There, Apple, I fixed it for you
Apple’s CSAM privacy fiasco (see my Sunday article) continues with apparently contradictory “clarifications.” In trying to tell the public “there’s nothing to see here” Apple released two documents on its use of CSAM technology: an FAQ and a CSAM Technical Summary (PDF links).
The CSAM Technical Summary seems to say scanning takes place “on-device” while the FAQ seems to contradict that with a flat “No”.
First, Just the FAQs
Apple’s FAQ states:
The above makes it seem, to me, unequivocally that there is “No” reading of photo files that happens on your iPhone, i.e., no on-device scanning. But the language seems lawyer weaselly in at least two spots:
“[is] Apple…going to scan all the photos stored on my iPhone?”
“this feature only applies to photos that the user chooses to upload to iCloud Photos”
If you read those statements hyper-literally, they do not answer the intended question broadly. To me, and I think to most reasonable people, a ‘private iPhone photo library’ means ‘anything on my iPhone’ whereas Apple seems to be hyper-technically defining ‘private iPhone photo library’ as ‘a library not selected for uploading to iCloud Photos’.
So, for example, if you have 2 photo albums on your iPhone (e.g., Album A and Album B) and you “choose” to upload only Album A to iCloud Photos, Apple will scan only Album A. So technically they are not scanning “all the photos stored on [your] phone”.
Technically True But Misleading
Nevertheless, that still means Apple can scan some of your files (i.e., all files from Album A) on your iPhone and the above FAQ statements can still be true. Worse still, many users don’t consciously choose anything. They basically have all their photos hit iCloud (e.g., via Photo Stream, monolithically turning on iCloud Photos for all their photos, etc.). As such, commonly, most users won’t know Apple’s CSAM will scan most if not all photos on their phone, which, I think, is contrary to the spirit of Apple’s above FAQ.
Why does that matter? The question of where Apple reads your files is super important. If Apple reads/scans photo files you chose to send to iCloud, and that only happens on Apple’s iCloud server, well, no big deal. That’s no longer on your device, and you chose to put it up on the cloud.
But if the scanning happens on your iPhone, then shame on Apple. Why? Because then Apple is neither informing you nor getting your permission to do things to your device and data, and it’s invading your privacy. Apple has then effectively created a potentially privacy-destroying backdoor to your device and data.
That distinction may seem small and subtle, but it’s everything.
And Now the CSAM Technical Summary
Now let’s compare the above FAQ with Apple’s CSAM Technical Summary:
Apple’s CSAM Technical Summary makes it apparently clear that it operates “on-device” — on your device/iPhone. For the “comput[ation]” of the image NeuralHash, the on-device matching process accesses, processes and transforms data from your image files. And to process your image, it must read into your files. Although the language throughout these documents is consistently obfuscating that your files are being read on your device by deftly avoiding even a single instance of the word “read” throughout, page 5 of Apple’s CSAM Technical Summary does tell us that’s what’s going on:
That the “image is passed” seems to be a euphemism for what Apple is doing, which is reading into your photo files on your device to create the NeuralHash. Bottom line, Apple’s CSAM implementation seems to have some process on-device that has access to your files and reads into them to create these hashes.
You’ve Lost That Loving Feeling
Apple pleads, you can trust it will not allow others to abuse such a backdoor process. But like I said earlier:
[C]ode is infinitely mutable…Even if you trust people at Apple to do the right thing today, the people there tomorrow may not have the same power, inclinations, or agenda. A simple change of management and a software patch update, and now the criteria and those pulling the strings are different.
Considering Apple’s FAQ, seemingly and perplexingly, is either, at best, deftly misleading, or, at worst, outright lying, I think it has exhausted all trust.