Bob is found with a file of pseudo-random data that matches a hash on the database.
There's no evidence of other images of child sexual abuse on his machine; there's no history of sites that distribute images of child sexual abuse; there's no history of the file being opened by Bob; Bob claims that he didn't know the file was there and he doesn't know what it is.
How does that benefit an attacker? How does that benefit an attacker more than just taking actual images of child sexual abuse and putting those on Bob's computer?
I don't know the laws in the US; are the police obligated to respond if someone warns them of this event? (Bob has a file matching a "bad hash".) How seriously - will there be a polite guy knocking on the door, or a SWAT team at 3 am? If nothing is found, and another such event occurs next month, will they have to check again?
People can come up with crazy scenarios for anything :)
>"[t]he duty to provide public services is owed to the public at large, and, absent a special relationship between the police and an individual, no specific legal duty exists."
That's not how this works. When a service provider detects a match, they send the file when they report the match. They don't just say "hey, some file matched this hash" and then SWAT kicks down the door, because that would be stupid. They send the file, NCMEC looks at it, and then forwards it to law enforcement who also looks at it. If it's a random file that happens to collide, NCMEC won't send it to law enforcement, and if they did, law enforcement wouldn't act on it.