Apple recently revealed its deep perceptual hashing system NeuralHash to detect child sexual abuse material (CSAM) on user devices before files are uploaded to its iCloud service. Public criticism quickly arose regarding the protection of user privacy and the system's reliability. In this paper, we present the first comprehensive empirical analysis of deep perceptual hashing based on NeuralHash. Specifically, we show that current deep perceptual hashing may not be robust. An adversary can manipulate the hash values by applying slight changes to images, either induced by gradient-based approaches or simply by performing standard image transformations, forcing or preventing hash collisions. Such attacks permit malicious actors to easily exploit the detection system: from hiding abusive material to framing innocent users, everything is possible. Moreover, using the hash values, inferences can still be made about the data stored on user devices. Based on our results, we argue that deep perceptual hashing in its current form is generally not ready for robust client-side scanning and should not be used from a privacy perspective.
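To make the gradient-based manipulation mentioned above concrete, the following is a minimal sketch of how a hash-collision attack on a differentiable perceptual hash could be set up. It assumes a local, differentiable surrogate of the hashing pipeline: an `embedder` network that maps an image to a feature vector and a fixed projection matrix `proj` whose signs form the binary hash. All names (`embedder`, `proj`, `hash_bits`, `collision_attack`) and hyperparameters are hypothetical placeholders for illustration; they are not Apple's released components or the paper's exact attack code.

```python
import torch

def hash_bits(x, embedder, proj):
    """Relaxed (pre-sign) hash logits for an image batch.

    sign(logits) would give the binary hash; keeping the raw
    projections makes the objective differentiable.
    """
    z = embedder(x)       # (B, d) feature embedding
    return z @ proj.T     # (B, k) projections, one per hash bit

def collision_attack(x, target_bits, embedder, proj,
                     steps=200, lr=1e-3, eps=8 / 255):
    """Perturb x so that sign(hash(x + delta)) matches target_bits (+1/-1),
    while keeping the perturbation small (L_inf bounded by eps)."""
    delta = torch.zeros_like(x, requires_grad=True)
    opt = torch.optim.Adam([delta], lr=lr)
    for _ in range(steps):
        logits = hash_bits((x + delta).clamp(0, 1), embedder, proj)
        # Hinge-style loss: penalize every bit whose sign disagrees
        # with the target hash.
        loss = torch.relu(-target_bits * logits).sum()
        opt.zero_grad()
        loss.backward()
        opt.step()
        # Keep the change visually inconspicuous.
        delta.data.clamp_(-eps, eps)
    return (x + delta).clamp(0, 1).detach()
```

Flipping the sign of the loss (maximizing disagreement with the image's own hash) turns the same optimization into an evasion attack that prevents a collision with the database entry; in both cases the attack only requires white-box access to a local copy of the model, which client-side scanning necessarily ships to the device.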