Best Practices for Reducing the Availability of CSAM on Internet Based Services
Offenders seeking to distribute CSAM on the internet deliberately seek out online services whose design characteristics they view as favourable to their harmful objectives.
Through research and direct feedback from industry, Project Arachnid has identified a number of best practices that dramatically reduce the risk that users will exploit an online service to distribute CSAM. The effectiveness of any single practice varies with the characteristics of the service it is applied to, but when they are deployed together as a layered approach they have been shown to be extremely effective at curbing the spread of CSAM.
The following are some of the most common recommended practices:
Proactive detection of known CSAM (upload prevention)
The upload of known CSAM can be prevented using content scanning APIs such as the no-cost CSAM scanning service provided through Shield by Project Arachnid. High-volume services that require a local scanning solution can instead match uploads against a hash database on their own infrastructure rather than calling a content scanning API. Known CSAM hash databases are available from several sources, such as the Project Arachnid Hash list and the IWF image hash list. Note that hash matching only identifies copies of material that has already been classified and added to a list; it does not detect previously unseen material, and the match should be performed before the uploaded content becomes retrievable by anyone. Please contact us for information on how to apply for access to the Project Arachnid Hash list.
Restrict uploads from anonymization networks
Users attempting to upload CSAM often use anonymization networks like Tor to prevent the exposure of their true IP address. The Tor Project publishes a current list of exit nodes, which allows online service providers to identify users accessing their service via the Tor network. A service can then restrict access to abuse-prone features such as file upload for those users, or reject requests from Tor exit addresses entirely. Because exit nodes change frequently, the list must be refreshed regularly, and the address compared against it must be the one the service actually sees on the connection (or one set by a trusted reverse proxy), not a client-supplied header.
Restrict uploads from VPN services and anonymous proxies
To prevent exposing their true IP address, users attempting to upload CSAM may also use VPNs and/or anonymous proxies. Service providers can use several commercial APIs and databases to identify IP addresses belonging to VPN services and anonymous proxies, allowing them to limit access to abuse-prone features such as file upload, or to reject VPN and anonymous proxy users entirely. As with the Tor exit list, this data must be kept current and applied to the connection address the service observes.
Require user registration for upload
Allowing anonymous, non-registered users to upload content increases an online service's risk of inadvertently facilitating the distribution of CSAM. Requiring user registration, including details such as name and email address, before allowing an upload creates a disincentive that may discourage users from attempting to use the service for CSAM distribution. Services that expose an upload API should apply equally robust registration requirements to API credentials, because automation greatly increases the volume of CSAM a single account can distribute.
Restrict the use of temporary / disposable email services for registration / signup
Even if a service provider implements the recommended user registration, including a valid email address, those uploading CSAM may use temporary or disposable email services to register without divulging an identifiable address. Combined with other anonymization tactics, this still allows anonymous CSAM distribution on services that require registration. Operators can block registrations from disposable email domains, either by maintaining their own list of such domains or by using the free, publicly available lists.
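The four controls above (Tor exit list, VPN/proxy ranges, mandatory registration, disposable email domains) can be evaluated together as one gate in front of the upload feature. The following is an added example, not Project Arachnid code or any vendor's API: the list contents are constructed samples in documentation address ranges and reserved example domains; in production they would be loaded from the Tor Project's published exit list, a commercial VPN/proxy database and a disposable-domain list, and refreshed on a schedule. The list file format (one address, CIDR range or domain per line, `#` comments ignored) is an assumption; check the format of whichever list you actually fetch.

```python
"""Layered upload/registration gate (added example, not Project Arachnid code)."""
import ipaddress

# Constructed sample of a Tor exit list: one exit address per line.
TOR_EXIT_LIST_TEXT = """\
# Tor exit list (constructed sample, documentation addresses)
198.51.100.7
198.51.100.8
2001:db8:100::9
"""

# Constructed sample of a VPN / anonymous-proxy range list in CIDR form.
VPN_PROXY_RANGES_TEXT = """\
203.0.113.0/24
2001:db8:200::/48
"""

# Constructed sample of a disposable-email-domain list.
DISPOSABLE_DOMAINS_TEXT = """\
tempmail.example
throwaway.example
"""


def parse_ip_list(text):
    """Parse IPs/CIDRs (one per line, '#' comments) into ip_network objects.
    A bare address becomes a /32 or /128 network, so one lookup handles both."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def parse_domain_list(text):
    """Lowercase, trailing-dot-free set of domains from a one-per-line list."""
    return {
        line.split("#", 1)[0].strip().lower().rstrip(".")
        for line in text.splitlines()
        if line.split("#", 1)[0].strip()
    }


def ip_in_ranges(ip_str, nets):
    """True if ip_str falls inside any listed network (mixed IPv4/IPv6 is fine:
    ip_network membership returns False across address families)."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in nets)


def email_domain(email):
    """Normalized domain part of an address, or None if it is malformed."""
    if email.count("@") != 1:
        return None
    local, domain = email.rsplit("@", 1)
    domain = domain.strip().lower().rstrip(".")
    if not local or not domain or "." not in domain:
        return None
    return domain


def is_disposable(email, disposable_domains):
    """True if the domain or any parent domain is listed, so that
    'user@mx1.tempmail.example' is caught by a 'tempmail.example' entry.
    A malformed address fails closed."""
    domain = email_domain(email)
    if domain is None:
        return True
    labels = domain.split(".")
    # Stop before the bare top-level label; a list should never contain a TLD.
    return any(".".join(labels[i:]) in disposable_domains for i in range(len(labels) - 1))


class UploadPolicy:
    """Evaluates every layer and reports all reasons, not just the first hit,
    so that logs show the full picture for a rejected request."""

    def __init__(self, tor_text, vpn_text, disposable_text):
        self.tor_exits = parse_ip_list(tor_text)
        self.vpn_ranges = parse_ip_list(vpn_text)
        self.disposable = parse_domain_list(disposable_text)

    def evaluate(self, client_ip, account_email):
        """client_ip must be the peer address the server observed (or one set
        by a trusted reverse proxy), never a client-supplied header value.
        account_email is None for an unregistered (anonymous) request.
        Returns (allowed, reasons)."""
        reasons = []
        if ip_in_ranges(client_ip, self.tor_exits):
            reasons.append("tor_exit")
        if ip_in_ranges(client_ip, self.vpn_ranges):
            reasons.append("vpn_or_proxy")
        if account_email is None:
            reasons.append("unregistered")
        elif is_disposable(account_email, self.disposable):
            reasons.append("disposable_email")
        return (not reasons, reasons)


if __name__ == "__main__":
    policy = UploadPolicy(TOR_EXIT_LIST_TEXT, VPN_PROXY_RANGES_TEXT, DISPOSABLE_DOMAINS_TEXT)
    print(policy.evaluate("192.0.2.10", "user@mail.example"))
    print(policy.evaluate("203.0.113.55", "user@mx1.tempmail.example"))
```

Whether a tripped layer means a hard reject or only the loss of the upload feature is a product decision the text leaves to the operator; the gate only reports which layers matched. Reloading the three lists on a timer (or on file change) is the part this stand-alone example omits.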
Adding CAPTCHA to signup / upload forms
CAPTCHAs are typically implemented to prevent automated form submissions by scripts or bots, but they can also serve as an effective prevention mechanism for CSAM distribution.
Users attempting to upload CSAM to internet-based services use various techniques to remain anonymous, sometimes including disabling JavaScript in their web browser. A JavaScript-based CAPTCHA requirement on signup and upload forms therefore acts as a deterrent, provided the form fails closed (the submission is refused rather than silently accepted) when the CAPTCHA cannot run.
Retroactive scanning for known CSAM
Online service providers implementing proactive detection of known CSAM (upload prevention) should also periodically rescan historical content, for two reasons. First, proactive detection is applied to content as it is uploaded, so everything uploaded before the scanner was deployed has never been checked. Second, hash databases are continuously updated, so content that did not match at upload time may match known CSAM at a later date. By periodically rescanning all previously uploaded content against the current hash list, service providers can detect and remove this newly identified material.
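The following added example (not Project Arachnid or IWF code, and not the format of either organization's list) shows both halves of the hash-based approach described under "Proactive detection of known CSAM" and here: exact-match scanning at upload time, and a retroactive rescan that skips objects already checked against the current version of the list. It assumes a list of hex SHA-256 digests of the exact file bytes, one per line; real lists may use other algorithms, including perceptual hashes that survive re-encoding, which this exact-match code does not implement. All sample content and the list itself are constructed inside the block.

```python
"""Hash-list scanning at upload plus retroactive rescan (added example)."""
import hashlib

HASH_ALGORITHM = "sha256"   # assumption; real lists may use other algorithms
HEX_LENGTH = 64             # hex digest length for sha256
CHUNK_SIZE = 1 << 20        # hash large uploads in 1 MiB chunks


def digest_of(data):
    """Hex digest of an upload held in memory; the scanner's exact-match key."""
    h = hashlib.new(HASH_ALGORITHM)
    for i in range(0, len(data), CHUNK_SIZE):
        h.update(data[i:i + CHUNK_SIZE])
    return h.hexdigest()


class HashList:
    """Known-content digests plus a version counter that is bumped whenever a
    load adds entries, so a rescan only rehashes objects checked against an
    older version of the list."""

    def __init__(self):
        self.hashes = set()
        self.version = 0

    def load(self, text):
        """Merge a list file: one lowercase hex digest per line, '#' comments.
        Rejects malformed entries instead of silently skipping them."""
        added = 0
        for raw in text.splitlines():
            entry = raw.split("#", 1)[0].strip().lower()
            if not entry:
                continue
            if len(entry) != HEX_LENGTH or set(entry) - set("0123456789abcdef"):
                raise ValueError(f"malformed hash list entry: {raw!r}")
            if entry not in self.hashes:
                self.hashes.add(entry)
                added += 1
        if added:
            self.version += 1
        return added

    def matches(self, digest):
        return digest in self.hashes


class ContentStore:
    """Minimal stand-in for object storage. Each object remembers the hash
    list version it was last checked against (None = never scanned)."""

    def __init__(self, hash_list):
        self.hash_list = hash_list
        self.objects = {}  # object id -> {"data": bytes, "scanned": int | None}

    def upload(self, oid, data):
        """Proactive check: a match is rejected and never stored. Returns True if stored."""
        if self.hash_list.matches(digest_of(data)):
            return False
        self.objects[oid] = {"data": data, "scanned": self.hash_list.version}
        return True

    def import_legacy(self, oid, data):
        """Content stored before scanning was deployed: never checked."""
        self.objects[oid] = {"data": data, "scanned": None}

    def rescan(self):
        """Retroactive check: rehash everything not yet checked against the
        current list version, remove matches, and return their ids."""
        current = self.hash_list.version
        removed = []
        for oid, obj in list(self.objects.items()):
            if obj["scanned"] == current:
                continue
            if self.hash_list.matches(digest_of(obj["data"])):
                removed.append(oid)
                del self.objects[oid]
            else:
                obj["scanned"] = current
        return sorted(removed)


# Constructed sample content standing in for real uploaded files.
SAMPLE_A = b"constructed sample A"
SAMPLE_B = b"constructed sample B"
SAMPLE_C = b"constructed sample C (stored before scanning was deployed)"


def demo():
    """Walk through the two reasons for rescanning given in the text."""
    hl = HashList()
    # Hash list as first received: only A is known. Built with digest_of here
    # for the example; in production the file comes from the list provider.
    hl.load("# known-content list v1\n" + digest_of(SAMPLE_A) + "\n")
    store = ContentStore(hl)
    store.import_legacy("legacy-c", SAMPLE_C)      # reason 1: pre-deployment content
    a_stored = store.upload("upload-a", SAMPLE_A)  # blocked at upload
    b_stored = store.upload("upload-b", SAMPLE_B)  # unknown today, stored
    first_rescan = store.rescan()                  # nothing matches yet
    # Reason 2: a later list update adds B and C; the periodic rescan finds both.
    added = hl.load(digest_of(SAMPLE_B) + "\n" + digest_of(SAMPLE_C) + "\n")
    second_rescan = store.rescan()
    return {"a_stored": a_stored, "b_stored": b_stored, "first_rescan": first_rescan,
            "added": added, "second_rescan": second_rescan, "remaining": sorted(store.objects)}


if __name__ == "__main__":
    print(demo())
```

The per-object `scanned` version is what keeps a periodic rescan affordable on a large store: only a list update triggers rehashing, and objects checked against the current list are skipped. A real deployment would also record the matched digest and list version with each removal for reporting.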
Enforcement of Best Practices through an acceptable use policy
Some internet-based services have a limited ability to view or control content by virtue of platform design decisions, which can hinder the effectiveness of certain recommended best practices. For example, many hosting and virtual private server providers cannot directly scan their customers' content. In these cases, service providers can still make a difference by including these best practices for reducing the availability of CSAM in their terms of service and/or acceptable use policies and enforcing them with their customers.