ICT companies should do more to remove child sexual abuse from the Internet

ICT companies need to do more to remove online child sexual abuse from the Internet. Delft University of Technology’s monitoring shows that many ‘hosting’ companies now take action when they receive a notification from the Online Child Abuse Expertise Centre (EOKM) that child sexual abuse images are on their servers. Nevertheless, the Netherlands’ excellent digital infrastructure continues to be abused. Hosting companies that rent out space to keep websites online for their national and international customers need to act faster to prevent child sexual abuse from spreading across public websites through their servers.

Minister Grapperhaus (Justice and Security) wrote this in a letter submitted to the House of Representatives today, based on Delft University of Technology’s findings. Delft University of Technology’s report shows that, on average, 84% of online child sexual abuse is removed within the agreed 24 hours following notification.

‘It’s a start, but it’s not yet good enough. The goal is to have a clean Internet without child sexual abuse images and a zero-tolerance policy on such imagery. We can only achieve this goal by working with the business community,’ Minister Grapperhaus maintains.

In 2018, Minister Grapperhaus agreed a covenant with the ICT sector to combat online child abuse. This public-private partnership is aimed at cleaning up the Internet. This will allow the police and the Public Prosecution Service to increase their focus on stopping acute abuse situations by tracing and prosecuting perpetrators. The vast majority of companies are cooperating well and have committed to a 24-hour standard for removing malicious content from their servers after a notification. To help these companies clean up, the police and the EOKM have created a HashCheckService. This enables ICT companies to detect online child sexual abuse images on their servers and to remove them proactively, using unique, anonymous codes for images known to the police.

Calling out hosting companies

The House of Representatives has previously called for a system of ‘naming and shaming’ to tackle online child sexual abuse. In June this year, the Minister wrote to 17 hosting companies that, according to a first measurement by Delft University of Technology, had child sexual abuse images on their Dutch servers. The Minister set them a deadline for taking measures; the companies were given until September 2020.

This has resulted in an enormous increase in the number of checks performed by the HashCheckService. In early July, 67 million images were checked, with 10,000 hits for child sexual abuse that were tagged for removal. By September, this had risen to 18.2 billion images with almost 7.4 million hits. This contributes enormously to preventing repeated victimisation.

‘We need to get on with tackling child sexual abuse. It’s of the utmost importance that children in our society can grow up safely and are protected. Child sexual abuse images that remain online ensure that victims are continually harmed and also create new perpetrators. Hosting companies must realise that they have a social responsibility to protect children online from abuse,’ says Minister Grapperhaus.

Based on Delft University of Technology’s report, there are serious doubts about whether two hosting companies in particular, NForce and IP Volume, are actually participating in the joint approach to online child sexual abuse. The doubts mainly concern the extent to which these hosting companies are complying with the aforementioned covenant with Internet companies: accepting the EOKM’s Internet Hotline against Child Pornography as a serious notifier and removing images within 24 hours of a notification.

Structural approach

Minister Grapperhaus wants the Delft University of Technology monitor to have a structural character and to lead to periodic reports. Legislation for administrative enforcement involving a regulator is in the making, so that malicious and lax Internet companies will soon risk a fine or a penalty if they do not respond to a notification of child sexual abuse images quickly enough by removing them from public websites. It is also being investigated whether the regulator will be able to enforce preventive measures against companies in order to prevent child sexual abuse images from spreading across the Internet.

Additional information

NForce: Delft University of Technology’s report shows that the hosting company NForce hosts an extreme amount of child sexual abuse images: from January to August 2020, the company received no fewer than 179,610 notifications from the EOKM’s Internet Hotline against Child Pornography about URLs containing such material. This puts NForce at the top of the ranking for hosting child sexual abuse images. Although the company deals with a large proportion of its reports within 24 hours, too many remain open. Ultimately, the number of images that remain available on the Internet is what counts, because that determines the impact in our society. Moreover, NForce’s share in all Dutch notifications of child sexual abuse images rose to 93.57% in the period mentioned. In short, NForce has an enormous role in the distribution of such images, despite only being a medium-sized hosting company.

IP Volume: based on Delft University of Technology’s report, there are doubts about whether this hosting company is doing its part to tackle online child sexual abuse. IP Volume is one of the larger hosts of child sexual abuse images. However, the Delft University of Technology researcher was unable to include the notifications to this company in the sample to measure the removal speed. Because the company did not cooperate and even threw up technical and other obstacles to avoid dealing with notifications from the Internet Hotline against Child Pornography, it was necessary to transfer these notifications to the police. Subsequently, the company had no choice but to address the notifications. This is at odds with the agreement that notifications should be taken seriously and images should be removed. Future measurements will explicitly focus on this hosting company in order to monitor its performance more closely.