Apple's privacy vs. child safety debate
The company pauses its plans to scan devices for CSAM after privacy outcry
Can online services identify harmful content while simultaneously preserving end-to-end encryption? It’s a question that has no easy answers, and Apple’s upcoming proposals to scan iPhone users’ photo libraries for illegal child sexual abuse and related contraband imagery aim to strike a middle ground. But do they?
While Facebook and other social media platforms do a server-side scan for child sexual abuse material (CSAM), the concerns are different with Apple in that the technology not only bakes surveillance capabilities right into its devices, it also opens more potential vectors for repurposing the tool, such as compelling the company to scan for content beyond abuse material. Viewed in this light, it’s not surprising that the system has fast become a lightning rod for controversy.
Apple, for its part, has defended its contentious plans, which have drawn sharp criticism from privacy advocates and security researchers, adding that it will reject any government demand to use the new child sexual abuse image detection system for surveillance. It has also pushed back against the possibility that the system could be manipulated to detect other objectionable forms of photos at the request of authoritarian governments.
“Let us be clear, this technology is limited to detecting CSAM stored in iCloud and we will not accede to any government’s request to expand it,” the company explained. Apple has since confirmed that it has already been scanning iCloud Mail for CSAM since 2019, but not iCloud Photos or iCloud backups.
The iPhone maker has also reiterated that its system is actually an advancement in privacy that will “enabl[e] a more private world” because it will scan photos “in the most privacy-protecting way we can imagine and in the most auditable and verifiable way possible.”
The initiative, however, has been met with a swift backlash over worries that it could introduce a backdoor into Apple’s software, that it could provide a blueprint for breaking secure end-to-end encryption, and that it could open the door to more troubling invasions of privacy. More than 90 policy groups from the U.S. have urged Apple to drop the proposals over worries that they could be “used to censor protected speech, threaten the privacy and security of people around the world, and have disastrous consequences for many children.”
“It’s truly disappointing that Apple got so hung up on its particular vision of privacy that it ended up betraying the fulcrum of user control: being able to trust that your device is truly yours,” technology commentator Ben Thompson said last month.
What’s more, researchers from Princeton University who built an Apple-like system to identify CSAM in end-to-end encrypted online services said they abandoned it due to numerous abuse and misuse concerns. Writing in an op-ed for the Washington Post, Jonathan Mayer and Anunay Kulshrestha argued that such a system “could be easily repurposed for surveillance and censorship,” noting that “the design wasn’t restricted to a specific category of content; a service could simply swap in any content-matching database, and the person using that service would be none the wiser.”
Because the upcoming system relies on matching hashes derived from images against a database of CSAM hashes, it is exposed to “hash collisions,” in which two totally different images produce the same “hash” or signature. Not only does this have the potential to create a false positive, implicating innocent people as possessing child sexual abuse material, but such a false positive could be accidental or deliberately triggered by a malicious actor.
Apple initially opted to downplay many of these concerns, pointing to the safety nets it has built around the feature and noting that the tool is specifically set up to identify collections of child pornography: it only triggers once 30 different hashes have been matched, which makes the aforementioned scenario highly unlikely. The company has since reversed its stance.
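As an added illustration, not code from this newsletter or from Apple’s own system, the following Python sketches the two points above: a report requires 30 different matching hashes, so one colliding photo (even saved many times) never reaches the threshold on its own, and a binomial estimate shows how unlikely accidental collisions alone are to cross that line. The hash strings, library sizes and per-photo collision rates are constructed assumptions.

```python
from math import comb

# Added illustration of the threshold logic the article describes.
# The "hashes" below are constructed stand-in strings, not real image
# signatures, and the collision probabilities are assumed values.
REPORT_THRESHOLD = 30  # the article: a report needs 30 different matches


def count_matches(library_hashes, blocklist):
    """Count the DISTINCT library hashes that appear in the blocklist.

    Distinctness matters: the article says 30 *different* hashes must
    match, so many copies of one colliding photo count only once.
    """
    return len(set(library_hashes) & set(blocklist))


def should_report(library_hashes, blocklist, threshold=REPORT_THRESHOLD):
    """True only when the distinct match count reaches the threshold."""
    return count_matches(library_hashes, blocklist) >= threshold


def prob_false_report(n_photos, p_collision, threshold=REPORT_THRESHOLD):
    """Chance that an innocent library of n_photos photos crosses the
    threshold purely through accidental collisions.

    Assumes each photo collides with the blocklist independently with
    probability p_collision (a simplifying assumption for illustration),
    so the match count is Binomial(n_photos, p_collision). Summing the
    lower tail P(X < threshold) needs only `threshold` terms, even for
    very large libraries.
    """
    lower = sum(
        comb(n_photos, k) * p_collision**k * (1 - p_collision) ** (n_photos - k)
        for k in range(threshold)
    )
    return max(0.0, 1.0 - lower)


if __name__ == "__main__":
    blocklist = {f"blocked-{i}" for i in range(1000)}  # constructed
    # One colliding photo saved ten times is still a single distinct match.
    one_collision = ["blocked-7"] * 10 + [f"mine-{i}" for i in range(500)]
    print(count_matches(one_collision, blocklist), should_report(one_collision, blocklist))
    # 29 distinct collisions stay below the line; 30 cross it.
    print(should_report([f"blocked-{i}" for i in range(29)], blocklist))
    print(should_report([f"blocked-{i}" for i in range(30)], blocklist))
    # A 100,000-photo library with an assumed one-in-a-million per-photo
    # collision rate essentially never reaches 30 accidental matches.
    print(prob_false_report(100_000, 1e-6))
```

Note that the estimate only covers accidental collisions; it says nothing about an attacker deliberately planting 30 colliding images, which is the other scenario the article raises.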
If anything, the firestorm ignited by Apple’s announcement is unlikely to die anytime soon. But the lack of concrete answers is a sign that the system, while well intentioned, isn’t ready yet for primetime. It’s no surprise, then, that the company said it has temporarily paused its plans to “collect input and make improvements before releasing these critically important child safety features.”
“The features […], intending to help protect children, would create an infrastructure that is all too easy to redirect to greater surveillance and censorship,” the Electronic Frontier Foundation said in a statement. “But the company must go further than just listening, and drop its plans to put a backdoor into its encryption entirely.”
What’s trending in security?
💲 A threat actor called “Mr. White Hat” has returned the $610 million they stole from the decentralized finance platform Poly Network. The hacker said the plan was never to keep the money, just to prove there are security weaknesses associated with DeFi platforms. Well, mission accomplished! [Tom Robinson / The Hacker News]
📶 John Binns, a 21-year-old Virginia native living in Turkey, has admitted to being the main force behind the massive T-Mobile hack that exposed the sensitive information of more than 50 million people. “I was panicking because I had access to something big. Their security is awful,” Binns, who breached the company’s network via an unprotected router in July, told the Wall Street Journal in an interview.
Following the revelation, T-Mobile CEO Mike Sievert apologized for the leak and announced a cybersecurity pact with Mandiant. This is the sixth major data breach T-Mobile publicly acknowledged in the past four years. [WSJ / T-Mobile]
🔎 Turning surveillance tools on the surveillers? “Images and videos from oppressive regimes’ surveillance systems are being leaked in a new surge of suspected hacktivism that uses states’ own panopticons against them,” The Record’s Andrea Peterson reported, detailing the recent leaks from Iranian and Belarusian prisons. [The Record]
⚠️ Autodesk disclosed it was one of the 18,000 firms breached in the massive SolarWinds cyber espionage campaign that came to light late last year. “We identified a compromised SolarWinds server and promptly took steps to contain and remediate the incidents. While we believe that no customer operations or Autodesk products were disrupted as a result of this attack, other, similar attacks could have a significant negative impact on our systems and operations,” the company said in a filing with the U.S. Securities and Exchange Commission. [SEC]
🕸️ Cyber criminals are increasingly using virtual machines to compromise networks with ransomware. By using virtual machines as part of the process, the idea is to conduct malicious activity with additional subtlety, because running the payload within a virtual environment reduces the chances of the activity being discovered. [Symantec]
🇩🇪 The German state of Hamburg’s data protection agency (DPA) issued a public warning not to use Zoom over data protection concerns, noting that the popular videoconferencing service does not comply with the GDPR’s requirement for a valid legal basis for processing personal data. [TechCrunch]
💳 Threat actors have leaked one million stolen credit cards for free online as a way to promote a fairly new and increasingly popular cybercriminal site named AllWorld.Cards that's dedicated to selling payment-card credentials. The cards are said to have been stolen between 2018 and 2019. [D3lab / Cyble]
🇨🇳 A cyber-espionage group believed to be operating out of China targeted at least four critical infrastructure organizations in a southeast Asian country, including a water company, a power company, a communications company, and a defense organization, between November 2020 and March 2021 as part of an intelligence-gathering campaign. “The ability of the attacker to maintain a stealthy presence on the targeted networks for a number of months indicates they were skilled,” researchers said. [Symantec]
🚜 At DEFCON 29, an Australian researcher known only as ‘Sick Codes’ detailed what he referred to as a “tractor load of vulnerabilities” in Wi-Fi, 4G and 5G-connected John Deere farming equipment that, if exploited by an attacker, could be abused “to upload files to any user, log in as any user, destroy any farm, run any farm off the road, upload whatever we want, download whatever we want, destroy any data, log in to any third party accounts.” [YouTube / Vice]
🇮🇷 A threat actor known as Indra is believed to be behind a recent wave of attacks targeting the Iranian Railways and the Ministry of Roads and Urban Development systems in July 2021. [Check Point Research]
🖼️ A California man this month admitted he hoarded over 620,000 photos and 9,000 videos stolen from strangers’ Apple iCloud accounts until mid-2018 to find and share images of nude young women. Using social engineering techniques, Hao Kuo Chi collected the material by impersonating Apple customer support staff and sending out emails to trick his victims into providing Apple IDs and passwords. [Los Angeles Times]
🛡️ The Chinese government launched at least four websites — dubbed “cyberspace security and vulnerability professional databases” — for the reporting of vulnerabilities in networks, apps, industrial control systems and smart cars. [South China Morning Post]
🇷🇺 Malicious code was discovered in the firmware of four low-budget push-button mobile phones sold through Russian online stores — DEXP SD2810, Itel it2160, Irbis SF63, and F+ Flip 3 — that subscribed users to premium SMS services without their knowledge. [The Record]
🤖 The Hafnium attacks against Exchange servers across the U.S. and the world earlier this year may have had a more serious goal in mind beyond just stealing emails and intellectual property — to siphon artificial intelligence research from companies, governments, and universities. [NPR]
🚩 A new Rust-based information stealer called Ficker is being advertised on criminal forums to help threat actors steal sensitive information from compromised devices. It’s distributed via Trojanized web links and compromised websites. [BlackBerry / Infoblox / CyberArk]
🗄️ The past weeks in data breaches, leaks, and ransomware: Accenture, Bangkok Air, Bilaxy, Boston Public Library, Brazilian National Treasury, Chase Bank, Colonial Pipeline, Crytek, Ethiopian Airlines, Guntrader, Indonesia's eHAC, Lojas Renner, T-Mobile, Tokio Marine Holdings, U.S. Census Bureau, and 1.9 million records from the U.S. FBI’s terrorist watchlist.
Tips, Comments, Ideas?
Send them my way by replying to this email.
Thanks again for reading. See you in the next edition!