Contrary to January 2020 Reports, Apple Is Not Currently Checking iCloud Photos Against CSAM Hashes

In my commentary about Apple’s recently announced child safety initiatives, I have repeatedly stated that the company was already checking hashes of images uploaded to iCloud Photos against NCMEC hashes of known CSAM. I was not the only one who thought this — the same idea was referenced by many others, like in the TidBits FAQ and by Jason Aten, who writes for Inc — but most of us were referencing sources that relied upon reporting from the Telegraph. That article carries this correction:

This story originally said Apple screens photos when they are uploaded to iCloud, Apple’s cloud storage service. Ms Horvath and Apple’s disclaimer did not mention iCloud, and the company has not specified how it screens material, saying this information could help criminals.

This note was appended one day after the Telegraph published its original report — that is, one day after it was cited by numerous other outlets. Unfortunately, none of those reports reflected the Telegraph’s correction and, because the Telegraph has a soft paywall and the title of the article remained “Apple scans photos to check for child abuse”, it is not obvious that there were any material changes to correct. Robinson’s Law strikes again.

Still, that is no excuse. I should have checked the claims of these reports against that original Telegraph article before relaying the same error. I regret not doing that. Please consider this a correction.

Via Michael Tsai who adds:

In any case, this changes how I interpret Apple’s FAQ, as well as speculation for the future. If photo library scanning is new, Apple is not reimplementing a previously working system in a way that is potentially less private (since it could be easily tweaked to scan non-cloud photos). It also seems less likely to imply a switch to making iCloud Photos E2EE. It could simply be that Apple wanted to implement the fingerprinting in a way that took advantage of distributed CPU power. Or that it wanted to avoid having a server scanner that it could be compelled to use. This also explains why Apple only made 265 reports in 2020.

This certainly changes how I read this entire situation.