Society Issue #118

Korea Walks the Path Apple and the EU Abandoned

From July 1, every image uploaded to Korean communities gets AI-scanned — at operators' full expense, with no government subsidy.


This piece was originally for paid subscribers only, but at a reader’s request — and with the sentiment that it deserves a wider audience — it has been opened to everyone. Please share and subscribe. My thanks to James, who suggested making it public.

Opening

On April 30, Jin In-hwan, the operator of Ruliweb, posted a notice: “Starting July 1, every image must pass through AI filtering.” To post a single photo on a gaming community, you hit the upload button and an AI looks at it first.

The rationale is preventing the distribution of illegally filmed material. Few people dispute the goal itself. But the moment the measure became public, Korea’s major online communities — FM Korea, DC Inside, Clien — pushed back in unison. Around the same time, posts claiming “Korea is censoring all images with AI” began spreading abroad on Hacker News and Privacy Guides.

Let me give you the conclusion up front. This is not just a domestic regulatory issue. Apple and the EU both examined the same technology — and both stopped. Today, let’s trace where this road, which Korea alone is walking, actually leads.

July 1: What Happens to the Korean Internet

On April 28, 2026, the enforcement decree of the Telecommunications Business Act was amended. The core change fits in one line: the scope of mandatory pre-upload blocking of illegally filmed material was expanded from videos to images.

It takes effect July 1, with a 6-month grace period through year-end. The Broadcasting, Media and Communications Commission says it briefed operators on the schedule at a December session last year and sent multiple official notices since, but on the ground, operators are pleading that “sourcing the equipment is realistically difficult.”

The rule covers roughly 80 value-added telecommunications operators with annual revenue of ₩1 billion (~$730,000) or more, or an average of 100,000 daily users or more. Foreign operators like Google, Meta, and X are included if they have 100,000 or more Korean users — as are domestic communities like Ruliweb, FM Korea, and DC Inside.

Here is how it works. The Broadcasting, Media and Communications Standards Commission provides operators with digital identifiers (hash values) of illegally filmed material it has already reviewed and ruled on; when a user uploads an image, the operator checks it against those identifiers. If there is a match, the post is blocked. The AI is not interpreting the content of every image — it is matching against the digital fingerprints of previously confirmed illegal content. But whether it is matching or interpreting, every uploaded file still has to be checked server-side. The infrastructure burden is the same.

The problem is the infrastructure required to actually run this. The government’s recommended server specifications, published in 2021, are startling. You need a 3.7GHz 16-core CPU, 128GB of RAM, and at least 1 datacenter-class GPU with 48GB or more of VRAM. The GPU alone draws 250–300W, and the whole server draws over 2,000W. And there is one more critical condition. Under NVIDIA’s licensing policy, consumer GPUs — GeForce cards like the RTX 2060 or RTX 3060 — are restricted from datacenter use. The government’s own document recommends Quadro-class workstation products. Models like the NVIDIA A6000 fall into this category, and with semiconductor prices soaring in 2026, a single GPU runs several million won, and building one server costs anywhere from tens of millions to over a hundred million won.

And this cost is borne entirely by the operators. There is no government subsidy. The electricity and maintenance costs of running the servers also fall squarely on the operators.

This burden is not a new story, either. When AI filtering for video came into force first, FM Korea’s operator publicly complained back in 2022 that the resource burden was substantial. Now, with the expansion to images, the cost jumps again.

Ruliweb’s operator pointed out that “images or videos that would qualify as illegally filmed material almost never get uploaded to the sites covered by this mandate.” That cuts to the heart of it. FM Korea’s operator issued an official statement on May 28, this time raising the fairness problem head-on. Telegram and X (formerly Twitter), where illegally filmed material actually circulates, are also covered by the regulation. The commission has said it has “already issued corrective orders to more than 10 foreign operators.” But for platforms like Telegram that never register as businesses in Korea in the first place, there is no realistic means of forcing compliance. The operators’ core objection is that the actual distribution channels for illegally filmed material are concentrated precisely in these blind spots.

Of course, there is another view: the criticism that “mid-sized and large communities have borne no responsibility all this time.” Major foreign platforms at least operate age verification or content moderation systems of their own, while Korean communities have grown up without any such safeguards. The bigger problem, this argument goes, is that they effectively left illegally filmed material unattended — and this much obligation is one they should shoulder, even now. The view is not without merit.

But “they should take responsibility” and “how should we make them take responsibility” are different questions.

Here is the resulting picture. Domestic communities that have played by the rules face an infrastructure mandate costing upward of a hundred million won, while the foreign platforms at the epicenter of the problem sit outside the reach of the law. And the same GPUs — resources that could be powering local AI services or image-generation models — end up locked into what is effectively censorship infrastructure.

Apple and the EU Stopped at This Same Technology

The idea of automatically scanning images to catch illegal content is not unique to Korea.

In August 2021, Apple moved first. It announced a technology that would check photos on an iPhone against a database of child sexual abuse material (CSAM)[1] on-device, before they were uploaded to iCloud. The approach is called “client-side scanning.” The purpose was clear: protecting children.

Immediately after the announcement, the situation flipped. Starting with cryptographer Matthew Green, security researchers, the EFF[2], and privacy organizations issued a wave of opposing statements. The core concern was singular: “Once a scanning infrastructure is built, its search targets can be expanded at any time.” Today it serves child protection; tomorrow it could be used to search for political dissent or perfectly legal content.

Apple shelved the plan and has never officially revived it.

The EU followed a similar path. In 2022, the European Commission proposed legislation mandating automatic scanning of messages and images — the so-called “Chat Control.” Germany’s digital civil society groups and the European digital rights organization EDRi mounted organized opposition, calling it “opening the door to mass surveillance.” The bill drifted for over 3 years until, in late 2025, it effectively retreated — mandatory scanning was replaced with the roundabout phrase “risk mitigation measures.” The forced-scanning order was dropped, but room was left to pressure platforms into “voluntarily” monitoring content. On the surface it stepped back; it was never fully abandoned.

The wall Apple and the EU both ran into is what security experts call “mission creep”: a tool built for the narrow purpose of protecting children gradually broadens its search targets over time. From child sexual abuse material to terrorist content, from terrorism to copyright infringement, and on to political expression. Once a scanning infrastructure exists, changing the list of “what to search for” is all it takes to turn it into an entirely different tool.
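The match step described under “Here is how it works” and the list-swap point above, as an added illustration that is not from the original article or from any operator's or regulator's code. The 64-bit difference hash, the distance threshold, and every name and sample grid are assumptions constructed for the example; the article does not specify the commission's fingerprint algorithm.

```python
# Added illustration. The 64-bit difference hash and the distance threshold are
# assumptions; the article does not name the commission's fingerprint algorithm.

def dhash(pixels):
    """Fingerprint an 8-row x 9-column grayscale grid: one bit per adjacent pair."""
    bits = 0
    for row in pixels:
        for left, right in zip(row, row[1:]):
            bits = (bits << 1) | int(left > right)
    return bits

def hamming(a, b):
    """Number of differing bits between two fingerprints."""
    return bin(a ^ b).count("1")

class UploadGate:
    """Server-side pre-upload check. The operator holds only opaque integers
    supplied by the list authority and cannot tell what each one depicts."""

    def __init__(self, fingerprints, max_distance=6):
        self.fingerprints = set(fingerprints)
        self.max_distance = max_distance

    def check(self, pixels):
        h = dhash(pixels)
        hit = any(hamming(h, f) <= self.max_distance for f in self.fingerprints)
        return "blocked" if hit else "accepted"

def make_samples():
    """Constructed stand-ins for images (no real image data)."""
    ruled = [[20 * c if r % 2 == 0 else 20 * (8 - c) for c in range(9)]
             for r in range(8)]                      # item already ruled on
    copy = [[v + 3 for v in row] for row in ruled]   # brightened re-save of it
    copy[2][4] = 0                                   # plus one altered pixel
    unrelated = [[100 + 50 * (c % 2) for c in range(9)] for _ in range(8)]
    return ruled, copy, unrelated

def demo():
    ruled, copy, unrelated = make_samples()
    uploads = (ruled, copy, unrelated)
    gate = UploadGate([dhash(ruled)])
    before = [gate.check(img) for img in uploads]
    # Mission creep in one line: only the list changes, the code does not.
    gate.fingerprints.add(dhash(unrelated))
    after = [gate.check(img) for img in uploads]
    return before, after

if __name__ == "__main__":
    print(demo())
```

Nothing in the gate records why an entry is on the list, so any audit of what is being searched for has to happen at the list authority, not at the operator.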

The academic grounding for this argument came from “Bugs in our Pockets,” a 2021 paper by 14 international security researchers. Its conclusion is striking: even with Apple deploying top-tier security and cryptography experts, it failed to arrive at a system design that was safe, trustworthy, and effective. It demonstrated that “technically possible” and “safely operable” are entirely different questions.

Same Technology, Different Choices… What Made the Difference

Apple, the EU, Korea. All three had the identical goal of “blocking illegal content.” The underlying technology is nearly the same, too: automatically scan uploaded content, check it against a database, and determine whether it is illegal.

The outcomes diverged completely.

At Apple and in the EU, organized pushback from civil society and the tech community did its work. Security researchers published papers on the technical risks, civic groups ran campaigns, and the media covered it intensively. A consensus formed that “even if it is technically possible, it is socially unacceptable.”

In Korea, a different context was at work. The 2020 Telegram Nth Room case left a deep scar on society and forged a social consensus around forceful responses to digital sex crimes. The amendment to the Telecommunications Business Act (the so-called “Nth Room Prevention Act”) was promulgated in June 2020 with bipartisan agreement, and video filtering took effect in 2021. This enforcement-decree amendment now extends it to images. The civic group Open Net filed a constitutional complaint, but in October 2025 the Constitutional Court dismissed it, holding in essence that the scheme “does not constitute prior censorship.”

Note the speed. The image-expansion decree was amended on April 28, and just 2 weeks later, on May 14, a related follow-up bill passed the National Assembly plenary: 252 in favor, 12 against, out of 272 present. Overwhelming. It means both ruling and opposition parties agree on this direction — and it also means that voicing opposition on this issue is itself politically difficult.

What is interesting is the temperature of domestic opinion around this. There is buzz only in a handful of IT communities like GeekNews and Clien; the mainstream press and general public are astonishingly quiet. If anything, it is louder abroad. It hit the Hacker News front page, and a debate is running on Privacy Guides. The reason domestic pushback is muted is simple. The post-Nth Room consensus is so powerful that saying “I oppose this regulation” can be heard as saying “I am willing to stand by while digital sex crimes happen.” It has become an issue that is politically impossible to oppose.

The stronger a social consensus, the narrower the space for counterarguments. That is natural. The problem is that the strength of a consensus does not guarantee the effectiveness of a regulation.

The irony is that if you look at where illegally filmed material actually circulates, Telegram and platforms hosted on foreign servers dominate. On paper, foreign operators are covered, and the government has indeed issued corrective orders. But against platforms that never register as businesses in Korea, there is effectively no tool to force compliance. The net is tightly woven — but in the waters where the most fish swim, the net does not work. The real weight of the regulation lands on the domestic operators who were already following the rules.

What worries me more is what happens once this structure hardens. As domestic communities’ operating costs rise, users migrate to unregulated foreign platforms. As foreign platforms gain users, the surface area where illegal content can circulate actually grows. The regulation ends up undermining its own purpose — a genuine paradox.

Oswarld’s Take

To be honest, watching this unfold reminded me of a failure pattern I have seen countless times in my years of building technology strategy.

“Pouring resources into the channel you can control, rather than the channel where the customers are.”

There is a mistake companies make constantly when entering a market. The channels where actual customers gather are hard to touch, so they concentrate resources on the channels they can control. Investing where you have control produces clean reports — but no actual results.

This regulation has the same structure. Domestic communities are the territory the government can control. Telegram is the territory it cannot. Imposing obligations where you have control produces the administrative achievement of “measures were taken.” But the place where the problem actually happens remains untouched.

And there is one more thing I want to flag. How the international community sees this. Do you know how Hacker News is describing Korea right now? “The only democracy running blanket AI image scanning.” AI is an industry that has to attract global talent and investment, and once the perception of “a country that surveils its citizens with AI” spreads through the tech community, it does not wash off easily.

Digital sex crimes must be eradicated. I have no quarrel with the regulation’s purpose. But a regulation whose effectiveness is unproven, whose costs are simply shifted onto the private sector, and which cannot touch the core distribution channels — that is bad design in service of a legitimate goal.

Closing

To sum up: Korea has put into practice the automatic image scanning that Apple and the EU halted over privacy concerns. But the targets of the regulation (domestic communities) and the location of the problem (foreign platforms) are misaligned, and the international community is watching Korea as “a precedent for surveillance infrastructure.”

The legitimacy of a goal does not excuse flaws in the design. If you want to dig deeper into this topic, I recommend starting from Chapter 2 of the “Bugs in our Pockets” paper below.

What do you make of this measure? Between the goal of eradicating illegally filmed material and the means of blanket surveillance, where should the line be drawn? I would love to hear your thoughts in the comments.

References & Further Reading

Primary sources

Background

The author, Kwangseob Ahn, is a professor of business administration at Sejong University and lead consultant at OBF (Oswarld Boutique Consulting Firm). He teaches statistics and data analysis — including business data management and business analytics — at the university, while leading GTM strategy and AI strategy consulting in the field, designing the interface between technology and business. He has published academic research on memory architecture for AI conversational systems (HEMA) and runs Daily Arxiv, a project curating global AI papers every day. He completed a master’s program at Korea University’s Graduate School of Technology Management and its KMBA. He is the author of “Those Who Outsource Their Thinking: Homo Brainless”.

Footnotes

  1. CSAM (Child Sexual Abuse Material): The international standard term for material depicting the sexual exploitation of children. The older term “child pornography” is being phased out in favor of CSAM to prevent secondary harm to victims.

  2. EFF (Electronic Frontier Foundation): A US digital rights organization founded in 1990. It advocates for internet freedom, privacy, and free expression, leading related litigation and campaigns.