Mike Peterson
Government abuses of Apple's CSAM iCloud detection system in the U.S., like expansion to terrorist subjects and similar matters, is prevented by the Fourth Amendment, according to security firm Corellium's chief operating officer.
In a Twitter thread Monday, Corellium COO and security specialist Matt Tait detailed why the government couldn't just modify the database maintained by the National Center of Missing and Exploited Children (NCMEC) to find non-CSAM images in Apple's cloud storage. For one, Tait pointed out that NCMEC is not part of the government. Instead, it's a private nonprofit entity with special legal privileges to receive CSAM tips.
Because of that, authorities like the Justice Department can't just directly order NCMEC to do something outside of its scope. It might be able to force them in the courts, but NCMEC is not within its chain of command. Even if the Justice Department "asks nicely," NCMEC has several reasons to say no.
However, Tait uses a specific scenario of the DOJ getting NCMEC to add a hash for a classified document to its database.
In this scenario, perhaps someone has this photo on their phone and uploaded it to iCloud so it got scanned, and triggered a hit. First, in Apple's protocol, that single hit is not enough to identify that the person has the document, until the preconfigured threshold is reached.
— Pwn All The Things (@pwnallthethings) August 9, 2021
Tait also points out that a single image of non-CSAM wouldn't be enough to ping the system. Even if those barriers are somehow surmounted, it's likely that Apple would drop the NCMEC database if it knew the organization wasn't operating honestly. Technology companies have a legal obligation to report CSAM, but not to scan for it.
So thanks to DOJ asking and NCMEC saying "yes", Apple has dropped CSAM scanning entirely, and neither NCMEC nor DOJ actually got a hit. Moreover, NCMEC is now ruined: nobody in tech will use their database.
— Pwn All The Things (@pwnallthethings) August 9, 2021
So the long story short is DOJ can't ask NCMEC politely and get to a yes
Whether or not the government could compel NCMEC to add a hash for non-CSAM images is also a tricky question. According to Tait, the Fourth Amendment probably prohibits it.
NCMEC is not actually an investigative body, and there are blocks between it and governmental agencies. When it receives a tip, it passes the information along to law enforcement. To actually prosecute a known CSAM offender, law enforcement must gather their own evidence, typically by warrant.
Although courts have wrestled with the question, the original CSAM scanning by a tech company is likely compliant with the Fourth Amendment because companies are doing so voluntarily. If it's a non-voluntary search, then it's a "deputized search" and in violation of the Fourth Amendment if a warrant is not provided.
For the conspiracy to work, it'd need Apple, NCMEC and DOJ working together to pull it off *voluntarily* and it to never leak. If that's your threat model, OK, but that's a huge conspiracy with enormous risk to all participants, two of which existentially.
— Pwn All The Things (@pwnallthethings) August 10, 2021
Apple's CSAM detection mechanism has caused a stir since its announcement, drawing criticism from security and privacy experts. The Cupertino tech giant maintains that it won't allow the system to be used to scan for anything other than CSAM, however.
William Gallagher
Christine McKee
AppleInsider Staff
Chip Loder
Malcolm Owen
30 Comments
Yeah… No. It’s happened many times in the past that companies were compelled to do something and were placed under gag orders so it would be a serious crime for them to leak that order. Not saying I have a strong opinion on this new feature one way or the other, but I’m not buying this argument.
Shocking how many people do not want this feature and seem keen to protect the rights of pedophiles :#
For a company like Apple which is so fervent about privacy rights, it’s both disconcerting and alarming that they’d carve out any exception regardless of how righteous or noble the cause.
Didn’t the NSA violate the 4th amendment when it was caught spying on American citizens who were not suspects of committing terrorism?
Just because the govt could force an update to the NCMEC database doesn’t mean Apple updates their data to push out in an iOS update.