Technical problems with child porn hotline operations

About this document

This page is maintained by Matti Nikki, with intent to participate in discussion of child porn filtering on the internet and the problems related to it.

This document relates to my findings about the Save The Children Finland's internet hotline Nettivihje, although it's likely that the same could apply to other hotlines and possibly even (although hopefully not) criminal investigations.


Some facts about the Nettivihje hotline operation

Observed behaviour

Browsers used at Nettivihje in January 2008

Problems

Web browser

194.197.245.XXX - - [25/Jan/2008:08:36:29 +0200] "GET /suodatuslista/?link=pela HTTP/1.1" 200 117192 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fi; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6"

Nettivihje uses an ancient version of Firefox from 2006 to check the tips. It would thus be fairly straightforward to craft a targeted attack towards them, considering they will check all URLs sent to them. Similar problems will affect other hotlines as well, and it would be wise for any commercial child porn operator to try to hijack a tipline to gather business intelligence. Who knows, this might already have happened.

A version of IE 6.0 has also been spotted browsing my pages, though I'm not sure if these accesses have been tip verification or if Save The Children Finland has just been researching who I am and what I do.

Operator mistakes

194.197.245.XXX - - [10/Nov/2006:12:11:53 +0200] "GET /http://teensminipussy.com/art/ HTTP/1.1" 404 1156 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fi; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6"

I found the above gem from logfiles of one of my side projects. Apparently someone sent a tip about my site to them, and after checking that there was nothing wrong, they copypasted the next URL into the browser. Unfortunately for them, the address bar wasn't cleared and the URL was instead sent to my server. I didn't notice this until recently, as I obtained their IP address and decided to check if they had visited any of my other sites in the past.

Although this incident happened in 2006, I have no reason to believe they have changed practices. Afterall, they still use the same old browser as back then, so it's unlikely they have had significant changes in their operations system. In this case they accidently revealed a suspected child porn site to me, and who knows how often this kind of thing happens with them.

IP address

inetnum:      194.197.245.48 - 194.197.245.63
netname:      PELASTAKAALAPSET-NET
descr:        Pelastakaa Lapset - Radda Barnen ry
descr:        Helsinki
address:      Save the Children Finland

Save The Children Finland operates several netblocks under the netname PELASTAKAALAPSET-NET, which identifies all their IP addresses. It would also seem that all their hotline browsing goes through a web proxy at a single address in the above netblock. Child porn sites, especially commercial ones, could easily check against this and return less offending material when the page is viewed by a hotline operator. Nettivihje thus faces the same problem as pedophiles do, they need to remain anonymous when accessing the material.

Information retrieval tools

194.197.245.XXX - - [10/Nov/2006:12:01:53 +0200] "HEAD / HTTP/1.1" 200 - "http://www.johnru.com/active-whois/" "Active Whois 4402 http://www.johnru.com/active-whois/"

During end of 2006, Nettivihje used an active lookup tool to check information from one of my websites. Combined with the IP address, this is a telltale sign to the target website that they're being investigated by a hotline. It's probably not a good idea to use tools that leave marks like this, and child porn sites could easily collect a blacklist of addresses from which probes like this originate.

Recommendations for hotlines

Keep your software up to date!

There is no excuse for running Firefox 1.5.0.6 when it has several known vulnerabilities in it. Also, use of Internet Explorer 6 at the office is slightly questionable now that IE 7 is out, although I don't know if it's been used to check the tips. It has however been used to read my pages, and it is thus possible it's been used to verify tips as well.

Anonymize your browsing

A lot of child porn traffic is moving on anonymous networks and anonymity services, so it'd be a perfect disguise for a child porn hotline as well. This way the child porn site operators can't block out access from hotlines, as they cannot distinguish them from real customers.

This could be tricky to implement though, as new attacks to reveal identities of anonymous users are constantly found and child porn sites could be built to depend on technologies such as java applets, flash or javascript which are often involved in the privacy breaching attacks.

Clear browser before checking a new tip

In the simplest, this could be implemented by setting homepage to about:blank and hitting "home" and clearing private data each time before pasting in a new link. Perhaps a Firefox extension could be developed to automate these tasks and to ensure operators cannot make simple mistakes.

No matter how this is achieved, it should be clear it is unacceptable that the child porn hotline accidently reveals reported sites to wrong parties.

Review your toolset

Know what tools you are using and what exactly they do. Make sure all personnel are only using authorized tools to do their work. Ideally the investigation should look like any average net user, not letting the illegitimate business know they're being watched. The tools used should reflect this, and unusual tools should be avoided unless they're known to be passive towards the target of investigation.

Closing words

Investigating child porn sites is a difficult job that's easy to get wrong. There are a lot of potential problems with practices currently used by the Finnish Nettivihje hotline, many of which would be easily remedied. I'm releasing this document to shed light to these problems with expectation of seeing some improvements both here in Finland and globally in related operations.