Periodic reminder that Apple has not officially abandoned its photo scanning plans, and could still flip the switch on a billion users at any moment.
Apple has been collecting feedback from the community. (I know this because I talked to them.) I don’t know that they appreciated my feedback that much but I sure felt better afterwards.
My biggest question for the company was: why do you think this is ok? They didn’t really say much. But without characterizing this as a specific response by Apple or anyone at Apple, I think I can try to get at the argument.
For a long time, Apple has been trying to push traditional cloud-based functionalities down to the device level so the cloud “sees nothing”. They do this for photo classification, FindMy, and device analytics.
In that view, client-side CSAM scanning *feels* like another instance of this problem. Except that, of course, it’s not the same.

It feels like Apple forgot something important: users don’t care *where* the task happens…
… what Apple has actually been solving is a question of *user consent*. The real question is not “where does this task get computed” but rather “do I consent to share this data.” Client-local processing simply removes the need to consent to sharing.
When it comes to Apple’s client-side CSAM processing, they’ve tried to elide this issue of consent in two ways. First, they throw a lot of smoke at the problem. Take this confusing FAQ answer, for example.
(Someone asks why this is confusing. My response is: ok, where is my “private photo library” on device, and how is that library different from the photo library that Apple will scan — other than a settings switch?)
The second thing that Apple has done is bind the “user consent” question into a question of whether the user activates Apple’s cloud services at all.

If you don’t consent, your phone becomes less useful.
Notice that this is not the same kind of consent that Apple requires for its other services, like photo classification. You can opt out of sharing data with Apple without hobbling your device. That is a very big deal.
So now I want to get to the main point: why does Apple think this is ok? And here’s the “insight”: I think Apple has convinced itself that as long as users *could potentially* opt out, this is the same thing as actually obtaining meaningful consent.
It obviously is not. For many people cloud backup services are not optional. Some don’t have a computer to back up to. They’re an integral part of a modern device, like Wi-Fi support or a camera. If you punish people who opt out, that isn’t consent: you’re just coercing them.
I don’t expect Apple to respond to a moral argument like this. What I do expect is that Apple agrees with me. Why do I believe this? Because I think Apple knows exactly how important these cloud services are, since they track how many of their users activate them.
Not only do they almost certainly keep careful track of these numbers, it’s extremely likely that they optimize their products to maximize them. They can do this because they control the default settings on new devices and OS upgrades.
And when you speak to Apple, it’s very clear that they know this. It’s very clear that they understand their users aren’t meaningfully consenting to scanning. And it’s also very clear that they don’t have much of an answer.
Which brings me to my last point (I swear.) What will happen in a world where it is no longer feasible to opt out of cloud services? Because that world is coming very quickly. Apple also doesn’t have a very convincing answer to that question, and that worries me. ///
