Image forensics, the dark web, and why we do it
By Freddie Lichtenstein
Data privacy legislation is often characterised as being in conflict with effective crime detection and prevention, but is this the truth?
Legislation such as the General Data Protection Regulations (GDPR) confer essential rights to individuals, and impose responsibilities on organisations that process personal data. At the same time large scale data processing is a powerful tool for law enforcement. Victims of Internet Crimes Against Children (ICAC) have a right to be safeguarded, and society demands that investigators are equipped to bring perpetrators to justice.
At CameraForensics we don’t see these principles as mutually exclusive. When combined, they provide us with a powerful ethical framework for maximising the benefits of our work – not just for the investigators and victims we are seeking to help, but also for the wider public as well as ourselves and our customers.
Our primary mission is to assist Investigators of ICAC, modern slavery, human trafficking and counter-terrorism (and similar crimes or offences) in the identification of victims and to resolve investigations more quickly and efficiently. These benefits are only worth it if we can collect and process data in a way that does not present unacceptable risks to the general public, our customers or ourselves.
Our approach to data privacy, proper use, and user confidence is multi-faceted and assessed regularly.
Probably the most obvious risk when processing data is a data breach leading to the loss of control of the data, and the potential for misuse by unauthorised parties.
To control this risk, we use a range of defensive measures to protect our search index and activity on our systems, covering the data in transit and at rest.
Additionally, we employ periodic third-party tests to check for vulnerabilities and continually harden our systems against unintentional or malevolent threats.
Identifying individuals from the data contained in our search index requires additional information from elsewhere to establish clear links. Our platform is designed in a way to only be useful when combined with investigators’ research. Without initial metadata and a focal point to start from, our data on its own won’t be beneficial, which significantly limits the potential impacts of a data breach and any subsequent misuse.
Another key principle of sound data management is minimisation - we’re very cautious to steer clear of any data collection and storage that isn’t necessary for our core mission.
Our index is regularly reviewed to ensure that redundant or out-of-date information removed. The GDPR define several types of “Special Category” data – those data relating to the protected characteristics of an individual and sensitive data such as biometrics. As Special Category data is not relevant to our search process, we do not, for example, store any crawled images themselves, and we don’t store or process biometrics of any kind. Put simply, if it can’t help further the investigations of law enforcement agencies, or it can’t help find and safeguard potential victims, we don’t store it or use it.
One of the big challenges when working in the counter-ICAC domain is the risk of exposure to potentially illegal and distressing material.
Recent research has emphasised the significant emotional, cognitive, social, and behavioural consequences faced by investigators who need to review ICAC material as part of their vital work.
We design our system in such a way as to minimise inadvertent exposure to harmful material. By generating new leads and links that help solve cases more quickly, we also reduce the need for investigators to review additional harmful material thus mitigating consequential harm wherever possible.
When it comes to ethical data management, the way we collect our data is almost as important as the data itself. As well as adhering to several data privacy regulations throughout our work, we also enforce our own internal regulations for ethical data collection and processing.
‘Polite crawling’ is just one of these additional steps. It means that we always index sites while paying close attention to their preferences and regulations.
If a domain on the open web prefers not to be crawled, we’ll also bear this in mind – making sure that we always work ethically, morally, and responsibly – following our ‘lead by example’ mindset.
Read more: What is web crawling and how do we do it?
Data privacy legislation is always evolving, as lawmakers around the world strive to keep up with new technological trends and techniques.
Different rules apply in different regions of the world, and our law enforcement users must also adhere to additional constraints and requirements when it comes to data protections and individual rights for greater protection than ever.
The web is global, and we operate across international borders. As a result, we continually review and update our understanding of incoming legislation around the world. We strive to meet or exceed the requirements of the most rigorous frameworks – and see this as key to protecting our users.
Our greatest priority is helping to safeguard victims of online exploitation in any, and every, way we can. Due to the work that we do, collecting and processing publicly available data is unavoidable.
But, by adhering to strict governance policies and our own ethical standards, we ensure that any data we use provides a clear societal benefit while minimising any risks to personal rights, and protecting all of our stakeholders.
To discover more about the work that we do here at CameraForensics, and to read more of our industry insights, visit our blog.