The scandal that keeps on harming kids

Behind the reflecting glass windows of a modern office block at 12025 Waterfront Drive, Los Angeles, are the people who have the power to end one of the great scandals of modern technology. The question is: why are they not using it?

The nature of the scandal is well documented. In all parts of the world the lives of an uncountable number of children are wrecked by illegal online child sexual abuse images, videos and stills – what used to be called “child pornography”.

The publication of the images magnifies and adds to the harm done by the abuse itself. The continued circulation of these images makes the possibility of  recovery from the abuse much harder to achieve and amounts to a serious, on-going breach of the victims’ legal right to privacy and human dignity. To the extent the same images encourage or sustain paedophile behaviour or networks they also put at risk other children as yet unharmed.

Billions not millions

A major glimpse of the scale of this type of criminal behaviour was provided in 2017 by the Canadian Centre for Child Protection. It’s Canada’s official internet “hotline”. They launched a proactive web crawler called, er, Arachnid which, in a six- week period, searched 230 million web pages and on 5.1 million of them they found child sex abuse material. Within the 5.1 million pages were 40,000 unique child sex abuse images. Once a new image goes online it tends to be copied and repeated a great deal.

Everywhere the phenomenon is investigated, the scale of the crime is appalling. In 2019 in the United States the National Center for Missing and Exploited Children, which works in a  very different way from and on a much bigger scale than the Canadians, received 16.9 million reports of child sex abuse material that had been found online.

Britain’s hotline, the Internet Watch Foundation (IWF), of which I was a Director, last month published its Annual Report. In 2019 they identified 129,111 web addresses containing child sex abuse material. In respect of each of address they had sent a notice to the hosting company asking that the material be deleted at source.  Every one of those pages could have had either a single image on it, or thousands with links to many more.

Earlier I said the number of children being harmed is uncountable. The same is true for the abusive images being circulated but few doubt we’re talking billions not millions. The challenge is colossal but it is by no means insurmountable. If there’s a will.

The cloak of invisibility

The images are pumped out by people and organisations who rely on being invisible.  Of course they do. Who would openly distribute child sex abuse material?

There are different online mechanisms which are used as distribution channels.  A key one, the major one, is the worldwide web, the  most widely and easily used bit of the internet. The bad actors use web sites they buy for themselves or they hijack or hack pages on other people’s.

The prosaic reality

To stop hijacking, minimal standards of security should be compulsory, not voluntary. Businesses which sell web site names or hosting services typically offer additional security as a paid for optional extra. That is wrong. It should be factored into the basic selling price. No exceptions. If this does not wholly eliminate hijacking it will greatly reduce it.

However, hijacking is probably the lesser of two evils. Straightforwardly buying sites is the easier pathway to child abuse.

When you buy a web site you will be forced to choose a unique name.  It will be within a particular domain e.g. .com. Your ownership of this piece of virtual property, along with your contact details, are meant to be checked, recorded and stored on a database known as “WHOIS”, ultimate responsibility for which is vested in the Internet Corporation for Assigned Names and Numbers (ICANN) domiciled in California. These are the guys on Waterfront Drive referred to earlier.

ICANN’s rules stipulate that checking and recording contact details are essential but, astonishingly, criminals are willing to tell lies about such matters and they do that with impunity because ICANN appears to be unwilling or unable to do anything to stop them. They quiescently float on a sea of mendacity, wringing their hands while children suffer.

It’s all about the money, money

Selling web site names is typically a low margins affair. Some can be bought for less than £1. This means achieving a high volume of sales is essential.

Around 98% of ICANN’s income  is derived from two sources: Registrars and Registries. Registrars  do the actual selling. Registries administer the systems that allow them to do that. Through contracts Registries and Registrars are authorised to act in their respective roles by ICANN to whom they both pay fees. So in the end the whole edifice is driven by the likes of you and me, companies and other organizations buying or renewing web addresses.  Nobody in the chain has an incentive to do anything which might suppress or in any way reduce sales or renewals of internet names.  Quite the opposite. The accuracy of ownership data counts for nought if the dollars keep rolling in.

For a few dollars more

Everyone in the chain should charge a few dollars more, do a proper verification job and that way they could still be profitable even on a volume of sales that was reduced because fewer crooks would be buying.

Accuracy is the exception rather than the rule

Emily Taylor is an English solicitor. ICANN commissioned her to look into how accurate the WHOIS  data were. She published her report eight years ago. She found that in only 23% of the cases were WHOIS data accurate in the way specified in ICANN’s rules.  In other words, by some margin accuracy was the exception rather than the rule.

Taylor found 21.6% of the WHOIS entries to be so defective as to render the owner completely unreachable if WHOIS data alone were relied on. At the time Taylor reported there were 220 million entries in WHOIS of which 47 million fell into this latter category.  Guess where most of the online criminals congregate, including those who trade in child sex abuse material?

How did  it come to this? No. 1 culprit is  the US Government.

Very easy answer.  Nerdy complexity, US politics and geo-politics.

Let’s start with the No.1 culprit, the US Federal Government. They pretty much “owned” the internet from Day 1.  As the number of web sites started to grow exponentially in the mid-1990s they gave ICANN a contract to start administering the naming system.

As the internet continued to expand and become internationalized pressure grew from other Governments and from parts of the internet industry to allow ICANN to become independent of any potential control by any US Administration.

The Chinese, the Russians, India, Brazil and others were very vocal. A case was made to kill off ICANN altogether and roll its functions into the International Telecommunication Union, in effect handing control of the internet to the United Nations. Replacing DC with Geneva. It didn’t go down well.

The suggestion was strongly resisted by most western Governments, but the effect was to strengthen the argument for the US Federal Government to find some way of withdrawing from its unique status.

The Federal Government gave in to this pressure and  in 2009 entered into a  solemn sounding “Affirmation of Commitments” with ICANN. In essence the Affirmation said the US Government would relinquish its role as long as ICANN agreed to do various things.

One of the “things” ICANN promised (para 9.3.1) was to implement measures to “maintain timely… accurate and complete” WHOIS data. That never happened and the Obama Administration chose to overlook this fundamental flaw when they finally did do the handover in October 2016.  No one had come up with a better alternative and an election was looming.

So since 2016 ICANN has gone its own sweet way.  Now unhindered by any kind of external oversight ICANN remains driven principally by the financial interests of Registries, Registrars and the ICANN bureaucracy itself. In fact, in a recent rule change, ICANN has further reduced Registries’ and Registrars’ obligations in respect of verifying ownership and contact data. Things are likely to get worse, not better.

Could this call into question the validity of the 2016 handover? Has ICANN acted in bad faith?  Could it lead to the US Government “taking back control”? And while the prime responsibility for the current mess must be laid at the door of the US Government in the first place, other Governments and major law enforcement agencies share part of the blame for having allowed such a monumentally awful system to evolve and survive.

Historically, the people in and around ICANN have denied any responsibility for matters of the kind discussed here, saying it is for law enforcement agencies to address illegal behaviours. Not them. This is wilful, self-interested blindness. It is ICANN’s rules and the way they are observed or not observed which, front and centre, creates the problem.

Enemies of reform

Nerdy complexity and geo-politics are proving to be the enemy of reform. At the request of the FBI and the British police I attended my first ICANN meeting in 2010 to plead the case for stronger action to eliminate child sex abuse material from the web. Zero impact. More recently Cherie Blair QC, a distinguished human rights lawyer, wrote to the authorities in California asking if they would look into ICANN’s manifest failings in respect of protecting children. Ms Blair received a polite reply from the Attorney General but no action followed. Big Tech is powerful and important in Californian politics.

Companies such as Google, Facebook, Microsoft, Amazon and Apple have zero interest in maintaining the status quo in respect of ICANN and its component parts  but the damage done to  Big Tech’s wider image by the continuation of these sorts of crimes against children impacts them all.  Badly.

The difficulty is precisely because none of these companies are individually, or even collectively, directly responsible for ICANN they are all hesitant about stepping forward to insist on creating a better system for fear of being branded as bullies with a hidden agenda to increase their own power.

Yet it is obvious the whole ICANN structure needs root and branch reform. If ICANN is to continue as the Regulator  a way must be found to free it of its financial dependence on Registries and Registrars.

The Registries and Registrars profiting from the shameful lassitude  described above should be brought to book. The Canadian Centre for Child Protection recently sent me some data analysing the concentration of child sex abuse material on web sites according to the Registrars that sold or renewed the name. I have combined this with data published by the IWF showing the same according to the Registries responsible for the affected domains. What this reveals is the problem is highly concentrated among a relatively small number of businesses. I intend to publish the data soon.