All the recent talk about Apple, 'the guys who care about your privacy', has seen them go from "what happen on your iPhone stays on your iPhone" to "but it's all about the children!"
So let's start with CSAM (child sexual abuse material), of course we need to protect our children, and I am sure Apple is trying to do just that, however, the road to hell is paved with good intentions. And let's get this out of the way, Apple was never your friend. And this is where things getting tricky with CSAM.
By doing this on a country by country basis, the hashed file being uploaded to your phone was not prepared by, nor can it be verified by Apple, but it was given to them!. Now let's assume for now that the file only has CSAM hashes on it at this time, what guarantees that this will be the case in the future?
What if a government gives Apple a file that includes other hashes. Perhaps a picture of Winnie the Pooh in China or a picture of an activist they want to locate?
Let's rewind to the mass demonstrations in Hong Kong 2 years back. Apple pulled an app from the store that tracked the locations of both police and demonstrators. Apple's justification was that the app encouraged illegal activities. This, unsurprisingly, was after a vitriolic piece in the People’s Daily (the mouthpiece newspaper of the Chinese Communist Party) stating that:
“Letting poisonous software have its way is a betrayal of the Chinese people’s feelings”.
It showed that Apple would bend to the Chinese Government, after all profits before people, right? However, consider that people could have used the app to avoid getting in to the clashes on their way to work or a Mother not wanting their children to get teargassed?
Consider also that Apple makes most of its hardware in China, and they can't just pull out of their largest market (with the cheapest child labor!) And it didn't stop with the 'crowd' app as the New York Times app, VPN apps and other news apps were also removed from the Chinese app store.
The new iCloud + Privacy Relay has just launched, but has already been removed in some countries. It shows Apple follows the dictats pf oppressive Governmental 'requests' and guidelines.
Working condition violations have never been a big concern for Apple as these date back so far it is almost ignored yet numerous pieces have appeared over the years exposing these and data manipulation. Below are a selection of some of these, just to give you a flavor for their 'hidden' corporate culture:
The issue doesn't end if a Government request comes in, but also with false positives.
Of course this then goes to a human review, but do you feel comfortable that your private pictures, perhaps even of your own children, are being reviewed by someone at Apple? And it does lead to the next big question "if our pictures are E2EE and "not even Apple can see them" how is the human reviewing even possible?"
Let's not forget Pegasus…
All in all this is not a flattering look at your 'privacy partner', Apple! No, Apple is not your friend, Apple is great at marketing, it started in 1984 where Apple claimed this is why 1984 will never be like 1984. The problem is that them now in 2021 is so much further ahead of Orwell's nightmarish Blueprint! Do you really want to trust Apple in its closed garden setup with this new method to 'protect children'?
Don't get me wrong, I want to believe, but a lot of things can be going awry. I am not saying it will, and if it is only "appropriate and approved" CSAM hashes that are scanned by the phone or device and nothing else can ever be added then all well and good, Apple claims there is "almost no way to get a false positive" and that sounds good but in the end we need to trust that Apple will not add anything else, nor that governments will force them to send one more hash...
Apple addressed these concerns in a rushed FAQ file:
However, all I read out of this is "trust us"! But why would we? They failed people in Hong Kong before where one wrong hash reported to a bad government can cost lives. And it is something I just don't feel comfortable recommending. Thankfully we have options, such as Linux, GrapheneOS or CalyxOS.