

OneDrive data automatically scanned for child porn - andrem
https://translate.google.com/translate?sl=auto&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=https%3A%2F%2Fwww.lawblog.de%2Findex.php%2Farchives%2F2015%2F01%2F12%2Feine-datei%2F&edit-text=&act=url

======
tdicola
This is not news or a secret:
[http://blogs.microsoft.com/blog/2011/05/19/500-million-frien...](http://blogs.microsoft.com/blog/2011/05/19/500-million-friends-against-child-exploitation/)

You can learn more about the tech here:
[http://en.wikipedia.org/wiki/PhotoDNA](http://en.wikipedia.org/wiki/PhotoDNA)

------
RIMR
How exactly does a private company generate the hashes/"PhotoDNA" of all these
child porn images? Are they granted some sort of kiddie-porn-license? More
importantly, where do they get a hold of all of these images? Is there some
sort of government database that they are given access to?

If such a database exists, could you imagine the public outrage that would
result if someone hacked/leaked it? I bet there are a bunch of images that
only a handful of people ever had access to documented by our government...

~~~
sz4kerto
They don't need to hold the pictures anywhere to use the hash. 1. Police
somehow find child porn. 2. They generate the hash[1]. 3. They distribute the
hash to large storage providers. 4. Storage providers compare the hash with
the data they store. 5. Profit.

[1]: hash might not necessarily be something like MD5, it might be a more
sophisticated photo fingerprint.

Edit: Anyway, I have no idea why this is on HN again, nth time. It's old news
and also automated photo fingerprinting is not exactly a huge issue for cloud
storage where you store unencrypted data in the first place. It's just
another machine reading the bytes of your data, and those bytes have been read
by many other machines as well. They don't even use this for advertising or
something that could make you a product. They don't even check for pirated
software or stuff like this, so this is not exactly groundbreaking news.

~~~
Karunamon
That leaves a question of collisions open. The chances are really low, but not
zero - does a hash match automatically generate events that lead to your front
door being kicked open and your pets shot, or is there an actual human that
needs to open the file and verify that yeah, it is a child abuse image?

~~~
Paul-ish
With any good hash function there is pretty much zero risk of this happening.

~~~
Karunamon
I'm not willing to ruin someone's life over the equivalent of winning a
particularly bad lottery.

~~~
Scaevolus
Your chances of having your life ruined by any other cause are at least 2^64
times more likely than because your uploaded cute_cat.jpg has the same hash as
a flagged child_porn.jpg.

~~~
dagw
I'm assuming we're not talking about SHA1 hashes here (which would be trivial
to get around), but image matching hashes (probably something like
[http://phash.org/](http://phash.org/)) which are much more fuzzy. If that is
the case then collisions will be far more common.
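
An added illustration of the exact-versus-fuzzy matching distinction in the subthread above (not part of any comment, and not PhotoDNA or pHash): a simple 64-bit average hash over constructed 8x8 grayscale grids, compared with SHA-1 and matched at two Hamming-distance thresholds. All image data, file names and thresholds are assumptions made up for the example.

```python
import hashlib

def average_hash(pixels):
    """64-bit average hash of an 8x8 grayscale grid (bit set where pixel > mean)."""
    flat = [p for row in pixels for p in row]
    mean = sum(flat) / len(flat)
    bits = 0
    for p in flat:
        bits = (bits << 1) | (p > mean)
    return bits

def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")

def sha1_hex(pixels):
    """Exact-match fingerprint over the raw pixel bytes."""
    return hashlib.sha1(bytes(p for row in pixels for p in row)).hexdigest()

def scan(files, flagged, threshold):
    """Names of files whose average hash is within `threshold` bits of `flagged`."""
    return [name for name, px in files.items()
            if hamming(average_hash(px), flagged) <= threshold]

# Constructed 8x8 sample images (synthetic patterns, not real data).
GRID = range(8)
reference = [[16 * x + 8 * y + 10 for x in GRID] for y in GRID]   # diagonal gradient
# Same gradient with +/-2 of per-pixel noise, standing in for a re-encoded copy.
reencoded = [[16 * x + 8 * y + 10 + (7 * x + 3 * y) % 5 - 2 for x in GRID] for y in GRID]
two_tone = [[20 if x < 4 else 220 for x in GRID] for y in GRID]   # different picture
top_bright = [[220 if y < 4 else 20 for x in GRID] for y in GRID] # different picture

FLAGGED = average_hash(reference)
FILES = {"reencoded.jpg": reencoded, "two_tone.png": two_tone, "top_bright.png": top_bright}

if __name__ == "__main__":
    print("SHA-1 equal after re-encode:", sha1_hex(reencoded) == sha1_hex(reference))
    for name, px in FILES.items():
        print(name, "distance", hamming(average_hash(px), FLAGGED))
    print("threshold 4: ", scan(FILES, FLAGGED, 4))
    print("threshold 10:", scan(FILES, FLAGGED, 10))
```

The noisy copy no longer matches by SHA-1 but is at distance 0 under the average hash, while loosening the threshold from 4 to 10 bits also flags a visually different two-tone image. That threshold is where the false-positive rate of a fuzzy matcher is set.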

------
dmix
Google also scans Gmail attachments for it as well. This has been known for a
while and the subject of quite a few public court cases. I wouldn't be
surprised if Dropbox did it as well. Along with things of national security
interest.

When local police get a warrant to do a forensic search of computers the judge
often requires that they search hard drives using known image/file hashes - as
opposed to looking through each file by hand - in order to protect that
person's constitutional right to privacy.

This right primarily applies to personal computers and doesn't exist (as
clearly) as defined by law when the files are stored on a remote cloud
service. Although whether cloud services have a similar high threshold of
assumed privacy is a recurring debate in criminal law, as storing your whole
life in cloud services is a relatively new phenomenon.

~~~
higherpurpose
Is Google doing it as well supposed to make me feel better or worse? That kind
of logic always bothers me, because it bypasses the arguments about whether
it's good or wrong, and just says "well others are doing it, too - so it must
be okay". It's like saying "well UK tortured as well, so why does it matter
that US tortured?" I think you get my point.

I also doubt that if they get a warrant, they'll _only_ scan the drives for
the hashes. That seems highly unlikely unless the FBI/prosecutors themselves
specify in their request to the judge that they only want to do the hash
scanning - but I don't see why they would want to limit themselves to that,
when they know the judge is likely to give them full access to it, if they
already have some evidence of "criminal activity", without which I assume they
wouldn't even bother getting a warrant.

~~~
dmix
> That seems highly unlikely unless the FBI/prosecutors themselves specify in
> their request to the judge that they only want to do the hash scanning

It depends on the case I guess. I heard this from a lawyer I know who has
worked on CP cases. Judges always try to limit the privacy exposure in every
warrant. By doing so the police can get access to warrants easier since it
requires a lower threshold of probable cause than say searching an entire
house.

Especially if the police found the person because they used a P2P site to
download a particular file or had a hash in their email account. A minimal
warrant to search for that hash is much easier to defend in court against
arguments by the defense of constitutional privacy violations of a full data
search.

The police have to do this minimization process in phone wiretaps as well.
They aren't supposed to listen to or store the phone call unless the information
is relevant to the case.

These limitations are clearly defined in warrants. It is up to the police and
forensic experts to follow it of course. But I'd imagine in high profile cases
the Judge/FBI wouldn't think twice about finding it appropriate to look at
every file.

------
ll123
1\. Download illegal porn using Tor.

2\. Rename the file .DS_Store and copy to victim's cloud folder

3\. They go to jail and get killed by another inmate a year into their
sentence. Justice prevails!

~~~
slouch
Prisons in my state separate criminals by a risk or violent threat level. A
whole facility gets this level, so no one in prison A is a violent criminal.
Violent criminals are all in another prison B in another county.

------
Karunamon
With our (semi) benevolent corporate overlords in mind, are there any safe and
cross-platform ways to keep an encrypted container on these services?

I remember (but can't find for the life of me) an article somewhere that
stated you don't want to put something like a TrueCrypt volume on a service
that does versioning, since the changes in the encrypted data each time you
change something can be used to leak data.

~~~
sz4kerto
If you store simple encrypted stuff at them, then it works fine. Using
OneDrive, Google Drive or anything alike to store a large(-ish), often-
changing volume in a way that it does not leak information does not make
sense, because the performance would be horrible then.

If it does not change often, then it does not leak much information,
naturally.
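
An added illustration of the versioning concern raised in this subthread (not part of any comment): with sector-based container encryption the ciphertext of a sector depends only on the key, the sector number and the plaintext, so a provider holding two versions can diff them without the key. The cipher here is a toy stand-in built from SHAKE-256, and the key, volume layout and writes are constructed for the example.

```python
import hashlib

SECTOR = 512  # bytes per sector in this toy volume

def encrypt_volume(key, plaintext):
    """Toy stand-in for sector-based container encryption.

    Each sector is XORed with a keystream derived from (key, sector index).
    Real containers use a block cipher mode such as XTS; only the property
    "same key + same sector + same plaintext -> same ciphertext" matters here.
    """
    out = bytearray()
    for off in range(0, len(plaintext), SECTOR):
        index = (off // SECTOR).to_bytes(8, "big")
        stream = hashlib.shake_256(key + index).digest(SECTOR)
        out += bytes(p ^ s for p, s in zip(plaintext[off:off + SECTOR], stream))
    return bytes(out)

def changed_sectors(old, new):
    """What a versioning provider can compute from two stored versions, keyless."""
    return [off // SECTOR for off in range(0, len(old), SECTOR)
            if old[off:off + SECTOR] != new[off:off + SECTOR]]

def make_snapshots():
    """Two versions of a constructed 16-sector container, before and after an edit."""
    key = b"constructed-demo-key"
    volume = bytearray(16 * SECTOR)
    before = encrypt_volume(key, bytes(volume))
    volume[1 * SECTOR] = 0x01                            # metadata update, sector 1
    volume[5 * SECTOR:5 * SECTOR + 700] = b"A" * 700     # 700-byte write, sectors 5-6
    after = encrypt_volume(key, bytes(volume))
    return before, after

if __name__ == "__main__":
    before, after = make_snapshots()
    print("sectors that changed between versions:", changed_sectors(before, after))
```

The diff exposes where and roughly how much data changed between versions, not the content itself; a container that rarely changes gives the provider few such diffs to compare.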

------
voidr
Ohhh the irony:

[http://vimeo.com/49048679](http://vimeo.com/49048679)

[http://en.wikipedia.org/wiki/Scroogled](http://en.wikipedia.org/wiki/Scroogled)

------
ommunist
And who knows for what else...

