
I get the concern, but is there any evidence to suggest technology based solutions by themselves lead to any of those obviously bad false positive outcomes? Has anybody ever been sent to prison, placed on a sex offender list, or even been charged based purely on the output of an automated evaluation that you possess CSAM or some other illegal material? One can certainly imagine the dystopian horror of such a scenario, but whatever the specific technology in question, it's difficult to imagine it playing out in the current legal system of any country that isn't already based around just semi-randomly throwing people in jail.


>I get the concern, but is there any evidence to suggest technology based solutions by themselves lead to any of those obviously bad false positive outcomes?

Yes. In fact, it's mathematically provable that these false positives must happen, unless you never label anything as CSAM.

Welcome to signal detection theory; it's a really cool, and useful field. I recommend this book: https://www.taylorfrancis.com/books/mono/10.4324/97814106119...


> it's mathematically provable that these false positives must happen

This is not true. It’s mathematically provable that false positives are possible, not that they must happen. In fact, the chances of collisions happening are astronomically low and basically nil when you use them in the way Apple was proposing (two separate hashes; several matches required).


> This is not true. It’s mathematically provable that false positives are possible, not that they must happen. In fact, the chances of collisions happening are astronomically low and basically nil when you use them in the way Apple was proposing @JimDabell

WTF are you on about?!

That IS NOT how math works. If millions of images are uploaded per day, there are GUARANTEED false positives.

It's not a /maybe/ but an absolute fucking certainty.

This guy's a shill...


I agree his overconfident tone isn't helping, but let's not assume malevolence.

I think his argument is that the FP rate can be set to a vanishingly small value, and so we can in theory proceed as if it were effectively zero, as we do with hash collisions. This reasoning is false for two reasons: one theoretical, and one practical.

The theoretical reason is that a nonzero FP rate means that as the number of samples approaches infinity, a false-positive is guaranteed to occur (as you rightly point out).

The practical reason is that complex image classifiers do not exhibit what any sane person would consider a "vanishingly small" FP rate, especially given the volume of samples being processed in this case.


I'm sorry, you are mistaken. You can set the FP rate arbitrarily low, but they will eventually happen. "Basically nil" is not the same as "actually nil".

I also suspect you are grossly exaggerating the d', and grossly understating the FP rate of Apple's solution, as I am unaware of any image processing system whose FP rate is "basically nil". Your assertion warrants hard numbers.


> You can set the FP rate arbitrarily low, but they will eventually happen. "Basically nil" is not the same as "actually nil".

I know “basically nil” is not the same as “actually nil”, that’s why I said “basically nil” and not just “nil”. It is “nil for all practical purposes”. This is a good enough standard for software the whole world uses all day every day to depend upon – otherwise hashes would be pretty useless.

“Eventually” needs clarification here. Of course, if you spend from now until the heat death of the universe iterating through the search space you could get there. But that doesn’t mean that in practical use, such a collision is guaranteed as you claim. This system could have run its entire lifetime without a collision. You are mistaking “if you cover the entire search space” for what happens in the real world.

Do you understand that there is not one, but two hashes, and that they both need to collide simultaneously for each image? And do you understand that this has to happen not just a single time, but for several images on your system? That’s why I specifically said “basically nil when you use them in the way Apple was proposing” and described how it worked.

Everybody with even a basic grasp of what hashes are understands that collisions are certain when considering the entire search space. But that doesn’t correspond with what happens in practical terms, which is why hashing is actually useful in general, and I think people are getting too fixated on “hashes can have collisions” to notice the other properties of the system.

Apple can tune the false positive rate by varying the number of matches necessary to flag an account. They say they chose a threshold that would result in a false positive rate of one in a trillion. Are you saying they got their maths wrong or were lying, and that’s actually impossible? Because there’s only eight billion people on the planet and most of them don’t have Apple accounts, so if one in a trillion is accurate, then it seems entirely possible for this system to have run indefinitely without a single false positive.

Remember – I said “basically nil when you use them in the way Apple was proposing (two separate hashes; several matches required)”, and not that a single hash function wouldn’t ever produce a single collision for a single image. Do you really disagree with that?


>“Eventually” needs clarification here.

We're discussing mathematics, so it has a precise meaning: as the number of samples approaches infinity, the probability of observing a false-positive approaches 1.

As I mentioned in another comment, your claim is both formally and practically incorrect. It is formally incorrect for the reason above. Given enough samples, a false-positive must occur.

It is practically incorrect because there exists no image-classification system whose FP rate is small enough that multiple FPs won't be observed daily, given the number of samples at play [0].

[0] Except, of course, for the trivial case in which you allow an exorbitant number of misses, but surely this isn't what you're arguing...


> We're discussing mathematics

No, we are discussing a real-world system.

> as the number of samples approaches infinity

There are not an infinite number of people with Apple accounts.


Actually, we're talking about both, and you are wrong on both counts.

If you weren't, you would be able to point to an existing system that has demonstrated the capability of classifying an image set on the order of iCloud's, without producing a false-positive. You can't, because such a system doesn't exist.

Even the "solved" problem of OCR isn't capable of such a feat: https://youtu.be/XxCha4Kez9c


> you would be able to point to an existing system that has demonstrated the capability of classifying an image set on the order of iCloud's, without producing a false-positive.

This is not relevant to what I was saying; it sounds like you might be mixing up collisions with false positives.

As I said before:

> Remember – I said “basically nil when you use them in the way Apple was proposing (two separate hashes; several matches required)”, and not that a single hash function wouldn’t ever produce a single collision for a single image. Do you really disagree with that?

The relevant false positive is when an account gets flagged by Apple. That’s when it actually matters; that is what we don’t want to happen; that is what Apple are describing as a one in a trillion chance. The rate of hash collisions is only important as an input to that larger system.

That “number of samples”? It’s not the number of images in the whole of iCloud. It’s the number of Apple accounts. It doesn’t matter what happens “approaching infinity”, it matters what happens in the range zero to eight billion. We have a known upper bound, and it is substantially less than infinity. It doesn’t matter if a false positive is guaranteed “approaching infinity”, what matters is the likelihood of a false positive for any Apple account. That is not guaranteed, and actually extremely unlikely.

Also, just checking – you do understand that iCloud is using perceptual hashes and that it’s iMessage that uses an image classifier, right? Perceptual hashes aren’t normally referred to as image classifiers and aren’t really doing the same sort of thing as OCR; with OCR you need to output a token even if the shape is uncertain, but that failure case doesn’t exist for perceptual hashes because the result is just that there isn’t a match. What would be a false positive in the OCR case would be a false negative in the perceptual hash case, which we don’t care about for the purpose of this discussion.
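The two quantities argued over in the comments above, worked through as an added example that is not part of any comment: the chance of at least one false positive as the sample count grows, and the chance that a single account crosses a match threshold. It assumes independent matches; the per-image rate and library size are constructed inputs, and only the one-in-a-trillion and eight-billion figures are taken from the thread.

```python
import math

def p_any_false_match(p_single: float, n_samples: float) -> float:
    """P(at least one false positive) in n independent trials: 1 - (1 - p)^n."""
    # expm1/log1p keep precision when p is tiny (1 - p would round to 1.0).
    return -math.expm1(n_samples * math.log1p(-p_single))

def p_account_flagged(p_image: float, n_images: int, threshold: int) -> float:
    """P(at least `threshold` false matches among n_images): binomial upper tail."""
    log_p, log_q = math.log(p_image), math.log1p(-p_image)
    total = 0.0
    for k in range(threshold, n_images + 1):
        # log of C(n, k) * p^k * (1 - p)^(n - k), computed in log space
        log_term = (math.lgamma(n_images + 1) - math.lgamma(k + 1)
                    - math.lgamma(n_images - k + 1)
                    + k * log_p + (n_images - k) * log_q)
        term = math.exp(log_term)
        total += term
        if term < total * 1e-17:  # remaining terms no longer change the sum
            break
    return total

if __name__ == "__main__":
    P_IMAGE = 1e-6     # constructed per-image false match rate (assumption)
    LIBRARY = 10_000   # constructed number of photos in one account (assumption)

    # Without a threshold: any nonzero rate tends to certainty as n grows.
    for n in (1e3, 1e6, 1e9):
        print(f"n={n:.0e}  P(>=1 false match) = {p_any_false_match(P_IMAGE, n):.6f}")

    # With a threshold: the account-level rate falls steeply per extra match.
    for t in (1, 2, 5, 10):
        print(f"threshold={t:2d}  P(account flagged) = "
              f"{p_account_flagged(P_IMAGE, LIBRARY, t):.3e}")

    # Figures quoted in the thread: 1e-12 per account, at most 8e9 accounts.
    print(f"P(any account flagged) = {p_any_false_match(1e-12, 8e9):.6f}")
```

The independence assumption is the weak point of any such estimate: near-duplicate photos in one library produce correlated matches, so a measured per-image rate matters more than the formula.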


> is there any evidence to suggest technology based solutions by themselves lead to any of those obviously bad false positive outcomes?

Specific to this type of technology? YouTube and their Content ID comes to mind - stories abound about people getting random videos flagged or demonetized because of a match to something in a background, or false positive match to their own original rendition, or to their own original rendition of their own work they own copyright to, or even against noise. Some of those stories end up harming those YouTubers financially. It's happening often enough that pretty much every channel I've watched has a video commenting or complaining about this at this point.

Then, related, random bans of Google accounts, or people having their apps kicked off Apple's App store or Google's Play Store for seemingly no reason (following some of those stories over the years, I estimate it's 3:1 false positive to the person actually violating ToS). Google account bans, in particular, can easily make your life very difficult for some time, or even kill your company, and they have a nasty feature of being transitive (if you have multiple Google Accounts connected in an obvious way, e.g. by recovery number, having one banned tends to be followed by having the rest banned too).

Point being, those big cloud companies don't have a particularly good reputation when it comes to algorithmic moderation. So when one of those companies wants to deploy another set of automated scans, with a twist that a false positive now has a chance of quickly and irreversibly derailing your whole life, it's hopefully understandable why people are apprehensive.

> whatever the specific technology in question, it's difficult to imagine it playing out in the current legal system of any country that isn't already based around just semi-randomly throwing people in jail.

With this particular crime, you don't have to go into jail to have your life destroyed. You don't even have to go to court. All it takes is that a rumor leaks out that you're accused of consuming or producing CSAM - it'll do irreparable damage to your relationship with others, as they'll always be wondering whether there wasn't something to those rumors.

In a way, this technology being criticized so loudly and broadly is a form of mitigating the damage it could cause: the more people are aware it's liable to spurious false positives, the more chance the victims of such false positives have that others will believe them.



