67. Given the concern about the growing scale of offending, the Inquiry considered the ways in which industry and government currently prevent perpetrators from accessing indecent images of children and the proposals for future technological developments.

Hash list

68. As explained above, the IWF operates a hash list. This is a separate list to the list of hashes within CAID. At present the IWF cannot share CAID hashes with any UK company but can share CAID hashes with six US companies. Ms Hargreaves explained that the hashes cannot be shared because the Information Commissioner’s Office (ICO) has classified hashes as personal data within the meaning of the General Data Protection Regulation (GDPR).^[1] The IWF is working with the Home Office, the NCA and the ICO to see if this obstacle can be overcome, which has the potential to increase the pool of known child sexual abuse images that can be detected in proactive searches.^[2]

Blocking access to URLs

69. The IWF’s URL list identifies those web pages where the IWF has found images or videos of child sexual abuse. The URL list is provided to industry members so that they can block access to those web pages. It is used by around 70 companies, including Google, BT and Microsoft. Once the indecent imagery is removed from the web page, the web page is removed from the URL list. The URL list is updated twice a day. Ms Hargreaves said that on the day she gave evidence, 17 May 2019, there were 5,800 URLs on the list “which is pretty average”^[3] but that there had been as many as 12,000 URLs on the list.

70. Kevin Brown, Managing Director of BT Security, explained that by 2004 BT had developed a blocking tool called Cleanfeed, which downloaded the latest IWF URL list. If a BT customer tried to access a website that was on the URL list, access to that website would be blocked. Since approximately 2013, a warning message is displayed on-screen “alerting customers to the fact that they have accessed a site that has been deemed as hosting indecent images”.^[4]

Example of warning message for blocked website
Source: BTG000003_018

71. In 2015, BT conducted a one-off exercise to try and establish the number of times that BT blocked access to child sexual abuse imagery in the UK. Between January and November 2015, “the average number of attempts to retrieve the CSA image was 36,738 every 24 hours”.^[5]

72. Cleanfeed is automatically applied to all internet traffic delivered by BT, including BTnet customers such as Plusnet. Mr Brown told us that EE uses a blocking platform called Wolf which works in the same way as Cleanfeed.^[6]

73. Facebook began discussing the use of the URL list with the IWF in 2014 but as at the public hearing in May 2019 still had not adopted the list. Both Facebook and the IWF were asked why it seemed that little progress had been made in the intervening five years. Ms de Bailliencourt said that it was a UK-based employee who in 2014 first started discussions with the IWF but that:

“At some time, there were other projects which were implemented ahead of the list … so I reinitiated those conversations, probably a year and a half ago, and we have been working on making this happen.”^[7]

Ms Hargreaves stated that when Facebook first approached the IWF in relation to the URL list it was because Facebook “wanted to use it for monitoring purposes, which is not a designated use of our list”.^[8]

74. On 25 September 2019, Facebook stated that it had reached an agreement with the IWF and “look forward to deploying [the URL list] soon”.^[9]

75. The use of the URL list is vital in the efforts to prevent access to child sexual abuse imagery. It is difficult to understand why Facebook did not deal with this matter sooner.

Keywords lists

76. Perpetrators often create their own search terms for finding and hiding indecent images of children. Ms Hargreaves told us that this language can include “a series of numbers or exclamation marks or different languages or weird terms”.^[10]

77. The IWF has therefore created a list of keywords which is available to its members, particularly those who operate internet search facilities or moderate content. This enables organisations to block a search for such material. Ms Hargreaves told us that, by May 2019, there were “just under 500 key words” on the list.^[11] The IWF has another “8500 that we just do not have the resource to assess at the moment”.^[12]

Other measures

78. The Inquiry also heard about work undertaken between the NCA and Visa Europe, whereby Visa Europe sponsored NCA financial investigation officers to help prevent the use of payment cards to purchase indecent images of children. Mr Jones told us that “the use of mainstream payment mechanisms … has been virtually eradicated from the mainstream providers”.^[13] This appears to be an example of good collaborative practice.