It is interesting that an incumbent UK Agency should announce that the circulation of ‘Child Abuse’ Images is growing, and is now a matter of grave concern – in other words the controls that have been put in place thus far would seem not to be working. However, if I recall, not so many months back our own Prime Minister, based on what he had been ‘wrongly’ informed announced that we [the UK] had made good progress to counter the circulation of such disgusting materials, and so all would seem to be getting better. That said, let me be very clear with two corrections, a/ the scale of this trade has not increased that much, it has always been rife, but it is more a case of increased detection, and awareness, and b/ when it comes to ingenuity and preserving the security of a dark-population, this deviant group by inference are what one may term at ‘HIGH RISK’, and so they do practice what we as a security profession refer to as ‘ ‘Safe Hex’ – but the simple fact of the matter is, whilst the public agencies feel that they can stem this tide of circulation though the use of conventional tracking methodologies, and detection, this tactic is sadly flawed, as the members of these sub-community of deviants utilise Darknet’s, Smart Secure P2P, and other forms of secure distribution to circulate such Photo-People-Trafficking imagery which prays on innocents, the vulnerable, and ruins lives – a matter which I admit is very close to my heart, and is a practice I will do all I can to counter whilst I am able.
There are however a number of issues we need to understand to appreciate the ignorance around this plague. Here a little history from the past when myself and another party located file servers deployed in the US which were very explicit in the ‘description’ as to what they were hosting, yet did not display any images. Armed with this information, and the related acquired artifacts [Screen Scrapes, and IP addresses – See Fig 1] myself and my erstwhile partner immediately notified CEOP of our discovery, but to our amazement and surprise were informed by return that as no images were displayed, there was not offence. This opinion was [is] however not only badly informed, but is contrary to the Protection of Children Act 1978 c.37 Section 1 which states that It is an offence for a person to:
(a) Take, or permit to be taken [or to make], any indecent photograph [or pseudo-photograph] of a child; or
(b) To distribute or show such indecent photographs [or pseudo-photographs] or
(c) To have in his possession such indecent photographs [or pseudo-photographs] with a view to their being distributed or shown by himself or others; or
(d) To publish or cause to be published any advertisement likely to be understood as conveying that the advertiser distributes or shows such indecent photographs [or pseudo-photographs], or intends to do so.
So for myself on that occasion of this report, I was wondering just how the incumbent agency [CEOP] had arrived at this interpretation of legislation, as clearly this case was in breach of sub-paragraph (d)!
Fig 1
In the past we have also heard much from Government Ministers who have talked-a-good-talk, but when they [let us call them JB-MP] were made aware of the aforementioned case, the only question their office came back with was ‘where is the related report being published’, and showed no interest whatsoever in the case, circulation or presence of such materials! And by the way, as far as I am aware the servers stayed on-line for a further 6 months!
And that brings me to the very Corporate Firewall that could assist with countering this abuse – the commercial world – but here sadly, in my experience, there are few who understand their legal obligations, not to mention ethics, when it comes to these materials. In fact to make matters worse, when I was visiting a well-known UK based Anti-Virus company, they were discussing the detection and parking of images, and I asked the question as to how this category of imagery should be dealt with when encountered. However, I was astonished to learn it was their understanding that they should be treated just like any other form of ‘Pornography’ [reminder – these are Child Abuse Images] – clearly here, we even had an issue with the Security Industry.
The bottom line is, when we see [and I wish not to] such images, we must remember this is not a passive photograph of a trapped moment in time, but is a mirror into a world of continuous abuse and suffering. Thus we must remember that if this category of material enters our systems or infrastructures, it is incumbent on us ‘all’ to do the right thing both legally, and ethically and report the discovery via the correct channels. And we should also remind ourselves as Agencies, Ministers, or whatever other capacity we are working in in this field, no matter how busy we are, when it comes to placing a priority against taking action, these cases should be at the top priority.
I am hopeful with sinking heart that someone will read this, and show it to a Government Minister who will take real action – and if nothing else comes out of these words of complete frustration, push those in power to ask the questions as to what the ‘real’ position is when it comes to such matters which allow the continuous abuse of innocents to go unfettered when they are reported.
Professor John Walker FMFSoc FBCS FRSA CITP CISM CRISC ITPC
Visiting Professor at the School of Science and Technology at Nottingham Trent University (NTU), Visiting Professor/Lecturer at the University of Slavonia[to 2015], CTO and Company, Director of CSIRT, Cyber Forensics, and Research at INTEGRAL SECURITY XASSURNCE Ltd, Practicing Expert Witness, ENISA CEI Listed Expert, Editorial Member of the Cyber Security Research Institute (CRSI), Fellow of the British Computer Society (BCS), Fellow of the Royal Society of the Arts, an Associate Researcher working on a Research Project with the University of Ontario, and a Member, and Advisor to the Forensic Science Society
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.