Fighting the Good Fight: Preventing the Spread of CSAM with Software

Every hosting company has issues with resource and network abuse. Abuse can take many forms, ranging from DDoS attacks to the hosting of illegal materials on servers. AbuseIO was released in December 2014 as open-source software to aid in the prevention of Internet abuse. It began as SpamCheck at BIT, an Internet technology company. When others expressed interest in the software, the decision was made to turn it into an open-source project. The software (partly) automates the handling of abuse reports, making the entire process much faster. The software is open-source and free to use for anyone who wants to. It also continues to be developed.

“This tool has enormously increased the amount of work we can handle, by automating processes while taking into account security checks. SCARt helped us quadruple the number of URLs we can process. The result really signifies the importance of implementing smart IT when combating CSAM.” – Dutch CSAM Hotline

In the years following its release, the EOKM (Dutch Expertise Center for Online Child Abuse) expressed interest in anti-abuse software and asked if it was possible to develop a tool to help automate the process of CSAM (Child Sexual Abuse Material) reporting. SCARt was developed as a response to this request. SCARt is a piece of software that assists in the processing of CSAM reports and sends NTDs (Notice to Takedown) to site owners and/or hosters when CSAM is discovered on their sites and/or servers. SCARt also verifies whether or not illegal content was removed after the NTDs are sent. By (partially) automating this process, analysts who would normally have to manually verify each instance of CSAM are relieved of a significant amount of mental strain. In 2022, The Danish CSAM hotline (Red Barnet) also began testing SCARt.

SCARt is free to use for any organization that wants or requires it to aid the fight against the spread of CSAM on the Internet. It is not, however, freely available for download, because someone with malicious intent could modify the source code and maliciously use it for CSAM detection. Credentials must be checked to ensure that SCARt is only used by legitimate organizations and foundations. This is done by checking with other hotlines (such as EOKM) and determining whether or not the organization/foundation is a member of INHOPE (International Association of Internet Hotlines). As a result, the tool is open-source, but the anti-CSAM specific code is not available to the general public.

How does SCARt help

Every year, CSAM hotlines all over the world receive a large amount of information to process because, unfortunately, there will always be illegal content on the Internet. In 2021, for example, EOKM processed more than 800,000 URLs. By automating the system, more reports can be processed, which means that more CSAM can, will, and should be taken offline.

SCARt can receive URLs to process from multiple sources. ICCAM, a tool developed for INHOPE to aid the prevention of the spread of CSAM, can be linked to SCARt via an API. This connection then feeds all ICCAM reports for the relevant country (in the case of EOKM, the Netherlands; for Red Barnet, Denmark). Another option is to use an online form (so, with the help of the public). A hotline’s website can include a reporting form where concerned citizens can report URLs they come across that may contain CSAM. This form is then connected to SCARt, and the processing starts.

The URLs that are fed into SCARt via the different sources are scraped for images. The images are then hashed. If the hash of an image corresponds to a hash that was marked as illegal content before (either in SCARt, ICCAM or any other database), the image will immediately be classified as illegal. Images that are unidentifiable (so no hash on file) will be processed by human analysts to determine whether or not they contain illegal content. Any illegal content will be flagged and SCARt can then automatically send the NTDs to the website owner or hoster(s). SCARt will also check if the images get taken down after the NTDs are sent.

The future (and beyond)

SCARt is a highly modular piece of software. Image scraping can be enabled or disabled, and instead of images it can be configured to scrape text. More extensive logging, among other things, can also be enabled. As a result, the tool is suitable for use as a general abuse reporting tool. Government agencies can use it to prevent the dissemination of terrorist content online, banks can use it to stop phishing sites, and brands can use it to combat fake web shops. The open-source community adds features and improves the tool as it is used in more diverse ways. As a result, the CSAM hotlines will benefit.

Regrettably, the work of preventing CSAM is never done, so SCARt is already constantly being improved. One of the long-term goals is to improve the AI module to automatically classify CSAM images, making the process faster and less mentally taxing for the analysts who now still have to view this horrifying content on a daily basis. SCARt is a non-profit foundation that is supported by grants, donations, and the effort of the open-source community. Together, we can help keep children safe.

If you are interested in knowing more about SCARt and its implementation, contact Wido Potters at wido@bit.nl.

Els works as Marketing Coordinator for BIT. In her job, she is involved in all things marketing and contributes to publications for BIT.

Wido has been working in the internet industry for almost 20 years, since 2006 at BIT. He is an active member of the anti-abuse community. Wido is founder of the AbuseIO Foundation and co-founder of the Dutch Anti Abuse Network.