Hacker News new | ask | show | jobs
by faustomorales 2418 days ago
Thanks for asking these important questions!

* What are the challenges surrounding verification that your system functions properly, given that the test material is illicit?

You're right that storing child sexual abuse material (CSAM) is illegal, unless you are the National Center for Missing and Exploited Children (NCMEC) or law enforcement. What is legal is to maintain a hash of known CSAM. NCMEC, Law Enforcement, and large tech companies maintain their own data sets of known CSAM hashes and, where appropriate, share them. The Technology Coalition [1] has more information on this. All that said, we can and do simulate the system to verify that it works properly using bench testing with non-illegal content [2].

* Can you speak to the reliability of the system in a sensitivity/specificity kind of way? In other words, what are the false positive and false negative rates?

The false positive rate in practice is very low. We set our thresholds based on bench tests with an expected false positive rate of less than 1/1000 (the thresholds vary based on which hash function was used). Different hash functions are more resilient to some transformations than others (e.g., cropping, watermarks, etc.).

For the false negative rate, it depends entirely on the kind of modification made to the image. For many common operations, it is close to zero.

* Are you aware of any large organizations leveraging your solution?

Thorn builds technology to defend children from sexual abuse, one of the products we build for this purpose is Safer [3]. Perception provides an easy way to get started using the Safer matching service. Safer provides a more robust and complete solution including handling a queue of content and reporting tools. Some organizations using Safer include Imgur, Flickr, and Slack.

But this technology (perceptual hashing) is used by many companies who don't use our tools. Our goal is just to make it easier for more people to get started.

* Do you feel that the availability of these tools obligates service providers to use them, either morally or legally?

Not being a lawyer or a public policy expert, what I can say is that the law, as I understand it, requires companies to report CSAM once they are aware of it. Working in this field I’ve learned two things pertinent to this question: (1) Most people don’t know how pervasive of an issue this is, and (2) There aren’t a lot of easy ways to start protecting your platform from this abuse. No one wants the cool new products and platforms they make to be used to abuse children. Privacy is important too, which is why solutions that preserve privacy and avoid leaking private information to third parties are critical, and perceptual hashing allows us to do both.

[1] https://www.technologycoalition.org/

[2] https://perception.thorn.engineering/en/latest/examples/benc...

[3] https://getsafer.io

EDIT: Line breaks
2 comments
nieve 2418 days ago
A false positive rate of 1/1000 is hard to assess without actual prevalence stats, but with a decent-sized userbase it seems likely you're still going to get a significant number of false positives. Is it intended that users of your system would have employees manually vet all positives (with legal and mental health concerns) or just submit them without review? I'm coming from having built tools to support a large manual sweep in the 2000s and watching the toll it took on my coworkers.
link
faustomorales 2418 days ago
Great question — organizations decide how to handle reviews internally. So the answer to your question on “review all” versus “automatically submit” is a, perhaps unsatisfying, but honest: it depends. We provide a guide [1] to help organizations formulate their own policies. And we're currently working on a content moderation tool that focuses on helping organizations operationally handle problematic content and considers the wellness and resiliency of reviewers.

[1] https://www.thorn.org/sound-practices-guide-stopping-child-a...

link
nieve 2418 days ago
Oh good, I'm sure most organizations can use something like that guide as well as the tools. There's a lot of legitimate worry about both the wellness side & the legal exposure issues, but it seems like beyond the common wisdom to be very careful (somehow) I think in a lot of minds there's a lack of clarity as to what exactly that means. Is there a particular reason access to the guide requires handing over contact information?
link
mayniac 2418 days ago
>I'm coming from having built tools to support a large manual sweep in the 2000s

Any chance you're one of the devs behind C4All?

link
nieve 2417 days ago
No, thank god. I was hired as technical lead for the team put together when my new employers inherited a medium-sized low profile social network primarily popular in SA and SEA from their parent company. We got a report on something in the supposedly mostly unused photo sharing feature and discovered there were no moderation tools at all, so the first thing I had to do was build something to even verify the reports. At that point it turned out to be necessary to do a sweep and legal thought it should be done by hand, so my coworkers spent days going through it. It would have been grueling for them even if they hadn't run into the awful material.

(I escaped having to help because my sole minion was the kind of guy who decompresses a several gb bzipped log file as root in _/root_ and wanders away while it's running.)

link
ALittleLight 2418 days ago
It seems like an image classifier would work in this field. Are you aware of ML based image recognition and its utility here?

I'm imagining training data would be a hurdle, but surely you could give instructions or suggestions on how to train a model to people already authorized to work with the images.

link