AI doesn’t understand context either — it can’t tell the difference between an innocent photo of a baby in a bathtub with a parent, a telehealth photo, or something malicious. Google is using AI in addition to hashing, and both systems can get it wrong. With AI you’re always dealing with confidence levels, not certainty. No model in history has ever had 100% confidence on anything.
A scanning system will never be perfect. But there is a better approach: what the FTC now requires Pornhub to do. Before an image is uploaded, the platform scans it; if it’s flagged as CSAM, it simply never enters the system. Platforms can set a low confidence threshold and block the upload entirely. If that creates too many false positives, you add an appeals process.
The key difference here is that upload-scanning stops distribution before it starts.
What Google is doing is scanning private cloud storage after upload and then destroying accounts when their AI misfires. That doesn’t prevent distribution — it just creates collateral damage.
It also floods NCMEC with automated false reports. Millions of photos get flagged, but only a tiny fraction lead to actual prosecutions. The system as it exists today isn’t working for platforms, law enforcement, or innocent users caught in the blast radius.
I’m the person who got banned. And just to be clear: the only reason I have my account back is because 404 Media covered it. Nobody else would touch the story because it happened to a nobody. There are probably a lot of “nobodies” in this thread who might someday need a reporter like Emanuel Maiberg to actually step in. I’m grateful he did.
The dataset had been online for six years. In my appeal I told Google exactly where the data came from — they ignored it. I was the one who reported it to C3P, and that’s why it finally came down. Even after Google flagged my Drive, the dataset stayed up for another two months.
So this idea that Google “did a good thing” and 404 somehow did something wrong is just absurd.
Im the developers who actually got banned because of this dataset. I used NudeNet offline to benchmark my on-device NSFW app Punge — nothing uploaded, nothing shared.
Your dataset wasn’t the problem. The real problem is that independent developers have zero access to the tools needed to detect CSAM, while Big Tech keeps those capabilities to itself.
Meanwhile, Google and other giants openly use massive datasets like LAION-5B — which also contained CSAM — without facing any consequences at all. Google even used early LAION data to train one of its own models. Nobody bans Google.
But when I touched NudeNet for legitimate testing, Google deleted 130,000+ files from my account, even though only ~700 images out of ~700,000 were actually problematic. That’s not safety — that’s a detection system wildly over firing with no independent oversight and no accountability.
Big Tech designed a world where they alone have the scanning tools and the immunity when those tools fail. Everyone else gets punished for their mistakes.
So yes — your dataset has done good. ANY data set is subject to this. There needs to be tools and process for all.
But let’s be honest about where the harm came from: a system rigged so only Big Tech can safely build or host datasets, while indie developers get wiped out by the exact same automated systems Big Tech exempts itself from.
I want to add some technical details, since this is a peeve I've also had for many years now:
The standard for this is Microsoft's PhotoDNA, a paid and gatekept software-as-a-service which maintains a database of "perceptual hashes." (Unlike cryptographic hashes, these are robust against common modifications).
It'd be very simple for Microsoft to release a small library which just wraps (1) the perceptual hash algorithm and provides (2) a bloom filter (or newer, similar structures, like an XOR filter) to allow developers to check set membership against it.
There are some concerns that an individual perceptual hash can be reversed to a create legible image, so I wouldn't expect or want that hash database to be widely available. But you almost certainly can't do the same with something like a bloom filter.
If Microsoft wanted to keep both the hash algorithm and even an XOR filter of the hash database proprietary, that's understandable. But then that's ok too, because we also have mature implementations of zero-knowledge set membership proofs.
The only reason I could see is that security-by-obscurity might be a strategy that makes it infeasible for people to find adversarial ways to defeat the proprietary secret-sauce in their perceptual hash algorithm. But I that means giving up opportunities to improve the algorithm, while excluding so many ways it could be useful to combat CSAM.
I’m not a CSAM-detection expert, but after my suspension I ended up doing a lot of research into how these systems work and where they fail. And one important point: Google isn’t just using PhotoDNA-style perceptual hashing.
They’re also running AI-based classifiers on Drive content, and that second layer is far more opaque and far more prone to false positives.
That’s how you get situations like mine: ~700 problematic images in a ~700k-image dataset triggered Google to delete 130,000+ completely unrelated files and shut down my entire developer ecosystem.
Hash-matching is predictable.
AI classification is not.
And Google’s hybrid pipeline:
isn’t independently vetted
isn’t externally audited
isn’t reproducible
has no recourse when it’s wrong
In practice, it’s a black box that can erase an innocent researcher or indie dev overnight. I wrote about this after experiencing it firsthand — how poisoned datasets + opaque AI detection create “weaponized false positives”:
https://medium.com/@russoatlarge_93541/weaponized-false-posi...
I agree with the point above: if open, developer-accessible perceptual hashing tools existed — even via bloom filters or ZK membership proofs — this entire class of collateral damage wouldn’t happen.
Instead, Big Tech keeps the detection tools proprietary while outsourcing the liability to everyone else. If their systems
are wrong, we pay the cost — not them.
> There are some concerns that an individual perceptual hash can be reversed to a create legible image,
Yeah no. Those hashes aren't big enough to encode any real image, and definitely not an image that would actually be either "useful" to yer basic pedo, or recognizable as a particular person. Maybe they could produce something that a diffusion model could refine back into something resembling the original... if the model had already been trained on a ton of similar material.
> If Microsoft wanted to keep both the hash algorithm and even an XOR filter of the hash database proprietary
That algorithm leaked years ago. Third party code generates exactly the same hashes on the same input. There are open-literature publications on creating collisions (which can be totally innocent images). They have no actual secrets left.
They're not very good at all (it just uses a GAN over a recovered bitmask), but it's reasonable for Microsoft to worry that every bit in that hash might be useful. I wouldn't want to distribute all those hashes on a hunch they could never be be used to recover images. I don't think any such thing would be possible, but that's just a hunch.
That said, I can't speak on the latter claim without a source. My understanding is that PhotoDNA still has proprietary implementation details that aren't generally available.
> They're not very good at all (it just uses a GAN over a recovered bitmask),
I think you're making my point here.
The first one's examples take hashes of known headshots, and recover really badly distorted headshots, which even occasionally vaguely resemble the original ones... but not enough that you'd know they were supposed to be the same person. Presumably if they had a better network, they'd get things that looked more human, but there's no sign they'd look more like the originals.
And to do even that, the GAN had to be trained over a database of... headshots. They can construct even more distorted headshots that collide with corporate logos. If they'd used a GAN trained on corporate logos, they would presumably get a distorted corporate logo when they tried to "reverse" any hash. A lot of the information there is coming from the model, not the hash.
The second one seems to be almost entirely about collisions. And the collisions they find are in fact among images that don't much resemble one another.
In the end, a PhotoDNA hash is 144 bytes, made from apparently a 26 by 26 pixel grayscale version of the original image (so 676 bytes). The information just isn't there. You might be able to recover the poses, but that's no more the original image than some stick figures would be, probably less.
Here's [the best "direct inversion" I can find](https://anishathalye.com/inverting-photodna/). That's still using machine learning, and therefore injects some information from the model... but without being trained on a narrow class of source images, it does really badly. Note that the first two sets of images are cherry picked; only the last set is representative, and those are basically unrecognizable.
Here's [a paper](https://eprint.iacr.org/2021/1531.pdf) where they generate collisions (within reasonable values for the adjustable matching threshold) that look nothing like the original pictures.
> That said, I can't speak on the latter claim without a source. My understanding is that PhotoDNA still has proprietary implementation details that aren't generally available.
For original PhotoDNA, only for basically irrelevant reasons. First, actually publishing a complete reverse-engineering of it would be against many people's values. Values aside, even admitting to having one, let alone publishing it, would probably draw some kind of flak. At least some and probably dozens of people have filled in the small gaps in the public descriptions. Even though those are unpublished, I don't think the effort involved in doing it again is enough to qualify it as "secret" any more.
Indeed, it probably would've been published regardless of those issues, except that there's no strong incentive to do so. Explanations of the general approach are public for people who care about that. For people who actually want to compute hashes, there are (binary) copies of Microsoft's actual implementation floating around in the wild, and there are [Python](https://github.com/jankais3r/pyPhotoDNA) and [Java](https://github.com/jankais3r/jPhotoDNA) wrappers for embedding that implementation in other code.
There are competitors, from openly disclosed (PDQ) to apparently far less fully reverse engineered (NeuralHash), plus probably ones I don't know about... but I think PhotoDNA is still dominant in actual use.
[On edit: but I probably shouldn't have said "third party code", since the public stuff is wrapped around Microsoft's implementation. I haven't personally seen a fully independent implementation, although I have reason to be comfortable in believing they exist.]
So, given your high technical acumen, why would expose yourself to goggle's previously demonstrated willingness to delete your career's and your life's archive of communications?
Stop using goggle!
It's as simple, and as necessary, as that.
No technically astute person should use ANY goggle services at this point...
I don't self-host everything. For example, I use Fastmail with custom domains. I think this spreads the risk.
Unfortunately, Google has a policy of "greylisting" domains it had not yet seen, so this increases friction with people on Google. I'm not even running my own email server :(
I'm running my email server on some famous VPS provider, and with properly configured server (SPF, DCIM), I didn't really get any problems sending emails.
Perhaps these folks should work together to make patches to the dataset to remove the problematic images?
E: But also make sure every image in the dataset is properly licensed. This would have eliminated this entirely from the get go. Playing fast and loose with the distribution rights to these images led to this problem.
700 CSAM images, even one is damning, but hundreds are often referred to as a cache or horde, normally anyone caught with that can wave bye-bye to thier life.
google should be fully accountable for possesion and distribution, perhaps even manufacturing.
Couldn't agree more. People thought that may happen when Google lost its case against the DOJ, but they got a tap on the wrist. Hopefully independent developers will file FTC complaints and prompt action.
You hit the nail on the head. Google now has buts on a hair trigger banning developers for life--I filed a complaint with the FTC, I hope all developers do
I’m not a developer but signed your change.org petition. Cant believe there are only 10 signature. there should be millions! These Oligarchs have us under their thumb — get moving people https://c.org/b8sLJX89Qq
Thank you so much -- it's tough for people to grasp that why i wrote the Medium post. To show the trend against amongst and the historical context of Big Tech icing out competition
On July 31, Google permanently disabled my account after alleging CSAM was in my Drive. The trigger: I had downloaded and unzipped NudeNet, a dataset hosted on Academic Torrents, which has been used in multiple academic studies.
When Google briefly restored my account weeks later, I discovered that ~136k files had been removed from the “nude” folder — but I was never told which ones. Using Drive Activity logs, I identified at least two specific file IDs that existed in July but were gone after restoration. Then my account was suspended again before I could complete full verification.
This creates a rare opportunity: * If these images are truly CSAM, the dataset owner needs to be notified immediately so researchers stop using it. * If they are false positives, that casts serious doubt on the reliability of Google’s detection methods — and highlights the risks for any researcher working with sensitive datasets.
I’m asking other researchers who have downloaded NudeNet to help: 1. Cross-check whether the missing file IDs I identified exist in your local copies. 2. If found, review whether they are actual violations or misclassifications. 3. If violations exist, notify the dataset owner. If not, this may be a critical case study of a false positive at scale.
It’s important because, in an era where science and research are under increasing scrutiny, researchers need places where they can safely download and share datasets without fear of retribution. If platforms or automated systems treat legitimate research datasets as contraband, it threatens not just one account, but the broader ecosystem of open science.
I built an on-device NSFW detector and used NudeNet, a public dataset hosted on Academic Torrents and cited in multiple research papers, to benchmark it. After uploading the dataset to Google Drive, my account was permanently suspended for “inappropriate material.”
When Google briefly reinstated my account, I discovered 130,000+ files had been silently deleted compared to the original ZIP. While verifying with the Drive Activity API, I was suspended again.
Before losing access, I confirmed actual filenames Google flagged — something they never disclose to users. Example (filename only — not an image):
nude_sexy_safe_v1_x320/training/nude/prefix_reddit_sub_latinasgw_2017! Can't believe it. Feliz año nuevo!-.jpg
This file exists in the public NudeNet dataset, which is widely cited in academic content moderation research.
Because in research circles, it is a good idea — or at least standard practice. Academic Torrents is a public data-sharing platform run for researchers, and the dataset is cited in peer-reviewed AI papers and used in university projects.
I wasn’t browsing porn — I was benchmarking an on-device NSFW detection model. I never reviewed every file; my workflow was automated preprocessing. The only “mistake” was unzipping it in Google Drive, not realizing Google scans those files automatically and can flag them without context.
If Google truly cares about stopping harmful content, why not give researchers the exact file names so they can verify and have dataset maintainers remove it? That’s how you improve the data and prevent future issues — assuming it was a violation at all and not a false positive.
The real issue is that whether it’s for research, unintentional, or a false positive, there’s no fair process outside of Google to resolve it. Instead of an immediate, irreversible account ban, they could quarantine the suspected files while preserving access to the rest of the account. That would protect both children and innocent users.
You’re making a serious accusation without evidence. I don’t know if the file in question was CSAM—because Google won’t tell me. We just have Google’s word for it.
What I do know is that I used publicly available datasets—like NudeNet and COCO—for benchmarking an NSFW detection model. These datasets have been used by researchers for years. If there was anything questionable in them, that should be addressed openly—not used as a reason to erase someone’s digital life without transparency or due process.
I’m not claiming academic immunity. I’m saying it was unintentional, and I had no idea anything I processed could have been flagged. And if there was something problematic in a dataset, I would absolutely want to identify and report it—but I can’t do that if Google refuses to disclose what was flagged.
This isn’t just about me. When a private company has the unchecked power to destroy someone’s livelihood overnight, it stops being a simple platform—it becomes a de facto utility. There needs to be a path for review, correction, and accountability.
A scanning system will never be perfect. But there is a better approach: what the FTC now requires Pornhub to do. Before an image is uploaded, the platform scans it; if it’s flagged as CSAM, it simply never enters the system. Platforms can set a low confidence threshold and block the upload entirely. If that creates too many false positives, you add an appeals process.
The key difference here is that upload-scanning stops distribution before it starts.
What Google is doing is scanning private cloud storage after upload and then destroying accounts when their AI misfires. That doesn’t prevent distribution — it just creates collateral damage.
It also floods NCMEC with automated false reports. Millions of photos get flagged, but only a tiny fraction lead to actual prosecutions. The system as it exists today isn’t working for platforms, law enforcement, or innocent users caught in the blast radius.
reply