macOS 13 Spies on users' images despite iCloud and Analytics being turned off | Long live Apple CSAM detection?

[AlTech]

Note To Reader: Whilst I consider this to be news topic pertaining to tech and would normally be posted in Tech News subforum, this news has not been corroborated as far as I am aware and the sources are not tech media outlets or journalists thus it feels more appropriate to put this in the macOS subforum.

 

Summary

A macOS user has discovered that macOS 13 spies on user's images even with iCloud not connected and Analytics turned off.

 

The spying involves macs phoning home to Apple when users preview an image on their mac by pressing the spacebar.

 

It looks like Apple didn't remove CSAM detection from macOS after all despite the media reporting otherwise.

 

Quotes

The source discloses how they knew this occurred:

Quote

I use a program called Little Snitch which alerts me to network traffic attempted by the programs I use. I have all network access denied for a lot of Apple OS-level apps

 

 

Quote

Imagine my surprise when browsing these images in the Finder, Little Snitch told me that macOS is now connecting to Apple APIs via a program named mediaanalysisd (Media Analysis Daemon - a background process for analyzing media files). It’s very important to contextualize this. In 2021 Apple announced their plan to begin clientside scanning of media files, on device, to detect child pornography (“CSAM”, the term of art used to describe such images), so that devices that end users have paid for can be used to provide police surveillance in direct opposition to the wishes of the owner of the device.

 

Quote

Some weeks later, in an apparent (but not really) capitulation, Apple published the following statement:

Based on feedback from customers, advocacy groups, researchers and others, we have decided to take additional time over the coming months to collect input and make improvements before releasing these critically important child safety features.

The media erroneously reported this as Apple reversing course.

Read the statement carefully again, and recognize that at no point did Apple say they reversed course or do not intend to proceed with privacy-violating scanning features. As a point of fact, Apple said they still intend to release the features and that they consider them “critically important”.

 

My thoughts

This is honestly inexcusable and I frankly wish there were more options out there for people who struggle with tech and use Apple because it's the easiest option for them. It is clear that Apple does not respect users' ownership of their devices if this is how they treat their customers. For anybody who chooses to use macOS, I would strongly recommend switching to Windows or Linux. For those that need to use macOS or are forced to do so, use Pihole or something like it to block Apple's requests so that they timeout.

 

The media is also somewhat to blame for inaccurately reporting the news.

 

Sources

https://sneak.berlin/20230115/macos-scans-your-local-files-now/

 

Louis reads the other source linked and provides his own input.

 

[Sauron]

7 hours ago, AluminiumTech said:

For anybody who chooses to use macOS, I would strongly recommend switching to Windows or Linux.

I don't know if I'd go that far, especially Windows hasn't exactly been great at not violating people's privacy...

 

I wouldn't even conceptually oppose the idea of the OS alerting authorities if heinous illegal material is found on the drive, I just hope if this type of functionality is introduced it will rely on local and regularly updated definitions like antiviruses and only call home if something bad is found, rather than just uploading metadata of every image.

Quote

Who knows what types of media governments will legally require Apple to scan for in the future? Today it’s CP, tomorrow it’s cartoons of the prophet

Spare me... I don't think Apple was legally required to do this at any point... and if they wanted to look for "cartoons of the prophet" they could start doing it tomorrow regardless of whether the CSAM check was in place before or not. I don't buy that this is some sort of gateway into further privacy abuse from Apple because 1) they could do it anyway and 2) they are not going after anything and everything that could be illegal, just specifically after child abuse material which derives from and perpetuates, you guessed it, child abuse.

Quote

This is your first and only warning: Stock macOS now invades your privacy via the Internet when browing local files, taking actions that no reasonable person would expect to touch the network, with iCloud and all analytics turned off, no Apple apps launched (this happened in the Finder, via spacebar preview), and no Apple ID input. You have been notified of this new reality. You will receive no further warnings on the topic.

Wow, ok Morpheus. Welcome to the crowd of people who've been shouting from the rooftops for years that Apple doesn't care about privacy nearly as much as they'd like you to believe. Now what?

Quote

A final reminder: if you’ve nothing to hide and you’ve done nothing wrong, those are the times when it is most important to limit information transfer to law enforcement.

There are good reasons to be weary of law enforcement invading your privacy but the vast majority of people already give away vast swaths of information about their lives and activities on social media, both intentionally and not. Is a CSAM scanner really the tipping point for what is acceptable?

[DrMacintosh]

8 hours ago, AluminiumTech said:

this news has not been corroborated as far as I am aware and the sources are not tech media outlets or journalists

This is exactly why this isn't news. The whole extent of this story is that there is a macOS daemon called mediaanalysisd and it requests network traffic. What is that traffic? How much data is being sent over the network? What does that daemon actually do? There are no answers to these questions and Apple is the only one who can answer these questions. So until that happens, anything posted about this is purely speculation. 

 

Also, another knock against saying this is Apples CSAM tool is that Apple publicly dropped all intentions of perusing that program. 

 

8 hours ago, AluminiumTech said:

For anybody who chooses to use macOS, I would strongly recommend switching to Windows

If you intent is to recommend users privacy oriented operating systems, this is extremely bad advice given how much telemetry Microsoft collects on its users. Recommending people switch to Windows based entirely on one background process with an unclear purpose is misguided. 

 

 

[Roswell]

This is an extremely dumb take and even more stupid “story”. 

 

The mediaanalysisd process has been around for almost a decade, it locally analyzes your media files for Photos search/live text/indexing/visual search/whatever and then uploads metadata and hashes to iCloud to sync with your other devices and provide said visual search data. That’s all it does.

 

https://appleinsider.com/articles/23/01/21/tests-confirm-macos-finder-isnt-scanning-for-csam-images

 

12 hours ago, AluminiumTech said:

The spying involves macs phoning home to Apple

There’s no spying.

 

12 hours ago, AluminiumTech said:

I would strongly recommend switching to Windows

Lol

 

 

[DrMacintosh]

It has been confirmed that this daemon does nothing other than perform machine learning tasks. There is no spying. 

 

[Kateshi]

Hey all.

 

For Mac users I just want to suggest disabling SIP and then later rebooting MacOS to disable com.apple.mediaanalysisd and com.apple.photoanalysisd like this.

 

To do so, boot into recovery mode, open terminal and execute

csrutil disable

reboot

 

Once you do that and boot back into your OS (not in recovery mode anymore) you can execute the following commands in terminal:

launchctl bootout gui/$UID/com.apple.mediaanalysisd

launchctl disable gui/$UID/com.apple.mediaanalysisd

launchctl bootout gui/$UID/com.apple.photoanalysisd

launchctl disable gui/$UID/com.apple.photoanalysisd

 

Source: Reddit

[Roswell]

1 hour ago, Kateshi said:

Hey all.

 

For Mac users I just want to suggest disabling SIP and then later rebooting MacOS to disable com.apple.mediaanalysisd and com.apple.photoanalysisd like this.

 

To do so, boot into recovery mode, open terminal and execute

csrutil disable

reboot

 

Once you do that and boot back into your OS (not in recovery mode anymore) you can execute the following commands in terminal:

launchctl bootout gui/$UID/com.apple.mediaanalysisd

launchctl disable gui/$UID/com.apple.mediaanalysisd

launchctl bootout gui/$UID/com.apple.photoanalysisd

launchctl disable gui/$UID/com.apple.photoanalysisd

 

Source: Reddit

There's no reason to do this and it's going to break a ton of functionality for iCloud users.

 

Not to mention that disabling SIP is extremely reckless.

[seanondemand]

@AluminiumTechcurious about your thoughts on these new developments

[AlTech]

3 hours ago, seanondemand said:

@AluminiumTechcurious about your thoughts on these new developments

The development that it does nothing but machine learning tasks that communicate with Apple over the internet?

 

Just because Apple got caught with a system that is broken doesn't mean they didn't intend for it to work. Or perhaps we're all being taken for fools and the system does work as intended and Apple CSAM detection is detected using this even though no data seems to be transmitted (e.g. no data transmitted = not detected, data transmitted = detected).

 

It's also possible that this was a genuine mistake and the machine learning daemon isn't meant to connect to Apple online services. In that case, shame on Apple for not correcting it sooner and for not explaining explicitly that it was a bug rather than quietly changing the behaviour in macOS 13.2 .

[maplepants]

6 hours ago, AluminiumTech said:

The development that it does nothing but machine learning tasks that communicate with Apple over the internet?

 

Just because Apple got caught with a system that is broken doesn't mean they didn't intend for it to work. Or perhaps we're all being taken for fools and the system does work as intended and Apple CSAM detection is detected using this even though no data seems to be transmitted (e.g. no data transmitted = not detected, data transmitted = detected).

 

It's also possible that this was a genuine mistake and the machine learning daemon isn't meant to connect to Apple online services. In that case, shame on Apple for not correcting it sooner and for not explaining explicitly that it was a bug rather than quietly changing the behaviour in macOS 13.2 .

Where are you getting the idea that this is a mistake? mediaanalysisd does loads of indexing on your photolibrary, and syncs some of its data to iCloud. This is true now, and has been for a long time.

 

Are you not familiar with what features Photos.app offers? You should check out the Apple Insider article linked previously in this thread. It does a good job of explaining the situation. This whole story just feels like you misunderstanding something about macOS and then hilariously recommending Windows to people who might think macOS doesn't offer enough privacy.

 

I think people should be more interested in privacy, and protecting their data. But stories like this that are completely wrong and recommend "solutions" that offer worse privacy hinder the discussion. 

[AlTech]

1 hour ago, maplepants said:

Where are you getting the idea that this is a mistake? 

Given that macOS 12.2 no longer behaves the way 12.1 does with respect to this issue.

1 hour ago, maplepants said:

mediaanalysisd does loads of indexing on your photolibrary, and syncs some of its data to iCloud. This is true now, and has been for a long time.

 

Are you not familiar with what features Photos.app offers? You should check out the Apple Insider article linked previously in this thread. It does a good job of explaining the situation. This whole story just feels like you misunderstanding something about macOS and then hilariously recommending Windows to people who might think macOS doesn't offer enough privacy.

Windows doesn't have CSAM scanning and Microsoft never said they'd put it into Windows. Both Windows and macOS are flawed from a Privacy perspective but macOS is at best no better than Windows and at worse is worse than Windows.

 

Linux is preferable to both Windows and macOS for privacy reasons but most people will not switch to Linux.

1 hour ago, maplepants said:

I think people should be more interested in privacy, and protecting their data. But stories like this that are completely wrong and recommend "solutions" that offer worse privacy hinder the discussion. 

 

[maplepants]

28 minutes ago, AluminiumTech said:

Windows doesn't have CSAM scanning and Microsoft never said they'd put it into Windows. Both Windows and macOS are flawed from a Privacy perspective but macOS is at best no better than Windows and at worse is worse than Windows.

This basically tells me everything I need to know. Windows telemetry is not at all in the same league as anything on macOS.

 

Recommending Windows over macOS for privacy reasons just makes no sense.

[Roswell]

14 hours ago, AluminiumTech said:

Just because Apple got caught

These processes have been around for like 10 years and have been included in documentation since.

 

They weren’t caught doing anything. A small handful of uneducated users, including yourself, saw something they didn’t understand and made an Olympics grade leap into tinfoil hat land.