How paedophiles use cookies and keywords to hide sexual abuse images in innocent-looking sites
Content is being hidden behind legitimate-looking blogs and fake 404 error pages, and can only be unlocked by following a trail of clues
Your support helps us to tell the story
This election is still a dead heat, according to most polls. In a fight with such wafer-thin margins, we need reporters on the ground talking to the people Trump and Harris are courting. Your support allows us to keep sending journalists to the story.
The Independent is trusted by 27 million Americans from across the entire political spectrum every month. Unlike many other quality news outlets, we choose not to lock you out of our reporting and analysis with paywalls. But quality journalism must still be paid for.
Help us keep bring these critical stories to light. Your support makes all the difference.
Tech-savvy paedophiles are using a series of digital techniques known as “masking” and “breadcrumbing” to hide illegal materials from regular web users online, while allowing others to track down criminal images and film by following a series of covert clues.
The trend was exposed by the Internet Watch Foundation (IWF) in its latest annual report, which covers new information on how child sex abuse images and videos are being hosted, distributed and identified online. Normally used by cyber-criminals, the tricks are used to hide illegal material in plain sight.
“If you access the site directly, you just get legitimate content,” Sarah Smith, a technical researcher at the IWF, told The Independent. “If you follow the pathway through links from other sites, then it unlocks the child sexual abuse imagery.
“It’s stored in the browser, and it drops a cookie into the browser so it can see the trail that you’ve come along to actually access the site. Once you’ve followed that pathway through, you can see the child sexual abuse imagery.”
The illegal content can be hidden behind what appear to be legitimate blog sites, news sites or even fake 404 error pages. The IWF first discovered the approach in 2011, and says it makes the detection and removal of child sexual abuse imagery from the internet more difficult – and its use is on the rise. In 2016, some 1,572 websites were found to be using this method to hide child sexual abuse imagery, an increase of 112 per cent since 2015 (when 743 sites were identified). Just 353 websites were found to be using the techniques in 2013.
Ms Smith said there are two main reasons for the rise in popularity of “masking” and “breadcrumbing”. “Firstly, from the perspective of IWF, our remit is to get the content taken down. None of these sites are hosted in the UK, so we’re working with our network of partners worldwide. Because the referring websites can change rapidly and the cookies do expire, by the time we’ve got our reports out to law enforcement in other countries, that information may have changed.
“When it is reported on, people are accessing that domain directly to have a look at the content, assess it and get it taken down, but they’re not seeing the child sexual abuse imagery. It means that that content can stay up a lot longer.”
“Every single one of these images depicts a child being sexually abused and knowing that this content is being reviewed really can have a terrible impact on a victim’s recovery,” said Ms Smith. “The quicker the content comes down, the better.”
It’s one of the main reasons why the UK now hosts less than 0.1 per cent of the global total of child sexual abuse imagery. The IWF aims to see abusive content removed from the internet within an hour, working with industry members, hosting companies and the National Crime Agency to get this done quickly.
Europe hosts the majority of child abuse web pages (60 per cent), with North America in second place (37 per cent). This is partly because this is where large providers choose to host their data centres.
The IWF said “cyberlockers”, or remote file-sharing services, and image hosting sites are being used significantly more than other online services to conceal illegal material shared and viewed by paedophiles. “A secondary reason we believe criminals use masking and breadcrumbing is that these sites are essentially commercial enterprises,” continued Ms Smith. “They’re distributing the content commercially, and the way they’re doing that is defrauding affiliate schemes from legitimate providers.
“The ‘Know Your Customer’ procedures for a lot of payment services that have been providing service to some of these sites would be to go directly to the websites and just make sure that the content looks legitimate. Obviously, if they’re not aware of the pathway they need to follow, they won’t know that these websites are in fact distributing child sexual abuse materials.”
Criminals distributing child sexual abuse imagery tend to discuss their activities relatively openly in forums on the dark web, which provides anonymity, but Ms Smith says the majority of the content the IWF deals with is available on the open web, and accessible through mainstream web browsers such as Google Chrome and Safari.
“There are a small number of very prolific dark web forums we’re aware of, which are distributing content. Most of that is actually a gateway to links to content, which is being distributed on the open web. Particularly in terms of these disguised websites, they are solely hosted on the open web. We’re not talking about dark web sites here.”
The IWF report also reveals that paedophiles are using codes and keywords for finding hidden child sexual abuse imagery.
“At IWF we maintain a keyword list of search terms, some of which are fairly straightforward, others that are extremely specialist in nature, which can be used to locate this content online,” said Ms Smith. “In terms of the discussions paedophiles are having, it could be clear that these codes are being used euphemistically, and will then grow out of that and start being used more widely.”
Though the IWF did not reveal any examples publicly, it is known that while many codes are obvious, others are increasingly obscure. “We’re seeing offenders who seem to have a much higher level of technical knowledge,” said Ms Smith.
IWF chief executive Susie Hargreaves, meanwhile, has called on internet companies to do more to combat the distribution of child sexual abuse imagery. “Criminals need to use good internet hosting services, which offer speed, affordability, availability and access. Services that cost nothing, and allow people to remain anonymous, are attractive,” she said. “While it’s positive that the UK continues to remain hostile to child sexual abuse material, the global picture isn’t good. We’ve opened reporting portals across the globe, with more planned. In other countries, internet companies are exploited and, worst of all, children who have been sexually abused are further exploited.
“Internet companies and large businesses who are doing nothing, or too little, to address online child sexual abuse imagery need to step up and work with us.”
Suspected child sexual abuse images and videos can be reported anonymously through the IWF website.
Join our commenting forum
Join thought-provoking conversations, follow other Independent readers and see their replies
Comments