Nerd For Tech
Published in

Nerd For Tech


In 2020, Facebook reported 20.3 million cases of child sexual abuse to the US authorities, whereas Apple reported only 265 cases. Even if Facebook has more users, the proportion of reporting does not add up. This enormous gap exists because Apple does not scan iCloud images citing privacy concerns. In 2016, Apple came under fire for denying to unlock the iPhone of San Bernardino terrorist Syed Farook. Eventually, the FBI was able to break through the encryption using support from a third-party organization, but Apple hard stance against breaching privacy is patent here. In 2019, Apple touted its stance with a privacy billboard inspired by the Hangover trilogy.

Apple advertised this billboard at CES-2019

Moving forward, Apple wants to End-to-End encrypt the iCloud accounts of users. But not so fast, a hard stance on privacy comes with some caveats. Some crimes like Child Sexual abuse are intolerable, which we collectively agree. Other services like Dropbox, Google Drive, and Facebook scan all the images that are uploaded to their server and utilizing the technology similar to Photo DNA (developed by Microsoft in 2009), they detect images pertinent to child sexual abuse material

  • Photo DNA creates a unique digital signature (hash of an image) of a photo and it helps to compare to similar images. A PhotoDNA hash is not reversible, and therefore cannot be used to recreate an image. It was donated by Microsoft to NCMEC (National Center for Missing & Exploited Children).
  • But this requires blatant scanning of all the images in a remote server, which threatens the privacy of an individual and the End-to-End encryption is out of the picture. So Apple came up with its CSAM detection technique, and we will try to comprehend its technical details to get a better sense of its inner workings and possible adversarial attacks.


  • It is a question of what trade-offs are we willing to accept. Do we want privacy? Yes. Do we want to avoid crimes related to child abuse? Big Yes. So CSAM detection addresses these trade-offs in a novel way and let’s now dive deep into it.


  • CSAM (Child Sexual Abuse Material) has three main components. (i)NeuralHash, (ii)PSI (Private Set Intersection), and (iii)Threshold secret sharing.
  • Neural Hash is similar to Photo DNA, it takes in an image and converts it into a unique digital signature called a hash. The Neural hash is robust to perturbations and noise in the image, hence similar-looking images have the same exact hash value. You cannot revert back to the image from a given hash value. Hash encoding is done by Locality Sensitive Hashing (LSH), where the images are encoded based on their similarity.
Even if the second image is transformed into a black and white format, it has the same hash value as the original one.
  • Then we have a client-side (on-device) image matching, where the neural hash of the user image which is to be uploaded to the iCloud, is compared with neural hashes of known child sexual abuse material provided by NCMEC. Private set intersection, here private means we have on-device matching hence private. Set intersection means we only consider those images that lie in the intersection of NCMEC known CSAM images and user images.
  • There is a threshold (T). You need to have ≥ T images to be flagged as a perpetrator and your account is up for manual inspection by Apple. Until the barrier for T is broken, none of your images is decrypted (the threshold for secret sharing). If you are found guilty then your account is sent to NCMEC, to further inform law enforcement agencies.
  • There are more nuances involved here, hence let’s tackle each component head-on.


  • The user has his/her images saved locally and if and only if the user uploads the images to the iCloud, the pipeline initiates. Note that every iOS user has a free 5GB space allocated to iCloud.
  • Neural Hash is a Machine learning self-supervised algorithm. It matches images to numbers. It uses self-supervised computer vision algorithms that don’t require training labels. Rather they use contrastive learning to classify images. Cat images are more similar to each other than cat-dog images. Hence in the embedding space, cat images are closer to each other.
Self-supervised does something similar by having similar images at one place in the embedding space. Source
  • So a user image passes through a Convolutional Neural Network, which breaks it down to N-dimensional vector space in embedding dimension.
Note that the embedding is simplified here, it is in a higher-dimensional floating-point format. It is just for visualization purpose
  • After generating the floating-point descriptor for each image, LSH (locality sensitive hashing) is done to discretize the floating descriptor as our primary goal is nearly similar images should have the same hash value.
  • LSH works as follows, we have black coloured hyperplanes that separate the space into + and -. Then after passing through the CNN, we have the embedding vectors of our images. If the vector is on the positive side of the hyperplane, then it is labelled + else -.
Note we start from LL’ in a clockwise manner. Inspired by the video by Yannic Kilcher on CSAM detection
  • See above, the blue ones which are very close (high cosine similarity) are having the same label and the yellow one has a different label
  • So we were able to discretize each image. You can choose more hyperplanes for better discretization. Here the image is transferred to a 3-bit hash value. Similarly, you can transfer into an M-bit hash value (M hyperplanes). This also conserves space, as you are encoding an image into M-bits only.

Neural Hash achieves a level of compression and preserves sufficient information about the image so that matches and lookups on image sets are still successful, and the compression meets the storage and transmission requirements.

  • Two images are similar if their cosine similarity is close to 1, so Neural hash will determine a threshold to group images based on their image descriptors and convert it into hash values that use LSH.


  • It ensures that Apple only knows about the images that lie at the intersection of NCMEC images and user images, nothing outside the intersection. It has three main steps, (i) the matching database setup, (ii) the on-device PSI protocol, (iii) the server-side PSI protocol.
  • Matching database setup: Apple gets the Neural Hashes of all the existing images from NCMEC and other child-safety organizations. Next by a series of transitions that includes the final blinding step based on Elliptic Curve Cryptography, the hashes are transformed which can only be decrypted by Apple servers. THIS IS DONE SO THAT NO ONE CAN DECRYPT NEURAL HASHES ON-DEVICE AND LOOK AT THE CHILD SEXUAL ABUSE IMAGES AS THIS IS ONLY A SERVER-SIDE SECRET.
  • Elliptic Curve Cryptography: It is much safer than RSA and it conserves the number of bits required for encryption. Like ECC-256 is safer than RSA-3072. RSA works by multiply two random prime numbers as private keys, which are difficult to retrieve from the multiplication result (if prime numbers are sufficiently large). ECC works by successive operations of a generator point (P) on the elliptic curve y² = x³+ax+b. The secret is the number of operations (k), done sequentially to get to the result R→k(P).
ECC curve.
  • The neural hash points to the row number of the database containing sexual abuse hashes, but the device cannot decrypt it yet as it is a server-side secret. Later to decrypt the image on the server, a payload is attached. Payload has the image in the plain text of pixel values. Blinded hash refers to the server-side secret that only Apple knows. Cryptographic header means the row number that the user image hash is pointing to. THE DECRYPTION KEY IS GENERATED IF AND ONLY IF THERE IS A MATCH.
On-device matching. Taken from the white paper from Apple on CSAM detection
  • In server-side matching protocol, if the user image doesn’t match with the database of the abusive image, the above step will not lead to the correct derived encryption key, and the server will be unable to decrypt the associated payload data. The server thus learns nothing about non-matching images. Also, the device doesn’t learn about the result of the match because that requires knowledge of the server-side blinding secret.


  • To avoid False positives, there is a threshold after which Apple can decrypt abusive photos. The failure rate specified by Apple is 1 in 1 trillion images.
  • Threshold secret sharing works by having another layer of encryption, which can only be decrypted after the counter exceeds the threshold.
  • It is like sharding, where a secret is divided into multiple shares and after only a threshold number of shares are unlocked, you can decrypt the message. If a secret is divided into 1000 shares and the threshold is set at 10, then you need 11 shares to decrypt the message.
  • With the matched images and server-side secret, Apple can decrypt the first layer of encryption, but to decrypt the second layer of encryption the threshold needs to be crossed.
Taken from the white paper from Apple on CSAM detection.
  • To prevent Apple servers from decrypting the second layer of encryption, a secret is generated by the user account which is unknown to Apple. The secret is divided into multiple shares and it has a threshold. After the threshold is crossed the key for the second layer decryption is activated.
  • So together with PSI matching and threshold sharing, Apple can decrypt the two layers of encryption and retrieve the payload data for manual review. In an interview by WSJ of Craig Federighi (SVP of Software Engineering at Apple), he mentioned a ballpark estimate of threshold=30.


  • A safety voucher has the decryption key for PSI matching and threshold sharing.
  • Synthetic vouchers serve the purpose of confusing Apple till the threshold is reached. Apple should be oblivious to the count of images before the threshold is reached. Synthetic vouchers achieve this by having the property of decrypting the first layer of security (PSI matching). Instead of image data, it has dummy data and it always points to a row in the CSAM database, hence PSI matching is successful. This ensures that these vouchers always register as a match in the server, thereby providing enough noise to the system to ensure Apple doesn’t learn about potential CSAM counts with any meaningful degree of certainty until the threshold is crossed.


Taken from the white paper from Apple on CSAM detection.
  • In the above image, the threshold is set at 3, hence only after the threshold is crossed, the image information for all the images is revealed.


  • In the Neural Hash steps, perpetrators can figure out a way to distort these images so as to beat the Neural Hash Machine learning model so that it produces a different neural hash as compared to the CSAM images. This will require a lot of experimentation to explore different distortion methods to game the model
  • What if crying children photos from their grandparents or parents account is flagged? So the NCMEC database needs to be accurate and these false signals can be repudiated in the manual review process by Apple. Also, the threshold needs to be crossed before decryption.
  • What if someone loads a lot of these CSAM images on someone’s phone and unbeknownst to the user, the account is flagged as a perpetrator. This may require logging user interaction with all these images, but it will spring up more privacy concerns.


  • The tricky part is the database with which Apple does not interact. We need to trust NCMEC that it is only including images pertinent to CSAM. Due to government intervention, other types of images can be appended to the database. Images related to political dissidence, against political rival party etc. Also, Apple mentioned that it will comply with other child-safety organizations, so a possibility of database corruption is likely when Apple moves to a global stage.
  • Also, Apple released a blog post when declaring this seminal update, instead of a full-fledged press conference. Then Apple C-suite employees had to explain the underlying technology to all the journalists due to the initial reticence by Apple.
  • A rigorous audit by Apple upper management team is expected to avoid these scenarios because this technology can be a serious intrusion to our privacy if it falls into wrong hands.

This ingenious technology is a worthy trade-off in my opinion, as it conserves privacy and checks on this heinous crime. But previously, Apple appeased the CCP to host Chinese iPhone user data on Chinese servers, so we have some trust issues with Apple. Hopefully, the auditing process in Apple is robust enough to deny these requests by governments it is a big responsibility given that there are more than a billion iOS devices. Nevertheless, this is a cool technology and I appreciate the Apple engineers who developed this.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Astarag Mohapatra

Astarag Mohapatra

Hi Astarag here, I am interested in topics about Deep learning and other topics. If you have any queries I am one comment away