Following my previous post about Apple’s CSAM program, there have been more people who have voiced serious concerns about this.

The last article is the one I want to focus on. In it, there is a claim:

Shortly afterward, a user called Cory Cornelius produced a collision in the algorithm: two images that generate the same hash. It’s a significant finding, although Apple says additional protections in its CSAM system will prevent it from being exploited.

Apple is using, on the devices, a hashing system called NeuralHash, and then claims that when their iPhone detects an image about to be uploaded to iCloud Photos, it’ll run a different server side hashing algorithm to double check if it actually is an image of child abuse or not.

In a call with reporters regarding the new findings, Apple said its CSAM-scanning system had been built with collisions in mind, given the known limitations of perceptual hashing algorithms. In particular, the company emphasized a secondary server-side hashing algorithm, separate from NeuralHash, the specifics of which are not public. If an image that produced a NeuralHash collision were flagged by the system, it would be checked against the secondary system and identified as an error before reaching human moderators.

Hashing is an important part of encryption and privacy. A hash is an encryption that is supposed to only go one direction. If data is fed into a hashing algorithm, it is supposed to then give output that is statically unlikely to be the same as anything other data that is given to the algorithm. Common uses for this will be that most online services store their user’s passwords in a hashing system, so when you type in your password, it is hashed, checked against the stored hashed, not the actual password. The benefit for this is that if that organization has its user database compromised, the intruder would only have hashes, not actual passwords.

Here are some examples. I have three images of the Overwatch character Mercy. The first is just a fairly low resolution image, the second I’ve added a single black pixel, and the third I’ve added one more. Notice that the hash values are very different from each other.

Mercy Original

SHA256 hash: 016820e2e93f62a8887756017c5380f2cb03c067edf14f63c90b8fa61aea17d1

Mercy image with one black pixel added

SHA256 hash: af30d128d8741f256f24c5e4d367dcad8c6d31002f1e77dc49e836a47f56e830

Mercy image with two black pixels added

SHA256 hash: 7c1bb0713b0727838bcba1cbef7283eee843891cf3d812be1fa2f3e99be01d0a

All modern computer systems have hashing functions. With MacOS, you can get SHA256 hash values by running:

sha -a 256 [nameoffile]

In Windows, using PowerShell:

Get-FileHash [nameoffile]

SHA256 outputs 256 bits, which is usually expressed in hexadecimal as above. Therefore, math says that there are 2^265 possible outputs that it can give, or this number:


The probability that two files will yield the same output is very small. However, Apple’s NeuralHash and SHA256 work differently. Apple’s technical summary of NeuralHash state that similar images are supposed to generate the same hash, despite not being perfectly identical. The goal for this is obvious - traditional hashing algorithms would be easily fooled by very slightly manipulating the images to be detected. The problem with this is, as demonstrated by the person mentioned in The Verge article is that there is a non-trivial chance that this algorithm will flag a benign image as an image of child harm. Apple claims that there is a secondary server side hashing that occurs to detect false positives (but doesn’t say what it is), and that an iCloud Photos account will have to have 30 or more images that the system believes is child harm before it does anything at all.

Personally, I have not been swayed by Apple’s publications trying to assure the public about how this system is going function. I don’t like the idea of Apple digging around in files, but I’m really concerned about legal issues arising from this system for people who are completely innocent of the horrible crimes that it is designed to dissuade. I hope that I am wrong, but I’m very pessimistic about this.