by dannyw 1831 days ago
Are you really arguing that because child pornography exists, no large company should offer ETE photos?

Despite there being reasonable solutions like bloom filters and client-side hash detection, so that known child abuse material can be detected, without it needing to compromise the privacy of 99.99999% of users?

And that photos present some of the most sensitive materials on your device:

- geo-IP location showing basically everywhere you have taken a photo in, ever since the dawn of time

- people's consensual sex tapes

- photos of passwords, account recovery codes, private keys, seed words
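As an added illustration of the "bloom filters and client-side hash detection" idea raised above (this is example code written for this page, not anything from the thread or from any vendor): the server folds a list of known content hashes into a compact bloom filter and ships only the bit array to the client; the client hashes its own photo locally and tests membership. The server therefore never receives the photo, and the client cannot read the hash list back out of the filter. Assumptions: an exact SHA-256 over the file bytes is used as the content hash (real deployments use perceptual hashes, which are not covered here), and every hash and sample in the block is constructed, not a real indicator.

```python
# Added example, not from the thread: server-built bloom filter of known content
# hashes, checked locally on the client. All sample data below is constructed.
import hashlib
import math
from typing import List


class BloomFilter:
    """Fixed-size bit array; each item sets k positions derived by double hashing."""

    def __init__(self, capacity: int, error_rate: float) -> None:
        # Standard sizing for m bits and k hash functions at a target false-positive rate.
        self.m = math.ceil(-capacity * math.log(error_rate) / (math.log(2) ** 2))
        self.k = math.ceil((self.m / capacity) * math.log(2))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: bytes) -> List[int]:
        d = hashlib.sha256(item).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1  # odd step keeps positions spread
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: bytes) -> None:
        for pos in self._positions(item):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def __contains__(self, item: bytes) -> bool:
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(item))


def photo_hash(photo_bytes: bytes) -> bytes:
    """Content hash computed on the client; the plaintext never leaves the device."""
    return hashlib.sha256(photo_bytes).digest()


def build_known_filter(known_hashes: List[bytes], error_rate: float = 1e-6) -> BloomFilter:
    """Server side: compress the known-hash list into one filter to ship to clients.
    The client receives only bits, so the list itself is not disclosed."""
    bf = BloomFilter(capacity=max(len(known_hashes), 1), error_rate=error_rate)
    for h in known_hashes:
        bf.add(h)
    return bf


def client_check(bf: BloomFilter, photo_bytes: bytes) -> bool:
    """Client side. True means 'possible match, needs a second exact check';
    False is definitive, because a bloom filter has no false negatives."""
    return photo_hash(photo_bytes) in bf


def filter_size_bytes(bf: BloomFilter) -> int:
    """How much the client actually downloads (the bit array only)."""
    return len(bf.bits)


# Constructed stand-ins for a known-hash list; nothing here is a real hash.
KNOWN_SAMPLES = [b"constructed-known-sample-%d" % i for i in range(3)]
KNOWN_HASHES = [photo_hash(s) for s in KNOWN_SAMPLES]


if __name__ == "__main__":
    bf = build_known_filter(KNOWN_HASHES)
    print("known sample flagged:", client_check(bf, KNOWN_SAMPLES[0]))
    print("ordinary photo flagged:", client_check(bf, b"constructed ordinary holiday photo"))
    print("filter size (bytes):", filter_size_bytes(bf))
```

Two properties matter for the privacy argument: a negative result is final and involves no server round trip, and a positive result is only probabilistic (the false-positive rate is the `error_rate` parameter), so any design built on this needs a defined second step before anyone treats a hit as evidence.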


In the bloom filter example, what device calculates the hash inputs for the bloom filters? If it's the server, then the server needs a copy of the image to check. So is it the client? If so, how can you prevent a malicious client from forging their hashes to be those of known-safe images?

Not saying it's not possible to build an E2E image storage service that also has the protections society tends to demand. Just saying that I haven't seen anyone do it yet, because these problems are subtle.

Apple has direct-from-bootloader control over all of their hardware, unless you boot Linux on a Mac (in which case you don't get iCloud).

So a 'malicious client' doesn't need to be part of the threat model here. And also, if you really stretch your argument, that's like saying we need to outlaw Linux and open source software because malicious actors can modify the code.

The whole idea that society demands content providers compromise ETE just because of child pornography isn't something I've heard of being 'accepted as common truth' outside of this post.

Some politicians demand it, but I thought at least amongst tech, there's the recognition that strong, *unbreakable* encryption is important.

There's an implicit obligation to build services and technology that are resistant to abuse, but that isn't an argument to not implement ETE.

Thanks for the "how" - I guess if you fully control the client and server, there's some extra checks you could implement client-side based on the cryptographic root of trust.

FWIW, I wasn't really trying to make a prescriptive statement about how the world ought to be, I was more trying to describe what (I think) the perspective of these corporations has been on the matter.

In the past, I've been an encryption advocate with the knowledge that we (tech) must sacrifice some ability to appease politicians in implementing it. What you're describing sounds like an innovative way to preserve privacy and provide security for at-risk people, which is a perspective I haven't heard before.

> Despite there being reasonable solutions like bloom filters and client-side hash detection, so that known child abuse material can be detected, without it needing to compromise the privacy of 99.99999% of users?

This is not a good argument. “Known child abuse material” is the tip of the iceberg. There’s nothing stopping people from creating new “child abuse material”, and the people who are doing that sort of thing are the ones who are more important to catch.

So because there are pedophiles, we should build backdoors in all cloud image hosting services?

Should we build backdoors in AES because there are terrorists in the world?

> So because there are pedophiles, we should build backdoors in all cloud image hosting services?

That’s not what I’m saying and I can’t possibly imagine how you could infer that in good faith.

I’m arguing that because it exists no company of Apple’s size is going to risk unknowingly hosting it, and I wouldn’t either if I were in their shoes.

I agree with you in terms of photos being some of the most private information we have, but the E2E argument doesn’t ever get won by the tech community without a guarantee of blocking/catching/preventing CP and being able to make that evidence available for prosecution.

To the arguments above: Any processing server-side implies no real E2E. Any processing client-side is by definition under the control of the client and subject to forgery/hacking/spoofing/tampering.

Absolutely every large company hosts an incredible amount of child pornography and abuse material.

Facebook is the largest platform for child trafficking, and Google is the world's largest resource for finding out how to commit criminal acts.

Crime always exists. We shouldn't build a techno-totalitarian surveillance state just because crime exists.

"It is better that ten guilty persons escape than that one innocent suffer".

Chinese Communists employed similar but opposite reasoning during the uprisings in Jiangxi, China in the 1930s: "Better to kill a hundred innocent people than let one truly guilty person go free".

> geo-IP location showing basically everywhere you have taken a photo in, ever since the dawn of time

Geo-IP is the process of taking an IP address and attributing a location to that IP address.

I think you meant GPS location?