“Privacy. That’s iPhone.” Or is It?

November 11, 2021 In Blog, Cell Phones, Privacy, Technology By Frances McDonald

The tech giant is facing substantial criticism after announcing its plans to combat Child Sexual Abuse Material (“CSAM”) through the implementation of on-device photo scanning software, and then promptly reversing course and halting the planned updates until further notice.^[1]

On August 5, 2021, Apple released a statement titled, “Expanded Protections for Children,” previewing the new iOS and iPadOS safety features to be incorporated in future iOS and iPadOS software updates.^[2] These included updates to the Messages app, as well as the Siri and Search features of Apple devices; however, the most controversial update came in the form of the on-device photo scanning software, referred to as CSAM detection software.^[3]

Under the proposed CSAM detection software, Apple would reduce each photo on a user’s device to a unique set of numbers, referred to as “hash.”^[4] If the user chose to upload its photos to iCloud, Apple would then compare the hashes of a user’s photos with the hashes of images in a database of known CSAM.^[5] Should a user surpass a threshold number of matches within the database, the case would be escalated to an Apple employee for individual review, and if the photos did in fact contain CSAM content, the user’s account would be disabled, and Apple would report the photos to the National Center for Missing and Exploited Children (“NCMEC”).^[6]

Scanning consumer photos for CSAM content is a routine practice among tech moguls such as Facebook, Twitter, and Reddit.^[7]. However, the critical difference in Apple’s proposed updates is that, for the first time in Apple products, the CSAM detection software would be implemented on users’ devices instead of within the iCloud server.^[8]

While Apple’s goal of protecting children from CSAM is an undeniably worthy one, some are calling out the proposed software changes as a shift towards an “infrastructure of surveillance.”^[9] Because the photo scanning would occur on the device (as opposed to within iCloud), a user’s decision to uncheck iCloud Photos may not matter if Apple was faced with governmental pressure to scan for other types of content on that user’s phone or iPad. ^[10]. Furthermore, as one commentator wrote, “the capability to reach into a user’s phone now exists, and there is nothing an iPhone user can do to get rid of it.”^[11]

In response to Apple’s CSAM detection software announcement, more than 90 global organizations signed a letter addressed to Apple, calling on the company to scrap its new plan for photo-scanning surveillance.^[12] “Once this capability is built into Apple products, the company and its competitors will face enormous pressure – and potentially legal requirements – from governments around the world to scan photos not just for CSAM, but also for other images a government finds objectionable.”^[13]

Despite Apple pressing pause on the update rollout, cybersecurity experts are still emphasizing the dangerous nature of the proposed on-device technology. In a recently released report, more than a dozen prominent cybersecurity experts described the software as “ineffective and dangerous strategies that would embolden government surveillance.”^[14]

Specifically, the report identifies many critical ways in which on-device scanning can fail including by misinterpreting safe images as harmful ones, failing to uncover the harmful images at all, and institutionalizing “bulk surveillance systems launched on the public’s personal devices.”^[15]

Susan Landau, a co-author of the report and a professor of cybersecurity policy at Tufts University, described this type of on-device technology as “scanning of a personal private device without probable cause for anything illegitimate being done.”^[16] As a whole, these experts argue that the on-device technology proposed by Apple hardly presents a safer or more secure future for the world.^[17]

Apple’s CSAM photo detection software highlights the uphill battle that technology companies face in protecting digital privacy while attempting to halt illicit activity on their platforms. On-device scanning software presents not only the potential for abuse by authoritarian governments, but also raises specific legal questions surrounding users’ rights, including whether Apple can make these programs mandatory, the amount of notice that is required for user compliance, whether the NCMEC could be considered as a “state actor” or a private corporation, and the extent of transparency involved in the NCMEC CSAM database.^[18]

At present, there is no easy answer to the potential legal and policy questions that on-device scanning software proposes. But one thing is clear: digital privacy concerns are increasingly putting tech giants like Apple in between the rock of protecting user privacy and the hard place of eradicating illegal and immoral activity on their platforms.

Footnotes[+]

Footnotes
1	See Jon Brodkin, Amid Backlash, Apple Will Change Photo-Scanning Plan but Won’t Drop it Completely, ARS TECHNICA (Sept. 3, 2021, 10:09 AM), https://arstechnica.com/tech-policy/2021/09/apple-promises-to-change-iphone-photo-scanning-plans-to-address-criticisms/ [https://perma.cc/YXP6-RW49].
2	Expanded Protections for Children, APPLE, https://www.apple.com/child-safety/ [https://perma.cc/56CK-LAFS ] (last visited Oct. 22, 2021).
3	See id.
4	See id.
5	See id.
6	See id.
7	Adi Robertson, Apple’s Controversial New Child Protection Features, Explained, VERGE (Aug. 10, 2021, 5:43 PM), https://www.theverge.com/2021/8/10/22613225/apple-csam-scanning-messages-child-safety-features-privacy-controversy-explained [https://perma.cc/N8V8-PP2H].
8	See id.
9	Jon Brodkin, Apple Explains How iPhones Will Scan for Child-Sexual Abuse Images, ARS TECHNICA (Aug. 5, 2021, 7:29 PM), https://arstechnica.com/tech-policy/2021/08/apple-explains-how-iphones-will-scan-photos-for-child-sexual-abuse-images/ [https://perma.cc/D7P7-V5L4].
10	See Kif Leswing, Apple’s Privacy Reputation is at Risk with the Changes It Announced, CNBC (Aug. 6, 2021, 3:08 PM) https://www.cnbc.com/2021/08/06/apples-privacy-reputation-is-at-risk-with-new-changes.html (highlighting a common concern among privacy advocates that authoritarian governments may see the software as an opportunity to silence political speech by demanding that Apple flag political memes and protest photos on devices).
11	Ben Thompson, Apple’s Mistake, STRATECHERY (Aug. 9, 2021) (emphasis in original), https://stratechery.com/2021/apples-mistake/[https://perma.cc/9L9Z-9S7P].
12	See Nadia Dreid, ACLU Says Apple Must Scrap Photo Scanning Feature, LAW360 (Aug. 19, 2021, 7:55 PM), https://www.law360.com/articles/1414554/aclu-says-apple-must-scrap-photo-scanning-feature [https://perma.cc/XBC2-BK8Q].
13	Letter from Center for Democracy & Technology and Other Institutions to Tim Cook (Aug. 19, 2021), available at https://cdt.org/wp-content/uploads/2021/08/CDT-Coalition-ltr-to-Apple-19-August-2021.pdf [https://perma.cc/FJ2M-FG9A].
14	Kellen Browning, Cybersecurity Experts Sound Alarm on Apple and E.U. Phone Scanning Plans, N.Y. TIMES (Oct. 14, 2021), https://www.nytimes.com/2021/10/14/business/apple-child-sex-abuse-cybersecurity.html [https://perma.cc/6HYE-YK7M].
15	Susan Landau, Bugs in Our Pockets: The Risks of Client-Side Scanning, LAWFARE (Oct. 15, 2021, 8:00 AM), https://www.lawfareblog.com/bugs-our-pockets-risks-client-side-scanning [https://perma.cc/3LDR-ZW4H]; see Hal Abelson, et al., Bugs in Our Pockets: The Risks of Client-Side Scanning (2021) (unpublished manuscript), available at https://arxiv.org/pdf/2110.07450.pdf (arguing that the risks involved in client-side scanning, including threats to the safety and privacy of lawful civilians, renders the potential benefits provided to law enforcement inadequate).
16	Browning, supra note 14.
17	See Landau, supra note 15; Abelson, supra note 15.
18	See Paul Rosenzweig, The Apple Client-Side Scanning System, LAWFARE (Aug. 24, 2021, 8:01 AM), https://www.lawfareblog.com/apple-client-side-scanning-system [https://perma.cc/WS5F-XAVS].

Frances McDonald

Frances McDonald is a second-year J.D. candidate enrolled in Fordham University School of Law’s evening division and a staff member of the Intellectual Property, Media & Entertainment Law Journal. She holds a B.A. in Politics and International and Global Studies from Sewanee: The University of the South.

“Privacy. That’s iPhone.” Or is It?

“Privacy. That’s iPhone.” Or is It?

Share this:

Related

Frances McDonald