Do You Trust Apple?

Well, Do You??

Apple's new Child Protection features have raised security concerns about the data we entrust to Apple devices and services. Indeed, there is much grist to grind about this thorny issue, and this is not the first time privacy concerns have arisen around Cloud storage in general and Apple's iCloud services in particular. Nevertheless, Apple is attempting to address a genuine and severe problem that most people understand is a massive issue in today's world; Apple is late to the party in many ways. Google and Microsoft have already implemented similar features, and there have been some notable arrests due to the illicit content they uncovered. However, privacy advocates argue that it is not Apple's (or Google's) job to police everyone's data. On the other hand, do we want Apple to do nothing to combat serious human-rights abuses because of concerns that the technology may be misused? That is the thorny question, the dilemma upon whose horns we are straddled.


But, of course, anytime you entrust valuable data to a third party, you take a risk—and this applies equally to Cloud storage and local storage on your device when the service provider deems it their responsibility to monitor.
The obvious risks are:
(1) The data may be lost. Of course, we can protect against loss by keeping backups, but the whole purpose of cloud storage is that maintaining backups is taken care of for us. Most providers do an excellent job of this; therefore, we may safely generalize and say that data loss by cloud storage providers is exceedingly rare.
(2) The data may become corrupted. Ditto, and ditto, with a side order of repeat, acknowledge, and roger-ten-four.
However, the privacy risk is the one we are addressing:
(3) Others may see our data. Those who work in Information Technology are well aware that anyone with admin privileges can access pretty much anything in the system. This situation is where encryption comes into play. Cloud data is generally encrypted with the master keys stored and managed such that only the data's owner can decrypt it. At least that's what we're told.
     Is it really, though?
     In 2019, the Justice Department obtained an illegal "Covert Warrant" for Rudy Giuliani's iCloud account. They took Privileged documents and unilaterally decided what they could and could not read. We will leave the illegality of the Justice Department's actions and the willful violation of Lawyer-Client Privilege for others to debate. We are only interested in the technology and how the government, with Apple's help, broke into a supposedly encrypted account.

 

     Don't let them gaslight you. Others can indeed see our "securely encrypted" Cloud data, simply because we do not control the keys. The only way to stop them is to control your own keys!

     Then there are so-called "National Security Letters" (NSLs). NSLs are a constitutionally questionable search procedure that gives the government the power to compel the disclosure of customer records held by banks, telephone companies, Internet Service Providers, and, really, almost anyone. Moreover, served entities are prohibited from telling anyone about their receipt of the NSL. This gag hinders any attempt at public oversight, and there have been rampant claims of abuse.
     Not only must we worry about malicious hackers stealing our valuable data through a breach of a cloud provider's storage, but we must also beware of our government invading our privacy, Fourth Amendment be damned.
     Despite the promises of Apple and others who provide similar services, once placed in the Cloud, others may see our data. Do we care if the U.S. Government sees our financial data or our grandkid's pictures if we do nothing wrong? What about the CCP? Or Russia? Why not just place our private files on a public bulletin board at the local 7-11? I think not.
     Even the most innocent of files or images can open the door to immense abuse.
     Apple's new CSAM (Child Sexual Abuse Material) system opens a new front in the ongoing war between privacy advocates and totalitarian busybodies. Totalitarians claim that if they can merely access the totality of our digital lives, they can stamp out whatever evil-du-jour is on their radar. Today it's child porn; tomorrow, it may be religious, political, terrorist-related, pro/anti leanings on vaccines, cat photos, or anything else.  Thoughtcrime becomes real, and our data is scrutinized for wrongthink. Such is the world in which we live. Orwell described it over seventy years ago, and today we call it 'Cancel-Culture.'
     No sensible person wishes to enable child abuse, but that's not the point. The rational person must beware of the inevitable false positives. Those who seriously engage in terrorism, money laundering, pedophilia, or other unsavory activity know how to hide. It is the unwary, as well as the doting grandparent who snaps an innocent 'baby on a bearskin rug' photo, who are at risk of having their lives upended. Criminals tend to know how to cope, or at least those who don't are quickly caught.
     The Fourth Amendment exists for a reason.
     Apple's 'new protective feature' uses a NeuralHash algorithm that has already been reverse-engineered. Further, it has been demonstrated to experience hash collisions, where two different photographs hash to the same value. Finally, it has been shown possible for innocuous images to produce hashes that are flagged as malicious, and for malicious content to be tweaked to yield an innocuous hash.
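
To make the collision and false-positive concern concrete, here is an added illustration that is not from the original article and is not Apple's NeuralHash: a toy 8x8 "average hash" stands in for a perceptual hash, and the images, watchlist and distance threshold are all constructed for the demo. It shows a perceptual hash matching a re-saved copy (the intended behavior) and also an unrelated picture with the same coarse layout, while SHA-256 tells all of them apart.

```python
import hashlib

def average_hash(pixels):
    """64-bit aHash of an 8x8 grayscale grid: bit is 1 where pixel > mean brightness."""
    flat = [p for row in pixels for p in row]
    mean = sum(flat) / len(flat)
    bits = 0
    for p in flat:
        bits = (bits << 1) | int(p > mean)
    return bits

def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")

def sha256_hex(pixels):
    """Cryptographic hash of the raw pixel bytes, for comparison."""
    return hashlib.sha256(bytes(p for row in pixels for p in row)).hexdigest()

def is_flagged(pixels, watchlist, max_distance=4):
    """Perceptual matching: flag anything within max_distance bits of a listed hash."""
    h = average_hash(pixels)
    return any(hamming(h, listed) <= max_distance for listed in watchlist)

# Constructed sample images (8x8 grayscale, values 0-255).
LISTED = [[20 if c < 4 else 220 for c in range(8)] for r in range(8)]
# Same picture with small pixel noise, as after re-saving or recompression.
RESAVED = [[LISTED[r][c] + (r * 3 + c) % 5 - 2 for c in range(8)] for r in range(8)]
# A different picture (two gradients) that happens to share the dark-left/bright-right layout.
UNRELATED = [[r * 10 if c < 4 else 130 + c * 10 + r * 5 for c in range(8)] for r in range(8)]
# A picture with a different layout (bright top, dark bottom).
DIFFERENT = [[220 if r < 4 else 20 for c in range(8)] for r in range(8)]

WATCHLIST = [average_hash(LISTED)]

if __name__ == "__main__":
    for name, img in [("listed", LISTED), ("resaved", RESAVED),
                      ("unrelated", UNRELATED), ("different", DIFFERENT)]:
        print(f"{name:10} aHash={average_hash(img):016x} "
              f"sha256={sha256_hex(img)[:12]}... flagged={is_flagged(img, WATCHLIST)}")
```

The tolerance that lets a perceptual hash survive resizing and recompression is the same property that lets unrelated content land on a listed value, so a match is evidence for human review rather than proof.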
     Worse, the technology behind the CSAM hashing can easily extend to other types of content, such as might be demanded by China, Russia, India, or any other repressive government. Potential abuse by Western governments pales into insignificance compared to the genuine, ongoing abuses perpetrated by the brutal totalitarian regimes. It is not only the CSAM scanner and the potential for false positives that worry us. Personal privacy is under assault on a global scale. The U.S. Government has a well-earned reputation for abuse, dating from the J. Edgar Hoover days, and don't even get me started on the modern-day witch-hunts that began under the George Bush administration.

     Even so, the NSA and the FBI are playful innocents compared to many international actors. Cute names like Fancy Bear, Pawn Storm, Sednit, or Tsar Team belie some truly evil organizations connected with totalitarian, terrorist regimes. Hardly a day passes but what some Cloud-based data is stolen and held for ransom, used for criminal activity, or even just disclosed without permission.
      What can the innocent end-user do to protect themselves? Sadly, we live in an age where our technology is mainly out of our control. So we have a choice. We can leave everything open and unencrypted and submit to whatever scrutiny our masters dictate, or we can resist, where and how we are able.
     They will scan our data without permission, but we do not have to make it easy. We have a few strings we can pull, some mitigations we can perform.

Some suggestions:

(1) Use reasonably secure open-source platforms where possible. For example, Linux-based desktop platforms offer tremendous potential for security; the platforms on common mobile devices, as well as the common desktop platforms, not so much.

(2) Use a secure email system, as far as possible. The common systems everyone uses (Yahoo, Gmail, Apple Mail, and so on) are emphatically not secure. Your every message is scrutinized. ProtonMail is promoted as end-to-end encrypted with no logs, but despite its "no IP logs" claims, the company recently drew criticism after it ceded to a legal request and shared the IP address of anti-gentrification activists with law enforcement authorities, leading to their arrests in France. In full damage-control mode, they acknowledged that while the company does not abide by requests from non-Swiss law enforcement authorities, it is required to do so if Swiss agencies agree to assist foreign services such as Europol in their investigations. So even ProtonMail is not entirely trustworthy.

(3) Use a good VPN, either one you control the endpoints of (nearly impossible) or one not based in the US. Look for one operated by radical privacy advocates, to start.

(4) Encrypt, encrypt, and encrypt. You should encrypt any sensitive or private data you store in anyone's cloud storage service — not only Apple but anyone's. You should also encrypt any sensitive or private data you keep on your computer. Finally, any valuable files stored offline on those handy removable hard drives should be encrypted as well. Drives sitting on a shelf, unencrypted, may be stolen or copied. If unencrypted, that data can easily be read by anyone. If you doubt the value of encryption, please allow me to refer you to Bruce Schneier's 2016 essay on "The Value of Encryption."

     https://www.schneier.com/essays/archives/2016/04/the_value_of_encrypt.html


(5) Be careful what you upload to any cloud service. Not just photographs, but any content — financial records stored unencrypted in a Cloud volume can be an open book to anyone who cares. We have gone far beyond being offended by nudity or porn. We live in an age where today's innocuous joke is tomorrow's cancel trigger. 

(6) Use a real camera, one not connected to a cloud. Be very wary of taking photos with a phone camera. Remember, the CSAM scanner operates on the device, not the Cloud. So if you're serious about photography, particularly anything that might one day offend someone, don't use a Cloud-connected camera. Today's smartphones have fantastic cameras built-in, but that convenience includes a very convenient CSAM scanner, not to mention that your every photo is subject to an NSA search without your knowledge via an NSL. Force them to come to you, if they have good reason, not illegally filch your data behind your back. 

(7) Once you have your grandkids' photos from your "real" camera, encrypt them and keep them offline as much as possible.

This is NOT ABOUT EVADING THE LAW! This is about evading the consequences of an invasive, over-reaching government and the constant threat of AI-driven false-positive associations. This is about avoiding becoming the victim of an international criminal plot. This is about avoiding being "monetized" by the big advertising engines, making money for the likes of Facebook, Apple, Amazon, and Google without compensation. This is about keeping your personal data private, and minding your own business, while keeping the do-gooder busybodies at bay. Criminals already know to avoid scrutiny. This is about empowering ordinary citizens with the same tools criminals already use; this is about leveling the playing field.

We live in Orwellian times. Encryption will protect you. Encryption is your friend.

Use it consistently, use good passwords, and don't forget them.