Child abuse: How and why tech companies look the other way
Tech companies are far more likely to review files on their platforms for facial recognition, malware detection and copyright enforcement
F and E (Identities withheld), 17 and 21-year-old sisters and survivors of child sexual abuse. Photograph: Kholood Eid/The New York Times
The two sisters live in fear of being recognised. One grew out her bangs and took to wearing hoodies. The other dyed her hair black. Both avoid looking the way they did as children.
Ten years ago, their father did the unthinkable: He posted explicit photos and videos on the internet of them, just seven and 11 at the time. Many captured violent assaults in their home, including him and another man drugging and raping the seven-year-old.
The men are now in prison, but in a cruel consequence of the digital era, their crimes are finding new audiences. The two sisters are among the first generation of child sexual abuse victims whose anguish has been preserved on the internet, seemingly forever.
This year alone, photos and videos of the sisters were found in more than 130 child sexual abuse investigations involving mobile phones, computers and cloud storage accounts.
The digital trail of abuse – often stored on Google Drive, Dropbox and Microsoft OneDrive – haunts the sisters relentlessly, they said, as does the fear of a predator recognising them from the images. “That’s in my head all the time – knowing those pictures are out there,” said E, the older sister, who is being identified only by her first initial to protect her privacy. “Because of the way the internet works, that’s not something that’s going to go away.”
Horrific experiences like theirs are being recirculated across the internet because search engines, social networks and cloud storage are rife with opportunities for criminals to exploit. The scope of the problem is only starting to be understood because the tech industry has been more diligent in recent years in identifying online child sexual abuse material, with a record 45 million photos and videos flagged last year.
But the same industry has consistently failed to take aggressive steps to shut it down, an investigation by The New York Times found. Approaches by tech companies are inconsistent, largely unilateral and pursued in secret, often leaving paedophiles and other criminals who traffic in the material with the upper hand. The companies have the technical tools to stop the recirculation of abuse imagery by matching newly detected images against databases of the material. Yet, the industry does not take full advantage of the tools.
Amazon, whose cloud storage services handle millions of uploads and downloads every second, does not even look for the imagery. Apple does not scan its cloud storage, according to federal authorities, and encrypts its messaging app, making detection virtually impossible. Dropbox, Google and Microsoft’s consumer products scan for illegal images, but only when someone shares them, not when they are uploaded.
When asked about its video scanning, a Dropbox spokeswoman said it was not a “top priority”
And other companies, including Snapchat and Yahoo, look for photos, but not videos, even though illicit video content has been exploding for years. (When asked about its video scanning, a Dropbox spokeswoman in July said it was not a “top priority.” In November, the company said it had begun scanning some videos.)
The largest social network in the world, Facebook, thoroughly scans its platforms, accounting for more than 90 per cent of the imagery flagged by tech companies last year, but the company is not using all available databases to detect the material. And Facebook has announced that the main source of the imagery, Facebook Messenger, will eventually be encrypted, vastly limiting detection. “Each company is coming up with their own balance of privacy versus safety, and they don’t want to do so in public,” said Alex Stamos, who served as chief of information security at both Facebook and Yahoo. “These decisions actually have a humongous impact on children’s safety.”
Tech companies are far more likely to review photos and videos and other files on their platforms for facial recognition, malware detection and copyright enforcement. But some businesses said looking for abuse content is different because it can raise significant privacy concerns.
The main method for detecting the illegal imagery was created in 2009 by Microsoft and Hany Farid, now a professor at the University of California, Berkeley. The software, known as PhotoDNA, can use computers to recognise photos, even altered ones, and compare them against databases of known illegal images. Almost none of the photos and videos detected last year would have been caught without systems such as PhotoDNA.
But this technique is limited because no single authoritative list of known illegal material exists, allowing countless images to slip through the cracks.
Even if there were a single list, however, it would not solve the problems of newly created imagery flooding the internet or the surge in livestreaming abuse.
For victims such as E and her sister, the trauma of the constantly recirculating photos and videos can have devastating effects. Their mother said both sisters had been hospitalised for suicidal thoughts. “Every hope and dream that I worked towards raising my children – completely gone,” she said. “When you’re dealing with that, you’re not worried about what somebody got on a college entrance exam. You just want to make sure they can survive high school or survive the day.”
And because online offenders are known to seek out abused children, even into adulthood, the sisters do not speak publicly about the crimes against them. Their emotional conversations with the Times were the first time they’ve spoken publicly about the abuse. “You get your voice taken away,” E said. “Because of those images, I don’t get to talk as myself. It’s just like, Jane Doe. ”
Joshua Gonzalez, a computer technician, was arrested this year with more than 400 images of child sexual abuse on his computer, including some of E and her sister. He told authorities that he had used Microsoft’s search engine, Bing, to find some of the illegal photos and videos, according to court documents.
Many criminals have turned to Bing as a reliable tool of their own
Microsoft had long been at the forefront of combating abuse imagery, even creating the PhotoDNA detection tool a decade ago. But many criminals have turned to Bing as a reliable tool of their own.
The Times created a computer program that scoured Bing and other search engines. The automated script repeatedly found images – dozens in all – that Microsoft’s own PhotoDNA service flagged as known illicit content. Bing even recommended other search terms when a known child abuse website was entered into the search box. While the Times did not view the images, they were reported to the National Center for Missing and Exploited Children and the Canadian Center for Child Protection, which work to combat online child sexual abuse.
Similar searches by the Times on DuckDuckGo and Yahoo, which use Bing results, also returned known abuse imagery. In all, the Times found 75 images of abuse material across the three search engines before stopping the computer program. Both DuckDuckGo and Yahoo said they relied on Microsoft to filter out illegal content. After reviewing the Times’ findings, Microsoft said it uncovered a flaw in its scanning practices and was re-examining its search results. But subsequent runs of the program found even more.
A spokesman for Microsoft described the problem as a “moving target.”
The same computer program, when run on Google’s search engine, did not return abuse content. But separate documentation provided by the Canadian centre showed that images of child sexual abuse had also been found on Google and that the company had sometimes resisted removing them.
One image captured the midsections of two children, believed to be under 12, forced into explicit acts with each other. It is part of a known series of photos showing the children being sexually exploited. The Canadian centre asked Google to take down the image in August last year, but Google said it did not meet its threshold for removal, the documents show. The analysts pressed for nine months until Google relented.
Another image, found in September 2018, depicts a woman touching a naked two-year-old girl. Google declined to take down the photo, stating in an email to the Canadian analysts that while it amounted to paedophilia, “it’s not illegal in the United States”.
When the Times later asked Google about the image and others identified by the Canadians, a spokesman acknowledged that they should have been removed, and they subsequently were. The spokesman also said that the company did not believe any form of paedophilia was legal, and that it had been a mistake to suggest otherwise.
The problem is not confined to search engines.
Paedophiles often leverage multiple technologies and platforms, meeting on chat apps and sharing images on cloud storage, according to a review of hundreds of criminal prosecutions. “The first thing people need to understand is that any system that allows you to share photos and videos is absolutely infested with child sexual abuse,” said Stamos, the former security chief at Facebook and Yahoo, who is now a professor at Stanford.
Criminals often discuss in online forums and chat groups how to exploit vulnerabilities in platforms, the criminal cases show. They carefully follow the prosecutions of people who have been found with explicit imagery and learn from them. There are even online manuals that explain in graphic detail how to produce the images and avoid getting caught.
The digital trail that has followed one young abuse victim, a girl who was raped by her father over four years, starting at age four, is sadly representative of the pattern.
The girl, now a teenager, does not know that footage of her abuse is on the internet. Her mother and stepfather wish it would stay that way.
“We’re just afraid of all the negative impacts that it might have – because I’ve spoken with other mums whose daughters know their images are online, and they’re train wrecks,” her mother said. “She doesn’t need to be worrying about most likely the worst part of her life available on the internet.”
Her stepfather also worries. “To her, the internet is looking up puppies.”
When the girl turns 18, she will become the legal recipient of reports about the material. At that point, her mother and stepfather hope, she will be better able to handle the news. They also hold out hope that the tech companies will have managed to remove the images from the internet by then. “I would love to be able to tell her they were online,” her mother said, “but they are not anymore”.
It has been 10 years since PhotoDNA was developed at Microsoft, yet the industry’s efforts to detect and remove known illegal photos remains uneven and cloaked in secrecy.
The industry’s response to video content has been even more wanting, according to interviews, internal company emails and reviews of thousands of court records. There is no common standard for identifying illegal video content, and many major platforms – including AOL, Snapchat and Yahoo – do not even scan for it. AOL and Yahoo did not respond to requests for comment about their video policies. A Snap spokesman said the company was working with industry partners to develop a solution.
Tech companies have known for years that videos of children being sexually abused are shared on their platforms, according to former employees at Microsoft, Twitter, Tumblr and other companies. One former Twitter employee described gigabytes of illegal videos appearing more quickly than they could be taken down on Vine, the video service since shuttered by Twitter.
Efforts to tackle the urgent problem of video content have run into roadblocks of the companies’ own making. Google, for example, developed video-detection technology that it makes available to other companies, and Facebook also has a system. But the two cannot share information because the fingerprints generated by each technology are not compatible.
In 2017, the tech industry approved a process for sharing video fingerprints to make it easier for all companies to detect illicit material, according to confidential emails and other documents that were part of a project run by the Technology Coalition, a group focused on child safety issues that includes most major companies. One document notes the project’s justification: “Video has become as easy to create as images, and no standard solution/process has been adopted by industry.”
But the plan has gone nowhere.
The lack of action across the industry has allowed untold videos to remain on the internet.
Photos and videos are each being handled in ways that give criminals great leeway. None of the largest cloud storage platforms – including Amazon Web Services, Dropbox, Google Drive and Microsoft’s OneDrive and Azure – scan for abuse material when files are uploaded, according to law enforcement officials, former employees and public statements by the companies.
While the files may be scanned later – when users share them, for example – some criminals have avoided detection by sharing their account logins rather than the files themselves.
A spokesman for Amazon, which does not scan for abuse imagery whatsoever, said that the “privacy of customer data is critical to earning our customers’ trust” and noted that the company had a policy that prohibited illegal content. Microsoft Azure also said it did not scan for the material, citing similar reasons.
Privacy concerns were raised by other companies, including Dropbox and Google. A Dropbox spokeswoman said scanning raised a spectre that privacy advocates could take issue with. Some companies, such as Dropbox and Google, invoked security concerns when asked about their detection and removal practices. A spokesman for Apple declined to specify how it scanned its platforms, saying the information could help criminals.
Several digital forensic experts and law enforcement officials said the companies were being disingenuous in invoking security. Stamos, the former Facebook and Yahoo security chief, said the companies just “don’t want to advertise that they are open for business” to criminals.
“If they’re saying, ‘It’s a security problem,’ they’re saying that they don’t do it,” Stamos said.
A heinous case in Pennsylvania warns of a tsunami of new, hard-to-detect abuse content through livestreaming platforms. More than a dozen men from around the world were logged in to the business conference software Zoom. They were chatting while watching a livestream that had nothing to do with work: A man was sexually assaulting a six-year-old boy.
None of the major tech companies is able to detect, much less stop, the livestreaming through automated imagery analysis, although a technology executive at Zoom said the company had made significant improvements since the Pennsylvania case using other methods.
And while Facebook, Google and Microsoft have said they are developing technologies that will find new photos and videos on their platforms, it could take years to reach the precision of fingerprint-based detection of known imagery, according to interviews.
The 20-year-old assailant received a sentence of up to 90 years
Men in the Pennsylvania case were caught in 2015 only because Janelle Blackadar, a detective constable with the Toronto police, discovered the broadcast while conducting an undercover investigation. The detective recorded the stream using screen-capturing technology and within hours alerted Special Agent Austin Berrier of Homeland Security Investigations. The six-year-old boy was rescued the next day, and 14 men from multiple areas have since been sentenced to prison. Last January, the assailant, 20-year-old William Byers Augusta, received a sentence of up to 90 years.
The Pennsylvania state prosecutor in the case, describing the offenders as monsters, said in court that Augusta had “encouraged people all over the world to tune in”. – New York Times