> The in the cloud vs. on your device aspect of this debate is the most important part and cannot be glossed over.
I really do think it's a weird aspect to fixate on, though.
So long as Apple is only scanning the photos that're being uploaded to its servers, it genuinely doesn't matter to me where that scanning happens. It's a scan that could have happened in either location, and the version where it's happening locally is arguably more private/secure-from-fishing-expeditions. If I don't like that the scanning occurs, I can disable the uploading.
The distinction would matter if the local-scan involved things that weren't being uploaded. But it doesn't, so from my perspective the only difference is an implementation detail.
> Still: they scan photos locally - those are not cloud photos, those are local photos.
They are cloud photos. I say that because:
1. The photos are in the process of being uploaded to the cloud when they are scanned
2. The result of the scan is attached to the photo only when it is uploaded to the cloud. If the photo is deleted from the cloud, or the upload is canceled, the scan result is discarded
Practically, the system works precisely the same whether or not the scanning happens on device before the image reaches the cloud, or on the server after the image reaches the cloud.
The only well-intentioned argument about why on-device vs. on-server scanning matters is that "slippery slope" argument, which presupposes that:
1. Apple putting this scanning code in iOS not only somehow makes it easier/more tempting to use it for non-CSAM, but all but guarantees it will be used for non-CSAM.
2. Apple does not already have the ability to run whatever code they want, on any of your devices, without you ever knowing
3. Apple folds very easily to government demands, especially when it comes to privacy, their core differentiator
I don't think any of these are true. You might think they are, but then I'm not sure what point there is in discussing any more.
> or if they are forced to.
I'm not sure what this implies. If someone forces you to upload a photo to the cloud, surely that will get scanned regardless of whether the scanning is performed on-device or on-server?
> Speaking purely personally, whether the scanning happens immediately-before-upload on my phone or immediately-after-upload in the cloud doesn't really make a difference to me.
What I find interesting is that so many people find it worse to do it on device, because of the risk that they do it to photos you don't intend to upload. This is clearly where Apple got caught off-guard, because to them, on-device = private.
It seems like the issue is really the mixing of on-device and off. People seem to be fine with on-device data that stays on-device, and relatively fine with the idea that Apple gets your content if you upload it to them. But when they analyze the data on-device, and then upload the results to the cloud, that really gets people.
> But Apple's perspective is that on-device scanning prevents them from looking at your photos in the cloud at all.
In terms of the privacy intrusion, what difference does it make whether the images are scanned on your device or on their servers? They're getting scanned just the same either way.
But if they did it on their servers, it would provide a technical impediment to expanding beyond the use of iCloud, and remove the need to trust Apple as much. That seems like it would be much better for users while still allowing the functionality they claim to be seeking.
> today the scanning is only for images uploaded to iCloud, and only for CSAM
This, to me, would be exponentially less privacy invasive as I’ve come to assume all major cloud hosting providers implement something like this (look at Google Drive), but Apple has said that the scanning is done on-device, meaning whether or not you upload your photo library to iCloud, your local photos will be scanned with an on-device database of hashes.
Essentially iOS photos now implement a direct API call to the feds with some vague “human verification” layer if you go above an unknown threshold
> There are several issues about this that Apple does not address. A big one for me is the indignity and humiliation of them force scanning my phone for CP.
Are you okay (conceptually, assuming a perfect database) with them scanning pictures uploaded to iCloud for this material if the scanning happens on their servers? Or is this a complete "these pictures should never be scanned, regardless of where it happens" position?
If the former, I personally don't feel a distinction between "a photo is scanned immediately before upload" and "a photo is scanned immediately after upload" is very meaningful. I'd be more concerned if there wasn't a clear way to opt-out. I acknowledge that there's room to disagree on this, and maybe I'm unusual in drawing my boundaries where I do.
If the latter... I think that ship has sailed. Near as I can tell, all the major cloud platforms are scanning for this stuff post-upload, and Apple was a bit of an outlier in how little they were doing before this.
> But scanning someone's locally stored images on a device that they own is a completely different situation.
They're only scanning photos that you upload to iCloud Photos - this is not (currently) a blanket "we'll scan all your local photos whenever" situation.
> It's the difference between the airport checking my luggage for illegal drugs
... and FedEx/UPS checking your outgoing packages for drugs.
> If scanning is done in the cloud, I can disable cloud uploads and reasonably trust no filter list will get me reported
Or that it uploads local copies to be scanned in the cloud and doesn't save them to your account but may trigger LE response... Though I suppose that would cause concern about the massive network traffic, whereas no one would notice Apple scanning local photos (w/o some sort of advanced disassembly to see how much the on-board ML chip is used)
> the privacy comes from the fact that an on-device model results in 0 Apple servers ever examining your photos (unless you have 30 CSAM flags on your iCloud account), whereas an on-server model results in Apple servers examining every single photo you upload.
Every single photo you upload is getting scanned -- it's just that Apple is doing the scanning on "your" device instead of their servers.
From the point of view of the privacy of your photos, I fail to see what the difference between the two is. I mean, if they did the exact same type of scanning on their servers instead of your device, the level of privacy would be identical.
In terms of general privacy risks, not to mention the concept that you own your devices, there is an enormous difference between the two, and on-device scanning is worse.
> Apple's solution was to scan stuff that was going to be uploaded anyway on-device before upload.
Fairly sure that most of the worry around that was because such a system could very easily be changed to do the same to any photo.
And people felt like their phone wasn't theirs and that it could snitch on you. We know that you truly do not own your phone, but most people do not view it that way.
Sure, it is technically better than doing that check on a server, but the general public do not currently view it that way.
Personally, I do not like the system, as you would be unable to escape it if it started scanning local photos (which I feel is only a matter of time), something you can do with Google Drive and such by not using them.
> IMO, Apple will likely end up scanning all content you choose to put on their servers.
Even if that was a goal (and I would argue they have a hard stance against it), this system as built is not usable for that.
While they can scan locally, every step of recording, thresholds, and subsequent automated/manual auditing is built to require content to be uploaded to iCloud Photos.
No, the scanning is happening on local devices, but only during the upload-to-iCloud process. That’s the key difference that is upsetting a lot of people.
Are you trolling? What Federighi proposed before was scanning "for CSAM" on device [1]. Same angle.
> Doing it on device is probably preferable to on cloud and at worst no different.
Please elaborate. How is it better to force users to run software they don't want than to let them decide whether or not to have their photos scanned when they choose to upload them to the cloud?
Anyway it's a false dichotomy. Apple isn't doing on-device scanning, and now they've announced they won't do it in the cloud either.
> It's about the fact that the scanning occurs locally on your device, which is meaningfully different
Yeah, it IS different; most people feel much better about things that happen on device.
Since this only happens for photos on their way to iCloud, in your analogy it would be like searching the bags when you put them in the cab to go to the airport.
Furthermore, it would be like TSA had a machine that could search your bags for guns, without any human even seeing an x-ray of them. Plus the machine would need 30 gun alerts before it takes any action at all.
I don't know about you but I would not have any issues whatsoever with that.
> Lie? I don't take kindly to such words, because you're ascribing malicious intent where there is none.
Howdy partner, it seems my tone communicated the sentiment as intended. It is unreasonable to ascribe anything but malice in this case, because the rationale strains credulity. Do you know at what point Apple is determining your intent to sync photos? What processes, exactly, are they hooking into in order to trigger the local hash functionality? Is it the resource hogging Photos-Agent frequently complained about? Is this thresholding functionality restricted to cloud content, or is the local database mentioned involved? Does that local database only relate to images uploaded to the cloud, and how would the deletion of local and/or cloud content influence that?
These are all questions that are either unaddressed, provide no assurance beyond "trust us", or hint at logical conflicts between the stated purpose of local scanning and the actual implementation details. With all that in mind, granting Apple and its defenders the benefit of doubt is laughably foolish.
> At the point of upload to the cloud service (where they would be scanned anyway).
So scan them there? Why should the phone scan local photos? And iCloud is enabled by default; guess who's going to disable it if that had been implemented?
> No, it required a threshold of N photos to match before they were submitted for human verification.
Yay, private photos leaking to companies' employees because of a flawed algorithm. Makes perfect sense.
> To reiterate: scanning your device is not a privacy risk, but copying files from your device without any notice is definitely a privacy issue.
Not a lawyer, but I believe this part about legality is inaccurate, because they aren’t copying your photos without notice. The feature is not harvesting suspect photos from a device, it is attaching data to all photos before they are uploaded to Apple’s servers. If you’re not using iCloud Photos, the feature will not be activated. Furthermore, they’re not knowingly transferring CSAM, because the system is designed only to notify them when a certain “threshold” of suspect images has been crossed.
In this way it’s identical in practice to what Google and Facebook are already doing with photos that end up on their servers, they just run the check before the upload instead of after. I certainly have reservations about their technique here, but this argument doesn’t add up to me.
> iCloud Photos can be used on Windows, for example. This scanning only applies to iOS devices. You could use iCloud Photos and not be subject to the scanning.
That's great for the <0.001% of people who use iCloud Photos without an iPhone. Everyone else is SOL.
> Nothing about what they're doing is contradictory with privacy beyond what they're already doing. The only reason they're even implementing it this way is because they do care about privacy. They could just not encrypt and scan on the server like Google, Microsoft, Dropbox, Box.com and more.
False dichotomy. Apple doesn't have to do either of these things.