Apple discovered child porn in user’s email account, tipped off police, warrant reveals

A search warrant filed against tech giant Apple last month offered new insight into how the technology company helps law enforcement in child sex abuse cases.

The warrant, first noticed by Forbes contributor Thomas Brewster, was filed by a federal law enforcement officer in western Washington state earlier this year, according to documents obtained by The Desk. The warrant is being published here in full for the first time.

Late last year, an individual using the iCloud account slave524@icloud.com reportedly sent multiple files depicting child pornography, according to a law enforcement affidavit. iCloud accounts are offered by Apple to users of its devices like Mac computers and iPhones.

Apple and other tech companies are known to use databases that contain previously-identified images of child pornography. Those databases are used in combination with machine learning techniques that “scan” a user’s email messages for hashes, or digital tags, when someone attempts to send an image that resembles one in the databases.

That’s apparently what happened in September 2019 when several messages reportedly sent from the slave524@icloud.com account were intercepted and quarantined by Apple. An employee reviewed the files and sent a tip to the Seattle Internet Crimes Against Children Task Force, which then forwarded the information to the Department of Homeland Security.

In the tip, an Apple employee said eight email messages containing a total of 16 image files were intercepted by the company. Some of the files contained the same image, said the employee, who suspected slave524@icloud.com sent the same files over and over again and eventually gave up when they weren’t being delivered.

A total of three images were used as the basis for the search warrant.

The affidavit, filed by Department of Homeland Security Special Agent Toby Ledgerwood, names Jon Lakey as the suspect in the case. An internet search conducted late Tuesday evening for the username slave524 returned a Twitter account under Lakey’s name. A text message sent on Tuesday to a phone number listed for Lakey in the search warrant was not returned.

Federal authorities have not announced charges against Lakey, and a search of federal court records did not return any criminal cases filed against him, though the court records are likely under seal pending an indictment. Lakey was not in custody at either the Whatcom County or King County jails, according to a search of inmate logs, though federal marshals may have him in custody somewhere else.

The warrant demanded unencrypted account information from Apple related to the iCloud account slave524@icloud.com, including subscriber and payment information as well as whether the account was registered on any other Apple device. It was executed at Apple’s headquarters in Cupertino on January 28; a copy of the data was provided to federal investigators in a Zip folder, according to documents reviewed by The Desk.

Apple’s use of scanning techniques was not exactly a secret. During a keynote address at this year’s Consumer Electronics Show, Apple’s Chief Privacy Officer Jane Horvath acknowledged the company used scanning techniques to flag images of suspected child exploitation.

Horvath said the company scanned files sent via iCloud email addresses or uploaded to Apple’s cloud storage services against a database containing digital fingerprints associated with known child pornography. If there’s a hit, the email or file is quarantined and the user is locked out of their account, Horvath said.

The system used by Apple is similar to one developed by Microsoft called PhotoDNA that electronically tags known images of child pornography so they can be found when users send or receive those photographs electronically, even if a person modifies the original image file.

The software is used by Microsoft’s own Bing and OneDrive services. The company licenses the technology to Google, Facebook, Twitter, Adobe and others for free.

Horvath said the system does not conflict with Apple’s strong encryption protocols on its hardware devices and software-based services, which Apple rolled out to users by default following disclosures of warrantless mass surveillance by federal authorities in 2013. Since those disclosures, Apple has rejected calls from the FBI and other law enforcement agencies to help break into devices used by suspected terrorists, saying it could weaken security for tens of millions of innocent users.

That resistance has earned Apple a reputation of being unwilling to cooperate with federal authorities in criminal matters, but Horvath’s comments last month and the warrant revealed last week show Apple is willing to cooperate — and even tip off the police — when it suspects its users are committing child sex crimes.