Apple has announced new client-side content scanning (based on parameters received from the center) to find child sexual abuse material (CSAM) and report it to law enforcers.
My point is that it will do little to protect children (while weakening users’ privacy and pushing criminals to hide better), but it will be used as an excuse to justify tight control of devices, in order to perpetuate Apple’s apparent monopolistic power through the App Store at a time when such behavior is under fire from competition authorities.
As per Apple’s announcement, this will happen when such content is uploaded to iCloud (Apple’s cloud), and it will be opt-in when usage is limited to the device (i.e. not when uploading to iCloud, but, for example, when sending a message with such content).
I want to stress that this is Apple’s current announcement. Will it stay that way forever? Quite unlikely: if the purpose is to analyze content stored on iCloud, given that it’s not encrypted, it would be much easier to analyze it once it’s uploaded to the servers, as is the case with Dropbox, Microsoft, etc.
The fact that, for non-cloud content, the feature is opt-in, implies that
- criminals will not opt-in (and not use cloud services) and
- non-criminals are not exposed to such content anyway (have you received such material recently?).
Children’s safety groups praised Apple’s moves, arguing that they strike a necessary balance which “brings us a step closer to justice for survivors whose most traumatic moments are disseminated online”.
As abominable as these materials can be, do we really believe that opt-in client-side scanning will do something to eradicate those behaviors? Do we think criminals will opt in? Do we really believe that client-side scanning of content uploaded to iCloud will eradicate them? Do we think criminals use iCloud for their trades?
I want to stress again that this is the currently announced feature. It is easily foreseeable that, over time, pressure from law enforcers will increase to move past the opt-in regime, and not only for iCloud. What else would be the point of having client-side scanning just for iCloud if you could do it centrally, as all other providers do? Quite obviously, client-side scanning is for client-side scanning. And once that feature exists, requests to use it will increase.
Starting right away with general client-side scanning would likely not have been acceptable to users and to the legal community. But starting just with iCloud, just for the most abominable of all possible crimes, makes client-side scanning more acceptable. And those who oppose it appear to be conniving with criminals. This is the same argument we have heard time and again for the curtailment of privacy rights in favor of a supposed increase in security. But this equation (less privacy = more security) is only seemingly well-founded. Less privacy equals more data, but more data does not equal more information, and more information does not equal more security. (Remember that intel agencies knew of the menace of the 9/11 attacks? And of many others… (almost all, in Europe).)
Do we really think criminals trade CSAM on plain-sight web sites? Or via ordinary messages? Or store it on public cloud servers run by major corporations?…
But the idea is very attractive to law enforcers: tomorrow’s possibility of digging into users’ content without having to complicate their lives by installing trojans. It’s the dream of a backdoor available to law enforcement. But when a backdoor is installed, the backdoor exists, and history teaches that it’s only a matter of time before it’s also used by the bad guys and by authoritarian regimes.
The above issues have also been raised by other important commentators, and better than I have done. But there’s one more angle I want to add: why is Apple doing it, given their previous stances on privacy safeguards, and why are they doing it now?
First of all, please do this (really) easy exercise:
- right click on the cat below and save the file to your computer.
- then go to this link, hit ‘browse’ and select the file you just saved; move the “hidden bits” gauge to 3 and see the output.
This ain’t magic, but very simple, five-centuries-old mathematics. You could even encrypt it so that a password is needed to obtain the payload, and it may be impossible to tell that it is there if you don’t know the little secret.
Do we really think criminals don’t know mathematics or programming?
Client-side scanning can do little to stop criminals unless you have full control of what apps users can install on their devices (and how they can use them).
But this is precisely what is at issue in some antitrust actions now being brought against Apple, on the basis that they purportedly exercise monopolistic power over the platform through their tight control of the App Store, where they are the gatekeepers who decide which apps can or can’t be installed by users on their devices.
Apple could have introduced client-side scanning anytime in the past, but now, thanks to this move, Apple will be able to tell the Supreme Court and the FTC narratives like…
- They have just released this beautiful tool, that will help law enforcers combat these abominable crimes, but only if they can tightly control apps installed by users
- If you’re siding with device neutrality you’re siding with the criminals
- Less competition is a price worth paying to protect children
Eventually, in order to have effective (?) law enforcement, the only possibility is that hardware and software manufacturing companies exercise total control over the software users can use, de facto becoming states’ digital-law-enforcement agencies.
If this isn’t a total dystopia, I don’t know what dystopia is…