Google turns in child porn owner who used its cloud services

I heard a presentation on this topic from a computer forensics expert who handles child porn cases at the HOPE conference last summer. I assume that this article, despite being worded somewhat vaguely, operated in the manner that he described.

Essentially: some governmental authority (in the US, I believe the FBI) maintains a database of specific image and video files that are either confirmed or strongly believed to be child pornography. Investigators are able to obtain a database of the metadata and hashes of those files, but not the images themselves. When an investigator is examining an archive of data that may contain child pornography (for example a seized hard drive) they run scripts that hash each file using the same algorithm and compare them with the database of hashes of known child pornography files. The investigator does NOT open the files in any viewer program or examine them directly. If any hashes match, the flagged files are then forwarded to the proper authority (such as the FBI), where the person with the most depressing job ever then opens the files and examines them visually to see if the file with a matching hash is, in fact, the same file as the file in the governmental archive of verified child pornography. If child pornography is then positively identified, the remainder of the archive in which it was located may be forwarded to that office to be visually scanned by child pornography expert in order to determine whether or not there are more images or videos that appear to be child pornography, which have not been previously identified and added to the archive.

Note that the initial forensic investigator will also do other work, such as examining file metadata, system usage logs, browsing history, searching for various worms and other malware, etc. to try and determine if the owner of that archive was, in fact, viewing the images deliberately, or whether it may have been an accidental or incidental download.

One key idea in this system is that the initial forensic examiner will under no circumstance ever VIEW the file, or - in fact - ever see any child pornography whatsoever.

In the scenario described in this article, it sounds to me like Google has implemented some automatic scanning tool that takes the place of this initial investigator, but assuming it is based on the procedure I heard described, there is absolutely zero chance that they are scanning for similar images, since a) the algorithm is only comparing hashes, not actual file data and b) Google would not have the actual images that are being compared against, so they would have no valid data for their image search algorithms to work on.

In fact, it would almost certainly be highly illegal for Google to have such data to work with, although I presume that it would be both legally and technically possible for Google to arrange a system where images were sent to the FBI and scanned on their servers, but that would clearly be an overwhelming amount of data, and an extremely wasteful use of resources for bulk scanning, rather than targeting some particular account, as described above in the procedure for human investigators.

But it does not seem terribly inefficient for Google to have a copy of the hash database, and for them to scan that against hashes of the image files, and then to automatically forward positive hits to the FBI.

A cop around here was busted a few years ago after downloading, viewing, and masturbating to child porn in the police evidence room (apparently, he left video evidence of the latter). There were also pictures of local kids (thankfully, clothed) mixed in with the porn. Yeah, I feel real safe knowing he out there “Protecting and Servicing”.

This point is very very important. First they detected the pornographers, and I said nothing because I was not a pornographer. But could the day ever come when it’s anti-government images, or something similar? Or does that only happen in “backward” countries?

Sure. But that sort of slippery-slope argument can be made about ANYTHING. The proper answer is to make an active decision about what is and isn’t appropriate and draw those lines clearly in advance, rather than to throw up our hands because if we don’t do something there is an eventual risk of abuse.

Don’t kill the puppy. Kill the folks who stage dog fights.

Even if he had CP photos on his phone, he might not have realised that they were synching to Picassa; we’re obviously not dealing with the brightest or most cautious paedophile here. Why upload CP photos to Tumblr though?

I’m sure that whatever your kid did at the beach or in the bathtub was cute as hell, but DON’T EMAIL ME THE PICS!

That… is so far over on the begging-to-be-caught end of the scale that it is almost hard to believe he could be that stupid or arrogant. It makes me wonder if he was unconsciously wanting to be caught before he molested a kid.

The real pisser; as I was Googling around to remember the specifics of the case, I realize that his two-year sentence (!!) should have been over about four months ago. But, small town, only a couple of people who had any access to that particular computer; I think he just figured no one would ever look at what he was doing.

I wonder if they could just delete the photos that come up as a positive match, or reject them for storage with a warning message. That doesn’t seem like a high price to pay to avoid having contractors look through photos, and it would give them an incentive to continuously hone their algorithm. In this case, they would not be complicit, and the worst that would happen is your bathtime photos and/or adult nudity false-positives would potentially be rejected. Many people don’t understand when they are “backing up” vs “sharing” in this landscape anyway, so it might even bail a few people out of a mistaken share.

It’s not a slippery slope - it’s a problem of handing too much unaccountable power to our leaders. Imagine the NSA and the Patriot act in the hands of a man like Joe McCarthy. For a long time the answer has been checks and balances, but since 2000 we’ve been throwing out those quaint ideas, as if it could never happen here.

Contact your congresscritter and get out the vote and and work to put the controls back in, then. Postulating the extreme is a fine thought exercise to motivate that, but isn’t reason to panic over a benign – and arguably desirable – case.

Living in a functioning society does involve giving up some freedoms and privacies. The trick is hitting the right balance. I have a hard time getting exercised about this one – and that’s despite my favoring the thought exercise that going after the folks who create kiddy porn with the biggest hammer possible is a Good Thing, but that once created there might be arguments for leaving the least-abusive versions available as a pressure relief valve. (There’s another thought experiment, and one I don’t actually advocate trying… but I do think that we’ve gone overboard when any photo of an underage body is automatically considered abuse until proven otherwise. As far as I’m concerned, simple bathtub photos shouldn’t even be questioned; it shouldn’t be news to anyone that humans have bodies under their clothes.)

((My lady’s position was that her parents could show me the bathtub photos of her as long as she didn’t have to look at the album again… but that’s about boredom and dislike of one’s own photos, not about skin.))

I cannot imagine having that job at the FBI. Even if 1% of my time was spent confirming child pornography and 99% spent lounging on a couch being fed cheesecake by Christina Hendricks and playing with puppies, forget it. I can’t think of anything more soul-wrenching. And you don’t get lots of public support and esteem, either. If you tell people what you do, they immediately think you’re a freak- and yet without these people doing this job, how do you prosecute?

A friend of mine sat on a jury for a child porn trial, and had to see some pictures. He said it was one of the worst experiences of his life.

I think they were more focused on people bringing in stacks of CD ROMs. Remember, this was 10-15 years ago and high volume content was harder to move around on the web.

I also suspect they looked at the CD ROMs of people they had flagged - not every single one. But maybe, what do I know. I just know that he hated that part of the job. (and the part that involved having to be very careful about what was in his pockets because he worked with drug dogs.)

I studied digital forensics briefly (till I realised what it had done to my prof working in that field, and that I could never, ever go through with it). Most of the people who you investigate aren’t that sharp tech-wise. Like, ‘attrib +h’ = ‘hidden forever’ not sharp…
Gah. That was meant to be a reply to @jsroberts. Had no caffeine yet today…

That’s it - particularly since 9/11, we’ve been told, ‘oh, this class of person is just so bad you’re going to let us ignore the most fundamental rules of our society, and there’s obviously no argument’ kinda thing, and it’s plainly fucking bogus.

And that sort of shit is the thin end of the wedge; an apposite harbinger of the downfall of our very civilisation. We’ve begun renegotiating basic human rights, with the elite in a box seat and the rest of us without a say. My country’s government (of either flavour) smugly ignores human rights in its treatment of refugees, just to pander to xenophobes.

It’s this sort of divide and conquer crap that serves as another layer of distraction for anyone poking their head above the sport/paparazzi level, keeping the vast majority of us from being aware of how we’re being systematically fucked over en masse, and it paves the way for an encroaching police state to sweep away anyone deemed inconvenient.

I see two problems:

a) The possession and distribution is usually a crime (otherwise no need to check for it), so only certain agencies are exempt.

b) Color me a liberal, but I want these people in therapy, if possible. Though I admit that as far as we know, pedophilia is a condition like heterophilia or homophilia and this not “curable”.

Man, you’ve gotta admire the utilitarian streak of the Danes…

“The proper answer” sounds a bit like TIA.

The thing is, you can’t establish an automated infrastructure to automatically check for one variant of a thing and one thing only. When you can scan for child porn, you can also scan for unwanted political messages.

This is already happening, btw, as quite a few people with critical posts about the current US n behaviour found out when they wanted to cross the border to visit the land of the free.

And even with the best intentions: As soon as certain technical mechanisms are in effect, the erosion of any promise to use them only for so and so will begin.

Because it’s convenient, because lobbyists smell money and because bureaucrats need a new job.

Danes? I don’t get the reference.

Well, you were replying to @fmedvedik, who mentioned that in Holland they pay drunks in booze to clean the streets.

And possibly fmedvedik is Danish him(?)self, and came up with the radical yet elegant notion of a CP analogy.