While most of the concerns about governments misusing CSAM scanning to detect things like political opposition have related to foreign governments, some have suggested that it could become an issue in the US, too.
Matt Tait, COO of security company Corellium, and a former analyst at British NSA equivalent GCHQ, says the Fourth Amendment means that this could not happen in the US …
Johns Hopkins cryptographer Matthew Green highlighted the following scenario with regard to adding non-child sexual abuse materials to the database:
1. US DoJ approaches NCMEC, asks them to add non-CSAM photos to the hash database.
2. When these photos trigger against Apple users, DoJ sends a preservation order to Apple to obtain customer IDs.
Tait says in a Twitter thread that the database is compiled by the National Center for Missing & Exploited Children (NCMEC), which isn’t strictly speaking a government agency – it’s a quasi-autonomous body, though it is mostly funded by the DOJ.
That hands-off-ness serves means that DOJ can’t simply NCMEC to do things. It could perhaps try and compel them via court order or ask quietly for them to do things. But it can’t just make them to do things directly.
Let’s take those in turn. What if DOJ asks nicely? In this case, NCMEC has every incentive to say “no”. CSAM scanning by tech companies in the US happens voluntarily. There’s a legal obligation to report CSAM, but no legal obligation to look for it.
Let’s suppose DOJ asks NCMEC to add a hash for, idk, let’s say a photo of a classified document, and hypothetically NCMEC says “yes” and Apple adopts it into its clever CSAM-scanning algorithm. Let’s see what happens.
In this scenario, perhaps someone has this photo on their phone and uploaded it to iCloud so it got scanned, and triggered a hit. First, in iS Apple’s protocol, that single hit is not enough to identify that the person has the document, until the preconfigured threshold is reached.
But suppose the request was a bunch of photos, or the person with the photo also has CSAM or w/e and the threshold is reached. What then?
Well, in this case, Apple gets alerted, and Apple reviews the images in question. But wait! The images aren’t CSAM. That means two things. First: Apple is not obliged to report it to NCMEC. And second, Apple now knows that NCMEC is not operating honestly.
As soon as Apple knows NCMEC is not operating honestly, they will drop the NCMEC database. Remember: they’re legally obliged to report CSAM, but not legally obliged to look for it.
So thanks to DOJ asking and NCMEC saying “yes”, Apple has dropped CSAM scanning entirely, and neither NCMEC nor DOJ actually got a hit. Moreover, NCMEC is now ruined: nobody in tech will use their database. So the long story short is DOJ can’t ask NCMEC politely and get to a yes
But, he says, let’s look at what happens if the government compels the NCMEC to add the fingerprint to the database. That, he says, would prevent a prosecution because it would conflict with the Fourth Amendment, which protects against illegal search and seizure.
When NCMEC gets a CSAM hit –what they call a “cyber tip” –they report it to relevant law-enforcement. Law-enforcement then typically gets a subpoena for records, and then work their way up to a full search warrant for evidence against the individual trading in CSAM.
To put that person in prison, they’ll need to eventually bring evidence, and that means they need the entire chain of evidence to be 4A-compliant. The ultimately evidence is derived from the warrant, its probable cause from the subpoena, and SO on, all the way back to the start.
But was the original search 4A-compliant? If no, the whole chain falls apart. This is a is a complicated area, and courts have wrestled with it for a long time. But broadly the consensus view is yes, it is 4A-compliant, because the original CSAM search was voluntary by the tech co.
But if NCMEC or Apple were * compelled* to do the search, then this search was not voluntary by the tech company, but a “deputized search”. And because it’s a deputized search, it is a 4A search and requires a particularized warrant (and particularization is not possible here).
So although the US government could get evidence this way, it couldn’t use it to prosecute anyone.
Of course, that doesn’t mean the government couldn’t use the information in other ways, but then you’re into a whole other legal rabbit hole.
Stanford’s Alex Stamos has called for more nuanced discussion on the risks of misusing CSAM scanning, and this thread certainly qualifies.
FTC: We use income earning auto affiliate links. More.