The US now hosts more child sexual abuse material online than any other country

The US hosts more child sexual abuse content online than any other country in the world, new research has found. The US accounted for 30% of the global total of child sexual abuse material (CSAM) URLs at the end of March 2022, according to the Internet Watch Foundation, a UK-based organization that works to spot and take down abusive content. 

The US hosted 21% of global CSAM URLs at the end of 2021, according to data from the foundation’s annual report. But that percentage shot up by 9% during the first three months of 2022, the foundation told MIT Technology Review. The IWF found 252,194 URLs containing or advertising CSAM in 2021, a 64% increase from 2020, 89% of which were traced to image hosts, file storing cyberlockers and image stores. The figures are drawn from confirmed CSAM content detected and traced back to the physical server by the IWF to determine its geographical location.

That sudden spike in material can at least partly be attributed to the fact that a number of prolific CSAM sites have switched servers from the Netherlands to the US, taking a sizable amount of CSAM traffic with them, says Chris Hughes, director of the IWF’s hotline. The Netherlands hosted more CSAM than any other country since 2016, but has now been overtaken by the US.

But the rapidly growing CSAM problem in the US is down to a number of more long-term factors. The first is its sheer size and the fact it is home to the highest number of data centers and secure internet servers in the world, creating fast networks with swift, stable connections which are attractive to CSAM hosting sites.

The second is that internet platforms in the US are protected by Section 230 of the Communications Decency Act, which means that they can’t be sued if a user uploads something illegal. While there are exceptions for copyright violations, and adult sex work-related material, there is no exception for CSAM. 

This gives tech companies little legal incentive to invest time, money and resources into keeping CSAM off their platforms, says Hany Farid, a professor of computer science at the University of California, Berkeley, and the co-developer of PhotoDNA, a technology that turns images into unique digital signatures, known as hashes, to identify CSAM.

The sheer scale of CSAM compared to the resources dedicated to weeding it out means that bad actors feel they’re able to operate with impunity within the US because the chance of them getting in trouble, even if caught, is “vanishingly small,” he says.

Similarly, while companies in the US are legally required to report CSAM to the National Center for Missing & Exploited Children (NCMEC) once they’ve been made aware of it or face a fine of up to $150,000, they’re not required to proactively search for it. 

To support MIT Technology Review’s journalism, please consider becoming a subscriber.

Besides “bad press” there isn’t much punishment for platforms that fail to remove CSAM quickly, says Lloyd Richardson, director of technology at the Canadian Center for Child Protection. “I think you’d be hard pressed to find a country that’s levied a fine against an electronic service provider for slow or non-removal of CSAM,” he says. 

The volume of CSAM increased dramatically across the globe during the pandemic as both children and predators alike spent more time online than ever before. Child protection experts, including anti-child trafficking organization Thorn, and INHOPE, a global network of 50 CSAM hotlines, predict the problem will only continue to grow. 

So what can be done to tackle it? The Netherlands may provide some pointers. The country still has a significant CSAM problem, partly thanks to its national infrastructure, geographic location, and its status as an internet hub for global traffic. However, it’s managed to make some major progress. It’s gone from hosting 41% of global CSAM at the end of 2021 to 13% by the end of March 2022, according to the IWF.

Much of that can be traced to the fact that when a new government came to power in the Netherlands in 2017, it made tackling CSAM a priority. In 2020 it published a report that named and shamed internet hosting providers that failed to remove CSAM within 24 hours of being alerted to its presence. 

It appeared to have worked—at least in the short term. The Dutch CSAM hotline EOKM found that providers were more willing to take down material quickly and to adopt proactive CSAM detection measures, such as committing to removing CSAM within 24 hours of its discovery, in the wake of the list’s publication. 

However, Arda Gerkens, chief executive of EOKM, believes that rather than eradicating the problem, the Netherlands has merely pushed it elsewhere.  “It looks like a successful model, because the Netherlands has cleaned up. But it hasn’t gone—it’s moved. And that worries me,” she says. 

The solution, child protection experts argue, will come in the form of legislation. Congress is currently considering a new law called the EARN IT (Eliminating Abusive and Rampant Neglect of Interactive Technologies) Act, that, if passed, would make open services up to being sued for hosting CSAM on their networks, and could force service providers to scan user data for CSAM.

Privacy and human rights advocates are fiercely opposed to the act, arguing that it threatens free speech and could usher in a ban on end-to-end encryption and other privacy protections. But the flipside to that argument, says Shehan, is that tech companies are currently prioritizing the privacy of those distributing CSAM on their platforms over the privacy of those victimized by it.

Even if the lawmakers fail to pass the EARN IT Act, forthcoming legislation in the UK promises to hold tech platforms responsible for illegal content, including CSAM. The UK’s Online Safety Bill and Europe’s Digital Services Act could result in tech giants being hit with multi-billion dollar fines if they fail to adequately tackle illegal content when the law comes into force. 

The new laws will apply to social media networks, search engines and video platforms that operate in either the UK or Europe, meaning that companies based in the US, such as Facebook, Apple, and Google, will have to abide by them to continue operating in the UK. “There’s a whole lot of global movement around this,” says Shehan. “It will have a ripple effect all around the world,” says Shelan. 

“I would rather we didn’t have to legislate,” says Farid. “But we’ve been waiting 20 years for them to find a moral compass. And this is the last resort.”