Google Detects Cartoon Child Abuse | Log4j Chaos | Facebook Vs. Surveillance-For-Hire

Plus: Iranian Hackers Abuse Slack For Cyber Spying

In this week's edition of The Wire In Real Life, I look at how Google deals with child sexual abuse imagery when it doesn't contain real minors, but cartoon and animated material.

Erotic depictions of children are potentially illegal to own under U.S. law and can be detected by Google's anti-child sexual material (CSAM) systems, a fact not previously discussed in the public domain. Google has long acknowledged that its code can look out for child abuse using two technologies. The first uses YouTube-designed software that looks out for "hashes" of previously-known illegal content. Such hashes are alphanumeric representations of a file, meaning a computer can scan files within, for instance, a Gmail email and it'll raise a flag if there's a file with the same hash as the illicit photo or video. Google also uses machine learning tools to look at files and analyze them for any sign they contain CSAM.

It's not clear which of those two technologies were used in Kansas in late 2020, when Google detected “digital art or cartoons depicting children engaged in sexually explicit conduct or engaged in sexual intercourse” within a Drive account. This is according to a search warrant discovered by Forbes, that goes on to detail the graphic images, which included what appeared to be sexually explicit cartoons of underage boys. As per its legal requirements, Google handed information on what it found, as well as the IP addresses used to access the images, to the National Center for Missing and Exploited Children (NCMEC), which then passed on the findings to the DHS Homeland Security Investigations unit. Investigators used the IP addresses to identify the suspect as the alleged owner of the cartoons, and searched his Google account, receiving back information on emails to and from the defendant.

It appears the suspect may actually be a known artist. As no charges have been filed, Forbes isn’t publishing his name, but a Google search for that name and a small town in Kansas, where the suspect was identified as living, showed an artist who had previously won some small, local competitions. His artwork also picked up headlines on the West Coast in the 1990s.

The law around cartoon imagery is worded so as to provide some degree of protection for anyone owning or sharing animations of children engaging in sexual conduct for the sake of art or science. A prosecutor trying to convict anyone possessing such material would have to prove that the CSAM was “obscene” or that it “lacks serious literary, artistic, political, or scientific value.”

Google, meanwhile, has in recent years released transparency reports showing how many times it reports issues to NCMEC. The figures reveal a disturbing trend. In the first six months of 2021, it found more than 3.4 million pieces of potentially illegal content in 410,000 separate reports. That was up from 2.9 million in 365,000 reports in the last six months of 2020, and well over double that from January to June 2020, when 1.5 million pieces of CSAM material were discovered and reported to NCMEC in 180,000 reports. 

At the time of publication, Google hadn’t provided comment on the cartoon case and how it detects animated imagery in Google accounts.

Given the recent furore over how Apple planned to scan iPhone images for CSAM, a move it ended up delaying after criticism that it was compromising user privacy, the spotlight has been turned on how other tech giants deal with the issue. As Google doesn't end-to-end encrypt its communications tools like Gmail or its file storage tech like Drive, it's still possible for the tech company to scan for illegal content. And as it has no plans to introduce those features, law enforcement can still rely on Google to warn NCMEC when potential abuse happens on its servers.

Whether the majority of users will want Google to scan people's accounts so it can help find child abusers, or have improved privacy with end-to-end encryption instead, the Mountain View, California-based business will have to struggle with that balance in perpetuity. The same goes for any one of its rivals. 

A version of this story will go up on Forbes later today.

If you have any tips on government surveillance or cybercrime, drop me an email on tbrewster@forbes.com or message me on Signal at +447782376697.

The Big Story

The Stories You Have To Read Today

On the same day Facebook fired back at spyware vendors, Citizen Lab researchers revealed a former Egyptian presidential candidate and a friend of murdered journalist Jamal Khashoggi had allegedly been hacked by both NSO Group technology and that of little-known entity Cytrox. I interviewed Nour and heard about his fears he was in genuine danger because of the hacks. (NSO claimed the Citizen Lab report was false.)

Talking of NSO, it's reportedly considering a sale or a complete shutdown of its Pegasus spyware business in light of actions by the U.S. Commerce Department, which banned American companies from working with the Israeli company without the right license.

A vulnerability in widely-used app logging code known as Apache Log4J is being widely exploited and dubbed one of the most dangerous software flaws in recent memory. All federal agencies are now required to address the issues.

We may finally know why Huawei is persona non grata in the U.S. and elsewhere: a Bloomberg report citing multiple intelligence sources claimed that Chinese hackers breached an Australian telecoms provider via "a software update from Huawei that was loaded with malicious code."

Winner Of The Week

It might be in the middle of copyright litigation with Apple, but Floridian startup Corellium announced a $25 million funding round. None of the funds from Paladin Capital and Cisco Investments will be going on Corellium’s copyright fight with Apple, as the startup looks to expand.

Loser Of The Week

A 63-year-old defense contractor, John Murray Rowe Jr, allegedly sent hundreds of messages to undercover FBI agents, believing they were Russian government officials. He was caught handing over information about electronic countermeasure systems used by American military fighter jets, according to the Justice Department.