I have one more bit of follow-up on the Apple Child Protection story, then a fun stopover into NFTs and Metaverses.
On to the update:
I had a call on background with Apple yesterday; I had three takeaways, and I think the best way to get at them is to cite this interview on TechCrunch between Matthew Panzarino and Erik Neuenschwander, head of Privacy Engineering at Apple.
On Being Limited to iCloud Photos
So if iCloud Photos is disabled, the system does not work, which is the public language in the FAQ. I just wanted to ask specifically, when you disable iCloud Photos, does this system continue to create hashes of your photos on device, or is it completely inactive at that point?
If users are not using iCloud Photos, NeuralHash will not run and will not generate any vouchers. CSAM detection is a neural hash being compared against a database of the known CSAM hashes that are part of the operating system image. None of that piece, nor any of the additional parts including the creation of the safety vouchers or the uploading of vouchers to iCloud Photos, is functioning if you’re not using iCloud Photos.
To use the framework I laid out in Apple’s Mistake, this isn’t just a Policy decision, it’s also a Capability decision; even if NeuralHash still ran (that’s the Policy decision part), the output can only be interpreted on the server side (the Capability decision). Neuenschwander explained earlier in the interview:
Our system involves both an on-device component where the voucher is created, but nothing is learned, and a server-side component, which is where that voucher is sent along with data coming to Apple service and processed across the account to learn if there are collections of illegal CSAM. That means that it is a service feature. I understand that it’s a complex attribute that a feature of the service has a portion where the voucher is generated on the device, but again, nothing’s learned about the content on the device.
This is the point I do wish Apple had communicated better; I am fundamentally more comfortable with server side analysis of this sort than I am with on-device analysis, and Apple’s system is a hybrid.
On Apple’s Privacy Definition
That noted, it seems pretty clear that my analysis from yesterday’s Daily Update about Apple’s definition of privacy perhaps being incomplete — at least as far customer expectations about control go — was spot-on. Again from Neuenschwander:
The things that we can say with this system is that it leaves privacy completely undisturbed for every other user who’s not into this illegal behavior, Apple gains no additional knowledge about any users cloud library. No user’s iCloud Library has to be processed as a result of this feature. Instead what we’re able to do is to create these cryptographic safety vouchers. They have mathematical properties that say, Apple will only be able to decrypt the contents or learn anything about the images and users specifically that collect photos that match illegal, known CSAM hashes, and that’s just not something anyone can say about a cloud processing scanning service, where every single image has to be processed in a clear decrypted form and run by routine to determine who knows what? At that point it’s very easy to determine anything you want [about a user’s images] versus our system only what is determined to be those images that match a set of known CSAM hashes that came directly from NCMEC and and other child safety organizations.
I understand on an intellectual level that Apple’s approach is more private than simply scanning everything uploaded to the cloud; I can’t shake the arguably irrational feeling, though, that my device doing the work is worse, and the impression I get is that this sentiment is genuinely surprising to Apple. That noted, the fact that the scanning is meaningfully tied to iCloud Photos — which is under my control — does ameliorate this a bit.
Finally, the answers about repressive governments demanding Apple utilize the service to find non-CSAM material are pretty weak, in my opinion. Again, as I noted yesterday, I don’t fault Apple for this — a private company can’t guarantee rights that don’t exist — but I do think the company’s assurances in this regard are overstated.
I do recommend reading the whole interview.
NFTs and Status
If it seems irrational that people would spend millions of dollars on pixelated jpegs of apes, well, “analyzing social capital dynamics can help to explain all sorts of online behavior that would otherwise seem irrational”…
NFTs are social capital with skin in the game. It’s “Investment-as-a-Status.” There are only 10,000 CryptoPunks and Apes, and within that limited set, there are some that are particularly valuable, and therefore high status. Owning a CryptoPunk or a Bored Ape, and often displaying it as your Twitter or Discord or Telegram profile pic, says something about you. They say that you were either early, or you’re rich, or you were early and now you’re rich. Using high-priced things to increase social capital is not new — look at fine art, expensive cars, yachts, private jets, handbags, or any number of scarce things that very rich people buy to signal status. It’s just that NFTs are even more legible and public.
I made a similar argument about NFTs when I first wrote about them in February:
What is so interesting about this concept is that you can actually say with certainty who owns that particular piece of digital art, despite the fact that said art, by virtue of being digital, can be replicated endlessly and costlessly. There is still only one specific manifestation of that file that is on the blockchain, and the blockchain publicly tracks every transaction associated with that file, so you not only know who owns it now, but anyone who ever owned it.
Now to be fair, I get why this sounds silly: there is no actual difference, particularly to the naked eye, between the NFT-secured piece of digital art and the one you might rip off of Google Images. But then again, what is the actual difference between an original piece of art and a perfectly executed replica? The knowledge of authenticity is itself a huge part of the value, which is to say that Christie’s assurance that the piece you bought at auction is the real deal is a huge part of the price; in this case the assurance of legitimacy is the blockchain itself.
On the flipside, an NFT-secured piece of digital art is still digital! That means you can not only transfer it anywhere in the blink of an eye, you can also display it anywhere — multiple locations at once, even. It’s as if every replica in the world were in fact the property of whoever owned the original. This has its downsides: that a piece of art is everywhere decreases the specialness and status that comes from owning a single physical object; on the other hand, the fact that ownership is public means that whatever status comes from owning a piece of digital art is transmitted as easily as the art itself.
McCormick opens his article with a perfect example — CryptoPunks:
A few other things to know about CryptoPunks:
- Owning a Punk is a status symbol, like owning a Ferrari or an expensive handbag.
- Punk owners often use the image of their Punk as their profile picture (PFP).
- Displaying a Punk that you don’t own as your profile picture is frowned upon.
This weekend, hundreds of people changed their profile picture to that one single Zombie Punk, which sold for 1,201.725 ETH ($3.75 million) at auction on Friday. No one frowned upon so many people displaying the Punk, wearing a deconstructed party hat emoji, because they all owned it.
For Friday’s auction, 478 people joined forces on PartyBid, a new product created by Anish Agnihotri and the PartyDAO crew that lets people form teams to bid on NFTs, to pool their resources and go after the multi-million dollar Punk against rich whales. They called themselves the Party of the Living Dead. And they won.
Again, note the similarity to luxury goods: an Hermès bag is a status symbol, even though you can buy a knock-off, which is definitely “frowned upon”, and you’ll feel terrible carrying it. However, because CryptoPunks are digital, ownership can not only be shared, but so can the status-flaunting aspects of it. Everyone in the Party of the Living Dead can display the Zombie Punk with pride; owning 1/478 of an Hermès bag isn’t nearly so compelling.
NFTs and Standard Formats
One additional point: NFTs have long been considered an important piece of a future Metaverse. McCormick notes:
NFTs will clearly play a role in the Metaverse. When everything is digital, proving that you own something and being able to bring it with you across the internet will be key. But this isn’t a Metaverse piece. It’s a social network piece.
As I explained last week in my very deliberately-titled Metaverses — note the pluralization! — I don’t think that there is going to be “The (Singular) Metaverse”:
What I am skeptical of is the idea of there being one Metaverse to rule them all; we already have that, and in this case the future is, in William Gibson’s turn of phrase, here — it’s just not very evenly distributed. I speak from personal experience: for two decades I have lived and worked primarily on the Internet; it’s where I experience friendship and community and make my living. Over the last year-and-a-half hundreds of millions of people have joined me, as the default location for work has switched from the office to online.
In this view, the Internet, which is built on standarized protocols like TCP/IP and HTTP, is the “Street”, that is, the connective tissue between richer experiences that function as walled gardens; if this ends up being correct, then what makes an NFT valuable is precisely the fact that the manifestation of the scarce resource is a standardized format, and is distinct from the record of ownership.
This means that NFTs are already interoperable, not just in a future Metaverse-type experience but, as McCormick notes, today’s social networks. After all, everyone supports JPEGs! What secures the value of the JPEG in different networks today, and different metaverses tomorrow, is not a direct application of the blockchain, enabled by some sort of convoluted interoperability standard, but rather the status of the item in question, itself a derivative of the status retaining aspects of the underlying social network combined with the blockchain record assertaining ownership. A CryptoPunk avatar, in other words, already works everywhere, and is valuable thanks to the combination of the CryptoPunk blockchain and the fact that lots of people on Twitter know and care what that is.
The future is here, it’s just not very evenly distributed.
This Daily Update will be available as a podcast later today. To receive it in your podcast player, visit Stratechery.
The Daily Update is intended for a single recipient, but occasional forwarding is totally fine! If you would like to order multiple subscriptions for your team with a group discount (minimum 5), please contact me directly.
Thanks for being a supporter, and have a great day!