[!] Apples geplantes CSAM Scanning unter iOS 15 von führenden Krypto Experten zerrissen in Paper:
Fefe hat auf das Paper von DEN führenden Krypto Gurus verlinkt.
Hier der Link: https://arxiv.org/pdf/2110.07450.pdf
Bin mal gespannt, ob Apple immer noch behauptet, dass das alles ok sei, wenn Experten die wirklich Ahnung von Kryptographie haben ein Paper schreiben und davon abraten.
Ausschnitt aus der Conclusion (S.37-38]:
8 Conclusions and Recommendations
CSS has been promoted as a magical technological fix for the conflict between the privacy of people’s data and communications and the desire by intelligence and law enforcement agencies for more comprehensive investigative tools. A thorough analysis shows that the promise of CSS solutions is an illusion.
Technically, moving content scanning from the cloud to the client empowers a range of adversaries. It is likely to reduce the e�cacy of scanning, while increasing the likelihood of a variety of attacks.
Economics cannot be ignored. One way that democratic societies protect their citizens against the ever-present danger of government intrusion is by making search expensive. In the US, there are several mechanisms that do this, including the onerous process of applying for a wiretap warrant (which for criminal cases must be essentially a “last resort” investigative tool) and imposition of requirements such as “minimiza- tion” (law enforcement not listening or taping if the communication does not pertain to criminal activity). These raise the cost of wiretapping.
By contrast, a general CSS system makes all material cheaply accessible to gov- ernment agents. It eliminates the requirement of physical access to the devices. It can be configured to scan any file on every device. And it has become part of some agencies’ vision. GCHQ’s pitch document “AI for national security: online safety” sets a goal of:
Providing tools and techniques to identify potential grooming behavior within the text of messages and in chat rooms; highlighting the exchange of illegal images and tracking the disguised identities of offenders across multiple accounts; searching out and discovering hidden people and illegal services on the dark web. AI could also enable us to help law enforcement infiltrate rings of offenders and bring them to justice.
So the filter code in your phone won’t just be looking for illegal pictures. GCHQ goes on:
AI tools can also be trained to analyse seized and intercepted im- agery, messages, other forms of internet content, and chains of contact, to support investigators in the identification of victims and discovery of accomplice offenders. AI running across both content and metadata could also protect our analysts from unnecessary exposure to traumatically dis- turbing material.
It is unclear whether CSS systems can be deployed in a secure manner such that invasions of privacy can be considered proportional. More importantly, it is unlikely that any technical measure can resolve this dilemma while also working at scale. If any vendor claims that they have a workable product, it must be subjected to rigorous public review and testing before a government even considers mandating its use.
This brings us to the decision point. The proposal to preemptively scan all user devices for targeted content is far more insidious than earlier proposals for key escrow and exceptional access. Instead of having targeted capabilities such as to wiretap communications with a warrant and to perform forensics on seized devices, the agen- cies’ direction of travel is the bulk scanning of everyone’s private data, all the time, without warrant or suspicion. That crosses a red line. Is it prudent to deploy ex- tremely powerful surveillance technology that could easily be extended to undermine basic freedoms?
Were CSS to be widely deployed, the only protection would lie in the law. That is a very dangerous place to be.
Danach kommt noch einiges zum Thema Gesetze…
Fazit:
Apple lass die Finger davon
- - -
Hier der Link: https://arxiv.org/pdf/2110.07450.pdf
Bin mal gespannt, ob Apple immer noch behauptet, dass das alles ok sei, wenn Experten die wirklich Ahnung von Kryptographie haben ein Paper schreiben und davon abraten.
Ausschnitt aus der Conclusion (S.37-38]:
8 Conclusions and Recommendations
CSS has been promoted as a magical technological fix for the conflict between the privacy of people’s data and communications and the desire by intelligence and law enforcement agencies for more comprehensive investigative tools. A thorough analysis shows that the promise of CSS solutions is an illusion.
Technically, moving content scanning from the cloud to the client empowers a range of adversaries. It is likely to reduce the e�cacy of scanning, while increasing the likelihood of a variety of attacks.
Economics cannot be ignored. One way that democratic societies protect their citizens against the ever-present danger of government intrusion is by making search expensive. In the US, there are several mechanisms that do this, including the onerous process of applying for a wiretap warrant (which for criminal cases must be essentially a “last resort” investigative tool) and imposition of requirements such as “minimiza- tion” (law enforcement not listening or taping if the communication does not pertain to criminal activity). These raise the cost of wiretapping.
By contrast, a general CSS system makes all material cheaply accessible to gov- ernment agents. It eliminates the requirement of physical access to the devices. It can be configured to scan any file on every device. And it has become part of some agencies’ vision. GCHQ’s pitch document “AI for national security: online safety” sets a goal of:
Providing tools and techniques to identify potential grooming behavior within the text of messages and in chat rooms; highlighting the exchange of illegal images and tracking the disguised identities of offenders across multiple accounts; searching out and discovering hidden people and illegal services on the dark web. AI could also enable us to help law enforcement infiltrate rings of offenders and bring them to justice.
So the filter code in your phone won’t just be looking for illegal pictures. GCHQ goes on:
AI tools can also be trained to analyse seized and intercepted im- agery, messages, other forms of internet content, and chains of contact, to support investigators in the identification of victims and discovery of accomplice offenders. AI running across both content and metadata could also protect our analysts from unnecessary exposure to traumatically dis- turbing material.
It is unclear whether CSS systems can be deployed in a secure manner such that invasions of privacy can be considered proportional. More importantly, it is unlikely that any technical measure can resolve this dilemma while also working at scale. If any vendor claims that they have a workable product, it must be subjected to rigorous public review and testing before a government even considers mandating its use.
This brings us to the decision point. The proposal to preemptively scan all user devices for targeted content is far more insidious than earlier proposals for key escrow and exceptional access. Instead of having targeted capabilities such as to wiretap communications with a warrant and to perform forensics on seized devices, the agen- cies’ direction of travel is the bulk scanning of everyone’s private data, all the time, without warrant or suspicion. That crosses a red line. Is it prudent to deploy ex- tremely powerful surveillance technology that could easily be extended to undermine basic freedoms?
Were CSS to be widely deployed, the only protection would lie in the law. That is a very dangerous place to be.
Danach kommt noch einiges zum Thema Gesetze…
Fazit:
Apple lass die Finger davon
- - -
[!] Beitrag/Thread des Tages [macfix.de]