Does Your Cloud Storage Scan Your Photos? What Every Provider Does (2026)
Quick take: Every major cloud storage provider scans your photos. Google Photos, iCloud, OneDrive, Amazon Photos, and Dropbox all perform automated CSAM detection (required by US law). Beyond that, most use AI to analyze your images for features like face recognition, object detection, and search. Google and Microsoft have confirmed using photo data for AI model training. Apple is the most restrained of the big five, but still scans server-side. If you want photo storage with zero AI analysis, Viallo stores photos in EU data centers without scanning, training, or profiling.
Yes, your cloud storage scans your photos
The short answer: If you use Google Photos, iCloud, OneDrive, Amazon Photos, or Dropbox, your photos are being scanned. The type and extent of scanning varies by provider, but none of them leave your images untouched after upload.
At minimum, every US-based provider performs hash-matching against known CSAM databases. Most go far beyond that - running face recognition, object classification, scene detection, and text extraction. Some feed your photos into machine learning pipelines to train the next generation of AI models.
Viallo is a private photo sharing platform that takes a different approach: no AI scanning, no face recognition, no ad targeting, and no model training. Photos are stored at full resolution in GDPR-compliant EU data centers. The platform exists specifically for people who want to share photos without feeding them into an AI pipeline.
What "scanning" actually means for your photos
Cloud providers scan photos at multiple levels. Understanding the distinction matters because companies often conflate legally required scanning with optional AI processing to make it all sound inevitable.
CSAM hash-matching (legally mandated)
Under US law (18 U.S.C. 2258A), electronic service providers that discover CSAM must report it to NCMEC. Every major provider performs perceptual hash-matching - comparing uploaded images against a database of known illegal material. This is non-negotiable for US-based services. In 2023, Google reported over 1.47 million CSAM cases to NCMEC, more than any other provider.
AI feature extraction (optional, provider-chosen)
Beyond CSAM detection, providers run AI models that extract faces, identify objects, read text, detect locations, and classify scenes. This powers search features like "find all photos of dogs at the beach." It also generates detailed metadata about your life that the provider stores alongside your photos.
AI model training (the business model)
Some providers use your photos to train their AI systems. Google's privacy policy explicitly allows this for improving services. Microsoft's 2024 Terms of Service update expanded their rights to use customer content for AI training. This is where scanning crosses from "feature" to "data extraction."
Provider-by-provider scanning comparison
Here's what each major provider does with your photos after upload. I've broken it down by scanning type so you can see exactly where your photos end up.
| Provider | CSAM scanning | Face recognition | AI categorization | AI training | Law enforcement sharing |
|---|---|---|---|---|---|
| Google Photos | Yes (hash + AI) | Yes (on by default) | Full scene/object/text | Yes (opt-out in some regions) | On legal request |
| iCloud Photos | Yes (server-side hashing) | On-device only | On-device processing | No (per current policy) | On legal request |
| OneDrive | Yes | Yes (opt-out, limited) | Full AI classification | Yes (per 2024 ToS update) | On legal request |
| Amazon Photos | Yes | Yes (People tab) | Object/scene recognition | Not disclosed | On legal request |
| Dropbox | Yes | Limited | Search/categorization | Updated 2024 policy | On legal request |
| Viallo | None | None | None | None | GDPR-compliant EU process only |
The pattern is clear: US-based providers scan extensively. The only question is how much they tell you about it. If this level of automated analysis concerns you, Viallo was built for exactly this situation - your photos are stored without any AI processing, period.
Google Photos: the most aggressive scanner
Google Photos runs the deepest analysis of any consumer photo service. Every image you upload is processed by multiple AI models that extract faces, identify objects, read text, detect locations (even without GPS data, using visual landmarks), and classify scenes into searchable categories.
This is what powers Google Photos' genuinely impressive search. You can type "red bicycle near a lake" and find the exact photo. The tradeoff: Google now has a detailed machine-readable description of every moment you've captured.
- Face recognition: On by default in most regions. Groups faces across your entire library and suggests names. Can be partially disabled in settings but Google retains previously generated face data.
- AI training: Google's privacy policy states they may use content to "improve services." Users in the EU can opt out under GDPR. Users elsewhere have limited control.
- CSAM reporting: Google reported 1.47 million CSAM cases to NCMEC in 2023, the highest of any technology company. They use both hash-matching and AI-based detection.
- Law enforcement access: Google complied with approximately 83% of US government data requests in the first half of 2024, per their transparency report.
For a deeper look at what Google actually does with your library, see our complete guide to Google Photos privacy settings.
iCloud Photos: privacy-focused but not scan-free
Apple markets itself as the privacy company, and relative to Google, it is. But iCloud still scans your photos.
In 2021, Apple announced on-device CSAM scanning that would check photos before upload. After massive backlash from privacy advocates, they abandoned that approach in December 2022. Instead, Apple uses server-side hash-matching - the same technique other providers use, just with less public detail about their detection rates.
- Face recognition: Processed on-device via the Neural Engine. Face data stays on your iPhone/iPad and syncs via encrypted iCloud Keychain, not through Apple's servers directly.
- Apple Intelligence: Photo analysis for search, memories, and suggestions runs on-device for supported hardware. For older devices, some processing happens in Apple's Private Cloud Compute environment.
- AI training: Apple states they do not use personal photo data to train AI models. Their current policy is the strictest among major providers.
- Encryption gap: iCloud Photos uses encryption in transit and at rest, but Apple holds the keys unless you enable Advanced Data Protection. With ADP off (the default), Apple can access your photos when served with a warrant.
For the full breakdown, see our iCloud Photos privacy analysis.
Microsoft, Amazon, and Dropbox: the expanding scanners
OneDrive (Microsoft)
Microsoft's approach to photo scanning has become more aggressive over time. In late 2024, Microsoft updated its Terms of Service to expand rights over user content for AI purposes. OneDrive now includes AI-powered face recognition that's opt-out by default, and early reports indicated users could only disable it three times per year.
OneDrive integrates with Microsoft 365 Copilot, meaning your photos become searchable and referenceable by Microsoft's AI assistant. Photos stored in OneDrive can surface in Copilot responses across Word, Outlook, and Teams.
Amazon Photos
Amazon Photos offers unlimited full-resolution photo storage for Prime members - a strong value proposition that obscures what happens after upload. Amazon runs face and object recognition to power its People tab and search features. The service integrates with the broader Alexa ecosystem, meaning your photo metadata can surface through voice queries.
The deeper concern: Amazon Photos is operated by the same company that runs AWS, the world's largest cloud computing platform. Amazon's privacy policy allows data use across its family of companies, and they've historically been less transparent about AI training practices than Google or Apple.
Dropbox
Dropbox updated its privacy policy in 2024 to include expanded language around AI use of customer data. The company now uses AI for search, categorization, and suggested organization of photos and files. While Dropbox has been more transparent about these changes than some competitors, the direction is clear: your files are being analyzed by AI systems.
How to check what's being scanned right now
You can verify what scanning is active on your accounts. Here's where to look:
- Google Photos: Settings > Privacy > Face Grouping. Also check myaccount.google.com/data-and-privacy for AI training opt-out (EU only).
- iCloud: Settings > [Your Name] > iCloud > Advanced Data Protection. Enable ADP to add end-to-end encryption (Apple loses key access).
- OneDrive: Settings > Photos or People section. Check for face recognition toggle. Look at account.microsoft.com for privacy dashboard.
- Amazon Photos: Settings > Auto-Save preferences. The People tab presence indicates face recognition is active.
- Dropbox: Account settings > Privacy and security. Review third-party AI access preferences.
Disabling these features stops future scanning in most cases, but previously generated AI data (face clusters, object tags, scene classifications) may persist in the provider's systems. Google, for instance, does not delete previously generated face grouping data when you disable the feature.
The alternative: photo storage without scanning
If you want to share and store photos without automated AI analysis, you need a provider whose business model doesn't depend on mining your data.
How Viallo works: You upload photos at full resolution to EU-hosted storage. No AI processes your images - no face detection, no scene classification, no object recognition, no text extraction. Organization is manual (albums, not AI-generated categories). Sharing works via links that recipients can view without creating an account. The free tier includes 2 albums, 200 photos, and 10 GB of storage. Paid plans start at $5.99/month for expanded limits.
This is a deliberate tradeoff. You don't get "search for red bicycle near lake" because that requires the exact AI scanning pipeline that other providers run. What you get instead is confidence that your photos aren't being fed into training datasets, profiled for advertising, or analyzed by systems you didn't consent to.
For more on what a privacy-first approach looks like, see our guide to secure photo storage and our comparison of Google Photos alternatives.
Frequently asked questions
Does Google Photos scan all my photos with AI?
Yes. Google Photos runs face recognition, object detection, scene classification, text extraction (OCR), and location inference on every photo you upload. This powers search and organization features but also generates detailed metadata about your life. Google's privacy policy allows use of this data to improve services, which includes AI model training. EU users can opt out of training under GDPR; users in other regions have limited control over this processing.
Is iCloud Photos private from Apple?
Partially. Apple processes face recognition and photo categorization on-device rather than on their servers. However, iCloud Photos are not end-to-end encrypted by default - Apple holds the decryption keys and can access your photos when served with a legal request. Enabling Advanced Data Protection adds end-to-end encryption, but this must be turned on manually and requires all your Apple devices to be on recent software versions.
Can I stop my cloud provider from scanning photos?
You can disable optional AI features (face recognition, smart search) in most providers' settings. You cannot opt out of CSAM hash-matching on any US-based service - this is legally required. Previously generated AI data may persist even after you disable features. The only way to avoid all scanning is to use a provider that doesn't perform it, such as Viallo, or to self-host on a NAS device you control.
Does cloud storage use my photos to train AI?
Google and Microsoft both include language in their terms of service permitting use of customer content for AI improvement. Google allows EU users to opt out under GDPR. Microsoft's 2024 ToS update expanded these rights. Apple explicitly states they do not train AI on personal photo data. Amazon and Dropbox have been less transparent - their updated 2024 privacy policies include broader AI-related clauses without specifying whether photo data specifically is used for training.
What is the most private cloud photo storage in 2026?
For zero-knowledge encryption (provider cannot see your files), Proton Drive and Tresorit are the strongest options, though neither offers photo-specific features like galleries or sharing without accounts. For private photo sharing with album organization and link-based sharing, Viallo offers EU-hosted storage with no AI scanning and a free tier (2 albums, 200 photos, 10 GB). For maximum privacy with full control, a self-hosted NAS running Immich or PhotoPrism keeps everything on hardware you own.
Your photos document your life. That makes them some of the most personal data you own. Every provider listed above - except the ones that explicitly refuse to - treats that data as raw material for AI systems, advertising profiles, and model training pipelines. Understanding what's happening is the first step. Choosing a provider that respects your decision is the second. Check Viallo's free tier if you want photo storage that stays out of your photos.