Do mandatory reporter laws work like that? I was under the impression that you had to report something if you saw it, but you had no obligation to be actively scanning or to compromise encryption to do so. For example, I don’t think S3 does any active scanning and you can definitely shove any encrypted blob you want onto their servers with no obligation to give them a decryption key.
IMO this appears to be Apple either a) trying to preempt future criticism or regulation or b) responding to some behind-closed-doors pressure/bargaining with US authorities.
I think you have to be aware of what is happening, before you can say that nothing criminal happens. This is where scanning steps in. You can’t turn blind eye.
There is a big jump from reporting criminal activity if you happen to see it, to actively searching it out. It is the jump from police arresting you if they see you smoking a joint to police searching your rooms to make sure you don’t have any cannabis in there.
I read the law and you are correct, there is explicitly mentioned that provider is not required to enforce seeking of CSAM evidence.
However, they might be required to comply the demands of NCMEC if they ask to stop redistribution of certain visual depictions by providing hashes. This is were scanning steps in.
IMO this appears to be Apple either a) trying to preempt future criticism or regulation or b) responding to some behind-closed-doors pressure/bargaining with US authorities.