Slow removal of child sexual abuse image websites

June 11th, 2008 at 14:02 UTC by Richard Clayton

On Friday last week The Guardian ran a story on an upcoming research paper by Tyler Moore and myself which will be presented at the WEIS conference later this month. We had determined that child sexual abuse image websites were removed from the Internet far slower than any other category of content we looked at, excepting illegal pharmacies hosted on fast-flux networks; and we’re unsure if anyone is seriously trying to remove them at all!

It is perhaps timely that this week three large ISPs in the USA have announced that they have decided to block access to child sexual abuse image newsgroups on Usenet and remove sites hosting this material from their servers. This was initially inaccurately reported so as to imply the installation of blocking systems for other people’s websites; which is unlikely to be especially effective, and may even provide an “oracle” by which the people who seek illegal material can locate new websites to visit.

Our new paper, “The Impact of Incentives on Notice and Take-Down”, examines a number of different types of wicked Internet content and discusses how effective people are at getting the material removed by serving notices upon the website owners who host it. We have a number of interesting results, but perhaps the most striking is that although phishing websites impersonating banks are generally removed in a couple of hours, the mean lifetime for a website hosting child abuse images is almost a month and even the median (the time by which half of the sites are removed) is 12 days.

We believe that the reason that the child abuse image websites are removed so slowly is that the Internet Watch Foundation (IWF), who collate a list of illegal sites, is only prepared to talk directly with the hosting ISPs within the UK. If the site is hosted abroad (which is now 99.8% of all sites) the IWF informs the UK police, who pass the message on to law enforcement in the relevant country, and that clearly leads to considerable delays. Furthermore, the same parochial attitude appears to be taken by similar organisations in other countries.

The IWF are a member of INHOPE, an association of child sexual abuse image reporting hotline organisations operating in 29 countries, and the IWF will also pass reports to the appropriate INHOPE members. However, in the US, which hosts around half of all the illegal sites, IWF tell us that NCMEC the hotline operator there will only pass on notices to their members — and that means that American ISPs do not get a timely notice.

We think it is the close involvement with the police, who have to operate within a particular jurisdiction, which leads the IWF to believe that they would be “treading on other people’s toes” if they contacted ISPs outside the UK. I assume that this is why I was firmly told in an email this week that they “are not permitted or authorised to issue notices to takedown content to anyone outside the UK”. Indeed, this echoed in a letter to The Guardian today by John Carr who says “The IWF cannot issue a notice to a Polish or Irish internet service provider”.

We don’t think there is some magical international permission given to the people who try to take down any of the other types of content we studied — from phishing, to fake escrow sites, to illegal pharmacies. It only seems to be INHOPE members, dealing with child sexual abuse images, who are not prepared to make an attempt!

Besides this issue, we have a number of other interesting results in the paper (so do read it!) For example we looked at “mule recruitment websites” — with job adverts for payment processors who will be conned into handling the proceeds of phishing scams in the belief that they’re handling payments for legitimate companies. These sites are only taken down by volunteer (amateur) efforts — since they don’t attack any particular bank, but the whole industry, no particular bank is prepared to put in any effort to remove them. Unsurprisingly, their average lifetime is 13 days (mean 8 days) — far longer than the phishing websites — which is not good news for gullible consumers.

Entry filed under: Academic papers, Banking security, Legal issues, News coverage, Security economics

6 comments Add your own

  • 1. Justin Mason  |  June 11th, 2008 at 15:31 UTC

    This is disappointing. You can be sure the “bad guys” are exploiting this “bureaucratic security hole”, as well — I’ve seen screenshots of botnet command & control panels which take care to differentiate the countries that resources are hosted in, and if the spammers are doing this, I’m sure other types of “bad guy” do too.

  • 2. Clive Robinson  |  June 11th, 2008 at 23:20 UTC

    Richard,

    Although I think you are probably correct in your view point above (I will read the paper over the weekend).

    There is a (very small) posability there is another reason for some of the child abuse sites not being rapidly dealt with.

    That is unlike the majority of the other sites you mention which are run by criminals and visited in the main by non criminals, these sites are being both run and visited by criminals.

    So there is a (very small) possibility that some sites are being used indirectly to track down the criminals that visit them (say via ISP IP logs).

    Which begs the question have you seen any evidence either way on this point?

    As for INHOPE I have been left with the impression in the past that they where more of a “politicaly active lobying organisation” (I may be doing them an injustice). Which might account for why they take little preventative action as it is not realy in their interest to do so (if they solve the problem then there is no need for high profile political activities etc).

    With respect to the Police there is also another angle, as most will acknowledge they are very resource limited. And as has been noted in one or two newspapers recently there appears to be bonus scheams of around 15K for senior officers if their subordinates meet certain government set targets.

    So this begs the unseamly question of,

    Who are the victims of the respective site types and what leverage do the victims possess and with whom?

    To be horibly blunt children of sex crime have themselves little or no leverage and therefor there is little incentive to act quickly (sadly this is true for the child victims of most types of abuse)

    Whereas victims of fraud / impersonarion against a financial institution are generaly adults and make a lot of noise to the financial organisation.

    Also as you have noted it is in the financial organisations interest to get the sites taken down as quickly as possible.

    Therefore in effect you are not realy comparing like with like (as the lack of action on fake pharma sites tends to confirm).

    So perhaps the metric to use is in what direction the avarage take down time is going and at what rate is it changing against time.

    Then ask what the best way is to influence the process so that the metric moves more rapidly in the required direction.

  • 3. Richard Clayton  |  June 11th, 2008 at 23:52 UTC

    @Clive yes do read the paper — blog posts about papers necessarily leave out a lot of material which may answer your questions.

    Some child sexual abuse image sites have been run by the police (mainly the FBI I believe) to see who visits them. However, I don’t believe this is true of 2500+ sites a year (the current rate). So I think has a minor effect on the stats.

    Also, I don’t think financial fraud victims play any part in the removal of phishing sites — the victims never notice the site is fake!

  • 4. John Smith  |  June 13th, 2008 at 16:30 UTC

    It is perhaps timely that this week three large ISPs in the USA have announced that they have decided to block access to child sexual abuse image newsgroups [...]

    It is perhaps on-topic to note that Peter Whoriskey’s story in the Washington Post, which you linked to above (as reprinted in the Minneapolis-St. Paul Star Tribune) omits some details of the agreement with the NY Attorney General.

    TimeWarner will drop ALL Usenet service.

    Sprint will drop the entire alt.* hierarchy.

    Verizon will limit Usenet to the “big 8″ only.

    See Declan McCullagh’s most recent report. There also has been confirmation by the Associated Press, by Wired, and by others.

    According to the NY OAG press release above, Attorney General Andrew Cuomo said:

    “… I commend the companies that have stepped up today to embrace a new standard of responsibility, which should serve as a model for the entire industry.”

    Do you comprehend the model that the NY AG is commending?

  • 5. Clive Robinson  |  June 16th, 2008 at 04:05 UTC

    @ John,

    From what you have said it sounds like “broad brush stroke” censorship, which will block not just what it’s stated aim is but a good deal of free speach as well.

    Which is obviously just another freedom the NY AG is keen to “put on a war footing”

  • 6. Sally Libbons  |  June 16th, 2008 at 07:00 UTC

    This really is disappoinitng!

Leave a Comment

Required

Required, hidden

Some HTML allowed:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Subscribe to the comments via RSS Feed


Calendar

June 2008
M T W T F S S
« May   Jul »
 1
2345678
9101112131415
16171819202122
23242526272829
30