Separating fact from fiction on the technology used to detect child sexual abuse

Public debate around online child sexual abuse material detection is dominated by myths, misunderstandings, and hypotheticals. The truth is that detection technology is built on established safety and security tools that have been embedded across the digital ecosystem for decades.

These technologies are neither new nor experimental. They cannot be used to facilitate mass surveillance and do not break encryption.

Ongoing misunderstanding, and misinformation, routinely overlooks the child sexual abuse at the heart of the issue as well as the industrial scale circulation of child sexual abuse images and videos online.

That’s why I was pleased to speak with with Dr Ahmed Abdullahi, a fellow co-author of the Privacy-preserving Moderation of Illegal Online Content report by the Centre for Emerging Technology and Security, to clear up these misconceptions.

The internet already runs on hashing technology

A common myth is that child sexual abuse material (CSAM) detection technologies use unprecedented techniques to identify content online. Hash matching, for instance, is the most tried and tested form of detecting known content, including illegal content such as malware and viruses, alongside images and videos of child sexual abuse.

Hashing algorithms such as MD5 or SHA256 are foundational tools used across digital systems worldwide. They help verify file integrity, secure passwords, synchronise databases and ensure that systems can compare data quickly and accurately without exchanging the files themselves.

At its simplest, hashing converts a file into a unique mathematical signature. If two signatures match, the underlying files match. That principle is not controversial and underpins much of modern computing.

Hashing is used in CSAM detection to identify illegal images and videos that are already known to child protection organisations or law enforcement. The system does not view personal content – in essence, hash matching asks “is this number in the database”. If it is, we know the content is an image of a child being sexually abused. Hashing is central to the efforts of IWF, and many other hotlines, efforts to tackle the spread of CSAM.

These technologies are not new

Another myth is that CSAM detection technologies are immature or unreliable. However, perceptual hashing technologies, which have been designed to identify near-duplicate images even if they have been cropped, resized or slightly altered, have existed for decades.

Technologies such as PhotoDNA were developed specifically to combat the persistent recirculation of known abuse imagery. They can recognise images even if they have been modified to evade detection.

Again, this is not new in the wider technology ecosystem. Similar forms of matching, detection and upload prevention are already used extensively in cybersecurity. Anti-virus software identifies malicious files using signature-based detection. Web browsers compare URLs against databases of harmful websites to protect users from phishing attacks and malware.

We accept these protections because they help keep digital environments safe. The principle behind CSAM detection is no different.

Why the myths persist

Misunderstanding exists partly because conversations about online safety often become entangled with broader anxieties about privacy, encryption, artificial intelligence, state surveillance and so-called “chat control”. Those are legitimate debates, but, too often, nuanced technical discussions are replaced by slogans and worst-case hypotheticals that obscure the reality of how detection systems work and how safeguards can be enforced to ensure the tech does what it was designed to do.

“CSAM detection” is often spoken about as though it were a single technology. It isn’t – the ecosystem includes different tools designed for different purposes:

• detection of known CSAM through hash matching;
• detection of previously unknown abuse imagery;
• behavioural signals related to grooming and solicitation;
• reporting and moderation systems;
• human review and safeguarding processes. 

In the video, I compare this to a “Swiss Cheese” model – just as individual slices of Swiss cheese have holes, no single detection method is perfect. However, when multiple distinct safeguards are stacked together, the “holes” are covered, preventing harmful content slipping through the system.

Public debate also overlooks the sheer scale of the problem. Every year, organisations like the Internet Watch Foundation assess and action vast quantities of child sexual abuse material. Those numbers reflect the limits of human capacity, not the true scale of abuse material circulating online. The amount detected is not the same as the amount that exists.

Known CSAM detection is essential to prevent the constant re-upload of material that, in some cases, has circulated for decades. Every re-upload represents the continued victimisation of children whose abuse is being repeatedly shared.

At the same time, newer technologies aimed at detecting previously unknown material are becoming increasingly sophisticated and effective. As the internet evolves, detection capabilities cannot be asked to stand still – or worse, rolled back entirely. The consequence is not a safer or more privacy-preserving internet. It would simply make it harder to identify abuse, protect victims, and intervene when children may be in immediate danger.

It is often said that there isn’t a “silver bullet” where CSAM detection is concerned. Detection systems still require safeguards, accountability, transparency and human oversight. There must be robust redress mechanisms for false positives. Privacy protections matter. Companies should be clear about how systems operate and how reports are handled.

Yet, rejecting detection technologies outright ignores a basic reality: platforms cannot tackle industrial-scale abuse using human moderation alone. Industry needs to deploy effective solutions at scale.

The IWF was deeply alarmed by developments in the EU earlier this year. At the very least, tech companies that want to do the right thing must be legally permitted to do so. The absence of a clear legal framework for voluntary detection in interpersonal communication services should spur policymakers to prioritise agreement on the robust long-term framework under the Child Sexual Abuse Regulation – one that supports stronger action against CSAM online and delivers meaningful progress.

Public trust depends on informed debate which means moving beyond rhetoric, acknowledging the advantages and disadvantages of technologies while not disregarding them entirely, and grounding discussions in the reality of what is actually happening online.

We all share the same vision of creating a digital environment that is safe for all users – we need clarity, evidence, and the willingness to act to make this so for children.