
Google tips off cops after spotting child abuse images in email - skreuzer
http://nakedsecurity.sophos.com/2014/07/31/google-tips-off-cops-after-spotting-child-abuse-images-in-email/
======
patio11
Google, Microsoft, and Facebook have been reported as having a list of image
hashes which they very strongly do not want you sending through their systems.
If you attempt to do so, that won't work out well for you.

One writeup of many: [http://www.microsoft.com/en-
us/news/features/2009/dec09/12-1...](http://www.microsoft.com/en-
us/news/features/2009/dec09/12-15photodna.aspx)

~~~
bcoates
That's a nice, subtle way of fucking with someone: spoofing messages that trip
these pedo-sensors won't result in an obvious mistaken raid, because the
police will want something more solid to go on (like the case in the OP) --
the victim will just show up as 'pedophile, we just can't prove it yet' in a
bunch of police databases/background checks/opposition research, and won't
know why the random searches randomly choose them every time.

~~~
Ueland
I suspect that the "hash" actually is the following info per file: sha1-hash,
md5-hash, crc32-hash and file size. If a file matches the file size, hash1 is
checked, then hash2 and so on. I will be pretty impressed if you can fake that
somehow.

Edit: this is a normal algorithm for files in general, but it appears to be a
image-specific algorithm used in this case. (A la imageDNA)

~~~
lifeisstillgood
If you are the sort of person able and willing to screw with someone's life
like that, you will have no qualms using your stolen credit cards to buy child
porn images to use in this way.

I remember a episode of some legal drama where our hero the judge had his
laptop "hacked" and child poem images installed on it. (Luckily it was make
believe so he was able to "delete" them before the other judges arrived with
the tipoff but that's not the point)

I think we shall soon enter a legal landscape where mere possession of digital
products does not imply legal possession. It's going to be an interesting
world.

~~~
tomjen3
Alternatively you could put feathers from endangered birds inside peoples
cars. Mere possession of such feathers is a felony.

There are plenty of ways to screw with people.

~~~
lifeisstillgood
That probably comes under the "hmmm, weird" federal statutes.

------
higherpurpose
This is why we need end-to-end encrypted communications to become mainstream.
Why the hell are our service providers becoming Internet police these days? We
didn't join Gmail or Facebook to "protect us from the bad guys", nor to have
them turn people in for whatever arbitrary "serious crime" they decide they
should support. It could be "child abuse" today, and "terrorism" (with
whatever vague definition accompanying it) tomorrow.

It's bad enough that the US government and Courts now think they have access
to anyone's information in the world, if they use American services. But US
service providers acting like they work for the government makes it even
worse.

Just stay out of our _private_ communications. How hard can that be, really?

~~~
tptacek
Really? Detection of known instances of child pornography is the reason we
need end-to-end encryption? As an advocate for end-to-end security, I find
this disquieting, in the "I think you're doing more harm than good with that
argument" sense.

------
reuwsaat
Google's actions were legal. The problem is, we, as a country, have still not
come to an agreement on what 'privacy' should entail in this brave new world.
Given that Google was not breaking the law in reporting this person, I would
argue it would have been immoral for them to have sat on this information.

~~~
TehCorwiz
I do have one question. What if it wasn't child porn? Would it be right for
them to go looking through your email for evidence of tax fraud? How about
smoking weed? Where do you draw the line? The question isn't "do the ends
justify the means?" the question should be "What if they're mistaken?"

EDIT: While I stand by my questions I acknowledge the use of PhotoDNA as
opposed to simply rifling through someone's inbox.

~~~
lclarkmichalek
Your question doesn't seem to be "What if they're mistaken?"; it seems you are
more asking "will they stop at child porn?". Anyway, I'd agree with jfoutz, in
saying that society has dealt with these problems before, and has managed to
create a fairly good line as to where something must be reported, and where a
person's privacy becomes more important. That's not to say they will manage to
create that line again, but it's also not to say they won't. Regardless, I
don't think it's an unavoidable slippery slope.

As for "What if they're mistaken?", well I highly doubt anyone will be
convicted off the basis of an automated image recognition tool alone. If they
are mistaken from time to time, then the person will probably have a warrant
(ha) issued for their email, and any investigation would follow normally. If
they're mistaken very often (i.e. the PhotoDNA implementation turns out to be
shit), then the police (or whoever is receiving these reports) will probably
stop caring, and nothing will have changed.

~~~
PhasmaFelis
> _As for "What if they're mistaken?", well I highly doubt anyone will be
> convicted off the basis of an automated image recognition tool alone._

"Convicted" isn't the fear, post-9/11\. The fear is getting put on a secret
government watch list and being harassed for the rest of your life with no
chance to ever clear your name, or even to be told why you're being screwed.

~~~
lclarkmichalek
Isn't that mainly terrorism, not paedophilia? Anyway, at least in this case,
the tip was sent to the National Center for Missing and Exploited Children,
which, being a private non profit, doesn't seem too closely associated with
the NSA/DHS/whatever government organisation you believe maintains these
lists.

~~~
DanBC
The UK version - the Internet Watch Foundation - is also a charity but you'd
be a foolish UK ISP to ignore what they say.

[https://www.iwf.org.uk/](https://www.iwf.org.uk/)

~~~
lclarkmichalek
The UK equivalent would probably be the NSPCC. If Google had a tip of an
individual person distributing these images they would not contact the IWF.
That would be for a website that was distributing these images.

~~~
DanBC
In the UK the IWF provide information about what to block and take reports
about hosted images.

CEOP are the group that Google would report people to.

[http://ceop.police.uk/](http://ceop.police.uk/)

------
glynjackson
When you use Google (Gmail) you signup to their terms of service. It states
that incoming and outgoing emails are analysed by automated software. The
article makes it seems like staff at Google are reading peoples emails or
spying on its customers. They don't!

~~~
lcedp
Usually they don't. [1]

[1] [http://gawker.com/5637234/gcreep-google-engineer-stalked-
tee...](http://gawker.com/5637234/gcreep-google-engineer-stalked-teens-spied-
on-chats)

~~~
DanBC
That case was very bad. It gets mentioned a lot. Is that because it happens
all the time, but that's the only case that was reported? Or is it because
it's very rare, and that's the only case there is to report?

(I doubt very much that Google has only had one employee who accesses user
data inappropriately and I really hope they take severe action when they find
it. I would really like to know the rates from similar large companies - FB,
MS, etc.)

~~~
lcedp
I'm not attacking Google in particular. It's just that the statement "Staff at
[X] aren't reading peoples emails or spying on its customers" is simply
logically false. Because sometimes they do it and we know it. Also, spying by
the means of automatic analysis is still spying. (Also, I believe the reason
it's done automatically is simply because it's more efficient, not ethics
issues)

------
s_q_b
Wait, what? Gmail is reading the content of email messages, and giving them to
law enforcement? There are a bevy of constitutional issues with this.

Now, I will preface this by saying that child molesters are despicable, no one
will argue that. But because they are so vile, they make great test cases for
pushing the boundaries of search and seizure law.

But the problem is that once the courts create a legal rationale to justify
Google reading the child molester's email, that rationale can be applied to
anyone.

So there's a whole host of defenses that could be raised:

1\. The Wiretap Act - prohibits interception of electronic communications by
private entity. Even Google's automated scanners, if applied to Gmail, could
fall afoul of this law.

2\. The Stored Communications Act - The Fourth Amendment creates very limited
protections for stored electronic communications like email under the "third
party doctrine." The third party doctrine essentially states that you have no
privacy rights under the Fourth for any information you voluntarily send to
another company or individual. The rationale being that, since you knowingly
transmitted it, there is no reasonable expectation of privacy. However, The
Stored Communications Act, part of ECPA, creates several statutory quasi-
Fourth Amendment rights for stored electronic communications, especially
email.

3\. Agent of the State This is the weakest argument, but essentially the
defendant could argue that Google was acting at the behest of the government,
and thus full constitutional protections would attach. The rationale here is
that Google and law enforcement were working so hand-in-glove that Google was
a de facto state agent. This would make it very messy, as more powerful
Constitutional protections would attach.

Now, the bottom line here is that Google is reading content and transmitting
it to law enforcement. I'm sure the right to read your email is in their ToS,
but that could be successfully challenged if the language is either too narrow
or overly broad as to be vague and thus void (two mistakes highly-paid
attorneys make quite often.)

EDIT: Forgot the exclusionary rule doesn't apply to evidence obtained
illegally by private parties. You'd need to show the public-private nexus to
have a chance in the criminal prosecution, but if you can brush Google back
off the plate a bit using the private causes of action in #1 and #2, you may
be able to get the discovery you need to prove the state-agent argument. For
example, I guarantee Google has government Powerpoints floating around about
activities certain agencies would like reported.

