In an alternative universe where they built a remotely updated database, yes. But that’s not this universe.
I’m going to go further and say that people are doing a very bad job articulating why the incremental privacy risk of the scheme is significant, over the always-existent privacy risk of a proprietary vendor updating software they entirely control to scan data uploaded to a cloud service which guarantees no protection from vendor access. A later software update to include more hashes or whatever could always regress privacy.
One is a proprietary third-party, optional service acting against you, the other is your own device acting against you. That's the difference and it should be pretty easy to understand.
They also could embed the whole database into iOS and activate certain hashes only for certain iCloud accounts. No one would know because the database is encrypted multiple times.
They could do a lot of things. They’ve told us what they do. It’s not this. The FAQ released yesterday specifically says that users cannot be targeted.
> The same set of hashes is stored in the operating system of every iPhone and iPad user, so targeted attacks against only specific individuals are not possible under our design.
The problem with this sentence is that Apple assumes that they can't target specific individuals because every iPhone and iPad user has the exact same database in their iOS device.
But what if they have a hash in the database where they know that only one person has this exact image on their device? This way you could single out one individual with the same database.
