Uncovering and Overcoming Offender Tactics for Distributing Child Sexual Abuse Material on File-Hosting Services

Abstract

File-hosting services play a major role in facilitating the online distribution of child sexual abuse material and child sexual exploitation material (CSAM/CSEM). For example, hundreds of file hosts across the globe have received millions of removal notices issued by the Canadian Centre for Child Protection since 2018. Yet no known research has investigated how offenders exploit file hosts for CSAM/CSEM distribution purposes, or the characteristics of the services they exploit. To address these gaps, we thematically analyzed offenders' posts on 15 Tor-based child sexual abuse and exploitation forums (Study 1) and quantified the characteristics of 93 clear web file hosts known to have hosted CSAM/CSEM (Study 2). Results bring to light several tactics offenders use to distribute CSAM/CSEM stored on file hosts, including sharing tutorials on how to safely upload CSAM/CSEM, ``link protection'' methods to hide CSAM/CSEM from automated detection (e.g., encryption, altering URLs), and creating Tor-based file hosts designed to store CSAM/CSEM. They have also created Tor-based web applications where offenders can employ all these tactics at once. Further, results demonstrate that offenders tend to use file hosts that facilitate easy, anonymous, and enduring distribution. As such, offenders preferred file hosts that retain files for long periods of time, accept archive files, allow uploads originating from the Tor network, and do not require that users enable JavaScript. These findings highlight several platform design risk factors and point to data-driven, practical, and cost-effective measures that policymakers and online service providers (including file hosts and the Tor Project) can implement to reduce the availability of CSAM/CSEM and the revictimization of children and survivors.