Google tips off cops after spotting child abuse images in email

http://nakedsecurity.sophos.com/201...s-after-spotting-child-abuse-images-in-email/

 

Darwin

 

As much as I'm against all this scanning emails for content crap, this guy had it coming. I don't just mean he was a bad guy and needed some "time out" in jail, as I'm against jailing a lot of these people who probably need professional help more than confinement. I mean he had it coming because he left the crap in his online email, and he picked Google to do it with. Anyone that damned stupid gets what they get.

 

How would you spot c-porn in an email?
Can an algorithm be created to do that or are some emails being looked at by humans?

Dave: Not sure the end justifies the means as the road to hell is paved with good intentions.

 

I find this interesting as well. It seems possible that an algorithm could identify child porn using some advanced young/nude recognition feature or maybe google has been provided with something like md5 hashes of all the child porn images already known and checks images recived/sent to see if their hash matches (and if so contacts the law).

Nobody is going to say that childporn is a good thing. But I still find it a bit disturbing that all we do has to be scanned and matched against some database, mail used to be you communicating with a friend, now you communicate with a friend and several third parties listens and reads that information as well.

 

There will be an algorithm that will forward suspicious images to a team of reviewers. I think a while back there was some article about some review team who pretty much give up their sanity to help filter this? Maybe I'm mistaken.

You'd think people that are registered on the offenders list would not be allowed internet access without a live wiretap with MITM on their line, sigh.

 

Probably file hashes or automated image comparison of known images. That's what other sites do. The problem with gmail would be that message wasn't encrypted from the host, so it'd allow anyone else to read the emails.

As terrible as that Jurassic Park III movie was, that one line "Some of the worst things imaginable have been done with the best intentions." wasn't too far off. Like with Tor, open wifi, ect, no one wants to put their name at risk for combating censorship.

I'd say that would go for alcoholics and drug addicts but sex addicts are worse when affecting the lives around them. Treatment for any disorder is far from perfect- the drugs are far from perfect and the psychologist are far from perfect. They can be 10 years in treatment and lapse. So I get why they would want to monitor and track certain people who are known to committed crimes before. No one else though should have to pay the price because of other people's behavior though and have their own privacy threatened as a result.

This guy had known issues back in 1994, probably had various "treatments" and probation officers. Let them control the sick freak, leave the rest of us alone.

 

Most likely no human spotted the images, more likely the image was scanned automatically by Google's child abuse filter.

This has gone on for years, and though I applaud the legal effort to catch the ppedophiles, I can easily see how such a system could be extended and abused.

It's little overhead for a big cloud service provider to compare a file to a large hash database and report any matching hashes to the police.

Google may already for its own reasons retain a hash database of all files uploaded or transmitted through its system forever, and no one will know until the police comes knocking or an opposing party seeks the data during discovery.

Updated: How Verizon found child pornography in its cloud
http://arstechnica.com/information-...izon-found-a-child-pornographer-in-its-cloud/

The takeaway from the story is that email is not private, and that encryption works.

How many similar file hash databases consisting of legal pornography, piracy or political sedition are out in the wild, and how secure are they in case of hacking, blackmail or abuse?

I'll state something I have thought of for some time, a large database of file hashes correlated with IP addresses, billing information and browsing history is a forensic landmine.

https://torrentfreak.com/copyright-troll-demands-comcasts-six-strikes-data-for-lawsuit-140425/
https://torrentfreak.com/comcast-mu...ings-with-copyright-troll-court-rules-140627/

If a file is uploaded to an online cloud, and the service keeps a log of IP addresses, timestamps and file hashes, this log can later be used to reconstruct what the user did.

If the file hash is already on someone's blacklist for copyright infringement, pornography or disloyalty, both the uploader and downloader can get in trouble.

And once people have been conditioned to accept the child pornography filter it's inevitable that other special interests will demand their share.

https://www.techdirt.com/articles/20100427/1437179198.shtml
https://www.techdirt.com/articles/2...es-to-new-zealands-child-porn-blacklist.shtml

Like the suspect in the Boucher case, this idiot only got caught due to his own stupidity.
Sending any sensitive file through a Gmail account leaves a trace forever.

But even the most stringent filter can't recursively follow, auto download and extract all links within an email.

If Bob wants to send a file to Alice, he can easily avoid Google's hash retention by uploading the file to a cyberlocker and email Alice the link

And if he is more smart, he doesn't email the link to cyberlocker.com directly to Alice but rather uses a temporary link expiring after a short time.

If the email is not flagged within a short time, what happens is that the temporary link expires, and the file on cyberlocker.com gets deleted.

Just an example:

Hello Alice
Here is a link to my super secret loveletter:

http://www.urltemp.com/xxx

This link expires after 48 hours.

---
If Alice opens her browser
http://www.urltemp.com/xxx and retrieves the link.

she can retrieve the link to the file stored on cyberlocker.com.

But if she is too slow, the contents of the email will not be of any use, and any third party trying to reconstruct the history after 48 hours can't necessarily prove which file Bob sent, or if she ever downloaded it.

 

Ok, good file hashes seem to be a good way of comparing things that are known hopefully that is how they did it.

As to help for known pedophiles, I am aware from a conversation on bbc radio5 in the uk that these people contacted the radio station to say they have tried to get help for their problems but there really is no help in the uk only punishment.

That i find very sad, children have to suffer and someone who wants to change their ways is also not able to prevent their bad compulsions thus suffering happens which could of been prevented.
This is why we need a sensible conversation (like we are having in this thread) rather than the castrate and burn them that seems to predominate in the media.

 

But a cloud service can only compare file hashes, if it scans and retains this information in the first place.

In other words, in order to compare a hash to a database the provider must already have a retention policy going beyond what is strictly necessary for serving the transaction.

This is really the hard logical issue; should a private corporation act as internet cop and save everyone's metadata in order to make law enforcement easier?

My own opinion is an emphatical no.

A cloud provider should only keep data for so long it's technically necessary for serving the data exchange.

 

I hesitate to comment, because I don't want anyone to think that I'm defending those who prey on children, in whatever manner.

However, I feel compelled to note that this is yet another problem for Internet governance. Age of consent varies, in various nations, from low to high teens. Given that the EU and US have asserted global Internet jurisdiction, what's to stop some nation with an age of consent at the upper end of the range from going after Google for handling messages with images of younger children, who were above the age of consent where the correspondents were located?

 

Yes i agree, there should be no data retention for the innocent user, registered sex offenders then yes there should be.
Data is leaked frequently by companies thorough carelessness,ignorance as well as making a quick buck off peoples information.

 

This is why its difficult to have a rational debate because it is seen (and rightly so) as the most heinous of crimes.
We need to try and keep emotion out of it.

 

What I find most concerning is that the suspect was already a convicted sex offender.

No doubt that he should not enjoy the freedom to walk the streets or use the internet.

I am convinced that society could avoid most Surveillance of the innocent, if those already convicted of serious crimes were incarcerated for life.

It's simply perverse that mass Surveillance of the innocent is driven by the need to track the very small number of dangerous recidivists.

Lock them up for life and restore liberty for the innocent!

 

My money are on the police sending lists to the tech companies who to follow.

 

I would agree about the rest of us are suffering because of the few but its seems to be the way of authorities to try to control and spy on their population it didnt used to be to protect the kids.
Its been to prevent terrorists, communists and no doubt others.

I dont like the idea of throwing away the key on anybody if there is any way to rehabilitate them.
Then we can monitor the few when they are out.

 

It has to go a step further- to encrypt the messages so that no one but the message percipients can view them. The problem is thinking "well it's the good guys and the bad guys, and the good guys have to just protect my data from getting in the hands of the bad guys". No, your information is yours.

As evident as Snowden says the guys in the datacenters which were freely swapping nudes of various people they came across: http://www.theguardian.com/world/video/2014/jul/17/edward-snowden-video-interview
Any information not encrypted is an easy free for all for anyone between where you sent the information from and wherever the percipient is. And I've always felt for as long as I've used the internet that stuff must bounce through quite a few servers and the like for it to get to its destination.

Encryption is a better deterrent than betting on people's good morals to not peak at your stuff.

 

Maybe Google didn't identify pictures but instead something that was written in message raised alarms. When they examined those mails they found pictures attached to them. Who knows?

 

You need secure endpoints as well for a secure connection. If one endpoint that does the decryption is potentially tapped then the connection can't be seen as secure.

Close to none home user has a safe setup. And if one end is easily hacked then its easily hacked, if the encryption is made server side it should be seen as cracked as well.

 

Note to self: Never upload unencrypted naked pictures of myself and my girlfriend on Google drive. Even though we are both above 18 I don't want some creepy Google employee ~ Snipped as per TOS ~ to my pictures and sharing them with all their other creepy collegues. No matter what company say about privacy they can't control 100% all their employees.

 

That's the problem with so called sex offenses, especially those that involve a minor. Intent is assumed, then treated as fact. When kids are involved, innocent until proven guilt isn't how it works. I was once accused of molesting a teenager, outside, on my own front porch. There was no evidence, no witnesses, just the word of the "victim" and my own. In court, the underage "victim's" word was treated as gospel, putting me in the position of having to prove my innocence. How do you prove that you didn't do something? The only thing that saved me is the "victim" couldn't keep their story straight regarding what happened. After offering half a dozen versions of the events, the judge concluded the testimony was fabricated. Even then, they tried to get me to plead guilty to disorderly conduct. I refused. They eventually dropped the charges without prejudice. I avoided being wrongfully convicted, but the costs of defending myself bankrupted me.

Many years later, I was called for jury duty. I was dismissed when the prosecutor brought up that I had once been charged with a sex crime. Over 10 years later, the fact that I was once accused of such a crime, not convicted of it, was used against me at jury selection. The accusation alone is sufficient to ruin peoples lives. I don't condone child porn, but I oppose its being used as an excuse, a means of coercion, and at times a weapon to frame people. Don't believe a lot of what you hear on the mainstream news on this subject.

 

To be honest, when using web services like GMail it would be naive to think that your info is safe from third parties. So I´m not really worried about it, I´m not doing anything illegal anyways. And I also think it´s a good thing that this sick ~ Snipped as per TOS ~ got nailed, I´m glad to give some of my privacy up for this kinda stuff.

 

Okay, I tend to avoid topics like this, but I have to ask: how much of this stuff has the NSA's spying campaign found, and not turned over to law enforcement authorities?

If you're going to throw out all pretense of online privacy, you might as well take it as an opportunity to find and incarcerate pederasts, sex traffickers, etc. And looking at what various NGOs are saying, it seems like there hasn't been much of that.

In this case I'm glad the Google employees followed through with their ethical obligations, but I think that might be an exception rather than a rule.

Edit: but NB, I could be misinformed. Sex crimes disturb me in the extreme, so I usually avoid discussions and articles on such topics.