by randomhodler84 1752 days ago
Now that Apple has changed the rules, everyone should be under the impression that their phone is a cop and will snitch them out to the re-education board for punishment. This is reality.
3 comments

Color printers already do this, embedding the device serial into microdot patterns on print-outs.

Scanner firmware won't scan currency, even if doing so is legal.

I've never had an issue scanning currency. Some machines won't photocopy it.

It isn't reality.

But if it was, I would suggest using a different phone. Maybe a Fairphone running /e/ - that's my setup, with almost exclusively open source software. I can recommend it.

> "This is reality."

No, it isn't. Go learn about the system they built instead of posting fearmongering lies about it.

What they built is a way of scanning things on your phone and reporting that to Apple. The chance of multiple governments not passing laws eventually to force this into scanning for whatever they wish is low. Previous to this, Apple could have fought back on privacy terms, but now its argument will be much weaker.

edit: It's also a model-based scanner, so they scan for types of things and similar things instead of explicit copies of things. Which makes it an even more powerful tool for governments than a simple direct scanner.

All of which has been common for a long time. You were already sending your unencrypted photos to Apple; that’s the point when you should be concerned. Apple and all other service providers are required by US and most other countries' laws to do searches on their servers.

The only difference is Apple is upfront about what they're doing on iCloud where most backup providers are keeping silent.

Edit: iCloud data is specifically called out as available here: https://www.apple.com/legal/privacy/law-enforcement-guidelin...

>All of which has been common for a long time

No, this has never been done before.

>You were already sending your unencrypted photos to Apple

No, I wasn't. The whole point here is that Apple is not scanning server side, they've built the functionality to scan device side. You need never use iCloud in any way whatsoever in order for Apple's new scanning tech to be used against you. That is a major difference.

>Apple and all other service providers are required by US and most other countries' laws to do searches on their servers.

No, they are not, even if that was the new thing Apple is doing which it isn't. If a company builds server-side scanning, then they may be required to fulfill certain requirements. But companies are not required to actually do that in the first place even if many choose to do so. Apple already did scan uploaded photos and voluntarily chose not to have E2EE for iCloud data in order to please law enforcement agencies, but that's a voluntary choice by Apple. This new client side scanning is a different beast. Please try to gain even the slightest fucking clue what you are talking about before spouting off on something so important.

Edit: to add for those interested in more details on the law, the federal reporting requirements are under 18 U.S. Code § 2258A [0]. What you'll see there is a "Duty To Report", and the reason for that is to evade Constitutional protections. If the government compelled companies to scan, as well as any legal challenges (by very well funded actors) and public blowback, as a practical matter those companies would become State Actors for the purposes of 4th Amendment evaluation. However, even if it's heavily incentivized, so long as it's "voluntary" courts have repeatedly ruled that 3rd parties can do searches that would be illegal for the government, turn discovered evidence over to the government who in turn may then use it freely. Walter v. United States (1980, [1]) is a good example, covering the [righteous and just prosecution] of someone transporting "films depicting homosexual activities" after it was mailed to the wrong address and turned over to the FBI which I'm sure everyone here on HN would applaud and definitely is what they have in mind when they think of client side scanning in the US. Tim Cook is carrying on that tradition with Pride no doubt.

----

0: https://www.law.cornell.edu/uscode/text/18/2258A

1: https://www.oyez.org/cases/1979/79-67

> The whole point here is that Apple is not scanning server side

False. Apple complies with the laws pertaining to customer data and provides data as legally required.

III. Information Available from Apple

J. iCloud

https://www.apple.com/legal/privacy/law-enforcement-guidelin...

> You need never use iCloud in any way whatsoever in order for Apple's new scanning tech to be used against you.

False. Phones don’t download the CSAM hashes so they can’t do device side scanning as they have nothing to compare the images to. Yes, the phone uploads a hash, but they also upload the unencrypted images alongside it.

Thus the only thing that changes is Apple isn’t paying for the compute power to do the hashing. That and a tiny amount of extra bandwidth on uploading images.

PS: In response to your edit, perceptual hashes are a grey area. However, as long as a judge agrees they can very much just take down production systems when it pertains to a case. That’s a rather big stick to force compliance even if it’s not an explicit law it’s very much a consequence of it. Thus companies really don’t push back as some that have simply got raided.

>> The whole point here is that Apple is not scanning server side

>False.

No, TRUE. Apple announced TWO different technologies. The first one is specifically for completely independent machine learning client-side scanning of all messages. From Apple's own announcement:

>First, new communication tools will enable parents to play a more informed role in helping their children navigate communication online. The Messages app will use on-device machine learning to warn about sensitive content

Which has been clarified to mean any and all sexually explicit material, and then notifies the parents. Apple is billing this as only for child accounts and only to parents, but that is merely a set of flags and directions in the programming not anything inherent to the system. It could be applied to any ML model at all and the notifications sent to anyone at all. The system is now built and ready for governments to compel Apple to use for other things in complete violation of device owner's rights, backed by Apple's total ownership of device root.

The second feature is the one for client-side scanning of all photos uploaded to iCloud for illicit content using "neuralhash" which is subject to collisions as have already been repeatedly generated and received lots of discussion here as well as elsewhere (i.e., [0]). That is claimed to be initially aimed at uploads and CSAM only, not that there is any way to be sure, but again same thing: the system now exists to perform arbitrary fuzzy scans on-device whether someone is uploading elsewhere or not.

This is absolutely new and horrible capability. If you upload something unencrypted to somebody else's property, as well as the law there is a reasonable common sense understanding that you're depending upon their good will and that they may be compelled at that point without having to involve you. "Possession is 9/10 of ownership" and all that, regardless of details. Now one's own personal private property will have built-in locked down systems to scan all your data based on arbitrary third party choices.

----

0: https://news.ycombinator.com/item?id=28219068

You are missing the point. It’s too easy to make excuses “for the children”. We are trying to fight against dystopia here, against a global technological panopticon. Even if this feature was made with entirely the best intentions, with the strictest controls and best audits — it’s still a cop in your pocket. And that cop always wants more. And more. History has demonstrated this.

I don't know how you can fight against dystopia when you don't care about the difference between fantasy and reality.

Fantasy is believing that granted powers will not be abused because the powerful claim they won’t abuse them. Yes, we extrapolate and this might seem outlandish to the naive. Some of us know how history rhymes and call out the patterns that are paving the road to hell.