West Virginia’s Anti-Apple CSAM Lawsuit Would Help Child Predators Walk Free

from the a-huge-fuckup dept

West Virginia Attorney General JB McCuskey wants you to think he’s protecting children. His press release says so. His legal complaint opens with the genuinely horrific line that Apple has, in internal communications, described itself as the “greatest platform for distributing child porn.” He makes sure you know that Google made 1.47 million CSAM reports to the National Center for Missing and Exploited Children (NCMEC) in 2023 while Apple made just 267. He is, as politicians love to say, fighting for the kids.

What he is actually doing, if he succeeds, is building an extraordinarily effective legal defense mechanism for child predators.

This feels difficult for some people—including, apparently, the Attorney Freaking General of West Virginia—to mentally wrap their heads around, but it’s important: the legal approach he’s taking will help child predators massively if he succeeds. The fact that West Virginia’s AG office—staffed with actual lawyers, supplemented by outside private counsel—apparently didn’t bother to read the existing Fourth Amendment jurisprudence before filing this case is, frankly, staggering.

The complaint is a “first-of-its-kind government lawsuit,” as McCuskey’s office proudly announced, targeting Apple’s “failure to detect and report CSAM on iCloud.” It alleges strict liability for design defect, negligence, public nuisance, and violations of the West Virginia Consumer Credit and Protection Act. It demands injunctive relief requiring Apple to “implement effective CSAM detection measures.” It specifically points to the PhotoDNA detection system used by Google and Meta, and to Apple’s own abandoned NeuralHash client-side scanning project, as evidence of feasible alternatives that Apple is choosing not to use.

Here is the part McCuskey’s complaint does not engage with: the moment a court orders Apple to conduct those scans, any CSAM those scans find becomes evidence obtained through a warrantless government search—and under well-established Fourth Amendment doctrine, that evidence gets excluded. Defense attorneys will move to suppress it. They will win. And without the CSAM itself as evidence, convictions become nearly impossible.

The constitutional mechanics here are well-established, and were laid out in excruciating detail a year and a half ago right here on Techdirt by Stanford’s Riana Pfefferkorn when a very similar private class action lawsuit against Apple was filed in Northern California federal court. Her analysis deserves to be quoted at length, because it goes to the heart of why McCuskey’s lawsuit is not just misguided but actively counterproductive:

While the Fourth Amendment applies only to the government and not to private actors, the government can’t use a private actor to carry out a search it couldn’t constitutionally do itself. If the government compels or pressures a private actor to search, or the private actor searches primarily to serve the government’s interests rather than its own, then the private actor counts as a government agent for purposes of the search, which must then abide by the Fourth Amendment, otherwise the remedy is exclusion.

If the government – legislative, executive, or judiciary – forces a cloud storage provider to scan users’ files for CSAM, that makes the provider a government agent, meaning the scans require a warrant, which a cloud services company has no power to get, making those scans unconstitutional searches. Any CSAM they find (plus any other downstream evidence stemming from the initial unlawful scan) will probably get excluded, but it’s hard to convict people for CSAM without using the CSAM as evidence, making acquittals likelier. Which defeats the purpose of compelling the scans in the first place.

Read that again. If West Virginia wins—if an actual court orders Apple to start scanning iCloud for CSAM—then every image flagged by those mandated scans becomes evidence obtained through a warrantless government search conducted without probable cause. The Fourth Amendment’s exclusionary rule means defense attorneys get to walk into court and demand that evidence be thrown out. And they’ll win that motion. It’s not even a particularly hard case to make.

This is not a novel concern that McCuskey can plausibly claim he didn’t know about. As Pfefferkorn noted:

As my latest publication (based on interviews with dozens of people) describes, all the stakeholders involved in combating online CSAM – tech companies, law enforcement, prosecutors, NCMEC, etc. – are excruciatingly aware of the “government agent” dilemma, and they all take great care to stay very far away from potentially crossing that constitutional line. Everyone scrupulously preserves the voluntary, independent nature of online platforms’ decisions about whether and how to search for CSAM. 

There is a reason Congress, when it enacted the federal statute requiring providers to report CSAM when they find it, explicitly included a disclaimer that providers cannot be forced to search for it. The statute was deliberately written this way. Congress understood the constitutional trap.

This careful architecture matters. The people actually working to protect children from CSAM—prosecutors, investigators, NCMEC analysts, trust and safety professionals—have spent years building a legally sound framework where platforms voluntarily detect and report this material in ways that preserve prosecutorial viability. That framework depends entirely on the voluntariness of the detection. McCuskey’s lawsuit would bulldoze it.

Pfefferkorn put it bluntly about the earlier private lawsuit:

Any competent plaintiff’s counsel should have figured this out before filing a lawsuit asking a federal court to make Apple start scanning iCloud for CSAM, thereby making Apple a government agent, thereby turning the compelled iCloud scans into unconstitutional searches, thereby making it likelier for any iCloud user who gets caught to walk free, thereby shooting themselves in the foot, doing a disservice to their client, making the situation worse than the status quo, and causing a major setback in the fight for child safety online. 

That was written about private plaintiff’s attorneys making this mistake. Here we have an Attorney General—representing the State of West Virginia, invoking the state’s “parens patriae” authority over children—making the exact same mistake, only this time with the full weight of the government behind it. When the government compels a search, the state agent doctrine doesn’t just possibly apply. It almost certainly does. By definition.

The complaint makes much of Apple’s short-lived NeuralHash project, announced in August 2021 and quietly shelved by December 2022. The press release from McCuskey’s office frames Apple’s abandonment of NeuralHash as evidence of bad faith—the company caved to “a vocal minority of purported privacy advocates,” in the complaint’s framing, choosing brand value over child safety.

What the complaint skips over is why the security community reacted so strongly to NeuralHash in the first place. We covered it at the time: the core objection from security researchers wasn’t that detecting CSAM is bad. It was that you cannot build client-side scanning infrastructure that only scans for CSAM. Once you build the pipe, you have built the pipe.

The same mechanism Apple would use to match photos against an NCMEC hash database could be used—by Apple, under government compulsion, or by adversarial actors who compromise the system—to scan for political speech, religious content, or anything else a government wants to find. The EFF called it “a backdoor to increased surveillance and censorship around the world.” WhatsApp called it “a surveillance system that could very easily be used to scan private content for anything they or a government decides it wants to control.”

Apple’s own director of user privacy and child safety, Erik Neuenschwander, wrote in a letter explaining how dangerous the company’s scanning plan was:

Scanning every user’s privately stored iCloud content would in our estimation pose serious unintended consequences for our users. Threats to user data are undeniably growing – globally the total number of data breaches more than tripled between 2013 and 2021, exposing 1.1 billion personal records in 2021 alone. As threats become increasingly sophisticated, we are committed to providing our users with the best data security in the world, and we constantly identify and mitigate emerging threats to users’ personal data, on device and in the cloud. Scanning every user’s privately stored iCloud data would create new threat vectors for data thieves to find and exploit.

It would also inject the potential for a slippery slope of unintended consequences. Scanning for one type of content, for instance, opens the door for bulk surveillance and could create a desire to search other encrypted messaging systems across content types (such as images, videos, text, or audio) and content categories. How can users be assured that a tool for one type of surveillance has not been reconfigured to surveil for other content such as political activity or religious persecution? Tools of mass surveillance have widespread negative implications for freedom of speech and, by extension, democracy as a whole. Also, designing this technology for one government could require applications for other countries across new data types.

Scanning systems are also not foolproof and there is documented evidence from other platforms that innocent parties have been swept into dystopian dragnets that have made them victims when they have done nothing more than share perfectly normal and appropriate pictures of their babies.

McCuskey’s complaint calls these representations “false and/or misleading” because they contradict Apple’s earlier reassurances that NeuralHash was narrowly tailored. But those security concerns are real regardless of how Apple marketed the tool—and the fact that Apple made optimistic promises about NeuralHash in 2021 doesn’t mean the subsequent concerns that emerged were wrong.

The complaint’s treatment of encryption more broadly is where the legal theory becomes genuinely dangerous, not just to this case, but to security infrastructure generally. Count I—strict liability for design defect—alleges that by choosing to implement end-to-end encryption and not build surveillance capabilities into iCloud, Apple has defectively designed its product.

Think through what that means if it succeeds. Any company offering customers strong encryption becomes potentially liable for design defects unless it simultaneously builds government-accessible backdoors. Signal is a defective product. ProtonMail is a defective product. Any messaging app that doesn’t scan your conversations for the government is a defective product.

That’s not a narrow CSAM-specific argument. That’s a declaration that encryption itself is a tortious product choice—an existential threat to the security tools that protect journalists, activists, abuse survivors, and yes, children themselves. Security experts have been fighting this exact framing for decades, and here it is appearing in a West Virginia circuit court complaint dressed up as consumer protection law.

The consumer protection angle is also worth noting. The complaint argues that Apple’s privacy policy constitutes a material misrepresentation that misled West Virginia consumers. But look at what Apple’s policy actually says. It doesn’t promise comprehensive CSAM scanning. It lists circumstances under which Apple “may” access personal data, including the ability to “prescreen or scan uploaded content for potentially illegal content, including child sexual exploitation material.”

That’s disclosure of a capability, not a promise of comprehensive deployment—a CYA for what Apple might do, not a commitment to what it will do. McCuskey’s complaint pretends Apple promised universal scanning. No one reading the actual policy in good faith could reach that conclusion.

But even setting aside the misrepresentation of Apple’s policy language, the AG’s remedy gives the game away. He doesn’t just want Apple to clarify its privacy disclosures. He wants Apple to actually implement the scanning he claims the policy promised. Which brings us right back to the Fourth Amendment trap. The remedy is what makes this lawsuit dangerous.

There is something else worth noting about how this lawsuit was filed. The signature block on the complaint lists not only the West Virginia AG’s office but also outside private counsel—Troy N. Giatras and Matthew Stonestreet of The Giatras Law Firm—appointed as “Special Assistant Attorneys General.”

This arrangement is common in mass tort litigation: private lawyers sometimes pitch state AGs on filing suits that might generate large settlements, then take a cut when they do. Nothing about that is necessarily improper. But it does invite the question of whether the legal theory here was pressure-tested for constitutional viability or pressure-tested for settlement potential.

Here’s the cynical read: maybe no one involved actually expects this to go to judgment. Big Tech company + horrific subject matter + “first-of-its-kind” headline = a strong opening bid in a negotiation. If the goal is litigation pressure to extract voluntary changes from Apple—or just a settlement check—the Fourth Amendment analysis is irrelevant to the AG’s actual strategy. Apple pays something, McCuskey declares victory, gets his headlines, and everyone moves on.

But that calculation requires Apple to fold. And if Apple doesn’t—if this actually proceeds to the remedy stage—the constitutional trap springs shut on every subsequent prosecution. Apple should also recognize that folding here just invites 49 other AGs to file copycat suits demanding the same thing.

Did no one in West Virginia consider that the reason this lawsuit was a “first of its kind” is because everyone who actually knows what they’re doing knows this lawsuit would do real damage? As Pfefferkorn noted in her original piece for us in the summer of 2024 regarding the private class action lawsuit:

The reason nobody’s filed a lawsuit like this against Apple to date, despite years of complaints from left, right, and center about Apple’s ostensibly lackadaisical approach to CSAM detection in iCloud, isn’t because nobody’s thought of it before. It’s because they thought of it and they did their fucking legal research first. And then they backed away slowly from the computer, grateful to have narrowly avoided turning themselves into useful idiots for pedophiles. But now these lawyers have apparently decided to volunteer as tribute. If their gambit backfires, they’ll be the ones responsible for the consequences.

If the goal is actually to protect children, the path forward involves working with platforms on voluntary detection improvements, adequately funding NCMEC, prosecuting offenders whose crimes come to light through existing reporting mechanisms, and addressing the genuinely hard policy questions around encryption without destroying Fourth Amendment protections that also protect, among other people, children.

What the goal does not involve—cannot involve, under current constitutional law—is a state AG filing a headline-grabbing lawsuit to force mass warrantless surveillance of private cloud storage. That’s not child protection. That’s political theater with catastrophic potential consequences for the actual prosecution of the people the AG claims to be after.

McCuskey got his press conference and his headline. What he has not done is help any child in West Virginia. The only people who stand to benefit from his success are the predators whose prosecutions will collapse when the evidence gets thrown out.

Filed Under: 4th amendment, csam, encryption, icloud, jb mccuskey, west virginia

Companies: apple