Hi HN! I'm a data scientist at Thorn, a non-profit dedicated to defending children from sexual abuse. We're excited to open source some elements of our perceptual hashing tooling as a Python package. We've tried to make it very flexible, both for ourselves and hopefully also for others. Our aim is to provide tools that (1) help more people eliminate child sexual abuse material from the internet and (2) assist with common tasks where perceptual hashing can be helpful (e.g., media deduplication). We hope you'll take a look, get some use out of the package (check out the example use cases), and even contribute feedback and/or code to make it better.
I just wanted to take the opportunity to thank you for what you and your colleagues do. I honestly don't know if I could work in a field like that without just being overwhelmed by it, but I'm really glad that others can and do.
If I may, I'm curious about your thoughts on a few things, in the context of use case #1 (abuse), not #2 (deduplication):
* What are the challenges surrounding verification that your system functions properly, given that the test material is illicit?
* Can you speak to the reliability of the system in a sensitivity/specificity kind of way? In other words, what are the false positive and false negative rates?
* Are you aware of any large organizations leveraging your solution?
* Do you feel that the availability of these tools obligates service providers to use them, either morally or legally?
> What are the challenges surrounding verification that your system functions properly, given that the test material is illicit?
You're right that storing child sexual abuse material (CSAM) is illegal, unless you are the National Center for Missing and Exploited Children (NCMEC) or law enforcement. What is legal is to maintain a hash of known CSAM. NCMEC, law enforcement, and large tech companies maintain their own datasets of known CSAM hashes and, where appropriate, share them. The Technology Coalition [1] has more information on this.
All that said, we can and do simulate the system to verify that it works properly using bench testing with non-illegal content [2].
> Can you speak to the reliability of the system in a sensitivity/specificity kind of way? In other words, what are the false positive and false negative rates?
The false positive rate in practice is very low. We set our thresholds based on bench tests with an expected false positive rate of less than 1/1000 (the thresholds vary based on which hash function was used). Different hash functions are more resilient to some transformations than others (e.g., cropping, watermarks, etc.).
For the false negative rate, it depends entirely on the kind of modification made to the image. For many common operations, it is close to zero.
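To make the threshold idea concrete, here is a minimal sketch of the kind of bench test you can run with benign content. It is not our actual test harness; it just uses the package's PHash hasher on an example image and a downscaled copy, with a placeholder threshold (real thresholds are tuned per hash function against a target false positive rate, and the distance scale depends on the hasher):

```python
# Minimal bench-test sketch with benign content (illustrative only).
# Assumes the `perception` package and Pillow; filenames are examples.
from PIL import Image
from perception import hashers

hasher = hashers.PHash()

# Simulate a common transformation: downscale the original and re-save it.
original = Image.open("cat.jpg")
original.resize((original.width // 2, original.height // 2)).save("cat_small.jpg")

hash_a = hasher.compute("cat.jpg")
hash_b = hasher.compute("cat_small.jpg")

# Placeholder threshold; real thresholds are chosen from benchmark data.
THRESHOLD = 0.1
distance = hasher.compute_distance(hash_a, hash_b)
print(f"distance={distance:.3f} ->", "match" if distance < THRESHOLD else "no match")
```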
> Are you aware of any large organizations leveraging your solution?
Thorn builds technology to defend children from sexual abuse; one of the products we build for this purpose is Safer [3]. Perception provides an easy way to get started with the Safer matching service. Safer provides a more robust and complete solution, including handling a queue of content and reporting tools. Some organizations using Safer include Imgur, Flickr, and Slack.
But this technology (perceptual hashing) is used by many companies who don't use our tools. Our goal is just to make it easier for more people to get started.
> Do you feel that the availability of these tools obligates service providers to use them, either morally or legally?
Not being a lawyer or a public policy expert, what I can say is that the law, as I understand it, requires companies to report CSAM once they are aware of it. Working in this field I’ve learned two things pertinent to this question: (1) most people don’t know how pervasive an issue this is, and (2) there aren’t a lot of easy ways to start protecting your platform from this abuse. No one wants the cool new products and platforms they make to be used to abuse children. Privacy is important too, which is why solutions that preserve privacy and avoid leaking private information to third parties are critical; perceptual hashing allows us to do both.
A false positive rate of 1/1000 is hard to assess without actual prevalence stats, but with a decent-sized userbase it seems likely you're still going to get a significant number of false positives. Is it intended that users of your system would have employees manually vet all positives (with legal and mental health concerns) or just submit them without review? I'm coming from having built tools to support a large manual sweep in the 2000s and watching the toll it took on my coworkers.
Great question! Organizations decide how to handle reviews internally. So the answer to your question on “review all” versus “automatically submit” is, perhaps unsatisfyingly but honestly: it depends. We provide a guide [1] to help organizations formulate their own policies. And we're currently working on a content moderation tool that focuses on helping organizations operationally handle problematic content while considering the wellness and resiliency of reviewers.
Oh good, I'm sure most organizations can use something like that guide as well as the tools. There's a lot of legitimate worry about both the wellness side and the legal exposure issues, but beyond the common wisdom to be very careful (somehow), I think in a lot of minds there's a lack of clarity as to what exactly that means. Is there a particular reason access to the guide requires handing over contact information?
No, thank god. I was hired as technical lead for the team put together when my new employers inherited a medium-sized low profile social network primarily popular in SA and SEA from their parent company. We got a report on something in the supposedly mostly unused photo sharing feature and discovered there were no moderation tools at all, so the first thing I had to do was build something to even verify the reports. At that point it turned out to be necessary to do a sweep and legal thought it should be done by hand, so my coworkers spent days going through it. It would have been grueling for them even if they hadn't run into the awful material.
(I escaped having to help because my sole minion was the kind of guy who decompresses a several gb bzipped log file as root in _/root_ and wanders away while it's running.)
It seems like an image classifier would work in this field. Are you aware of ML-based image recognition and its utility here?
I'm imagining training data would be a hurdle, but surely you could give instructions or suggestions on how to train a model to people already authorized to work with the images.
Given the kind of burnout rate those people have at government agencies, I would guess that they have some form of partnership with the aforementioned agencies. I glanced through their FAQ and site but didn't see anything specifying that, however.
Other than that I have no idea how you would even be able to have the images to classify in the first place without running into problems.
To build a classifier, yes, you are correct. But this isn’t a classifier to identify new content that has never been seen. This uses perceptual hashes to help organizations detect if known CSAM is being shared on their platform.
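To sketch what that matching flow can look like in code (illustrative only: the known-hash list here is a hypothetical local file, whereas real hash sets come from NCMEC, law enforcement, or industry sharing programs, and the threshold is a placeholder):

```python
# Illustrative known-hash matching sketch using the `perception` package's PHash.
from perception import hashers

hasher = hashers.PHash()

# Hypothetical file with one previously computed hash string per line.
with open("known_hashes.txt") as f:
    known_hashes = [line.strip() for line in f if line.strip()]

candidate = hasher.compute("uploaded_image.jpg")

THRESHOLD = 0.1  # placeholder; tuned per hash function in practice
matches = [known for known in known_hashes
           if hasher.compute_distance(candidate, known) < THRESHOLD]

print("flag for human review" if matches else "no known-hash match")
```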
Was there discussion about the downsides of open sourcing the implementation? With an open source implementation, doesn't it become easier to find transformations that change the hash without changing the image in any way a human would notice?
Great question -- all of the hashes we included in the package have been public for years (except for PDQ, which was open-sourced this year). So this package doesn't reveal anything new with respect to the algorithms themselves. What we add is an easy path to using at least one of them for the CSAM hashing / matching use case. Non-public perceptual hashes for this use case exist and, naturally, are not available in the package.
Great question! PhotoDNA is the most well-known and supported hash function for this use case. And we do support hashing and matching with PhotoDNA in the Safer product. However, the PhotoDNA hash function is non-public so we cannot include it in an open source package. We support pHash as an open source alternative so that companies without PhotoDNA licenses can get started with hashing.
It’s been a long time since I had to implement PhotoDNA (I helped write a native PHP version of the PhotoDNA hash function at Tumblr). Can you indicate whether pHash creates hashes compatible with PhotoDNA’s output?
Cool (re: writing a PHP version)! Generally speaking, hashes from different hash algorithms cannot be used with each other.
By the way, would be glad to connect and chat, especially if you have any thoughts on pain points associated with perceptual hashing (email in profile).
Does NCMEC support collection and distribution of hashes for alternative functions these days? Six years ago they only supported PhotoDNA hashes (hence why we ported Microsoft’s version of the hash function).
My email is in my profile too, feel free to reach out if I forget.
> hashes from different hash algorithms cannot be used with each other
That’s what I thought, but your mention of pHash alluded to it maybe being an open source drop-in replacement for PhotoDNA, so I wanted to clarify instead of assuming.
Thank you so much for asking! Naturally, part of why we wanted to share this with the broader community was to make it so interested people can jump in and help out in the open. And I would be remiss if I didn’t mention the fact that we’re hiring! [1]
We can always use help raising awareness. Advocating for more survivor resources is a great place to start. Help spread the word through your social networks by connecting with us on Facebook and Twitter. Learn about even more ways to get involved and subscribe to our newsletter for general updates [2].
If you dare to look into this topic, please also take a moment to look at another child protection non-profit[1] that (quite unusually) counts human and civil rights and sex positivity among its core values.
You might feel uneasy about "sex positivity" being associated with preventing child sexual abuse. They also have a lot of other messages that might initially repel you. But I also think that "when you associate shame and guilt with sex, you are facilitating sexual abuse"[2].
Here is a relevant Twitter thread about CSEM content filtering[3] and the secrecy around it, secrecy that got them ejected from a public National Center for Missing & Exploited Children meeting merely for tweeting about what was being said.
This Show HN open source project by Thorn seems to be an enormous improvement on that front. Would it be resistant to adversarial hashing (false positives)?
In my opinion, Thorn focuses way too much on technological solutions, and has an outright hollow message beyond that. Looking at 10+ of their website's pages, they don't dare to try to confront or explain the actual child sexual abuse itself, but only its most visible ill effects.
I think it's good you posted this; the goals listed on the first link seem very reasonable to get behind, and it's something both I and researchers studying child sexual abuse material (e.g., Amy Adler, whose paper is one of the most cited in the field) have noticed. The rhetoric of "think of the children" can be and has been used many times to suppress sexual activity between adults, including fictional representations (such as manga and comics, some of which are illegal to possess in the UK), kinks (online ageplay roleplay is often targeted under obscenity law, despite being between two adults), and other cases.
In my view, the protection of children should rest on hard evidence showing causal links, not on suspicion and anecdote (it was, in fact, anecdotal testimony given before Parliament that was used in the creation of the bill in England and Wales criminalizing lolicon manga) or on "social harms" that seem obvious at first sight but are refuted by cultural anthropology (e.g., Patrick Galbraith and Mark McLelland have come to very interesting conclusions regarding how adults consume fantasy material). There is no group to fight for the few thousand people caught under this law so far (according to the English VAWG report 2017), nor do I imagine there will be. The organization you linked seems, at least, to have this sort of thing on the agenda.
I don't get it. Sounds nice, but what exactly does Thorn do? What is this Spotlight service they're providing? Seriously, I've just spent time on their site, but I don't get it beyond "using data". How do they use it?
Let's say I have friends in a local DA's office and I want to sell them on this idea of using the data they have. They just know that giving access to their data is a big legal headache. What exactly do I tell them to get them on board with this? (Exactly what data is handled, and how?)
What are some of the ways you can improve on the n-squared nature of these distance calculations at scale?
In your use case you have a limited set of hashes you are comparing against, but I'm thinking of the more difficult use case of comparing every image against every other image (the context is ML training and weeding out overly similar examples so that overfitting doesn't happen, not related to CSAM). This quickly becomes untenable if you get, say, millions or billions of images.
"Don't do that" is one answer but are there any other ways you have come across to mitigate that?
Hi there! Our example on deduplication [1] takes the case of deduplicating the Caltech256 [2] dataset for the purpose I think you're describing, which I interpreted as avoiding duplicates in a dataset so that you don't have images that end up in both your training and test sets. Even though the dataset contains >30K images, you can still do this in memory (and find a handful of duplicates!) because each category is relatively small and you probably don't need to deduplicate images of trains against images of dogs.
On the same page, we mention two tools (specifically, FAISS [3] and Annoy [4]) to help with doing approximate search for scales where computing the distance matrix is impractical.
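As a rough sketch of the approximate-search route (not part of the package; it uses the imagehash library just for brevity, and any 64-bit perceptual hash converted to a 0/1 vector works the same way; the paths and threshold are placeholders):

```python
# Approximate nearest-neighbor search over 64-bit perceptual hashes with Annoy.
import glob
from PIL import Image
import imagehash
from annoy import AnnoyIndex

paths = sorted(glob.glob("images/*.jpg"))   # hypothetical image directory
DIM = 64                                    # pHash is 64 bits by default

index = AnnoyIndex(DIM, "hamming")
for i, path in enumerate(paths):
    bits = imagehash.phash(Image.open(path)).hash.flatten().astype(int)
    index.add_item(i, bits.tolist())
index.build(20)  # number of trees; more trees = better recall, larger index

# For each image, look at its nearest neighbor (other than itself) and flag
# likely duplicates below a placeholder Hamming-distance threshold.
THRESHOLD = 8
for i, path in enumerate(paths):
    ids, dists = index.get_nns_by_item(i, 2, include_distances=True)
    for j, d in zip(ids, dists):
        if j != i and d <= THRESHOLD:
            print(f"possible duplicate: {path} ~ {paths[j]} (hamming={int(d)})")
```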
One more thing: I tried the different hashes that would run on my system (some had a dependency on opencv-contrib that was not met, and which python -m pip couldn't find) and found they aren't what I'm looking for. They may be good at finding different versions of the same image, but what I want is more like environment similarity. So that two pictures taken on the same street would be closer than a picture of the street versus a picture of a forest. They don't seem to be tuned for this task at all. So, my search continues. Let me know if you have suggestions on this as well.
Perceptual hashes in this family will probably not be the right fit for that use case. There is work out there to build hashes that are intended to find semantically similar content, typically using CNNs. Imagededup [1] seems to have one of these, though I have never used it myself.
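If you want to experiment with that, a common approach (not something our package provides) is to use an ImageNet-pretrained CNN as a feature extractor and compare embeddings with cosine similarity. A rough sketch assuming PyTorch and torchvision >= 0.13, with hypothetical filenames:

```python
# Semantic-similarity sketch: compare CNN embeddings instead of perceptual hashes.
import torch
import torchvision.models as models
import torchvision.transforms as T
from PIL import Image

# ImageNet-pretrained ResNet with the final classification layer removed.
resnet = models.resnet18(weights="IMAGENET1K_V1")
extractor = torch.nn.Sequential(*list(resnet.children())[:-1]).eval()

preprocess = T.Compose([
    T.Resize(256), T.CenterCrop(224), T.ToTensor(),
    T.Normalize(mean=[0.485, 0.456, 0.406], std=[0.229, 0.224, 0.225]),
])

def embed(path):
    with torch.no_grad():
        x = preprocess(Image.open(path).convert("RGB")).unsqueeze(0)
        return extractor(x).flatten()

a, b = embed("street_1.jpg"), embed("street_2.jpg")   # hypothetical filenames
similarity = torch.nn.functional.cosine_similarity(a, b, dim=0)
print(f"cosine similarity: {similarity.item():.3f}")  # closer to 1.0 = more similar
```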
Yes, I looked at Annoy previously and it is really impressive. I will probably revisit it as part of the solution here. You did interpret my use case exactly right. Thanks for the reply and especially for the links!
How do you defend against semi-transparent overlaying?
Take an image you want to censor and overlay it with a very transparent offensive image. Also publish the original image (or a second image with a different transparency value), and an in-browser extension can reconstruct the offensive image.
Your hash database will be flooded with wrong values.
This is a general attack against perceptual hashing. It tries to achieve multiple objectives. Using steganography you could embed any data in the image, like you would with encryption, as you suggest. But here it goes deeper.
By superimposing a very transparent bad image on the good one, the perceptual hash won't be affected, but the image will still be labelled as offensive by the poor person labeling the data, because the transparent offensive image is still visible. This means that the good data will be marked as potentially offensive.
This allows anyone to target any individual user or website. You take some of their published content, overlay an offensive image, and republish. The image will be reported as offensive, yet have a similar hash (i.e., a collision) to the good image, which automated systems will pick up as the original image being offensive, blacklisting its user or tanking the website in search engine results.
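For what it's worth, it's easy to check how far a given hasher actually moves under low-alpha blending. A quick sketch (illustrative only; it uses the imagehash library and hypothetical filenames):

```python
# Measure how much a pHash changes when a second image is blended in at low opacity.
from PIL import Image
import imagehash

base = Image.open("benign.jpg").convert("RGB")
overlay = Image.open("other.jpg").convert("RGB").resize(base.size)

blended = Image.blend(base, overlay, alpha=0.05)   # 5% opacity overlay

d = imagehash.phash(base) - imagehash.phash(blended)   # Hamming distance in bits
print(f"hash moved by {d} bits out of 64")
# A small distance means the blended image still matches the original's hash,
# which is exactly the ambiguity described above.
```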
Because this is sensitive data, by law it should be deleted as soon as it is detected, which means the evidence gets deleted automatically.
When I read about something like this, I can't help but wonder, how do you deal with error analysis and such? I personally would not be able to view such disturbing and revolting material. And if you don't do error analysis, how do you know this stuff actually works?
It only filters images that are already known. If child porn isn't already among the chaff, the only thing it can find, by definition, would be false positives. Which could be an interesting vetting exercise in itself: feed in tons of cat pictures until it dings on one as inappropriate.
Technically you can always try cycling through image combinations until one matches the hash and looks like child pornography, and nothing could technically prevent that, except that it would take a very, very long time.
Even with adversarial networks, I would be very surprised to get anything more than vague figures, and I don't even expect the result to look human. In which case it is really generating rather than finding.
From what I've read, this is supposed to catch the bad thing after it has happened, not to prevent it. Then you say that 1 in 1,000 is an acceptable error rate. 1 in 7 billion is not an acceptable error rate!
If you catch people who have done bad things you prevent the bad things they are likely to do in the future.
1 in 1,000 does seem a bit high to me, but the prevalence of the bad images matters. You also have to think about the consequences of false positives versus admitting child pornography. If 0.1% of innocent meme pictures get removed from a site incorrectly - that's not ideal, but how much sexual exploitation of children do you need to stop to make that worth it?
For more information on the issue, I urge you to check out our CEO's TED talk here: https://www.thorn.org/blog/time-is-now-eliminate-csam/
Documentation for the package here: https://perception.thorn.engineering/