Governments planned to misuse CSAM scanning tech even before Apple’s announcement

By Ben Lovejoy

October 15, 2021

Background Apple insisted that it had a solid safeguard in place to protect privacy and prevent misuse. It would only match images against known CSAM databases; it would check at least two databases and require the image to be in both; action would only be triggered on 30 matching images; and there would be a manual review before law enforcement was alerted.

Any government could pass a law requiring tech companies to use their available capabilities (e.g., the CSAM scanning system) to look for images they say are associated with terrorism, or any type of political opposition.

Governments planned to misuse CSAM scanning tech A new report today shows that this is far from a theoretical concern. A group of security researchers says that the European Union planned to use this technology to scan for other types of images even before Apple revealed that it had developed its own system.

While the EU proposal was an independent initiative to use the same type of technology as Apple, it is not exactly a giant leap to imagine that – now the EU knows Apple possesses this capability – it might simply pass a law requiring the iPhone maker to expand the scope of its scanning. Why reinvent the wheel when a few strokes of a pen can get the job done in 27 countries? Image databases used within the EU may well be trustworthy, but once this precedent has been set, it would be a very small step for less enlightened governments to pass equivalent laws.

The researchers say that Apple’s approach is incredibly dangerous. “It should be a national-security priority to resist attempts to spy on and influence law-abiding citizens,” the researchers wrote […] “Expansion of the surveillance powers of the state really is passing a red line,” said Ross Anderson, a professor of security engineering at the University of Cambridge and a member of the group […]

“It’s allowing scanning of a personal private device without any probable cause for anything illegitimate being done,” added another member of the group, Susan Landau, a professor of cybersecurity and policy at Tufts University. “It’s extraordinarily dangerous. It’s dangerous for business, national security, for public safety and for privacy.”