If it uses a hash of an image, does that mean an edited image (eg cropped or resized) wouldn't be detected? Or is there a way to extend a single hash to multiple image variants? I imagine the answer is no, but I would also like to be optimistic and think even detecting the original version would stop a lot of NCII sharing (ie it's not a perfect solution, but still helpful).
Here's an article on how a few different image hashing algorithms work https://content-blockchain.org/research/testing-different-im.... I think in general they still function with resizing (and a few other image manipulations), but I don't think they handle cropping.
Cropping does seem like a harder problem, in the sense that there's no "clever" (high compute efficiency) solution available. The only thing that comes to mind is the brute-force approach of comparing normalized small tiles instead of whole images, which would involve exponentially more compute effort. Interestingly, the article you cite mentions rotation and skewing, which make both clever and brute-force approaches even more expensive and/or less effective. Certainly seems like a target-rich environment for research.
> does that mean an edited image (eg cropped or resized) wouldn't be detected?
Depends on the hash, and I also wouldn't be surprised if "fingerprint" turned out to be a more accurate term. This is a PR document, after all. ;) You can normalize things like resolution and color balance, and create a hash/fingerprint that's a concatenation of hashes for portions of the image, which would allow some degree of useful comparison despite many kinds of changes. Similar techniques have been used to detect copyright violations as well, so there are technological precedents. The real question is implementation quality.
While this article is on sound fingerprinting it does talk about image fingerprinting, the algorithm finds "significant" points in the image and as such can still work because it looks at their positions respective to each other, which will still hold after scaling or rotating. And cropping is likely to remove content lacking such features, so it can handle that as well.
Yup, PDQ (https://github.com/facebook/ThreatExchange/tree/main/pdq) and MD5- https://stopncii.org/faq/. MD5 is a cryptographic hash, which means that even a single bit changed gives you an entirely different hash. This usually precludes any attacks to try and deliberately generate collisions, but also means it's harder to match “benign” changes - for example, many platforms re-encode videos as part of the upload process (reducing resolution, changing formats, etc). However, many platforms skip re-encoding, so MD5 can have better results than you might think at first glance. The more bits you take from the original content, the harder you can make it to bypass, but the more you might have to worry about capturing enough that you might compromise the privacy of the original submitter. For the program, StopNCII picked a set of tradeoffs between those two tensions, and are keeping a close eye on how effective it is, and will iterate if need be.
