It is not CP, it is Child Sexual Abuse Material

Trigger warning: this entire post will trigger you. 

Let me rephrase the title. The media and people constantly report on "child pornography". It is not CP, it is

Child *SEXUAL ABUSE* Material

The average person on the street knows that child pornography is bad, but the words "child" and "pornography" often get blended into the idea that it's some older man taking pictures of teenagers between 13 and 18. That's bullshit. It's wrong.

The words "sexual abuse" are considered too honest and too offensive to be used in professional or polite company, such as the common media. The average publication even shies away from publishing the CSAM acronym. This is doing a disservice to the victims and the reality of those being abused. 

Primarily, it is abuse. Second, it is sexual. Rape, torture, agonizing pain, over and over again. We'll stop here because it only gets worse. And I'll spare the details of my 15 years of experience in helping investigate child abusers. 

What do we mean by "material"? Content. Images, animated gifs, cartoons, videos, audio recordings, deepfakes, in some countries this includes text descriptions or  stories.

Screenshot of Apple Child Safety Statement taken on 2021-08-10

Apple is in the news because they announced a plan to scan iOS and iPadOS devices for child sexual abuse material sometime soon. This involves a nuanced discussion, something the media has proven very bad at encouraging. In general, good for Apple.

Let's get the first concern out of the way. Apple is scanning your content. Yes, they are. Facebook, Google, Microsoft, Oracle, vKontacte, TenCent, and anyone with cloud storage already does this type of scan. Laws may vary on the edges, but child sexual abuse material is illegal, globally. The provider has to scan and has to report it somewhere. It's a flood, not a trickle. They face criminal liability if they willfully neglect to scan and/or fail to report child sexual abuse material on their systems. Any corporate lawyer will tell you ignorance is not bliss when it comes to this material. 

"But Google doesn't scan my device!"

In general, no they don't. They do not have to scan the device because everything is in their cloud already. They can scan it there and not waste your battery. Most of the "cloud providers" or "social networks" use clouds and that's where the scanning is done. Thanks for uploading. Thanks for sharing. It's been scanned for a decade already.

"It's a slippery slope! Pretty soon everything will be scanned!"

Yet another logical fallacy. Could it happen that once the tech is working for child sexual abuse detection that it is used for something else? Yes, it could. Is it likely? Who knows, but we can fight to stop it. Let's take a page from a completely different area, DNS.

Quad9 is a public DNS service which filters "bad IPs and hosts" from your queries. Here's their own words explaining what they do:

Quad9 is a free service that replaces your default ISP or enterprise Domain Name Server (DNS) configuration. When your computer performs any Internet transaction that uses the DNS (and most transactions do), Quad9 blocks lookups of malicious host names from an up-to-the-minute list of threats. This blocking action protects your computer, mobile device, or IoT systems against a wide range of threats such as malware, phishing, spyware, and botnets, and it can improve performance in addition to guaranteeing privacy.

Why bring them up?  Well, if they can block "known bad" parts of the internet, why can't they succumb to the laws of every country and block other content? I mean, they're literally in the business of making parts of the Internet unresolvable. Here's where the slippery slope argument falls apart, they're fighting an expansion of blocking non-malicious parts of the Internet. Just because they can do something at a technical level, doesn't mean they should or will do it. Their business model is not protecting other business models (movie piracy in this case), it's protecting the hosts on the Internet from bad IP ranges and other malware infected sites. Go ahead and read that blog post as it's more nuanced than I'm describing here in a paragraph.

Apple, Google, Yandex, others have billions of dollars (or the equivalent) to fight overreach and scope creep. A secondary point is that if Quad9 can scrape together funds to fight "slippery slopes", than the large cloud providers can do so with ease. There's no profit in defending child abuse. There's lots of profit in defending encryption and fighting scope creep.

I want to live in a world where this nuanced discussion happens, is happening, and every politician isn't just jumping for sound bites.  I'm glad to see this is happening as others write their opinions.

Fundamentally, Apple is a trillion dollar corporation. They'll think very hard about their implementation and still make mistakes in rolling it out. At least they're trying to do something about the problem. They'll correct the mistakes, better tune the system, and the world will move on. Meanwhile, millions of kids are still getting abused and the abusers are continuing to store and share the resulting content through all the same cloud/social networks we use every day.

Say you're an extremist and believe this is the beginning of the end. Your devices can be scanned and well, all privacy is lost. You are not a child abuser. Well, look into non-cloud or self-hosted solutions. They aren't quick nor point-and-click easy, but they can be done with far less technology skill than you think. More to come on these topics. Here's some reading for you in the meanwhile.