Skip to content

Top New Best Ask Show Jobs

Tell HN: Dont upload these images to iCloud as Apple will assume its Child Porn | Better HN

Tell HN: Dont upload these images to iCloud as Apple will assume its Child Porn (opens in new tab)

(drive.google.com)

227 pointsvictor8711294y ago100 comments

100 comments

ReactiveJelly4y ago

"Now you can block people in Drive. To prevent people from sharing unwanted files with you, ..."

hahaha. What a coincidence, Google!

So you got a hold of the neural hashes, and then used an error function and descent to generate images that match a 'hash'?

It feels wrong to call them 'hashes' when they're so weak to pre-image attacks. They're not the same idea as cryptographic hashes at all.

Also want to underline how spooky it is that some of them do resemble human forms.

4111111111111114y ago

Some? Literally all are clearly based on pornography.

First is veg&butthole, then boobs, next is doggy style etc etc (edit: it seems the order isn't consistent. So I'm likely seeing different images then you.)

You can go through them all and see the original pornography if you look at the shapes. To me, it looks more like they started with the real images and tweaked them to make them artsy.

yesbabyyes4y ago

I don't know, this sounds a bit like a Rorschach test to me.

ASalazarMX4y ago

I love this comment. I have no idea how these were generated, but even starting with random noise it's possible to end up with vaguely human shapes if that's what originated the hashes to begin with.

These images could be a joke, as I don't think we have a clear technical documentation of how these hashes are generated. Computer vision? Vectors? Face recognition software? It's definitely not a naive hash.

Edit: seeing the other comments in this thread referencing Twitter, it looks like it's more naive than expected, as the hash is resistant to resizing, but not to cropping. The implementation can change at Apple's discretion, though.

dragonwriter4y ago

> They're not the same idea as cryptographic hashes at all.

There is a reason cryptographic hashes are distinguished; some applications of hashing are only concerned with minimizing non-malicious collisions.

(Arguably, this is an application where malicious collisions are an issue, but perceptual hashes don't purport to be cryptographic.)

Don't forget how it started at Google.

Long before they claimed that they scan email for child porn, they made an email scanner to appease China, on a condition they will not target dissidents.

I think all remember how it went. Seeing their intimidation work, it only fired up the Chinese government, and led them to only increase their attempts at arm twisting, until Google clumsily pretended to "be tough" while still doing their last attempt behind the scenes negotiations, which, to their big surprise, got them banned overnight.

Don't forget how Google admitted their mistake and withdrew from the Chinese market.

Even though Google could have made a ton more money by helping China to build the tools of repression.

Don't forget that other large US corporations like Microsoft, Apple and Activision do build censorship tools and participate in repressing dissent.

My recollection was that Google was outgunned by Baidu and similar Chinese tools, who were being actively supported by the CCP, while Google was half-tolerate. At the same time, it was losing security, IP, and reputation. There was a nice PR play around it, but I don't think "Google could have made a ton more money by helping China to build the tools of repression." It's better to build those in-house.

> Don't forget how Google admitted their mistake and withdrew from the Chinese market.

Which I point to the decision they came inadvertently. It was their intention to play games with the regime which backfired on them, not vice versa.

Applejinx4y ago

I assumed that these are reverse engineered from legitimately illegal and problematic porn of known origin.

Not sure exactly how you'd go about doing it, but it seems like there might be a process for 'evening out' areas into solid color that maintains the hash? In which case you're running extensive image processing on illegal images and making variations from those very images.

More info on how this is done?

dragonwriter4y ago

> I assumed that these are reverse engineered from legitimately illegal and problematic porn of known origin

I would assume these were engineered by getting the perceptual hash valies, using distance from the hash values in the DB as an error function, and starting with an innocuous image and hash value, and iterating to a collision for each.

zepto4y ago

That technique can’t fool Apple’s algorithm.

For what it’s worth, the null hypothesis is that they are just fakes and the commenter is at best trying to illustrate a point.

Applejinx4y ago

Followup, since I can't edit: if my assumption isn't correct, well then, I stand corrected. I said in past tense, 'I assumed', and then asked for more info. That's not forthcoming, just a bunch of very upset assertions that of course I'm wrong and these things can't be reverse engineered from real porn.

I'm sure not interested in proving they can. Mind furnishing the info about how it's really done, then? Since according to you (for very obvious reasons) you can never compare these images to the source for the hashes, where did you extract the hashes from?

If you can so easily reverse engineer false positives from random data without ever seeing or using genuine porn to produce it, shouldn't you be disseminating this content as widely as you possibly can, rather than warning people about the danger of interacting with these false-positive images?

Still puzzled how and why this is being done. Are you trying to render Apple's system useless, or not?

Summary: I'm saying "there may be a way to take existing images that are illegal even to possess, and process them to obliterate the image while maintaining the hash. Is that what's being done here?" and the response is "AM NOT!!"

Genuine question: If those image were really generated from illegal porn, are those images themselves considered illegal? Or in other words: How much do you have to modify illegal images for them to become legal again? Or do they stay illegal no matter how much you transform them?

f38zf5vdt4y ago

Looking at the script below, it looks like it uses a gradient function for loss so that it learns to approach an image that generates a collision. If the case that the hashes themselves, being a result of a neural network, can be reverse engineered into pornographic images then does that raise a legal quandary?

Apple said that the risk of collision is "1 in one trillion" which for a hash function would be terrible. We also don't know what the one trillion images they tested against were. If you upload your regular porn to iCloud, it's likely that pornographic images will raise more false positives than say, pictures of sunsets.

Applejinx4y ago

Also relevant question: if these images were not at all generated from illegal porn, but they connect to hashes being used to flag illegal porn, is the purpose of this exercise to generate methods to SWAT people over the internet?

As in, pursue a mechanism to get these onto somebody's computer in a way that they'll be backed up via iCloud (for instance, if a person's got their email account including trash folder backed up in iCloud, and you send them the pictures which they 'throw away' because it means nothing to them, placing the images in a trash folder in the mail preferences)

Is that (a) practical and (b) the intent of this exercise? Seeing as every question I've had here has led to karma burning I figured I'd double down and ask if the person doing this is trying to prepare a weapon for swatting people. There are times I respond to downvoting pressure to 'stop talking!' by getting more interested, which I'm sure is a common reaction among some hackers.

victor871129OP4y ago

These harmless generated images have a neuralhash equivalent to those provided in the NCMEC database submitted for testing. I repeat: Dont upload these harmless images to iCloud as Apple will assume its Child Porn (CSAM). Scripts were available on a GitHub repo but were removed because they may cause damage to others.

yreg4y ago

Is the hash database and the hashing algo public? Or how do you know these match?

jhugo4y ago

Of course the database is public, it's on every iPhone!

malf4y ago

No, it’s not.

> Scripts were available on a GitHub repo but were removed because they may cause damage to others.

Is there an archived link?

Edit: I guess this? https://gist.github.com/unrealwill/c480371c3a4bf3abb29856c29...

zepto4y ago

> Dont upload these harmless images to iCloud as Apple will assume its Child Porn (CSAM)

This is not true. They may match the hash, but the will not match the visual derivative.

The system is not as easily fooled as you think.

post_break4y ago

We've learned from YouTube how well matching content works well. Apple will be better right? Right?

zepto4y ago

Yes. We know that it is based on the papers explaining how it works.

> The system is not as easily fooled as you think.

I would like to believe that is true, but the negative consequences of even generating a false-positive is enough to not attempt to upload any image.

LucidLynx4y ago

I tend to disagree here...

Based on the documentation from Apple, they are waiting to get *several* matches, *not only one* (we don't know what is *several* but I don't expect something like <= 3 pictures). Once the rate has been reached, they ask to a physical team to review the "positive matches", and deliberate if, yes or no, the images are CSAM or not.

If yes, after the manual process, the authorities are called.

yuppie_scum4y ago

The consequence is that someone at Apple reviews the case, notices that its a false positive, and closes the case.

krrrh4y ago

If Google Drive scans with the same database then how is your link working?

fulldecent24y ago

Because they are scanning with a different hash system.

LucidLynx4y ago

Do you have any proof?

The database of 200_000 images used by Apple (and others?) is private, and I did not found any trace of the hashes (but I could made a mistake here). So, how do you know that those correspond exactly (or with a certain threshold that has NOT been disclaimed by Apple) to the CSAM DB?

Also, NeuralHash has NOT been released by Apple yet (https://www.apple.com/child-safety/pdf/CSAM_Detection_Techni...), so...

The NeuralHash code is apparently included in the latest beta: https://twitter.com/KhaosT/status/1424205967122571268

victor871129OP4y ago

Im going to release 5 pieces of proof in the next 5 days

zepto4y ago

This comment discredits you.

Retr0spectrum4y ago

This is a lame attempt at trolling.

LucidLynx4y ago

Thank you Mr Scam

float44y ago

Just uploaded them all to my iCloud.

They way I see it, this is the best photo backup approach one can possibly take. Just get flagged for child porn, and have all your iPhone photos stored indefinitely on FBI servers.

Does the FBI have geo-redundancy?

Thanks for your service.

The problem with Apple’s approach to CSAM is that they use Neuralhash. Unlike other simple perceptual hashes, the failure modes and the collisions using this method are not well understood. I repeat here my previous comment in another thread : they use NN and triplet embedding loss, the exact same techniques used by neural networks for face recognition, so maybe the same shortcomings would apply here. For example a team of researchers found a 'Master Faces' that can bypass over 40% of Facial ID. Now suppose that you have such an image in your photo library, it would generate a ton of false positives and not just a single match with the NCMEC database.

zepto4y ago

As far as I can see the claim made here is not correct.

Assuming the images do as claimed match the hash, they must also match the ‘visual derivative’ in order to trigger a match.

The system isn’t as easily fooled as is being claimed here.

toxik4y ago

You have misunderstood. NeuralHash is the visual derivative. Read [1] carefully, it's a very confusing document even for experts - nowhere is there a second step to this process where some second type of "visual derivative" is matched.

The NeuralHash is what matters, solely.

[1] https://www.apple.com/child-safety/pdf/CSAM_Detection_Techni...

malf4y ago

There’s literally a page showing “NeuralHash + visual derivative” in the thing you posted.

toxik4y ago

Edit: I did find it, but only because somebody else pointed it out. Guess I suck at reading. Also search for "derivative" failed to find it.

This thread was good https://twitter.com/fayfiftynine/status/1427900272148246530

Be specific, because I cannot find it.

rvz4y ago

Here's a small tip: You can edit the title to have 'Tell HN' which will more likely bring this post to their attention.

Thanks for the heads up.

hdjjhhvvhga4y ago

Is this true? I have no idea how to even test it without causing problems to myself. After all, they pushed me to give them my credit card and physical address.

ithinkimgood4y ago

This is so fake it's not even funny. These are just images generated by the model from https://thisartworkdoesnotexist.com . It's hilarious to see so many people falling for it here

i_am_proteus4y ago

I've never used modern apple products, but I have a question on how apple cloud works: is it possible that simply sending these in a messenger software to someone who uses apple cloud for automatic backups could get that person flagged as a child pornographist?

The thing that everyone has their panties in a bunch about here and a that like an antivirus scanner, there will be a hash match to child abuse images when you send it.

The current practice is that Apple, Google, Microsoft, etc scan the content of your cloud storage.

The scenario that you described is a risk and has been since cloud providers started scanning 10-15 years ago. Some large companies scan their file servers as well.

zepto4y ago

Yes, except that in Apple’s implementation there also a ‘visual derivative’, which is essentially a blurred thumbnail.

Both must match to cause a positive.

These images may match the neuralshash, although we have no proof of that at all. They will not also match the visual derivative.

This whole post is based on incomplete information.

They will not also match the visual derivative.

How can you be certain, and what prevents a generated image from matching both?

hdjjhhvvhga4y ago

My understanding is that this is the whole point and one of the main reasons people get so upset about it.

zepto4y ago

No, because they won’t actually match. The poster is just wrong.

robertoandred4y ago

No, messages and regular file backups aren’t checked for child porn and the online photo library has multiple checks and reviews to prevent any false flagging.

harikb4y ago

“reviews” - that is another thing public has been crying about by the way

auslegung4y ago

But what if millions of people do it? Sounds like Little Brother.

dejw4y ago

then millions of people can f** * because it's apple! didn't google recently close a personal account of an indie game developer without giving him any explanation?

ugjka4y ago

Not clicking on that link, don't want my G account go poof

jsnell4y ago

Yeah, seems like anyone clicking through is playing with fire. If the description is correct, posting the link is highly irresponsible. (It seems like the right thing to do would be to serve the content from a server the OP controls themselves.)

podric4y ago

Maybe I'm an idiot but my curiosity got the best of me and I clicked the link. The photos just look like abstract modern art, although their perceptual hash may match that of known CSAM, I doubt that anyone who clicked the link will get into legal trouble even if Google flags that folder by detecting a perceptual hash match, as they will likely use real people to verify before taking legal action.

Google has been recently focused on cultivating the image that they care about user privacy. The last thing they want to do is call the cops on a bunch of HN users for looking at some abstract swirly pics.

yreg4y ago

I think the concern here isn’t legal trouble but getting banned by some automated system.

I’ve heard from googlers that once an account is nuked for suspected child abuse no one will ever want to touch it to find out whether the ban was legitimate.

I clicked the link. Those images look like modern, colorful and expressionistic art.

ugjka4y ago

With pornographic features... i installed tor-browser

mindslight4y ago

Why are you reading Hacker News from the same nym/container/IP as a logged in Google account that you care about?

ugjka4y ago

Yeah, I installed tor-browser later and checked the link

Retr0spectrum4y ago

This post is still getting linked from other places, so I think it's helpful to point out that it's almost certainly fake. (Hence its [flagged] status)

The images shown do appear to be adversarially generated inputs against some NN-based image hash or classifier, but there is no evidence to suggest that this is at all related to Apple's NeuralHash, or that the colliding hashes are from a real CSAM database (the target hashes are not public).

OP claimed they would "release 5 pieces of proof in the next 5 days" [1], and guess what, 11 days later they still haven't.

Look at OP's post and comment history, it's quite clear that they are a troll.

In the mean time, it has been actually proven that hash collisions against NeuralHash are trivially possible, see [2]

[1] https://news.ycombinator.com/item?id=28107393

[2] https://github.com/anishathalye/neural-hash-collider

cryptonector4y ago

Why was this flagged? I'm sure there are good reasons, I just want to know.

EDIT: Oh, I mixed up tabs. This is a link to a google drive of pictures. Because I have scripts disabled, I got no thumbnails, and I'm thinking since this was flagged, maybe I really don't want to get any thumbnails.

Someone please post this to the Apple subreddit. I'd love to see hell breaking loose over there.

yreg4y ago

What do you mean by "hell breaking loose"?

/r/Apple talks about this topic a lot and, similar to HN, is not happy about it. This drive link brings very little additional light to what was already known and discussed.

post_break4y ago

The sub is in crisis mode right now. Normally a huge pro-apple even on their worst days do no wrong sub. Right now people are pissed and speaking up. The mods are pissed that they have to deal with it (boo hoo). Anything to add fuel to this fire is good in my eyes because the same people who said "It's ok I have nothing to hide" from Edward Snowdens work are getting slapped in the face for their same ideology to this happening to Apple.

yreg4y ago

>"It's ok I have nothing to hide"

I don't remember that ever being a popular take on reddit.

But still, how do you know it's "the same people"? There are a lot of users who hold all kind of opinions.

zepto4y ago

How do you know it’s not pure disinformation?

It’s certainly not correct.

mcintyre19944y ago

What hash algorithm are they using? If this is legitimate (I’ll be honest - I’m not clicking) then surely any hash this easy to pre-image attack is completely useless? Why wouldn’t they be using a cryptographic hash here?

soneil4y ago

As I understand it the NN "perceptual hash" is supposed to hash the image, not the file. eg, if I take a photo of my cat, and hash the file. Then remove my geo data from the exif - the hash no longer matches. It is still very clearly my cat, but cryptographic hashes don't match. This could be resizing the image, saving as png, mirroring/flipping it, etc.

The "perceptual hash" should be able to say "no, that's still the same image" while the file data has been entirely transformed.

newscracker4y ago

Is this obtained from a set of images leaked from NCMEC and regenerated to match the expectations of the as yet (and probably forever) unknown Apple’s NeuralHash algorithm as well as the threshold used to flag content for internal human review for a system that’s going to be operational for U.S. Apple device users only when iOS 15 is released?

On what basis is a set of forest-like and post-alien-invasion and post-apocalyptic abstract art is going to get flagged (my poor eyes see one or two that could have some symbolism)?

As far as I know they all do CSAM, Google, Microsoft, Facebook, and now Apple with iOS 15. So isn't it already a problem that you have it in a Google Drive?

victor871129OP4y ago

I put it in Google Drive on purpose to analyze if Google is also scanning as aggressively as Apple. So far no warnings.

jbverschoor4y ago

Maybe someone needs to send these to some of the executives to make a point.

csomar4y ago

Did you try it with Apple, though? Or did anyone else?

“Your unlaminated, out-of-state driver's license is proof enough for me.”

There really is a Simpson’s quote for everything.

northisup4y ago

So will everyone. The whole industry uses the same algorithm to calculate hashes.

Then the list gets more accurate and we move on.

fulldecent24y ago

Missing a key feature ~~ there should be 30+ images. You need to have that many to flag an account.

northisup4y ago

So will everyone. The whole industry uses the same algorithm to calculate hashes.

zoba4y ago

How do you generate an image like this from a hash?

I think someone needs to play big techs own game and find some cases where this algorithm underperforms based on race or gender, publish a bunch of clickbait articles and get the whole program canceled. Erosion of privacy and authoritarianism isn’t enough to gain traction.

j / k navigate · click thread line to collapse