Switched to GrapheneOS just in time - UK user

6s5xz

I have recently moved over to GrapheneOS and I'm happily running it on my Pixel 10 Pro XL.

It would appear that I made the switch just as the erosion of our privacy in the UK picks up pace.

The UK's 'Children's Wellbeing and Schools bill' was brought in in September 2025, they now want to add all sorts of clauses to it, such as needing I.D. to use a VPN. The most concerning part relating to privacy though is;

Pg.20;
"(2) The “CSAM requirement” is that any relevant device supplied for use in the UK must have installed tamper-proof system software which is highly effective at preventing the recording, transmitting (by any means, including livestreaming) and viewing of CSAM using that device.

TL;DR
Phones sold within the UK will scan all your photos & video to check that they are allowed, if something is flagged then the Police are notified.

Link to the amendments;
[https://bills.parliament.uk/publications/63901/documents/7465?fbclid=IwY2xjawOnvYZleHRuA2FlbQIxMABicmlkETBPejB0RXVZUmlJbFZzcHFOc3J0YwZhcHBfaWQQMjIyMDM5MTc4ODIwMDg5MgABHjIJlOjSLE2EgKrH3Vs3X_3tqMEQAt6Ig5nNYGP3r5mjDM02CZSmLlOt9HDu_aem_UQXML12aspdhGirKYkiSzw]

xxx

6s5xz Phones sold within the UK will scan all your photos & video to check that they are allowed

Expect the EU to follow. Sigh ...

Delaney

Assuming this were to pass as is...

6s5xz Pg.20;
"(2) The “CSAM requirement” is that any relevant device supplied for use in the UK must have installed tamper-proof system software which is highly effective at preventing the recording, transmitting (by any means, including livestreaming) and viewing of CSAM using that device.

I could be wrong, but this would not be applicable to GrapheneOS, since it is not an operating system that's shipped with devices.
Also, the wording suggests this only needs to be a software-based implementation, so when the stock OS is removed in place of GrapheneOS, so does the CSAM scanning software. Strictly speaking, this would not be tampering the software, either.

oci3o

6s5xz

TL;DR
Phones sold within the UK will scan all your photos & video to check that they are allowed, if something is flagged then the Police are notified.

This is already done if you use something like Google Photos.
Let me explain what usually happens in terms of collecting info about CSAM.

NCMEC have a database of known CSAM, its called the IWF hash list, which is their hash list and is updated manually, daily, by 2 people for each picture (what a horrific job, I feel for someone who has to carry this out).
Google also contributes to this database, and in fact are one of the largest contributors (Well done Google, finally your doing something for the greater good it seems), however, I suspect they scan photos hashes in Google products (not the actual image) and if it is a match, report it, this is how Apple was going to do it.

I've had a very quick scan of that doc, and I'm not seeing anything on page 20 which matches your TLDR?, I suspect it would be done on hash, yes it's not great as its still technically scanning your photos, but its not viewing it, a hash is a much more efficient way of doing it also, it gives better accuracy, and doesn't require a lot of compute to do a hash check (think like doing an MD5 check)

I would say, a better solution (and how it may have been designed by OEMs, I dunno) is to have a secure element (think Titan M) and download the hash list to this element, the hash list won't be massive, and you could put storage into the chip to hold it, that way it is tamper proof, doesn't need to transmit data outbound unless absolutely required, but can be updated, similar to a firmware update, and can enforce and prevent viewing / potential creation and distribution of CSAM using maybe a native API or function of the OS.

The alerting of the police would be fairly simple, but it is potentially quite a privacy invasive way, you could use the IMEI of the phone (which isn't a great way, but gives a high degree of accuracy of the device / owner) and bind it to the reported hash value flagged, who this data would be sent to before being reported to the police, I dunno, but I suppose also, if your involved in CSAM outside of a legitimate reason (law enforcement case for example), you should be outed.

However, regardless, this is not a fix to the root cause here, parents need to parent, kids shouldn't be exposed to things like Roblox at such a young age, but this is the parents job, not tech companies, its very hard without real ID (and that's proven to be a trivial bypass) to prove someone is an age, platforms like Facebook, Roblox etc should be 18+ only, but how to verify a user in a private way is a hard problem to solve, credit cards are an okay way to do it, as it exposes a small amount of info in comparison to photo ID, and it has protection from the bank who issue it, as it is their account.

I am all for finding predators, I have a family member who was a judge who signed warrants to arrest people for this stuff, and you could tell when it was bad as he had to view the content, so whoever decides its okay to ruin a persons life (adults are affected also, be it child abuse or abuse as an adult, as child abuse like this never leaves them), should face the full extent of the law, but I think the govt saying this is to "protect the children" is bullshit, if it really was, they would be looking at ways to do it in a privacy respecting way, and engaging communities and experts to help architect this.
But lets also not forget, we have had some extremely high profile people in the UK (and other countries) in institutions like our media, and govt who have been outed for doing this, so will they face the same rules because of this? time will tell.

TLDR, I'm all for tools and systems which can help prevent CSAM, if its done in the right way, privately, exposes the absolute minimum amount of data if any way actually required outside a hash, ideally is open source (so we can make it better, as well as see what's happening), and goes to approved institutions like NCMEC when flagged ONLY, which is encrypted, however, I don't think this is why the govt is doing this, the online ID thing has already stopped people going to sites which may provide information which is not "safe" and could be classed as censorship.

starglider

Delaney It seems almost certain that this will be implemented via locked bootloaders (bootloaders are software). Of course it'll likely be possible to import one with an unlockable option, but for most people that won't be easy.

The goal here isn't catching criminals; it's mass surveillance. That's achievable by just making it hard to run alternative OSes, not impossible.

Vincent96

UK Pixel 10 Pro XL user here too. Switched last week from IodéOS.

Assuming the Pixel 11 series will have to follow these tamper-proof content scanning rules, does this mean GrapheneOS could be banned in the UK?

xxx

Vincent96 does this mean GrapheneOS could be banned in the UK?

We just don't know now.

Byku

oci3o So are they already doing that hash matching on device or when you upload to Google backup? They scan the ones in the cloud for sure (that incident with a father sending a picuture of his kid to the doctor). Stock PixelOS scans your photos for nudes but they claim it's only on device and only to remind you if you're sure whenether you are sending a nude picture. Nothing mentioned about CSAM being reported though.

6s5xz

oci3o

I completely agree, there's a special place in hell for those sorts of predators. How best to go about identifying these people, I honestly don't know. But I am tired of waking up each day to find that everyone's privacy has been chipped away just that little bit more.

I spoke with a friend earlier today and explained what the UK government is pushing through, he gave the generic response; 'well if someone has got nothing to hide, then what's the problem?' I asked him what if instead of his phone being automatically scanned, he was given a monthly appointment to go to his local Police station for his phone to be examined in person, he told me that would be rediculous and would never happen. 🤦‍♂️

oci3o

Byku I think it depends on what is happening.

I suspect they are already doing some form of scanning on device, but warning a user they are sending nudes, and scanning for CSAM are two different techniques to me.
Hash for CSAM, actual image checks (maybe using a local model or something else) to detect for "legitimate and legal nudes".

Cloud, I would say they are doing, they contribute a total of 74% to the IWF has list, how do you think they are getting that info?, it won't be devices alone.

But remember, I don't think they look at the picture, that would be computationally inefficient, instead they will be scanning all hashes of every image within Google cloud (anything that can handle images, be it photos, YouTube, docs etc) and then doing likely something similar to an MD5 check against either a locally stored IWF which is synced daily, or maybe an API call to NCMEC which allows real-time checks, and I suspect it is done at upload time, file modification time, or a random interval given a hash may already exist in Google Photos, but not in IWF until a later date.

I might look into the architecture of how its done if its available, its peaked my interest.

oci3o

6s5xz

6s5xz 'well if someone has got nothing to hide, then what's the problem?

Why do they shut the curtains or close the bathroom door?
I don't have anything to hide, I'm a fairly boring person, 90% of my pictures are of my family, the other 10% is crap like food, receipts and the back of servers.
However...
I do it because corps and now govt's shouldn't have unfettered access to it, so 3rd parties can scan it, store it in a database which is poorly secured (UK Govt doesn't follow their own CE+ guidelines even as a baseline) for someone to hack into it and leak my private files, I should chose who has access to my own generated files, in a lawful investigation, if I need to provide files I will, but for day to day (and I've never been in trouble with the police) they have no lawful reason to look at them.

And now, we as GOS users are potentially at more risk of checks because we use a phone which values privacy and security, which makes me use it and promote it more!

6s5xz I asked him what if instead of his phone being automatically scanned, he was given a monthly appointment to go to his local Police station for his phone to be examined in person, he told me that would be rediculous and would never happen. 🤦‍♂️

This happens in North Korea already, they have a system level function which scans content, not hashes, actual content, and if it detects say, a South Korean film, it will alert the authorities, that is usually punishable by death there, it can also stop the user from using words and reword them, they also run a country wide "intranet" to stop info from leaking out, think MDM but by the govt for surveillance, not compliance and security, MrWhosTheBoss did a great video the other week about 2 North Korean phones, China isn't far behind either.

6s5xz

oci3o

I forgot to mention in my reply, excellent writeup, thank you for taking the time to explain.

oci3o

Well that didn't take long to find, Google tells you how it works in a high level.

So it works in a few parts, they have specialists (they will be NCMEC certified and IWF members as these are the only people who can look at the hash list, you don't just get access, its approved), AI (likely a purpose built / trained model), blocking and filtering technologies, and hash-matching.
So I was right, they use the hash value to detect, but use AI to detect new CSAM, hence the doctor thing you mentioned, so it can get things wrong.

Humans also verify all new SCAM apparently, don't know how much of that I buy.

Once they detect CSAM in any of their platforms (again, basically anything Google Cloud and potentially Android / ChromeOS), they will automatically remove it and then use the NCMECs Cyber Tipline to report it, and inform the required authorities regardless of location, this includes identifiable information of the user of the Google account, and potentially the victim.

They may then add additional monitoring to the account if CSAM is identified, which launches a bigger scan including surrounding content, metadata and other information.

So, back to your original post, on Android and Google ecosystem, its seems to already be a thing, but until it triggers, its somewhat private, but it can trigger on false information.
GOS could create their own I suspect fairly easily and quickly if required, but the issue becomes linking it to a user, given GOS doesn't have user accounts, they could link to IMEI, but this to me is a terrible way of doing it.

I wouldn't worry about this too much at the moment, the method for detection is well established, and the "holders" are as follows.

NCMEC - US,
IWF - UK based, this is the team who handles Tipline also.
Thorn / Safer - Non-Profit, helps NCMEC & IWF.
Google - US.
INTERPOL - Global.
Semantics 21 (S21 GAD) - Europe.

Yes, this has the ability to be used for nefarious purposes, but it's not built to scan photos on your phone, Google does that via their cloud platforms, but if architected properly, this could be fairly safe, while helping protect more children.

de0u

Recently there is a fair amount of text here describing what Google may be doing, but not links to supporting information.

oci3o

de0u You mean my text?
https://support.google.com/product-documentation/answer/15464420?hl=en#:~:text=How%20Google%20detects%20and%20reports%20online%20CSAE

de0u

oci3o Thanks for posting the link!

de0u

Graph10 UK government [...] propaganda [...] sabotage [...] censorship [...] corrupt, evil and malicious [...] Open your eyes to the evil we have to fight.

I think this is a GrapheneOS support forum, not a politics forum.

MineralWater

The problem with any kind of on device scanning is the totalitarian aspect.

Assumed you are criticizing a/your government and have to go underground. The political regime could take a picture of You, hash it and put it in the database.

So they would be alerted when somebody has pictures of you on their phone. Whether these are old photos or new, it can give hints whereabouts you are at the moment.

That is also how public surveillance works, this is no ai, they simply have hashes and they can identify someone in the crowd.

So understanding this, the problem isn't that big, it's just another piece in the puzzle.

If You don't want to be under surveillance, throw your smartphone away, there are numerous ways to track you when it is running. Via cell towers, through apps, through WiFi networks, Bluetooth, microphones and so on.

It's like it is, we all chose that it comes to this.

oci3o

MineralWater Its not, in the UK for example, they use CCTV to track users if they need to, they can also get logs from ISPs etc, a hash is a terrible method of tracking someone through places, especially when you have as many cameras as the UK does, plus cell towers, free wi-fi so on.

You triangulate when tracking a user, cell towers are excellent here, 5G allows you to triangulate down to I believe meters, if not closer, 4G couldn't do this, you can then link them to a place by using CCTV.

A hash is good when you have a static piece of content like a video or image (say CSAM) and you need to compare it as it is "known", its a very quick, easy way to know it exists.

AI does play a part also, it is used with CCTV systems, more now than ever.

But I agree with your statement, we shouldn't need scanning at all ideally as CSAM or any abuse material shouldn't exist, but sadly it does, but then another excuse would be made in its place.

user2025

How many times I have to taken a picture of myself to "not" keep same hash ( not the smelly herb) ?
How does that hash stays the same even if I repeatedly taken picture of a person's face profile?
Thanks

oci3o

user2025 Hash is more than just the photo taken, think of it like a Minecraft world seed, it uses a lot of other things, date / time is part of it, even if you take the photo which is exactly the same in terms of the cameras sensor, it will generate a new hash because of the date / time for example.