AI Spyware on your Phone - Client Side Scanning
An abstract
Client-Side Scanning (CSS) is a technology that scans your files (photos, messages, etc.) on your device to detect harmful content. While designed to combat serious crimes, it raises privacy concerns about device surveillance, potential misuse by governments or bad actors, and expanded monitoring of sensitive or lawful content.
This article explains CSS, its implications for privacy and security, and why it matters to everyone, not just tech experts. I also provides actionable tips to help protect your data and mitigate the risks of CSS.
What is client-side scanning?
Client-Side Scanning (CSS) is a technology that allows your device, like your phone or computer, to check files—such as photos, messages, or videos—for specific content and compares those files “fingerprints” with known file fingerprints host on a server. Imagine your phone acting like a security guard that scans your pictures for anything illegal or inappropriate before they get uploaded to the internet or cloud storage. The stated goal of CSS is often to stop crimes like the spread of harmful materials, such as child abuse images, avoiding your raw data being sent to a server somewhere for server-side scanning to take place.
To work, CSS uses special tools to compare your files against a database of known content, but it does this directly on your device instead of on a company’s servers. This means your data doesn’t need to be sent anywhere else for scanning. If your device finds a match with harmful content, it can alert the company or authorities, depending on how the system is set up.
The idea is founded in good intentions, but many are concerned about it is used. There is worry it could used invade privacy because your personal device is being used to monitor what you store or share. There’s also the fear that governments or others might expand the technology to monitor lawful but sensitive things, like political opinions or private conversations. While CSS is meant to protect people, critics argue it could easily be misused and pose risks to everyone’s privacy and security.
Why does it matter to me?
This matters to the average person because it directly impacts privacy, security, and how personal devices like smartphones or laptops are used. While it’s often touted as a way to protect against serious crimes like child abuse or terrorism, it raises concerns about who controls the scanning and how it could be used in the future.
CSS involves your device scanning your personal files, such as documents, photos or messages, without your explicit consent or any visibility into what they are looking for. Even if the system is designed to look for specific harmful content, it means your device is being used as a surveillance tool. This shifts control over your data from you to companies or governments, which removed true privacy over our thoughts and ideas. Over time, there’s a risk that this type of survaillence could expand to target other types of content, like political speech or private conversations, especially in countries with weaker protections for personal freedoms. Governments around the world have taken action against basic controls of security/privacy or even outright banned these technologies.
Second, CSS could create new security risks. If scanning systems are hacked or misused, they could be used to spy on people or falsely accuse someone of having illegal content. With even large govnments or corporations getting breached regularly, even if those in control have good intetions bad actors can possibly leverage these tools. For the average person, this means their trust in their devices and the privacy of their data might be at risk. In a world where we rely on our devices for work, communication, and personal storage, these concerns make CSS a topic that affects everyone—not just tech experts.
Actions to take
Technologies and ToS are ever evolving so this recommendations may change over time. There are a few key steps one could consider to help mitigate the potential risks and/or exposure to technologies such as CSS.
- Use Open-Source software or privacy centric tech
- Switch to software and platforms that are transparent and do not implement CSS. Look for open-source apps (like Signal for messaging) that prioritize end-to-end encryption and do not scan your data. Open-source tools allow independent experts to verify their security and ensure there are no hidden surveillance features.
- Switch to Linux and De-Googled Andriod
- Consider switching away from Microsoft Windows and Mac OSX towards open-sourced desktop OSes like Linux. Both Microsoft and Apple have been slowing integrating CSS and adjacent technologies into their Operating Systems over the years.
- Consider switching off of Apple’s iOS and Standard Andriod towards something like GrapheneOS.
- Avoid most Cloud Services
- When you send your data into “the cloud” you almost always relinquish control of that data. You should consider self-hosted options if you are technically inclined, or keep copies locally.
- If you do use cloud storage consider using something like VeraCrypt to upload only fully encrypted containers so CSS is mitigated.
- Review application updates manually instead of relying on automatic updates. While the current implementation of CSS-enabled software can respect some level of privacy, code changes can swifty change that.
- Most importantly, be vigilent
- Stay updated on emerging technologies and policy changes. Support organizations and groups who oppose intrusive tech such as CSS. Public knowledge and resistance to such technologies will hopefully at minimum delay the inevitable surveillance state and further erosion of privacy
References
| Article | Link | Summary |
|---|---|---|
| EEF - In 2021, We Told Apple: Don’t Scan Our Phones | Article | Summary |
| Ask HN: If client side scanning on devices becomes mandatory, what would you do? |
Article | Summary |
| IEEE - Attitudes towards Client-Side Scanning for CSAM, Terrorism, Drug Trafficking, Drug Use and Tax Evasion in Germany |
Article | Summary |
| Bugs in our pockets: the risks of client-side scanning | Article | Summary |
| Apple quietly deletes details of derided CSAM scanning tech from its Child Safety page without explanation |
Article | Summary |