Illegal activities prevention system (child pornography, animal cruelty, …)

security datacenter

It is a very sensitive topic that requires a solution from our end. I have few servers that I rent to few people. I have all legal permissions and rights to scan over the servers.

I want to prevent people from storing child pornography, animal cruelty or other videos of similar nature. The first priority is to be able to prevent child pornography since it is the most sensitive issue.

I tried searching online for solutions but couldn't find many people even discussing about this issue, I believe mainly because it is considered Taboo topic of discussion.

One of my thoughts was to search the servers for signatures of known files. Is there such a database anywhere?

I know big companies like GoDaddy have such prevention system but as a small company owner what can I do?


There are various Government and Industry programs that will provide Hashes of "Known Bad" material (eg CP) to hosting providers. You can then hash the files on your servers and compare. Below are a few that I know of:

  1. HashKeeper
    Discontinued, ran by the US DoJ
    http://www.nsrl.nist.gov/RDS/rds_2.44/Hashkeeper-RDS244-split.zip
  2. DCMEC HVSI
    Run by the Missing Kids non-profit
    http://www.missingkids.com/Exploitation/Industry
  3. NIST NSRL
    Hashes for software files, mostly for avoiding software piracy
    http://www.nsrl.nist.gov/Downloads.htm

Other Notes:

  1. It's going to be called "CP" everywhere to avoid using the actual term. It's that taboo.
  2. The law in the US are very reasonable when it comes to holding service providers accountable for what their clients put on their servers. Make minimal efforts to prevent abuse, communicate abuse policy to users, and have procedures to deal with policy violations.
  3. CP is about as "sensitive" as it gets. Be sure your response includes contacting authorities immediately upon any known CP violations - do not tamper with the data or server, contact authorities first. Authorities will advise you as to what steps you should follow from there.

In addition to Chris's answer about CP, I'd point out that the way the big guys handle this is:

  1. Using databases containing hashed values of known bad material
    • This isn't even a particularly effective solution, because the slightest change changes the hash
    • They will generally, or often maintain their own database, in addition to any publicly-accessible ones
  2. Reporting from users
    • In the form of email contacts ([email protected])
    • Reporting links for sites with user-generated contact (click here to report this)
  3. Paying actual human beings to review content, or authorize content before it's uploaded
    • The MPAA and RIAA, for example, employ dozens of people to scour the web for their copyrighted materials

So, for you, that basically means there's not going to be a great way for you to filter out objectionable material that isn't illegal, because objectionable material needs to be identified by a person. Most of what is identified doesn't ever find its way into publicly-accessible database, and even that which does is pretty easily altered to get around hash checks. So the bottom line is you can't really prevent this type of behavior, and all you can do is react once it happens.

And do be aware, if you start scanning content for one type of objectionable material, you'll be expected to scan for other types. The law varies from place to place, of course, but if you're scanning for CP, animal cruelty videos, and etc., but don't scan for pirated media, if someone uses your server to host copyrighted materials, you'll have a hard time avoiding liability for that. So... well, nothing's ever simple, is it?


Unfortunately, though as Chris S mentioned hashlists do exist, they are useless. The following command will change the hash of a file but leave it completely playable:

$ echo '0' >> pornfile.mp4

The truth is that many companies who deal primarily in user-uploaded video have humans review each and every file. See this related question for the consequences! Therefore if your primary business is user-uploaded video, I highly recommend that your company install such a human-review system.

Related

How do I exclude directories when listing files?
Can a program tell it is being run under sudo?
How can I use rsync to duplicate a directory tree, creating hardlinks to files?
How do I install 'convert' on a linux system?
Don't need the whole line, just the match from regular expression
Nginx add_header for a 50* page
Windows 2019: can't figure out why my drive is full
check port open without telnet [closed]
How to get a list of drive letters on a system through a windows shell (bat, cmd)?
How can you do a one liner with sftp to login with the password on the same line?
How to get the Linux OOM killer to not kill my process?
Block employee access to public cloud