Apple Photos phones home on iOS 18 and macOS 15

Original Article ↗ Hacker News Discussion ↗

What the new Photos feature does

  • iOS 18 / macOS 15 add “Enhanced Visual Search” in Photos.
  • When enabled, the device creates feature vectors for suspected landmarks in photos, adds differential-privacy noise, encrypts them, and sends them via an OHTTP relay to Apple’s servers.
  • Servers perform homomorphic-encrypted nearest‑neighbor search against a global landmark index, return encrypted results, and the device tags photos locally.
  • Several users report the setting was enabled by default after upgrade; others say it was off or depends on other settings, so behavior is unclear.

Is this “sending your photos”?

  • One side: this is not uploading photos or readable metadata but non‑reversible, noisy, homomorphically encrypted vectors that Apple cannot decrypt, and relays hide IPs.
  • The other side: any derived data tied only to one’s photos is “my data”; exfiltrating it without explicit consent is a privacy violation regardless of cryptography.
  • Some argue even if the design is sound, bugs, implementation mistakes, or future changes could leak real data.

Consent, defaults, and user agency

  • Strong theme: anything leaving the device should require explicit, up‑front opt‑in; “privacy by math” does not replace informed consent.
  • Others counter that most users won’t understand HE/DP and already suffer from consent fatigue; for features believed to be mathematically safe, default‑on may be acceptable.
  • Many see default‑on as violating Apple’s own “what happens on your iPhone stays on your iPhone” marketing, and as a trust‑eroding pattern alongside other telemetry (e.g., “Help Improve Search”).

Trust, closed implementations, and threat models

  • Pro‑Apple commenters emphasize multiple privacy layers, open‑sourced HE libraries, and Apple’s comparatively strong stance vs. Google/Meta/Microsoft.
  • Skeptics point out:
    • The OS and service code are closed; users cannot verify what actually runs.
    • Cryptography can be misused or quietly repurposed (e.g., revived CSAM‑style scanning).
    • Powerful actors or future Apple policies could weaken protections or exploit metadata over time.

Broader reactions and alternatives

  • Some view the outrage as overblown “rage‑bait”; others see it as justified pushback against creeping client‑side scanning.
  • A minority argue that owning a modern smartphone is already a fundamental privacy failure (cell towers, apps, clouds), so this is marginal.
  • Coping strategies discussed:
    • Turning the feature off where possible.
    • Using self‑hosted photo solutions (Immich, LibrePhotos, PhotoPrism, Ente).
    • Moving to privacy‑focused Android variants (e.g., GrapheneOS) or Linux, with firewalls and no cloud backups.