by slg 1766 days ago
What is "this promise"? Because I would consider it "we will only scan files that you upload to iCloud". That was true a month ago and that would be true under this new system. The only part that is changing is that the scanning happens on your device before upload rather than on an Apple server after upload. I don't view that as a material difference when Apple already controls the hardware and software on both ends. If we can't trust Apple to follow their promise, their products should already have been considered compromised before this change was announced.
2 comments

Why is the scanning done on the device in the first place? Photos uploaded to iCloud are not encrypted (because the US government was apparently opposed to that idea), so why not do what Google and Facebook do and do the scanning once the image reaches their servers? What is the benefit in running the scan on the device?

> The only part that is changing is that the scanning happens on your device before upload

This is the key point.

1. What if I change my mind and decide not to upload the picture?

2. This is a new mechanism for scanning private pictures on the device. What could go wrong?

> If we can't trust Apple to follow their promise, their products should already have been considered compromised before this change was announced.

Many people did trust Apple to keep their files private until now.

> This is a new mechanism for scanning private pictures on the device.

No it isn’t. It’s a mechanism for scanning pictures as they are uploaded to iCloud Photo Library.

Private pictures on the device are not scanned.

Pictures not uploaded yet are private.

Not if you have opted to have them uploaded.

Cloud backups are the default on iOS, so you rather have to opt out. And that doesn't even account for apps that can do the same.

iCloud backups are not scanned.

Also, what apps are you talking about?

If your device generates a safety token and it's never uploaded anywhere, that's a no-op.

How are those two examples different than before? You can't unupload a photo under either the old or new system. I don't know why we would expect that the scanning feature will be more prone to accidentally scan too many photos compared to the uploading feature accidentally uploading too many photos.

> Many people did trust Apple to keep their files private until now.

And that was my original point. If a pinky promise from Apple is not enough to trust them, then Apple should have never been trusted.

> You can't unupload a photo under either the old or new system.

You can choose to upload many pictures. They will start uploading. Then, you change your mind. Some pictures were not uploaded yet. But they were scanned by the new algorithm.

I do wonder what happens in that case to the scan results for the photos that weren't yet uploaded. From earlier articles it sounded like the "voucher" is attached to the image upon upload, so it stands to reason that if you cancel an upload, results don't get uploaded for photos that didn't get uploaded. Who knows, though...