Hello again! Figure I'd get an article out for January. That, and it's been months now since I tried to sign up with the International Watch Foundation (IWF). So, what's going on with them, you may ask? Not a whole lot, and that's the problem.
On December 3rd, sometime around the Ramnode incident, I sent an email to the IWF Development Team (members@iwf.org.uk) inquiring about how to become part of their membership for internet service providers, so that I can gain access to hash lists and various other resources for defending Pomf against the scourges of the internet. Thankfully, the NCMEC was way, way better about this, so I'm still getting my hash lists (Including the IWF lists. Ha!), but the IWF? Nothing. Nada. Hell, if they didn't email me at all I'd be happier, but no. They felt the need to declare me "insignificant" and leave me on read. So my conclusion is:
The IWF takes a holier-than-thou stance when it comes to assisting smaller website operators in the universal mission to prevent the spread of child abuse material, possibly so they can operate an extortion racket or waste UK public funds.
Big fat claim, right? Well. Let's break down why I think this, and then let's toss them an olive branch afterwards.
Exhibit A: IWF Abuse Emails
IWF abuse emails are fun. They're a bit more threatening than your usual abuse emails. Here's an example from my transparency log: https://ghostbin.lain.la/paste/o2snb. Now, the language in this email is a bit distressing. Let's cherry pick a few key lines.
- "The IWF has downloaded a copy of the above-referenced material and alerted NCMEC of the details." - Great! You're an ESP. Congrats. So am I. Why would you bother saying this in a takedown message to another hosting provider that has nothing to do with the NCMEC? What purpose does it serve other than to threaten?
- "For more information regarding the CyberTipline and how to report to NCMEC please visit NCMEC information for ESPs on http://www.missingkids.com/cybertipline/." - This link 404s. I even TOLD THEM this link 404s, and they emailed me back, said "Yep, it's broken" then didn't fix it. Incredible.
- "those professionally involved in the management, operation or use of electronic communications networks and services need to be reassured of protection where they are acting to combat the creation and distribution of images of child abuse." - You'd be more re-assured if you worked with me, which you didn't. So.
The rest of the email contents I don't have much of a problem with, but these lines are pretty silly and stand out as ineffective posturing. Don't get me wrong - I understand the severity of serving CSAM, that's why I go through all this effort, but you catch more flies with honey than vinegar, no?
Exhibit B: My Emails with the IWF Membership Department
This email right here is a real kick in the pants, and the core focus of my complaint in Exhibit B. I didn't include my initial outreach which was something along the lines of "Please may we work together towards a common beneficial cause" as it's not relevant. This response tells all. https://ghostbin.lain.la/paste/hvqsu
- "Due to the sensitive nature of our work, our membership is not designed for individuals. Our services can only be offered to companies and organisations under licence." - I can assure you, I'm more qualified than you are, bucko. I have to handle your abuse reports, after all.
- "Its completion will provide us basic information about your interest and hence the support we could provide with access to IWF services. It will also help us to determine the membership cost which is according to member sector and size." - You bastards CHARGE? Are you KIDDING me? You'd think stopping child abuse from spreading the internet would be a charitable cause worthy of dedicating resources to. You are a charity that gets paychecks from massive corporations and even got funds from the EU (maybe not anymore after Brexit, lol). It's ridiculous to have a mandatory charge. Fuck off.
- "We conduct strict due diligence checks for all prospecting members; hence it is important that we have as much information from you as possible in order to complete these checks." - I'm sure gatekeeping the protection of children is a GREAT idea. I didn't even have to sign anything to begin making reports with the NCMEC. Maybe have a look over the pond for what you should be doing, eh?
Exhibit C: The IWF's Previous Mandates and Behavior
This is a bit of a low blow, but we need to talk about the previous mandates that the IWF had, and the incidents that they caused.
- Incidents can be found here. They're not pretty. https://en.wikipedia.org/wiki/Internet_Watch_Foundation#Incidents
- There's one about someone writing some nasty erotica. Writing is not a crime last I checked, except if you threaten to kill someone I suppose.
- There's one about blocking an album released in 1976. Music is not a crime last I checked too.
- There's one about blocking the entire Wayback Machine / Internet Archive. Archiving the Internet, except when it comes to CSAM, is also not a crime.
- Apparently there is a mandate in the UK as of 2010 that all sites that the IWF says should be blocked, are to be blocked by ISPs. This gets implemented via a transparent proxy server. Can you imagine YOUR service provider man-in-the-middling your internet? Invasions of privacy are NOT valid just because CSAM is involved. See: the Apple iPhone CSAM scandal.
- There is a treasure trove of criticisms here as well. https://en.wikipedia.org/wiki/Internet_Watch_Foundation#Criticism. In fact, someone tried to knock them off their charity status due to some of the same concerns!
- "The IWF used to also take reports of criminally obscene adult content hosted in the UK.". What does "Criminally Obscene" even mean? This was going on as late as 2017! Anything could have been on that list, and ISPs would be legally forced to block it. This could have been easily abused, and I bet it was.
Exhibit D: Les De Ridder.
Yeah sure I'll use a person as an exhibit. Anybody remember this particular incident? https://fuwafuwa.moe/nr/freeme/
This was the #1 most worrying thing about running a Pomf clone. That one day, some chucklefuck is going to upload something they shouldn't, and the local constabulary is going to come by, bust down your door, shoot your pet, and cart you away. Now, in short, that's exactly what happened to him (minus the pet part), but this particular paragraph is the most relevant:
"I have contacted the IWF in the past to see if they can perhaps work something out so smaller service providers like me can make use of their services (e.g. hash lists of child sexual abuse material to detect and remove abusive content earlier), which was discussed by their Directors and might hopefully become a reality at some point in the future."
This was in 2018. It has been almost FOUR YEARS and the IWF still has not gotten their act together, and continues to show no indication of ever wanting to get their act together. That leads me to believe their "Directors" went "harumph." and promptly placed Les's request in the circular file.
So, with all four exhibits laid bare in front of you, what can we conclude?
- The IWF threatens website operators and hosting providers with nebulous and condescending claims instead of submitting a reasonably worded takedown request.
- The IWF wants nothing to do with anything except corporations, likely because of financial incentives that those corporations provide, marrying charity with capitalism in a most problematic way.
- The IWF acts as an arm of the UK government, and that's usually not a good thing considering their previous... problems.
- The IWF will never change their ways, based on past behavior, and may continue to cause problems internationally for innocent hosting providers or website operators.
So, how can the IWF improve?
- Adjust the language in the email to be more respectful. Assume good faith. Provide resources in the email that don't 404.
- Start a program, or expand the existing program, to assist smaller website operators in defending their services against the spread of CSAM.
- Do not charge for these services and assistance unless the corporation makes a boat load of cash, and even then, don't make it mandatory except where actual hands-on-keyboard assistance is required for bigger systems and companies. You're a charity, remember that. Act like it.
- Ensure accountability around what material gets reported, how ISPs consume IWF data, and make sure that freedom of speech is protected while accomplishing the primary goals of the IWF.
I am happy to work with the IWF at any time. I do not hold grudges, and I welcome the assistance of any entity, person or company willing to pitch in to make the internet a better place. But until they clean up their act, we will not have correspondence outside of their abuse mailings, and that's a shame.
P.S If they escalate anything to the NCMEC instead of to my abuse mailbox, the NCMEC will happily send those details to me for analysis regardless, to which I will do my own report. So their threats of alerting the NCMEC, at least in Lain.la's regard, are toothless and should not result in the aforementioned constabulary visit. The NCMEC registration was as much as a public good as it was an insulating layer for my own protection and service uptime.