Front  /  Privacy

A Judge Just Recommended Congress Force Apple to Build iCloud Photo Scanning

The judge admits the law “prioritizes privacy,” then treats that like a bug for Congress to patch.

A Judge Just Recommended Congress Force Apple to Build iCloud Photo Scanning

Stand against censorship and surveillance: join Reclaim The Net

A federal judge has handed Apple a victory that anyone wary of surveillance should welcome, and attached a request that should worry them. Apple cannot be sued for refusing to scan everyone’s iCloud for child sexual abuse material, U.S. District Judge Noel Wise ruled on July 13, dismissing a proposed class action with prejudice. She then asked lawmakers to compel the very scanning Apple abandoned.

We obtained a copy of the order for you here

The women behind the suit, using the pseudonyms Amy and Jessica, were photographed and filmed as young children while being abused.

They filed in 2024 on behalf of roughly 2,680 people with similar histories, seeking up to $32.8 billion and a court order requiring Apple to change how iCloud works.

Their case rested on a single theory: that Apple’s refusal to monitor everyone’s content and deploy detection tools was a design defect. As their complaint framed it, “Apple’s failure to implement any known CSAM detection is a design defect.”

Apple’s rivals took a different route. Microsoft and Google run a Microsoft-built tool called PhotoDNA across their services to flag known abuse images and report them to authorities. Apple went its own way, announcing a proprietary system called NeuralHash in August 2021 and promising it would guard privacy better than the competition.

That promise collapsed fast. Within a month, after it became clear that NeuralHash was “significantly less precise than PhotoDNA,” Apple delayed the rollout. By December 2022 the company had scrapped on-device CSAM scanning entirely and switched on end-to-end encryption for iCloud instead, making it far harder for anyone, Apple included, to inspect what users store.

Judge Wise never had to weigh whether that was the right call. She ruled that Section 230 of the Communications Decency Act shields Apple no matter what, because deciding whether to run a scanning tool “is a choice related to content moderation,” and content moderation decisions are immune.

A significant part of her order is a plain statement of where the law sits. She wrote that “nothing in the law prevents any company, including Apple, from utilizing available technology or creating new technology to identify and report child pornography stored and distributed on their traditional servers or through their cloud services.” Then she added, “Conversely, there is no law that obligates companies to proactively do so.”

What followed reaches well past Apple. Wise wrote that “lawmakers can fix this problem that is contributing to the exploitation of children,” and, “This Court cannot.”

She was candid about the price of such a fix, conceding that legislation of this kind “would come at a cost of at least some loss of privacy for millions of people.” Her order goes further, granting that as the law stands, it “prioritizes privacy.”

The scanning she invited Congress to require is the same scanning security researchers keep finding to be broken. Apple’s own explanation for walking away is like a brief against the mandate.

Erik Neuenschwander, the company’s director of user privacy and child safety, told a child-safety group that after consulting widely, Apple “concluded it was not practically possible to implement without ultimately imperiling the security and privacy of our users.” Scanning private iCloud content, he warned, “opens the door for bulk surveillance and could create a desire to search other encrypted messaging systems across content types.”

The alarm was there from the start. When Apple unveiled NeuralHash in 2021, Edward Snowden warned that “if they can scan for kiddie porn today, they can scan for anything tomorrow.” Johns Hopkins cryptographer Matthew Green cautioned that the hashing behind such tools is “imprecise” “on purpose,” and that harmless images could be doctored to “match” flagged ones and get innocent people reported.

The technical case against mandated scanning has only hardened since. A study published in March 2026 by researchers at KU Leuven and Ghent University reverse-engineered PhotoDNA, the tool the plaintiffs held up as the industry standard, and reached a one-word verdict. The software is “unreliable.”

The researchers showed that criminals can hide illegal images from the scanner with changes as small as adding a border, while ordinary photos can be manipulated to trip false alarms and route innocent users to the police.

Europe already ran this experiment. The European Union spent years pushing “Chat Control,” a plan to scan private messages and photos across the bloc.

The European Parliament rejected the mass-scanning version by a single vote in March 2026, after the EU’s own evaluation found no measurable link between the surveillance and actual convictions, and after German police reported that 48% of flagged chats were criminally irrelevant.

Patrick Breyer, the former MEP who fought the plan for years, compared it to “desperately trying to mop up the floor while leaving the faucet running.” The proposal has not died. Negotiations over a permanent version continue, and a push for mandatory age verification is close behind.

That is the future the judge’s request would usher in. Congress could answer by ordering Apple and everyone else to install scanning systems that researchers call unreliable, that Europe’s police found buries them in false leads, and that Apple’s own engineers said could not be built without endangering the people they claim to protect.

Stand against censorship and surveillance: join Reclaim The Net

Reclaim The Net is reader-supported. Every contribution widens the reach, helping more people see the threat to privacy and free expression, and push back.