are concerned about abuse would do well to direct their | efforts towards maintenance of democratic systems: upholding | societal, political, regulatory and legal checks and balances. | | Criminals are becoming better criminals by taking advantage of | advancements in technology right now, and, for better or worse, | it's an arms race and society will simply not accept criminals | gaining the upper hand. | | If not proven necessary, society is capable of reverting to prior | standards (Habeas Corpus resumed after the Civil War, and parts | of the Patriot Act have expired, for example.). | kappuchino wrote: | You link to an article that says ... "Overall, the evidence | suggests that CCTV can reduce crime.". And then continues | to mention that specific context matters: Vehicle crime ... oh | well, I wonder if we could combat that without surveillance, | like better locks, remote disable of the engine ... There as | here with the phones, society has to evaluate the price of the | loss of privacy and abuse by totalitarian systems, which will | happen - we just can't say when. This is why some - like me - | resist backdoors at all if for the price of "more crime". | RightTail wrote: | This is going to be used to suppress political dissidents aka | "populist/nationalist right" aka the new alqaeda | | searching for CP is the original pretext | anthk wrote: | More like the reverse, fool. The power loves right wing people | and racists. | | If anything, the left and progressive left will be prosecuted. | | China? They even attacked Marxist demonstrations in | universities. Current ideology in China is just Jingoism or | "keep shit working no matter how". | robertoandred wrote: | How? Please be specific. | gruez wrote: | Presumably by adding signatures for "populist/nationalist | right" memes.
| [deleted] | iamleppert wrote: | It's pretty trivial to iteratively construct an image that has | the same hash as another, completely different image if you know | what the hash should be. | | All one needs to do, in order to flag someone or get them caught | up in this system, is to gain access to this list of hashes and | construct an image. This data is likely to be sought after as | soon as this system is implemented, and it will only be a matter | of time before a data breach exposes it. | | Once that is done, the original premise and security model of the | system will be completely eroded. | | That said, if this does get implemented I will be getting rid of | all my Apple devices. I've already switched to Linux on my | development laptops. The older I get, the less value Apple | products have to me. So it won't be a big deal for me to cut them | out completely. | jjtheblunt wrote: | Cryptographic hashes are exactly not trivial to "dupe". | | https://en.wikipedia.org/wiki/Cryptographic_hash_function | pseudalopex wrote: | Perceptual hashes aren't cryptographic. | handoflixue wrote: | Is there anything stopping them from using an actual | cryptographic hash, though? | layoutIfNeeded wrote: | Ummm... the fact that changing a single pixel will let | the baddies evade detection? | pseudalopex wrote: | Even the smallest change to an image changes a | cryptographic hash. | kickopotomus wrote: | They are not using cryptographic hashes. They are using | perceptual hashes[1] which are fairly trivial to replicate. | | [1]: https://en.wikipedia.org/wiki/Perceptual_hashing | tcoff91 wrote: | This seems dumb. I'm sure that sophisticated bad people | will just alter colors and things to defeat the hashes and | meanwhile trolls will generate collisions to cause people | to falsely be flagged. | tcoff91 wrote: | what is the hashing scheme? I assume it must not be a | cryptographically secure hashing scheme if it's possible to | find a collision. 
It's not something like sha256? | cyral wrote: | They call it NeuralHash, there is a lengthy technical spec | and security analysis in their announcement | swiley wrote: | I'm really worried about everyone. Somehow I've missed this until | now and I've felt sick all day since hearing about it. | andrewmcwatters wrote: | I suspect Apple is subject to government and gag orders and | Microsoft has already been doing this with OneDrive but no one | has heard about it yet. | wellthisisgreat wrote: | Apple's parental controls are HORRIBLE. There is at least 20% | false positives there, that flag all sorts of absolutely benign | sites as "adult". | | Any kind of machine-based contextual analysis of users' content | will be a disaster. | robertoandred wrote: | Good news! It's not doing contextual analysis of content. It's | comparing image hashes. | wellthisisgreat wrote: | oh that's actually kind of good news then. I couldn't believe | Apple wouldn't know about the inadequacy of their PC | pseudalopex wrote: | You mixed up the 2 new features. The child pornography | detection compares perceptual hashes. The iMessage filter | tries to classify sexually explicit images. | threatofrain wrote: | Recent relevant discussion. | | https://news.ycombinator.com/item?id=28068741 | | https://news.ycombinator.com/item?id=28075021 | | https://news.ycombinator.com/item?id=28078115 | new_realist wrote: | Moral panics are nothing new, and have now graduated into the | digital age. The last big one I remember was passage of the DMCA | in 1999; it was just absolutely guaranteed to kill the Internet! | And as per usual, the Chicken Littles the world were proven | wrong. The sky will not fall in this case, either. Unfortunately | civilization has produced such abundance and free time that | outage viruses like this one will always circulate. Humans need | something to spend their energy on. 
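Added example (not part of the thread, and not Apple's NeuralHash): the distinction drawn above between cryptographic and perceptual hashes, shown with SHA-256 and a difference hash (dHash, a simple public perceptual hash) over constructed grayscale images. The image generator, the image size, the match threshold and all function names are assumptions made for this illustration.

```python
import hashlib

# Constructed test images: 72x64 grayscale, i.e. 9x8 blocks of 8x8 pixels.
W, H, BLOCK = 72, 64, 8


def make_image(a, b):
    """Constructed image: flat blocks whose level depends on (a, b), plus fine texture."""
    return [[40 * ((a * (x // BLOCK) + b * (y // BLOCK)) % 6) + (x + y) % 8
             for x in range(W)] for y in range(H)]


def clamp(v):
    return max(0, min(255, v))


def one_pixel_changed(img):
    """Copy of img with a single pixel overwritten."""
    out = [row[:] for row in img]
    out[0][0] = 255
    return out


def brightened(img, delta=10):
    """Copy of img with every pixel made slightly brighter."""
    return [[clamp(p + delta) for p in row] for row in img]


def recompressed(img):
    """Stand-in for lossy re-encoding: deterministic noise in the range -3..+3."""
    return [[clamp(p + (x * 31 + y * 17) % 7 - 3) for x, p in enumerate(row)]
            for y, row in enumerate(img)]


def sha256_hex(img):
    """Cryptographic digest of the raw pixel bytes: any changed byte changes it."""
    return hashlib.sha256(bytes(p for row in img for p in row)).hexdigest()


def shrink(img, cols=9, rows=8):
    """Downscale to cols x rows by averaging equal-sized blocks."""
    bh, bw = len(img) // rows, len(img[0]) // cols
    return [[sum(img[y][x]
                 for y in range(r * bh, (r + 1) * bh)
                 for x in range(c * bw, (c + 1) * bw)) / (bh * bw)
             for c in range(cols)] for r in range(rows)]


def dhash(img):
    """64-bit difference hash: one bit per horizontally adjacent pair of cells."""
    bits = 0
    for row in shrink(img):
        for left, right in zip(row, row[1:]):
            bits = (bits << 1) | int(left > right)
    return bits


def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def compare(reference, candidate, threshold=8):
    """Exact-digest comparison next to a thresholded perceptual comparison."""
    distance = hamming(dhash(reference), dhash(candidate))
    return {
        "sha256_equal": sha256_hex(reference) == sha256_hex(candidate),
        "dhash_distance": distance,
        "perceptual_match": distance <= threshold,  # threshold is an assumed value
    }


def report():
    """Compare a reference image with three light edits and one unrelated image."""
    ref = make_image(5, 3)
    cases = {
        "one pixel changed": one_pixel_changed(ref),
        "brightened": brightened(ref),
        "recompressed": recompressed(ref),
        "unrelated image": make_image(1, 2),
    }
    return {name: compare(ref, img) for name, img in cases.items()}


if __name__ == "__main__":
    for name, result in report().items():
        print(f"{name:18} {result}")
```

Every edited copy fails the SHA-256 comparison yet stays within the perceptual threshold, while the unrelated image is far outside it. The threshold is the trade-off: raising it tolerates more editing but also admits more unrelated images as matches.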
| nopeYouAreWrong wrote: | uhhh....dmca has been a cancer and destroyed people...so...the | fears werent exactly unfounded | kevin_thibedeau wrote: | It would be a shame if we had to start an investigation into your | anti-competitive behavior... | klempotres wrote: | Technically speaking, if Apple plans to perform PSI on device (as | opposed to what Microsoft does), how come that "the device will | not know whether a match has been found"? | | Is there anyone who's familiar with the technology so they can | explain how it works? | gruez wrote: | >how come that "the device will not know whether a match has | been found" | | Probably using some sort of probabilistic query like a bloom | filter. | c7DJTLrn wrote: | Catching child pornographers should not involve subjecting | innocent people to scans and searches. Frankly, I don't care if | this "CSAM" system is effective - I paid for the phone, it should | operate for ME, not for the government or law enforcement. | Besides, the imagery already exists by the time it's been found - | the damage has been done. I'd say the authorities should | prioritise tracking down the creators but I'm sure their | statistics look much more impressive by cracking down on small | fry. | | I've had enough of the "think of the children" arguments. | burself wrote: | The algorithms and data involved are too sensitive to be | discussed publicly and the reasoning is acceptable enough to | even the most knowledgeable people. They can't even be | pressured to prove that the system is effective. | | This is the perfect way to begin opening the backend doors. | bambax wrote: | Yes. I'm not interested in catching pedophiles, or drug | dealers, or terrorists. It's the job of the police. I'm not the | police. | 2OEH8eoCRo0 wrote: | Why is it always "think of the children"? It gets people | emotional? What about terrorism, murder, or a litany of other | heinous violent crimes? 
| falcolas wrote: | I invite you to look up "The Four Horsemen of the | Infocalypse". Child Pornography is but one of the well | trodden paths to remove privacy and security. | kazinator wrote: | And remember, a minor who takes pictures of him or herself | is an offender. | zionic wrote: | I'm furious. My top app has 250,000 uniques a day. | | I'm considering a 24h black out with a protest link to apple's | support email explaining what they've done. | | I wonder if anyone else would join me? | mrits wrote: | There isn't any reason to believe the CSAM hash list is only | images. The government now has the ability to search for | anything in your iCloud account with this. | geraneum wrote: | Didn't they [Apple] make the same points that EFF is making now, | to avoid giving FBI a key to unlock an iOS device that belonged | to a terrorist? | | " Compromising the security of our personal information can | ultimately put our personal safety at risk. That is why | encryption has become so important to all of us." | | "... We have even put that data out of our own reach, because we | believe the contents of your iPhone are none of our business." | | " The FBI may use different words to describe this tool, but make | no mistake: Building a version of iOS that bypasses security in | this way would undeniably create a backdoor. And while the | government may argue that its use would be limited to this case, | there is no way to guarantee such control." | | Tim Cook, 2016 | rubatuga wrote: | Think of the children!!! | bississippi wrote: | First they built a walled garden beautiful on the inside and | excoriated competitors [1] for their lack of privacy. Now that | the frogs have walked into the walled garden, they have started | to boil the pot [2] . I don't think the frogs will ever find out | when to get off the pot. | | [1] https://www.vox.com/the-goods/2019/6/4/18652228/apple- | sign-i... 
| | [2] https://en.wikipedia.org/wiki/Boiling_frog | roody15 wrote: | My two cents: I get the impression this is related to NSO Pegasus | software. So once the Israeli firm's leaks were made public Apple | had to respond and has patched some security holes that were | exposed publicly. | | NSO used exploits in iMessage to enable them to grab photos, | texts among other things. | | Now shortly after Apple security patches we see them pivot and | now want to "work" with law enforcement. Hmmm almost like once | access was closed Apple needs a way to justify "opening" access | to devices. | | Yes I realize this could be a stretch based on the info. Just | seems like an interesting coincidence... back door exposed and | closed.... now it's back open... almost like governments demand | access | Spooky23 wrote: | This article is irresponsible hand-waving. | | "When Apple releases these "client-side scanning" | functionalities, users of iCloud Photos, child users of iMessage, | and anyone who talks to a minor through iMessage will have to | carefully consider their privacy and security priorities in light | of the changes, and possibly be unable to safely use what until | this development is one of the preeminent encrypted messengers." | | People sending messages to minors that trigger a hash match have | more fundamental things to consider, as they are sending known | photos of child exploitation to a minor. | | The EFF writer knows this, as they describe the feature in the | article. They should be ashamed of publishing this crap. | morpheuskafka wrote: | You've got it mixed up. The messages are scanned for any | explicit material (which in many but not all cases is illegal), | not specific hash matches. That's only for uploads to iCloud | Photos. | | Additionally, you are not "obliged" to report such photos to | the police.
Uninvolved service providers do have to submit some | sort of report iirc, but to require regular users to do so | would raise Fifth Amendment concerns. | itake wrote: | > they are sending known photos of child exploitation to a | minor | | How do you know it's a known photo of child exploitation? The | original image that was hashed and then deleted. Two completely | different images have the same hash. | | WhatsApp automatically saves images to photos. What if you | receive a bad image and are reported due to someone else | sending the image to you? | Spooky23 wrote: | You're obliged to report that image to the police. These | types of images are contraband. | itake wrote: | > You're obliged to report that image to the police. | | Is this a legal obligation for all countries that iPhones | operate in? I wasn't able to find a law via a quick google | search for the US. | | For US law, are there protections for people that report | the contraband? I'm not sure if good samaritan or whistle | blower laws protect you. | temeritatis wrote: | the road to hell is paved with good intentions | NazakiAid wrote: | Wait until a corrupt government starts forcing Apple or Microsoft | to scan for leaked documents exposing them and then automatically | notifying them. Just one of the many ways this could go wrong in | the future. | m3kw9 wrote: | Gonna get downvoted for this, I maybe the few that supports this | and I hope they catch these child exploiters by the boat load and | save 1000s of kids from traffickers and jail their asses | pseudalopex wrote: | The child pornography detection only tries to find known child | pornography. It does nothing to stop traffickers. | panny wrote: | I left Apple behind years ago after using their gear for more | than a decade. I recently received a new M1 laptop from work and | liked it quite a bit. It's fast, it's quiet, it doesn't get hot. | I liked it so much, that I was prepared to go back full Apple for | a while.
I was briefly reviewing a new iPhone, a M1 mini as a | build server, a display, and several accessories to go along with | a new M1 laptop for myself. (I don't like to mix work and | personal) | | Then this news broke. Apple, you just lost several thousand | dollars in sales from me. I had items in cart and was pricing | everything out when I found this news. I will spend my money | elsewhere. This is a horrendous blunder. I will not volunteer | myself up to police states by using your gear now or ever again | in the future. I've even inquired about returning the work laptop | in exchange for a Dell. | | Unsafe at any speed. Stallman was right. etc etc etc. | shmerl wrote: | Is anyone even using Apple if they care about privacy and | security? | cwizou wrote: | The FT article mentioned it was US only (at least according to | the title, please correct me if wrong), but I'm more afraid of | how other governments will try to pressure Apple to adapt said | technology to their needs. | | Can they trust _random_ government to give them a database of | only CSAM hashes and not insert some extra politically motivated | content that they deem illegal ? | | Because once you've launched this feature in the "land of the | free", other countries will require for their own needs their own | implementation and want to control said database. | | And how long until they also scan browser history for the same | purpose ? Why stop at pictures ? This is opening a very dangerous | door that many here will be uncomfortable with. | | Scanning on their premises would be a much better choice, this is | everything but (as the "paper" linked tries to say) privacy | forward. | aalam wrote: | The initial rollout is limited to the US, with no concrete | plans reported yet on expansion. | | "The scheme will initially roll out only in the US. [...] 
| Apple's neuralMatch algorithm will continuously scan photos | that are stored on a US user's iPhone and have also been | uploaded to its iCloud back-up system." | | Researchers interviewed for the article would agree with your | analysis. "Security researchers [note: appears to be the named | security professors quoted later in the article], while | supportive of efforts to combat child abuse, are concerned that | Apple risks enabling governments around the world to seek | access to their citizens' personal data, potentially far beyond | its original intent." | | Article link for ease of access: | https://www.ft.com/content/14440f81-d405-452f-97e2-a81458f54... | cwizou wrote: | Thanks, after some fiddling I managed to finally read the | full text from the article and it's definitely short on | details on the rollout. Let's hope they rethink this. | falcolas wrote: | Apple, | | Not that you care, but this is the straw that's broken this | camel's back. It's too ripe for abuse, it's too invasive, and I | don't want it. | | You've used one of the Four Horsemen of the Infocalypse | perfectly... and so I'm perfectly happy to leave your ecosystem. | | Cheers. | FpUser wrote: | Luckily I only use phone to make phone calls, offline GPS and to | control some gizmos like drones. Do not even have data plan. Not | an Apple customer either so I guess my exposure to things | mentioned is more limited. | imranhou wrote: | I think it's easy to say no to any solution, but harder to say | "this is bad, but we should do this instead to solve the | problem". In a world with ubiquitous/distributed communication, | the ideas that come up would generally avoid direct interception | but some way to identify a malicious transaction. | | I only urge that whenever we come up and say no to ideas like | this, one should only do that only when accompanied by their | thoughts on an alternative solution. 
| trangus_1985 wrote: | I've been maintaining a spare phone running lineage os exactly in | case something like this happened - I love the apple watch and | apple ecosystem, but this is such a flagrant abuse of their | position as Maintainers Of The Device that I have no choice but | to switch. | | Fortunately, my email is on a paid provider (fastmail), and my | photos are on a NAS, I've worked hard to get all of my friends on | Signal. While I still use google maps, I've been trialing out OSM | alternatives for a minute. | | The things they've described are in general, reasonable and | probably good in the moral sense. However, I'm not sure that I | support what they are implementing for child accounts (as a queer | kid, I was terrified of my parents finding out). On the surface, | it seems good - but I am concerned about other snooping features | that this portends. | | However, with icloud photos csam, it is also a horrifying | precedent that the device I put my life into is scanning my | photos and reporting on bad behavior (even if the initial dataset | is the most reprehensible behavior). | | I'm saddened by Apple's decision, and I hope they recant, because | it's the only way I will continue to use their platform. | rasengan wrote: | Your original post said postmarketOS. That is weird that you | changed it to lineage (and misspelled that). | trangus_1985 wrote: | Yeah, sorry, I mixed them up in my head. I'm currently | running Lineage on a PH-1, not Postmarket. I would not | consider what I have set up to be "production ready", but I'm | going to spend some time this weekend looking into what | modern hardware can run Lineage or other open mobile OSes | trangus_1985 wrote: | Oh hey wait you're the freenode guy. While we're on the topic | of hostile actions by a platform provider... | rasengan wrote: | Doesn't change that you're a liar. | hncurious wrote: | Why is that weird?
| artimaeis wrote: | It's not the device that's less secure or private in this | context, it's the services. There's no reason you couldn't just | continue using your NAS for photo backup and Signal for | encrypted-communications completely unaffected by this. | | Apple seems to not have interest in users' devices, which makes | sense -- they're not liable for them. They _do_ seem interested | in protecting the data that they house, which makes sense, | because they're liable for it and have a responsibility to | remove/report CSAM that they're hosting. | [deleted] | Andrew_nenakhov wrote: | Signal is still a centralised data silo where by default you | trust CA to verify your contacts' identity. | chimeracoder wrote: | > Signal is still a centralised data silo where by default | you trust CA to verify your contacts' identity. | | You can verify the security number out-of-band, and the | process is straightforward enough that even nontechnical | users can do it. | | That's as much as can possibly be done, short of an app that | literally prevents you from communicating with anyone without | manually providing their security number. | Andrew_nenakhov wrote: | I said, 'by default'. I know that it is possible to do a | manual verification, but I am yet to have a chat with a | person who would do that. | | Also, the Signal does not give any warnings or indication | that chat partner identity is manually verified. Users are | supposed to trust Signal and not ask difficult questions | chimeracoder wrote: | > I said, 'by default'. I know that it is possible to do | a manual verification, but I am yet to have a chat with a | person who would do that. | | I'm not sure what else you'd expect. The alternative | would be for Signal not to handle key exchange at all, | and only to permit communication after the user manually | provides a security key that was obtained out-of-band. | That would be an absolutely disastrous user experience.
| | > Also, the Signal does not give any warnings or | indication that chat partner identity is manually | verified | | That's not true. When you verify a contact, it adds a | checkmark next to their name with the word "verified" | underneath it. If you use the QR code to verify, this | happens automatically. Otherwise, if you've verified it | manually (visual inspection) you can manually mark the | contact as verified and it adds the checkmark. | Andrew_nenakhov wrote: | > I'm not sure what else you'd expect. | | Ahem. I'd expect something that most xmpp clients could | do 10+ years ago with OTR: after establishing an | encrypted session the user is given a warning that chat | identity of a partner is not verified, and is given | options on how to perform this verification. | | With CA you can make a mild warning that identity is | verified by Signal, and give an option to dismiss | warning or perform off-the-band verification. | | Not too disastrous, no? | | > That's not true. When you verify a contact, it adds a | checkmark next to their name with the word "verified" | | It has zero effect if the user is given no indication | that there should be the word _verified_. | | It is not true what you say. _This_ [1] is what a new | user sees in Signal - absolutely zero indication. To | verify a contact user must go to "Conversation settings" | and then "View safety number". I'm not surprised nobody | ever established a verified session with me. | | [1]: https://www.dropbox.com/s/ab1bvazg4y895f6/screenshot | _2021080... | int_19h wrote: | I did this with all my friends who are on Signal, and | explained the purpose. | | And it does warn about the contact being unverified | directly in the chat window, until you go and click | "Verify". The problem is that people blindly do that | without understanding what it's for. | trangus_1985 wrote: | Yeah, but it's also useful for getting my friends on board.
I | think it's likely that I eventually start hosting matrix or | some alternative, but my goal is to be practical here, yet | still have a privacy protecting posture. | Sunspark wrote: | Your friends aren't going to want to install an app to have | it connect to trangus_1985's server. Be happy just getting | them on Signal. | Saris wrote: | I think no matter what devices you use, you've nailed down the | most important part of things which is using apps and services | that are flexible, and can be easily used on another platform. | trangus_1985 wrote: | I knew that eventually it'd probably matter what devices I | used, I just didn't expect it to be so soon. | | But yeah, I could reasonably use an iphone without impact for | the foreseeable future with some small changes. | OJFord wrote: | > While I still use google maps | | I use Citymapper simply because I find it better (for the city- | based journeys that are my usual call for a map app) - but it | not being a Google ~data collection device~ service is no | disadvantage. | | At least, depending why you dislike having everything locked up | with Google or whoever I suppose. Personally it's more having | _everything_ somewhere that troubles me, I 'm reasonably happy | with spreading things about. I like self-hosting things too, | just needs a value-add I suppose, that's not a reason in itself | _for me_. | JumpCrisscross wrote: | > _with icloud photos csam, it is also a horrifying precedent_ | | I'm not so bugged by this. Uploading data to iCloud has always | been a trade of convenience at the expense of privacy. Adding a | client-side filter isn't great, but it's not categorically | unprecedented--Apple executes search warrants against iCloud | data--and can be turned off by turning off iCloud back-ups. | | The scanning of childrens' iMessages, on the other hand, is a | subversion of trust. Apple spent the last decade telling | everyone their phones were secure. 
Creating this side channel | opens up all kinds of problems. Having trouble as a controlling | spouse? No problem--designate your partner as a child. | Concerned your not-a-tech-whiz kid isn't adhering to your | house's sexual mores? Solved. Bonus points if your kid's phone | outs them as LGBT. To say nothing of most sexual abuse of | minors happening at the hands of someone they trust. Will their | phone, when they attempt to share evidence, tattle on them to | their abuser? | | Also, can't wait for Dads' photos of their kids landing them on | a national kiddie porn watch list. | mojzu wrote: | If The Verge's article is accurate about how/when the CSAM | scanning occurs then I don't have a problem with that, sounds | like they're moving the scanning from server to client side, | the concerns about false positives seem valid to me but I'm | not sure the chance of one occurring has increased over the | existing icloud scanning. Scope creep for other content | scanning is definitely a possibility though so I hope people | keep an eye on that | | I'm not a parent but the other child protection features seem | like they could definitely be abused by some parents to exert | control/pry into their kids private lives. It's a shame that | systems have to be designed to prevent abuse by bad people | but at Apple's scale it seems like they should have better | answers for the concerns being raised | SquishyPanda23 wrote: | > sounds like they're moving the scanning from server to | client side | | That is good, but unless a system like this is fully open | source and runs only signed code there really aren't many | protections against abuse. | js2 wrote: | > designate your partner as a child. | | That's not how it works, unless you control your partner's | Apple ID and you lie about their DOB when you create their | account. | | I created my kids Apple IDs when they were minors and | enrolled them in Family Sharing. 
They are now both over 18 | and I cannot just designate them as minors. Apple | automatically removed my ability to control any aspects of | their phones when they turned 18. | | > Dads' photos of their kids landing them on a national | kiddie porn watch list. | | Indeed, false positives is much more worrying. The idea that | my phone is spying on my pictures... like, what the hell. | odyssey7 wrote: | > That's not how it works, unless you control your | partner's Apple ID and you lie about their DOB when you | create their account. | | Rather than reassuring me, this sounds like an achievable | set of steps for an abuser to carry out. | leereeves wrote: | More than achievable. Abusers often control their | victims' accounts. | selykg wrote: | I feel like you're sensationalizing this a lot. | | There's two functions here. Both client side. | | First, machine learning to detect potentially inappropriate | pictures for children to view. This seems to require parental | controls to be on. Optionally it can send a message to the | parent when a child purposefully views the image. The image | itself is not shared with Apple so this is notification to | parents only. | | The second part is a list of hashes. So the Photos app will | hash images and compare to the list in the database. If it | matches then presumably they do something about that. The | database is only a list of KNOWN child abuse images | circulating. | | Now, not to say I like the second part but the first one | seems fine. The second is sketchy in that what happens if | there's a hash collision. But either way it seems easy enough | to clear that one up. | | No father is going to be added to some list for their | children's photos. Stop with that hyperbole. | JumpCrisscross wrote: | > _the Photos app will hash images and compare to the list | in the database. If it matches then presumably they do | something about that. 
The database is only a list of KNOWN | child abuse images circulating._ | | This seems fine as it's (a) being done on iCloud-uploaded | photos and (b) replacing a server-side function with a | client-side one. If Apple were doing this to locally-stored | photos on iCloud-disconnected devices, it would be nuts. | Once the tool is built, expanding the database to include | any number of other hashes is a much shorter leap than | compelling Apple to build the tool. | | > _it seems easy enough to clear that one up_ | | Would it be? One would be starting from the point of a | documented suspicion of possession of child pornography. | 015a wrote: | This is Apple installing code on their users' devices with | the express intent to harm their customers. That's it! This | is inarguable! If this system works as intended, Apple is | knowingly selling devices that will harm their customers. | We can have the argument as to whether the harm is | justified, whether the users _deserved it_. Sure, this only | impacts child molesters. That makes it ok? | | "But it only impacts iCloud Photos". Valid! So why not run | the scanner in iCloud and not on MY PHONE that I paid OVER | A THOUSAND DOLLARS for? Because of end-to-end encryption. | Apple wants to have their cake and eat it too. They can say | they have E2EE, but also give users no way to opt-out of | code, running on 100% of the "end" devices in that "end-to- | end encryption" system, which subverts the E2EE. A | beautiful little system they've created. "E2EE" means | different things on Apple devices, for sure! | | And you're ignoring (or didn't read) the central, valid | point of the EFF article: _Maybe_ you can justify this in | the US. Most countries are far, far worse than the US when | it comes to privacy and human rights. The technology | exists. The policy has been drafted and enacted; Apple is | now alright with subverting E2EE. We start with hashes of | images of child exploitation. What's next? Tank man in | China? 
Photos of naked adult women, in conservative parts | of the world? A meme criticizing your country's leader? I | want to believe that Apple will, AT LEAST, stop at child | exploitation, but Apple has already destroyed the faith I | held in them, only yesterday, in their fight for privacy as | a right. | | This isn't an issue you can hold a middleground position | on. Encryption doesn't only kinda-sorta work in a half-ass | implementation; it doesn't work at all. | 2OEH8eoCRo0 wrote: | >While I still use google maps | | You can still use Google Maps without an account and | "incognito". I wish they'd allow app store usage without an | account though- similar to how any Linux package manager works. | trangus_1985 wrote: | That's not really the issue. The issue is that for google | maps to work properly, it requires that the Play services are | installed. Play services are a massive semi-monolithic blob | that requires tight integration with Google's backend, and | deep, system-level permissions to operate correctly. | | I'm not worried about my search history. | boring_twenties wrote: | Last I checked (about a year ago), the Google Maps app did | work with microG (a FOSS reimplementation of Google Play | Services). | trangus_1985 wrote: | I use maps on my phone on a regular basis - I would | vastly prefer to have something less featured and stable | versus hacking the crap out of my phone. But that's good | to know. | brundolf wrote: | One workaround is to use the mobile web app, which is | surprisingly pretty decent for a web app. And because it's | a web app, you can even disable things like sharing your | location if you want to | 2OEH8eoCRo0 wrote: | Ahhh, gotcha. Did not realize that. Makes sense. | techrat wrote: | People need to remember that most of Android got moved into | Play Services. It was the only way to keep a system | relatively up to date when the OEMs won't update the OS | itself. | | Yeah, it's a dependency... 
as much as the Google Maps APK | needing to run on Android itself. | opan wrote: | In addition to F-Droid, you can get Aurora Store (which is on | F-Droid) which lets you use an anonymous login to get at the | Play Store. I use it for a couple free software apps that | aren't on F-Droid for some reason. | C19is20 wrote: | What are the apps? | sunshineforever wrote: | I also recommend Aurora Store as a complete replacement for | the Play store. The one thing is that I've never tried | using apps that I paid for on it but it works very well for | any free apps. There is an option to use a Google account | with Aurora but I've only ever used the anonymous account. | | The only slight downside is that I haven't figured out how | to auto update apps, so your apps will get out of date | without you being notified and you have to manually do it. | This problem might literally be solved by a simple setting | that I haven't bothered to look for, IDK. | | On the plus side it includes all the official play store | apps, alongside some that aren't allowed by play store. | | For examples, Newpipe, the superior replacement YouTube app | that isn't allowed on play store due to it subverting | advertisements and allowing a few features that are useful | for downloading certain things. | bambax wrote: | > _probably good in the moral sense_ | | How, how is it even morally good?? Will they start taking | pictures of your house to see if you store drugs under your | couch? Or cook meth in your kitchen?? | | What is moral is for society to be in charge of laws and law | enforcement. This vigilante behavior by private companies who | answer to no one is unjust, tyrannical and just plain crazy. | _red wrote: | Yes, my history was Linux 95-04, Mac 04-15, and now back to | Linux from 2015 onwards. | | It's been clear Tim Cook was going to slowly harm the brand. He | was a wonderful COO under a visionary CEO-type, but he holds no | particular "Tech Originalist" vision. 
He's happy to be part of | the BigTech aristocracy, and probably feels really at home in | the powers it affords him. | | Anyone who believes this is "just about the children" is naive. | His Chinese partners will use this to crack down on "Winnie the | Poo" cartoons and the like...before long questioning any Big | Pharma product will result in being flagged. Give it 5 years at | max. | ursugardaddy wrote: | you make that sound like a bad thing, I'd love to live in a | world without child abuse spreading rampant on the internet | and not having to suffer through what passes for political | speech (memes) these days. | | maybe once we detect and stop stuff like this from happening | before it gets very bad, we can grow as a society and adjust | our forms of punishment accordingly too | adamrt wrote: | Is this a bot comment? Account is two hours old. | | You want to not suffer through political memes? And jump to | scanning private messages for dissent, by authoritarian | governments being okay!? | | What?! | ursugardaddy wrote: | No, I'm being serious. technology like this could be very | beneficial. | | there's a good chance that if we continue to improve | surveillance law enforcement agencies and justice | departments could begin to focus on rehabilitation and | growing a kinder world. | | right they are like firemen trying to put out fires after | the building has been ruined | | if it doesn't work we're doomed anyway, so what's the | problem? | empressplay wrote: | The problem is what you're describing is literal fascism? | Lammy wrote: | _Helen Lovejoy voice_ Won't somebody _please_ think of the | children!? | runjake wrote: | Once you give them the power, they'll never willingly hand | it back. | withinboredom wrote: | I don't think anyone is arguing that making it harder to | abuse children is a bad thing. It's what is required to do | so that is the bad thing. 
It'd be like if someone installed | microphones all over every house to report on when you | admit that you're guilty to bullying. No one wants | bullying, but I doubt you want a microphone recording | everything and looking for certain trigger words. Unless | you have an Alexa or something, then I guess you probably | wouldn't mind that example. | LazyR0B0T wrote: | Organic Maps on Fdroid is a really clean osm based map. | JackGreyhat wrote: | Nearly the same as MagicEarth...I use it all the time. | crocodiletears wrote: | Does it let you select from multiple routes? I've been using | Pocketmaps, but it only gives you a single option for | routing, which can lead to issues in certain contexts | Sunspark wrote: | I'm impressed, it actually has smooth scrolling unlike OsmAnd | which is very slow loading tiles in. | | Critical points I'd make about Organic Maps, I'd want a lower | inertia setting so it scrolls faster, and a different color | palette.. they are using muddy tones of green and brown. | alksjdalkj wrote: | Have you found any decent google maps alternatives? I'd love to | find something but nothing comes close as far as I've found. | Directions that take into account traffic is the big thing that | I feel like nobody (other than Apple, MS, etc.) will be able to | replicate. | | Have you tried using the website? I've had some luck with that | on postmarketOS, and it means you don't need to install Play | services to use it. | krobbn wrote: | I really like Here WeGo, and it allows you to download maps | for specific countries too to have available offline. | beermonster wrote: | OsmAND | manuelmagic wrote: | I'm using since many years HERE Maps https://wego.here.com/ | nickexyz wrote: | Organic maps is pretty good: | https://github.com/organicmaps/organicmaps | new_realist wrote: | The argument from reactionary HN neckbeards is basically, | "can't you see that this _could_ be used for great evil?" | | No shit. That's obvious to just about... 
everyone on the | planet. Many things in this world can be used for great evil: | knives, gasoline, guns, TNT, cars--even most household items | when used with creativity. It is quite impossible to create | something which can't be abused in some form. But society still | allows them, because it judges that the good outweighs the bad, | and systems exist to manage the risk of evil use. | | In this case, I have every expectation that this scanning will | be auditable, and society will eventually work out most of the | imperfections in systems like these, and strike the right | balance to make the world a better place. | [deleted] | threatofrain wrote: | What is your home NAS setup like? | trangus_1985 wrote: | Freenas, self-signed tightly-scoped CA installed on all of my | devices. 1TBx4 in a small case shoved under the stairs. | | tbh, i would vastly prefer to use a cloud based service with | local encryption - I'm not super paranoid, just overly | principled | quest88 wrote: | What do you use to sync phone photos to your NAS? I like | Google Photos' smartness, but I also want my photos on my | Synology NAS. | antgiant wrote: | I personally am a fan of Mylio for that. | https://mylio.com/ | voltaireodactyl wrote: | If you haven't already heard of it, cryptomator might be | just what you're after. | lcfcjs wrote: | Found the paedo. | cle wrote: | Unfortunately with SafetyNet, I feel like an investment into | Android is also a losing proposition...I can only anticipate | being slowly cut off from the Android app ecosystem as more | apps onboard with attestation. | | We've collectively handed control of our personal computing | devices over to Apple and Google. I fear the long-term | consequences of that will not be positive... | trangus_1985 wrote: | I don't think it's implausible that I carry around a phone | that has mail, contacts, calendars, photos, and private chat | on it. And then, have a second, older phone that has like | Instagram and mobile games. 
It's tragic. | sodality2 wrote: | Unfortunately a big bulk of the data they profit off of is | simply the ads and on-platform communication and behavior. | Doesn't really matter if you use a different device if you | still use the platform. Sure, it's slightly better, but it | really isn't a silver bullet if you're still using it. And | this is coming from someone who does this already. | heavyset_go wrote: | > _We've collectively handed control of our personal | computing devices over to Apple and Google_ | | Hey now, the operating system and app distribution cartels | include Microsoft, too. | techrat wrote: | Losing sight of the forest for this one tree. | | 1) Google doesn't release devices without unlockable | bootloaders. They have always been transparent in allowing | people to unlock their Nexus and Pixels. Nexus was for | developers, Pixels are geared towards the end user. Nothing | changed with regards to the bootloaders. | | 2) Google uses Coreboot for their ChromeOS devices. Again, | you couldn't get more open than that if you wanted to buy a | Chromebook and install something else on it. | | 3) To this day, app sideloading on Android remains an option. | They've even made it easier for third party app stores to | automatically update apps with 12. | | 4) AOSP. Sure, it doesn't have all the bells and whistles as | the latest and greatest packaged up skin and OS release, but | all of the features that matter within Android, especially if | you're going to de-Google yourself, are still there. | | Any one of those points, but consider all four, and I have | trouble understanding why people think REEEEEEEE Google. | | So you can't play with one ball in the garden (SafetyNet), | you've still got the rest of the toys. That's a compromise | I'm willing to accept in order to be able to do what I want | to and how I want to do it. (Eg, Rooting or third party | roms.) 
| | If you don't like what they do on their mobile OS, there's | _nothing_ that Google is doing to lock you into a Walled | Garden to where the only option you have is to completely | give up what you're used to... | | ...Unlike Apple. Not one iOS device has been granted an | unlockable bootloader. Ever. | shbooms wrote: | "1) Google doesn't release devices without unlockable | bootloaders. They have always been transparent in allowing | people to unlock their Nexus and Pixels. Nexus was for | developers, Pixels are geared towards the end user. Nothing | changed with regards to the bootloaders." | | This is not accurate. Pixels that come from Verizon have | bootloaders that cannot be fully unlocked. | Zak wrote: | Safetynet is becoming a problem, and the trend shows no | signs of slowing down. | | I shouldn't have to choose between keeping full control | over my device and being able to use it to access the | modern world. | Shank wrote: | I really love the EFF, but I also believe the immediate backlash | is (relatively) daft. There is a potential for abuse of this | system, but consider the following too: | | 1. PhotoDNA is already scanning content from Google Photos and a | whole host of other service providers. | | 2. Apple is obviously under pressure to follow suit, but they | developed an on-device system, recruited mathematicians to | analyze it, and published the results, as well as one in-house | proof and one independent proof showing the cryptographic | integrity of the system. | | 3. Nobody, and I mean nobody, is going to successfully convince | the general public that a tool designed to stop the spread of | CSAM is a "bad thing" unless they can show concrete examples of | the abuse. | | For one and two: given the two options, would you rather that | Apple implement serverside scanning, in the clear, or go with the | on-device route? 
If we assume a law was passed to require | serverside scanning (which could very well happen), what would | that do to privacy? | | For three: It's an extremely common trope to say that people do | things to "save the children." Well, that's still true. Arguing | against a CSAM scanning tool, which is technically more privacy | preserving than alternatives from other cloud providers, is an | extremely uphill battle. The biggest claim here is that the | detection tool _could_ be abused against people. And that very | well may be possible! But the whole existence of NCMEC is | predicated on stopping the active and real danger of child sex | exploitation. We know with certainty this is a problem. Compared | to a certainty of child sex abuse, the hypothetical risk from | such a system is practically laughable to most people. | | So, I think again, the backlash is daft. It's been about two days | of the announcement being public (leaks). The underlying | mathematics behind the system has barely been published [0]. It | looks like the EFF rushed to make a statement here, and in doing | so, it doesn't look like they took the time to analyze the | cryptography system, to consider the attacks against it, or to | consider possible motivations and outcomes. Maybe they did, and | they had advanced access to the material. But it doesn't look | like it, and in the court of public opinion, optics are | everything. | | [0]: https://www.apple.com/child- | safety/pdf/Alternative_Security_... | api wrote: | (2) is important. Apple put effort into making this at least | somewhat privacy-respecting, while the other players just scan | everything with no limit at all. They also scan everything for | any purpose including marketing, political profiling, etc. | | Apple remains the most privacy respecting major vendor. The | only way to do better is fully open software and open hardware. 
| echelon wrote: | > There is a potential for abuse of this system, but consider | the following too | | > I think again, the backlash is daft. | | Don't apologize for this bullshit! Don't let your love of brand | trump the reality of what's going on here. | | Machinery is being put in place to detect what files are on | your supposedly secure device. Someone has the reins and | promises not to use it for anything other than "protecting the | children". | | How many election cycles or generations does it take to change | to an unfavorable climate where this is now a tool of great | asymmetrical power to use against the public? | | What happens when the powers that be see that you downloaded | labor union materials, documents from Wikileaks, or other files | that implicate you as a risk? | | Perhaps a content hash on your phone puts you in a flagged | bucket where you get pat downs at the airport, increased | surveillance, etc. | | The only position to take here is a full rebuke of Apple. | | edit: Apple apologists are taking a downright scary position | now. I suppose the company has taken a full 180 from their 1984 | ad centerpiece. But that's okay, right, because Apple is a part | of your identity and it's beyond reproach? | | edit 2: It's nominally iCloud only (a key feature of the | device/ecosystem), but that means having to turn off a lot of | settings. One foot in the door... | | edit 3: Please don't be complicit in allowing this to happen. | Don't apologize or rationalize. This is only a first step. We | warned that adtech and monitoring and abuse of open source were | coming for years, and we were right. We're telling you - loudly | - that this will begin a trend of further erosion of privacy | and liberty. | artimaeis wrote: | It's not doing any sort of scanning of your photos while | they're just sitting on your device. The CSAM scanning only | occurs when uploading photos to iCloud, and only to the | photos being uploaded. 
| | Source (pdf): https://www.apple.com/child- | safety/pdf/CSAM_Detection_Techni... | pseudalopex wrote: | > It's not doing any sort of scanning of your photos while | they're just sitting on your device. | | Yet. The point is the new system makes it feasible. | cblconfederate wrote: | What is the point of E2EE vs TLS/SSL based encryption? | randcraw wrote: | You presume Apple and the DoJ will implement this with human | beings at each step. They won't. Both parties will automate as | much of this clandestine search as possible. With time, the | external visibility and oversight of this practice will fade, | and with it, any motivation to confirm fair and accurate | matches. Welcome to the sloppiness inherent in clandestine law | enforcement intel gathering. | | As with all politically-motivated initiatives that boldly | violate the Constitution (consider the FISA Court, and its | rubber stamp approval of 100% of the secret warrants put before | it), the use and abuse of this system will go largely | underground, like FISA, and its utility will slowly degrade due | to lack of oversight. In time, even bad matches will log the | IDs of both parties in databases that label them as potential | sexual predators. | | Believe it. That's how modern computer-based gov't intel works. | Like most law enforcement policy recommendation systems, | Apple's initial match algorithm will never be assessed for | accuracy, nor be accountable for being wrong at least 10% of | the time. In time it will be replaced by other third party | screening software that will be even more poorly written and | overseen. That's just what law enforcement does. | | I've personally seen people suffer this kind of gov't abuse and | neglect as a result of clueless automated law enforcement | initiatives after 9-1-1. I don't welcome more, nor the gradual | and willful tossing of everyone's basic Constitutional rights | that Apple's practice portends. 
| | The damages to personal liberty that are inherent in conducting | secret searches without cause or oversight is exactly why the | Fourth Amendment requires a warrant before conducting a search. | NOW is the time to disabuse your sense of 'daftness'; not years | from now, after the Fourth and Fifth Amendments become | irreversibly passe. Or should I say, 'daft'? | avnigo wrote: | I'd be interested to see what any Apple executives would | respond to the concerns in interviews, but I don't expect Apple | to issue a press release on the concerns. | vorpalhex wrote: | Who verifies CSAM databases? Is there a way to verify the CSAM | hashlist hasn't been tampered with and additional hashes | inserted? | | Would it be ok to use this approach to stop "terrorism"? Are | you ok with both Biden and Trump defining that list? | feanaro wrote: | > that a tool designed to stop the spread of CSAM is a "bad | thing" | | It's certainly said to be designed to do it, but have you seen | concerns raised in the other thread | (https://news.ycombinator.com/item?id=28068741)? There have | been reports from some commenters of the NCMEC database | containing unobjectionable photos because they were merely | _found in a context alongside some CSAM_. | | Who audits these databases? Where is the oversight to guarantee | only appropriate content is included? They are famously opaque | because the very viewing of the content is illegal. So how can | we know that they contain what they are purported to contain? | | This is overreach. | shuckles wrote: | That's a problem with NCMEC, not Apple's proposal today. | Furthermore, if it were an actual problem, it would've | already manifested with the numerous current users of | PhotoDNA which includes Facebook and Google. I don't think | the database of known CSAM content includes photos that | cannot be visually recognized as child abuse. | tsimionescu wrote: | Why do you not think that? 
As far as I understand, there is | no procedure for reviewing the contents, it is simply a | database that law enforcement vouches is full of bad | images. | shuckles wrote: | NCMEC, not law enforcement, produces a list of embeddings | of known images of child abuse. Facebook and Google run | all photos uploaded to their platforms against this list. | Those which match are manually reviewed and if confirmed | to depict such scenes, are reported to CyberTip. If the | list had a ton of false positives, you think they | wouldn't notice that their human reviewers were spending | a lot of time looking at pictures of the sky? | Shank wrote: | > Who audits these databases? Where is the oversight to | guarantee only appropriate content is included? They are | famously opaque because the very viewing of the content is | illegal. So how can we know that they contain what they are | purported to contain? | | I wholeheartedly agree: there is an audit question here too. | The contents of the database are by far the most dangerous | part of this equation, malicious or not, targeted or not. I | don't like the privacy implications about this, nor the | potential for abuse. I would love to see some kind of way to | audit the database, or ensure that it's only used "for good." | I just don't know what that system is, and I know that | PhotoDNA is already in use on other cloud providers. | | Matthew Green's ongoing analysis [0] is really worth keeping | an eye on. For example, there's a good question: can you just | scan against a different database for different people? These | are the right questions given what we have right now. | | [0]: https://twitter.com/matthew_d_green/status/1423378285468 | 2091... | shuckles wrote: | Matt should read the release before live tweeting FUD. The | database is shipped in the iOS image, per the overview, so | targeting users is not an issue (roughly). 
| pushrax wrote: | Is the database frozen or can they push out updates | independently of iOS updates? If not, targeting | individual users definitely doesn't seem possible unless | you control OS signing. | shuckles wrote: | The database is shipped in the iOS image. | pushrax wrote: | That's what you wrote originally - and to me it doesn't | indicate whether it can also be updated from other | sources or not. | | Lots of content is shipped in the iOS image but can | update independently. | shuckles wrote: | The technical summary provides a lot of detail. I don't | think Apple would omit remote update functionality from | it if such capability existed, especially since database | poisoning is a real risk to this type of program. I'm | comfortable with interpreting the lack of evidence as | evidence of absence of such a mechanism. Explicit | clarification would certainly help though, but my | original point stands: there is positive evidence in the | docs which the FUD tweets don't engage with. | | In particular, I'm referencing the figure which says that | the database of CSAM hashes is "Blinded and embedded" | into the client device. That does not sound like an asset | the system remotely updates. | pseudalopex wrote: | You should understand the difference between a protocol | and an easy to change implementation detail before | throwing around words like FUD. | shuckles wrote: | Has Matt redacted any of the FUD from his tweets last | night which aren't true given the published details from | today? For example, his claim that the method is | vulnerable to black box attacks from GANs isn't | applicable to the protocol because the attacker can't | access model outputs. | | Furthermore, if "an easy to change implementation detail" | in your threat model is anything which could be changed | by iOS update, you should've stopped using iPhone about | 14 years ago. 
| [deleted] | indymike wrote: | > backlash is daft | | Fighting to preserve a freedom is not daft, even if it is David | vs. Goliath's bigger, meaner brother and his friends. | [deleted] | throwaway888abc wrote: | 1. was new to me. | | TIL - (2014) PhotoDNA Lets Google, FB and Others Hunt Down | Child Pornography Without Looking at Your Photos | | https://petapixel.com/2014/08/08/photodna-lets-google-facebo... | shivak wrote: | > recruited mathematicians to analyze it, and published the | results, as well as one in-house proof and one independent | proof showing the cryptographic integrity of the system. | | Apple employs cryptographers, but they are not necessarily | acting in your interest. Case in point: their use of private | set intersection, to preserve privacy... of law enforcement, not | users. Their less technical summary: | | > _Instead of scanning images in the cloud, the system performs | on-device matching using a database of known CSAM image hashes | provided by NCMEC and other child safety organizations. Apple | further transforms this database into an unreadable set of | hashes that is securely stored on users' devices._ | | > _Before an image is stored in iCloud Photos, an on-device | matching process is performed for that image against the known | CSAM hashes. This matching process is powered by a | cryptographic technology called private set intersection.._ | | The matching is performed on device, so the user's privacy | isn't at stake. But, thanks to PSI and the hash preprocessing, | the user doesn't know what law enforcement is looking for. | xondono wrote: | Well, it'd be kind of dumb to make the mistake of building a | system to stop child pornography only to have it become the | biggest distributor of CP photos in history | wayneftw wrote: | This is an abuse of my property rights. The device is my property | and this activity will be using my CPU, battery time and my | network bandwidth. That's the abuse right there.
| | They should just use their own computers to do this stuff. | samatman wrote: | Photos is just an app. | | You can use another photo app, link it to another cloud | provider, and be free of the burden. | | If you use Photos, you're along for the ride, and you've | consented to whatever it does. | | You don't get a line-item veto on code you choose to run, | that's never been how it works. | | For what it's worth, I'm basically with the EFF on this: it | looks like the thin end of a wedge, it sucks and I'm not | happy about it. | | But being histrionic doesn't help anything. | zionic wrote: | No it's not, it's the entire OS. | jimbob45 wrote: | I don't know how true this is. I don't see any way to block | Photos from viewing the files on this device and I see no | reason that it can't read files from my other apps. | jdavis703 wrote: | Then you have two choices, disable iCloud photo backups or | don't upgrade to iOS 15. There are plenty of arguments | against Apple's scheme, but this isn't one of them. | Sunspark wrote: | This is going to do wonders for Apple's marketshare once the | teenagers realize that Apple is going to be turning them in to | the police. | | Teens are not stupid. They'll eventually clue-in that big brother | is watching and won't appreciate it. They'll start by using other | messengers instead of imessage and then eventually leaving the | ecosystem for Android or whatever else comes down the pike in the | future. | Calvin02 wrote: | I think the issue is that what the tech community sees as privacy | is different than what the general public thinks of as privacy. | | Apple, very astutely, understands that difference and exploited | the latter to differentiate its phones from its main competitor: | cheap(er) android phones. | | Apple didn't want the phones to be commoditized, like personal | computers before it. And "privacy" is something that you can't | commoditize. Once you own that association, it is hard to fight | against it. 
| | Apple also understands that the general public will support its | anti child exploitation and the public will not see this as a | violation of privacy. | etempleton wrote: | I think this is probably the reasonable and responsible thing for | Apple to do as a company, even if it goes against their | privacy ethos. Honestly they probably have been advised by their | own lawyers that this is the only way to cover themselves and | protect shareholder value. | | The question will be if Apple will bend to requests to leverage | this for other reasons less noble than the protection of | children. Apple has a lot of power to say no right now, but they | might not always have that power in the future. | websites2023 wrote: | Apple's battle is against Surveillance Capitalism, not against | state-level surveillance. In fact, there is no publicly traded | company that is against state-level surveillance. It's important | not to confuse the two. | | Think of it this way: If you want to hide from companies, choose | Apple. If you want to hide from the US Government, choose open | source. | | But if your threat model really does include the US government or | some other similarly capable adversary, you are well and truly | fucked already. The state-level apparatus for spying on folks | through metadata and traffic interception is now more than a | decade old. | krrrh wrote: | The problem is that as governments gain access to new | technological capabilities and exploit crises to acquire more | emergency powers, increasingly large numbers of peoples' threat | models begin to include government. | | The best hopes against a population-wide Chinese-style social | credit system being implemented in the US remain constitutional | and cultural, but the more architectural help we get from | technology the better. "Code is law" is still a valid | observation. | [deleted] | tablespoon wrote: | > Think of it this way: If you want to hide from companies, | choose Apple.
If you want to hide from the US Government, | choose open source. | | It's not just the US government: they've been cooperating with | the PRC government as well (e.g. iCloud in China runs on | servers owned by a state-owned company, and apparently China | rejected the HSM Apple was using elsewhere, so they designed | one specifically for China). Apple has some deniability there, | but I personally wouldn't be surprised if China could get any | data from them that it wanted. | | https://www.nytimes.com/2021/05/17/technology/apple-china-ce... | tomxor wrote: | I keep thinking, It's like they are _trying_ to be the most | ironic company in history... | | But then I have to remind myself, the old Apple is long gone, the | new Apple is a completely different beast, with a very different | concept of what it is marketing. | amelius wrote: | It's the RDF. People still think of Apple as the Old Apple. The | rebellious company that stood for creative freedom. The maker | of tools that work _for_ the user, not _against_ the user. | endisneigh wrote: | Unless the entire stack you're using is audited and open source | this sort of thing is inevitable. | | As far as this is concerned, seems like if you don't use iMessage | or iCloud you're safe for now. | _red wrote: | >don't use iMessage | | 1. Send someone you hate a message with cartoon making fun of | tyrant-president. | | 2. That person is now on a list. | | It's swatting-as-a-service. | ezfe wrote: | If you read the article, you'd understand that among ALL the | issues, this is not one: | | - Photos scanning in Messages is on-device only (no reporting | to govt.) and doesn't turn on unless you're an adult who | turns it on for a minor via Family Sharing controls. - iCloud | Photos scanning doesn't take effect unless you save the photo | and it's already in a database of flagged photos. So in your | scenario, you'd have to save the photo received from the | unknown number to get flagged.
| _red wrote: | >So in your scenario, you'd have to save the photo received | from the unknown number to get flagged. | | Whew! I was worried there for a minute. Maybe for extra | safety I could say "SIRI I DISAVOW OF THIS MESSAGE!"?? | bingidingi wrote: | would you not report unsolicited child porn to the FBI | anyway? | samatman wrote: | Y'know, I have no idea what I'd do in this situation and | I really hope I'll never find out. | | If a kilo of heroin just showed up in the back seat of my | car, I'd throw it out the window and try not to think | about it. I certainly wouldn't bring it to the police, | because _mere possession is a serious crime_. | | CP is the same way, except it comes with a nice audit | trail which could sink me even if I delete it | immediately. Do I risk that, or do I risk the FBI | deciding I'm a Person of Interest because I reported the | incident in good faith? | | There are no good choices there. | tsimionescu wrote: | The scan doesn't detect child porn, it detects photos in | the CSAM database. The two may or may not be the same thing, | now or in the future. | lijogdfljk wrote: | I'm confused - the article explicitly states this scenario | - minus the swatting. | | Ie unless you're replying to purely the swatting part, the | article seems to support this. Specifically a prediction | that governments will creep on legally requiring Apple to | push custom classifiers: | | > Apple's changes would enable such screening, takedown, | and reporting in its end-to-end messaging. The abuse cases | are easy to imagine: governments that outlaw homosexuality | might require the classifier to be trained to restrict | apparent LGBTQ+ content, or an authoritarian regime might | demand the classifier be able to spot popular satirical | images or protest flyers. | ezfe wrote: | That sentence is wrong. It simply isn't accurate of the | current system. It relies on future changes to the | system, not just changes to a database.
| | The iMessage feature is not a database comparison system, | it's to keep kids from getting/receiving nudes | unexpectedly - and it works based on classifying those | images. | | I don't dispute this is a slippery slope - one could | imagine that a government requires Apple to modify its | classification system. However, that would presumably | require a software update since it happens on device. | xondono wrote: | That refers to the icloud scanning, the idea being that | if the hash database contains propaganda, people | uploading that propaganda to icloud could get reported by | their own device. | arihant wrote: | Didn't Apple also announce a feature for iOS 15 where | iMessage photos are somehow automatically collected and | shown in iCloud? A way to reduce the hassle of creating shared | albums. So with that, I think all users of iCloud photos | are under risk here. | ncw96 wrote: | > As far as this is concerned, seems like if you don't use | iMessage or iCloud you're safe for now. | | Yes, this is correct. The Messages feature only applies to | children under 18 who are in an iCloud Family, and the photo | library feature only applies if you are using iCloud Photos. | withinboredom wrote: | I'm fairly certain the age is different per region and | hopefully tied to the age of consent (in this particular | case). | rootusrootus wrote: | I don't think it has anything to do with age. It has | everything to do with you adding the phone to your family | under settings and declaring that it belongs to a child. | You control the definition of child. | jdavis703 wrote: | I could imagine an abusive partner enabling this to make | sure their partner isn't sexting other people. Given the | pushback for AirTags I'm surprised people aren't more | concerned. | endisneigh wrote: | You're misunderstanding what this is if this is an actual | concern of yours. | jdavis703 wrote: | I'm not sure I'm misunderstanding.
This is another | feature that allows someone with access to another | person's phone to enable stalkerware like features. | rootusrootus wrote: | Anyone 13 or older can remove themselves from a family | sharing group. The only exception is if screen time is | enabled and enforced for their device. | | Frankly, if you have an abusive partner with physical | control over you and a willingness to do this, the fact | that Apple supports this technology is the _least_ of | your problems. | xondono wrote: | Except this would require consent of the abused partner | when creating the account to set an age <13yo. | | You can't set this to other accounts on your family | remotely. | josh_today wrote: | Would artificially inflating every child's age to 18+ | eliminate the iMessage problem? | [deleted] | edison112358 wrote: | "This means that when the features are rolled out, a version of | the NCMEC CSAM database will be uploaded onto every single | iPhone." | | So every iPhone will now host the explicit images from the | National Center for Missing & Exploited Children database. | spiznnx wrote: | The database contains perceptual hashes, not images. | pgoggijr wrote: | No, they will host the hashes computed from those images. | hartator wrote: | Yes, everyone in jail! It's probably just the md5 or something | like that, but I don't like it either. | joshstrange wrote: | > So every iPhone will now host the explicit images from the | National Center for Missing & Exploited Children database. | | It's hashes, not the images themselves. | cblconfederate wrote: | And how did the user end up with the hashes? He hashed the | original images which he then deleted, your honor! | | BTW this is going to be a major target for smearing people | that the US doesn't like | joshstrange wrote: | I'm sorry but this is the most ridiculous thing I've read | today. Hashes have never and probably will never be used | "smear" someone the US doesn't like.
We can speculate about | them planting evidence but trying to prosecute based on | hashes baked into the OS used by millions? That's absurd. | kevincox wrote: | I'm pretty sure this is a non-tech way of saying "a machine | learning model" or other parameters which is not a particularly | useful form of this database. | artimaeis wrote: | > No user receives any CSAM photo, not even in encrypted form. | Users receive a data structure of blinded fingerprints of | photos in the CSAM database. Users cannot recover these | fingerprints and therefore cannot use them to identify which | photos are in the CSAM database. | | Source (PDF): https://www.apple.com/child- | safety/pdf/Technical_Assessment_... | zionic wrote: | How long until a hacker uses ML to generate collisions against | those hashes? | outworlder wrote: | For what purpose? A collision doesn't mean that you found the | source images. Not even close. | __david__ wrote: | Find collisions, spam the colliding photos to people you | don't like, watch the mayhem unfold. | acdha wrote: | With a broader rollout to all accounts and simply scanning | in iMessage rather than photos there's one possible | scenario if you could generate images which were plausibly | real photos: spam them to someone before an election, let | friendly law enforcement talk about the investigation, and | let them discover how hard it is to prove that you didn't | delete the original image which was used to generate the | fingerprint. Variations abound: target that teacher who | gave you a bad grade, etc. The idea would be credibility | laundering: "Apple flagged their phone" sounds more like | there's something there than, say, a leak to the tabloids | or a police investigation run by a political rival. | | This is technically possible now but requires you to | actually have access to seriously illegal material. 
A | feasible collision process would make it a lot easier for | someone to avoid having something which could directly | result in a jail sentence. | octopoc wrote: | So you can upload the colliding images to iCloud and get | yourself reported for having child porn. Then after the law | comes down on you, you can prove that you didn't ever have | child porn. And you can sue Apple for libel, falsely | reporting a crime, whatever else they did. It would be a | clever bit of tech activism. | bingidingi wrote: | I guess in theory you could poison the well by widely | sharing many false positives? | ursugardaddy wrote: | Improved swatting, it's going to all make for a badass | October surprise next election | bjustin wrote: | There is a minimum number of hash matches required, then | images are made available to Apple who then manually checks | that they are CSAM material and not just collisions. That's | what the 9to5Mac story about this says: | https://9to5mac.com/2021/08/05/apple-announces-new- | protectio... | strogonoff wrote: | If Mallory gets a lawful citizen Bob to download a completely | innocuous looking but perceptual-CSAM-hash-matching image to his | phone, what happens to Bob? I imagine the following options: | | - Bob's info is sent to law enforcement; Bob is swatted or his | life is destroyed in some other way. Worst, but most likely | outcome. | | - An Apple employee (or an outsourced contractor) reviews the | photo, comparing it to CSAM source image sample used for the | hash. Only if the image matches according to human vision, Bob is | swatted. This requires there to be some sort of database of CSAM | source images. | | - An Apple employee or a contractor reviews the image for abuse | without comparing it to CSAM source, using own subjective | judgement.
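Added example (not part of the thread and not Apple's code): a toy difference hash with a match threshold, illustrating two points from the comments above, that a perceptual hash survives small edits where a cryptographic digest does not, and that a single match stays below a review threshold. The 64-bit dHash, the distance tolerance of 4, the threshold of 3, the account names and the constructed pixel grids are all assumptions; Apple's design uses NeuralHash and private set intersection, which this does not model.

```python
import hashlib

ROWS, COLS = 8, 9  # 9 pixels per row give 8 comparison bits, 64 bits in total


def dhash(pixels):
    """Difference hash: a bit is 1 where a pixel is brighter than its right neighbour."""
    bits = 0
    for row in pixels:
        for left, right in zip(row, row[1:]):
            bits = (bits << 1) | (left > right)
    return bits


def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def exact_digest(pixels):
    """Cryptographic hash of the raw bytes; any pixel change alters it."""
    return hashlib.sha256(bytes(p for row in pixels for p in row)).hexdigest()


def make_known(step):
    """Constructed stand-in for a listed image (values 20..219, no equal neighbours)."""
    return [[(r * 37 + c * step) % 200 + 20 for c in range(COLS)] for r in range(ROWS)]


def brighten(pixels, delta=5):
    """Uniform brightness shift: changes every byte, keeps every pixel ordering."""
    return [[p + delta for p in row] for row in pixels]


class MatchLedger:
    """Counts, per account, how many distinct blocklist entries have been matched."""

    def __init__(self, blocklist, max_distance=4, review_threshold=3):
        self.blocklist = blocklist
        self.max_distance = max_distance          # assumed tolerance, in bits
        self.review_threshold = review_threshold  # assumed value
        self.matched = {}  # account -> set of blocklist indexes matched so far

    def observe(self, account, pixels):
        """Return the index of the matched blocklist entry, or None."""
        h = dhash(pixels)
        for index, known in enumerate(self.blocklist):
            if hamming(h, known) <= self.max_distance:
                self.matched.setdefault(account, set()).add(index)
                return index
        return None

    def needs_review(self, account):
        """Nothing is escalated to a human until the threshold is reached."""
        return len(self.matched.get(account, ())) >= self.review_threshold


# Constructed sample data: three "listed" images, one unrelated smooth gradient,
# and a copy of the first listed image with a single pixel altered.
KNOWN = [make_known(step) for step in (91, 67, 113)]
GRADIENT = [[20 + 20 * c + r for c in range(COLS)] for r in range(ROWS)]
ONE_PIXEL_EDIT = [row[:] for row in KNOWN[0]]
ONE_PIXEL_EDIT[3][4] = 255


def run_demo():
    ledger = MatchLedger([dhash(k) for k in KNOWN])
    single = [ledger.observe("acct-a", img) for img in (GRADIENT, ONE_PIXEL_EDIT)]
    several = [ledger.observe("acct-b", brighten(k)) for k in KNOWN]
    return {
        "acct-a hits": single,
        "acct-a review": ledger.needs_review("acct-a"),
        "acct-b hits": several,
        "acct-b review": ledger.needs_review("acct-b"),
    }


if __name__ == "__main__":
    print(run_demo())
```

The false-positive rate of such a scheme depends on the hash function, the tolerance and the threshold together, which is why the auditing questions raised in the thread apply to all three and not only to the list.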
| literallyaduck wrote: | It is okay to use the back door when we want to find people: | | being terrorists | | exploiting children | | who are not vaccinated | | use the wrong politically correct language | | anything else we don't like | Drblessing wrote: | Use signal y'all | slaymaker1907 wrote: | I'd be surprised if this goes through as is since you can't just | save this stuff indefinitely. Suppose a 14 year old sexts a 12 | year old. That is technically child porn and so retention is | often illegal. | outworlder wrote: | > these notifications give the sense that Apple is watching over | the user's shoulder--and in the case of under-13s, that's | essentially what Apple has given parents the ability to do. | | Well, yes? Parents are already legally responsible for their | young children and under their supervision. The alternative would | be to not even give such young children these kind of devices to | begin with - which might actually be preferable. | | > this system will give parents who do not have the best | interests of their children in mind one more way to monitor and | control them | | True. But the ability to send or receive explicit images would | most likely not be the biggest issue they would be facing. | | I understand the slippery slope argument the EFF is making, but | they should keep to the government angle. Having the ability for | governments to deploy specific machine learning classifiers is | not a good thing. ___________________________________________________________________ (page generated 2021-08-05 23:00 UTC)