Given some CP image, an attacker could perhaps morph it into an innocent looking image while maintaining the hash. Then spread this image on the web, and incriminate everybody.
Yes perceptual hashes are not cryptographically secure so you can probably generate collisions easily, (i.e. a natural looking image which has a attacker-specified hash).
Sounds like a fantastic way for law enforcement to get into your phone with probably cause. Random message you a benign picture from some rando account with a matching hash. Immediate capture for CP, data mine the phone, insert rootkit, 'so sorry about the time and money you lost - toodles'.
Warrants do have to name why, and where. However, anything they find along the way is fair game. If they open your trunk to find drugs and see a dead body, then the dead body is still admissible. (Assuming that the opening the trunk for drugs is okay.)
It'd be interesting to see how the way common images are reused (for example in memes by only adding text) would be enough to change that hash. If it wasn't enough it could spread very quickly.
Of course I'd dare not research or tinker with it lest I'll be added to a list somewhere such is the chilling effect.
I guess in that case they'd delete that single hash from the database because they'd still have an endless (sadly) supply of other bad image hashes to use instead.
> Then spread this image on the web, and incriminate everybody.
You'd still have to generate several images and persuade people to download multiple of them into their photo roll. And as I understand it there's yet another layer of Apple employees to review the photo metadata before it ever makes its way to law enforcement.
That does seem like an interesting protest vector, though. Generate a bunch of images that match CSAM images but are mundane. Then have everyone download them and send them to their cloud. Someone then needs to spend resources determining that the images are _not_ actual matches. Basically, a DDOS attack on the functionality.
It's a risky bet, though: if somehow that intermediate layer fails and you find yourself locked up and accused of storing/disseminating CSAM material, it's not like the civil rights era when your friends and neighbors (and hopefully employers) will understand you've been arrested for a peaceful protest.
The smarter, if potentially less ethical solution is to encode such images and make memes with them. One of them going viral is likely to flag an enormous number of people along the way.
Here is a proof of concept I just created on how to proceed : https://news.ycombinator.com/item?id=28105849