This is an excerpt from the Internet Organized Crime Threat Assessment by the European Union Agency for Law Enforcement Cooperation (Europol), 2017, EC3, European Cybercrime Centre. Download the full report here: https://www.europol.europa.eu/activities-services/main-reports/internet-organised-crime-threat-assessment-iocta-2017
CRIME PRIME: CHILD SEXUAL EXPLOITATION ONLINE
- Coercion and sexual extortion are increasingly being used to victimise children. Offenders use these methods to obtain further child abuse material, for financial gain or to get physical access to the victims.
- While peer-to-peer (P2P) networks continue to remain a key platform for the sharing and distribution of CSEM, reports indicate that every-day communication and social media applications are increasingly being used for the same purpose.
- Online offender communities operating from within the Darknet remain a primary concern, providing an environment for offenders to legitimise their behaviour, and to share both access to CSEM and OPSEC knowledge. The largest and most prolific offenders and communities identified by law enforcement had a significant presence on the Darknet.
KEY THREAT – SEXUAL COERCION AND EXTORTION (SCE) OF MINORS
As the internet becomes more accessible and available to younger generations, so do the tools and services for socialising and communicating online. Today children increasingly have access to the social media and messaging platforms which were undoubtedly designed and largely intended for adult use. As a consequence, social media sites are a key environment for online perpetrators to find, contact and groom potential victims. There is no one platform abused in this way; offenders will use whichever one suits them based on their language or location, whether it is popular social media sites or even some online dating sites.
For minors as well as adults, internet access is increasingly accomplished via mobile devices, which not only provide access to the social portals typically accessed via browsers on home computers, but also a continuously expanding range of social media, chat, and media sharing apps. These provide additional channels by which offenders can contact potential victims, in an environment where parents may have less visibility or control over their children’ activities.
In order to initiate contact with a child, offenders use fake profiles representing either other minors or celebrities, and will often be in contact with large numbers of potential victims at the same time. Offenders will typically maintain multiple profiles across multiple social media platforms, allowing them to target different victims with an appropriate fake persona. Some offenders still use their own profiles or those of an adult depending on their modus operandus, preferences and the platform they are using.
Once online contact has been made between an offender and a potential victim, offenders are much more likely to attempt to obtain sexually explicit material from them, rather than aspiring to arrange an actual meeting. The offender will groom the victim, encouraging them to send compromising images or videos. Once these are in the possession of the offender, the offender will aggressively coerce or extort the victim, typically threatening to share the images with family, friends, or other peers, or post them publically on the internet unless their demands are met. Such offenders can be extremely persistent, maintaining their threats for months or, in some cases years. Predominantly the offender seeks to obtain increasingly sexual and explicit material from the victim; this may be images, or in some cases the offender may demand the victim display themselves live via the internet. While most offenders simply seek to obtain CSEM from their victims, the threat of coercing a minor into meeting for hands-on abuse still exists.
In a smaller number of cases a financial payment is demanded. There is evidence that this activity is increasingly carried out by organised crime groups running their operation akin to a call centre; targeting, manipulating and extorting their victims in an industrialised, systematic way in order to extract money from them.
Almost 70% of European countries report cases involving the sexual coercion and/or extortion of minors, with more than half indicating that this is a growing phenomenon. While sexual extortion is not exclusive to minors, some reports indicate that over 70% of sexual extortion cases brought to the attention of law enforcement involve only minors. Moreover, once a victim has conceded to an ultimatum, they are more likely to be subjected to continuing, repeated demands by the offender. The motivation of the offender often differs depending on the victim. When targeting another adult, the motive is typically financial; when the victim is a minor the offender more often seeks control over the victim.
In June 2017 Europol’ EC3 launched its ‘ay NO’campaign . The campaign aims to help potential victims recognise prospective attempts to coerce or extort them, provides online advice, and highlights the importance of refusing the demands of the attacker, seeking help, and reporting the crime to the competent national authorities.
KEY THREAT – THE AVAILABILITY OF CSEM
While the volume of CSEM produced via sexual coercion may be growing, it is still assessed to be grossly overshadowed by the volume produced by hands-on abusers. Moreover, the nature of the material produced by hands-on abusers is, by definition, of a much more serious nature. The trend of increasingly younger victims, including babies and toddlers, and increasing levels of violence continues .
The dominance of peer-to-peer (P2P) networks for the sharing and distribution of CSEM remains unchanged from previous years. One country alone initiated over 700 new cases stemming from P2P networks; mostly from private groups on networks such as Gigatribe, but also from a significant number of public depositories such as eDonkey or Bit Torrent. In March 2017, European law enforcement launched the Police2Peer initiative to reach offenders operating on these networks . Law enforcement record video messages, name them and other files that are empty or contain image warnings so that they appear to be CSEM, and make them available on file sharing networks. Anyone downloading and viewing these files will receive a message by the police informing them that their activities are neither safe, invisible nor untraceable, and urging them to seek help.
A perhaps more worrying trend than continued P2P use is the growing complacent use of conventional, every-day communication and social media applications for the same purpose. The growing number of apps incorporating media sharing which also provide end-to-end encryption provides offenders with a wide range of easily accessible, popular and ostensibly safe tools by which they can share child abuse material. Almost all commonly used mobile messaging or communications applications feature repeatedly in law enforcement investigations. To a lesser extent webhosting and traditional email services are also used to distribute CSEM. Most offenders will combine the use of multiple platforms to gather and share, or attempt to generate, CSEM .
In April 2017, Europol and INTERPOL provided support to the Spanish National Police with Operation Tantalio, a complex investigation targeting the distribution of CSEM through Darknet platforms and invitation-only WhatsApp groups.
The joint action in Europe, against more than 30 suspects across five countries, was coordinated by Europol, with more than 100 targets focused on through INTERPOL in 13 countries across Central and South America. Altogether 18 different law enforcement agencies worldwide launched coordinated legal activities aimed at tackling this interconnected criminal network. The operation resulted in the arrest of 39 suspects in Europe and South America .
While some countries maintain that the majority of CSEM is still found on the open/surface web, several European countries continue to report an increased use of the Darknet by offenders to store and share material, and to form closed communities where offenders can discuss their sexual predilections with like-minded individuals and legitimise their behaviour. In February 2017, hacking group Anonymous hacked Freedom Hosting II, a hosting provider which hosted 10 000 Darknet web pages. In a public message left by the hackers, they indicated that 50% of the content related to CSEM .
Data from INTERPOL’ International Child Sexual Exploitation (ICSE) image database highlights that the majority of victims in CSEM appear to originate from Europe and North America. It also recognises a growth in the volume of new CSEM coming from South America and Russia as well as a rapid rise in the amount of new material originating from China. 
The phenomenon of self-generated indecent material (SGIM) also referred to as self-generated sexually explicit material (SGSEM), which was highlighted in previous year’ reports, continues to grow with over 60% of European law enforcement agencies indicating an increase in the number of cases involving SGSEM. This is partly attributable to the growing number of sexual extortion cases in which such material is generated. SGIM is images or videos which minors have produced themselves; either voluntarily or as a result of coercion. However, even material produced voluntarily, perhaps to be shared with partners, friends or even on social media, can end up in the hands of offenders. As an example, in a 2012 study by the Internet Watch Foundation (IWF) which assessed images believed to be SGSEM, 88% of those images were found on websites other than that where they were originally published This highlights the activity of offenders actively searching for, and collecting such images to add to their collections, the loss of control an individual has once such an image is shared, and the lack of awareness minors have as to what can happen when they produce such material.
The discovery of SGSEM by an offender, or other media which suggests a minor is already extrovert or comfortable posting material about them, can act as a catalyst for the subsequent targeting, manipulation and coercion of the producer of that material.
Some countries highlight the continuing activities of ‘fake’ modelling agencies or photo studios run by offenders to influence minors into producing SGSEM.
KEY THREAT – COMMERCIAL SEXUAL EXPLOITATION OF CHILDREN
The majority of CSEM is produced by hands-on offenders not only to satisfy their own sexual appetite, but also to share and trade with other offenders. The commoditisation of this material continues to be a powerful means of reinforcing offenders’ status in their communities. However, there is another aspect of CSEM production –that for financial gain.
While on the whole this does not appear to be a growing industry, some European countries do report an expansion of the Crime-as-a-Service business model, which supports other areas of cybercrime, into CSEM-as-a-Service –the production of CSEM on demand. This can include demands to produce sexual abuse material using different age groups, genders, or containing particular abuse acts or actions.
The full extent to which pay-per-view CSEM material is available and distributed is not fully understood, and requires further research. One aspect of the commercial distribution of CSEM that is more widely investigated however is that of live-distant child abuse (LDCA), or the live streaming of child abuse.
LDCA is the live broadcast of video footage of a child being sexually abused, where the actions of the hands-on offender are directed by the viewer or viewers who are observing remotely.
There is no shortage of applications for streaming live video feeds. Some of the applications used for contacting victims or sharing material can also be used for this purpose, including many well-known and widely used applications, which often provide end-to-end encryption. Some countries also report the use of online conference facilities.
While cryptocurrencies such as Bitcoin may be used between offenders involved in the commercial distribution of CSEM, these currencies are less accessible to those performing the hands-on abuse in LDCA. Consequently, payment tends to rely on more centralised or traditional means such as online payment service providers, or money service bureaux.
With comparatively wealthy Westerners as the main ‘customers’ or this type of activity, the financial incentives for a poor family in Southeast Asia or Africa who are prepared to subject children (even their own) to this can be considerable, while for the consumer the costs are negligible.
Investigation of these cases can be additionally problematic due to the environments in which the abuse occurs. In the Philippines for example, there is free public wi-fi widely available even in poor neighbourhoods, making location via IP data very difficult. Moreover, the crowded and often temporary neighbourhood constructions in poor districts make physical location equally difficult.
While most countries report that growth of this activity is stable, one third still report an increase in the number of cases.
KEY THREAT – BEHAVIOUR OF OFFENDERS
The operational security (OPSEC) of CSE offenders differs little from that of cybercriminals. The use of VPNs, proxies and other anonymising solutions is commonplace if not standard practice. Where public wi-fi or the unprotected wi-fi signal of a neighbour is available, these are also exploited.
Encryption is widely used to safeguard communications and stores of child abuse material, potentially frustrating investigations and forensic analysis. Offenders also continue to form communities and forums on the Darknet where they not only share CSEM and benefit from a high level of anonymity, but learn and share OPSEC.
While these developments are neither new nor unexpected, over two thirds of European countries report that the general level of OPSEC among offenders is improving, and over half report that this causes significant impact on their investigations.
FUTURE THREATS AND DEVELOPMENTS
A key challenge for law enforcement, and one which continues to grow each year, is the volume of material to analyse for any one investigation. Some reports suggest that a ‘normal’case has between 1-3 terabytes of material to analyse, including 1-10 million images and thousands of hours of video footage, although there are claims of some cases as large as 100TB, with over 100 million images and thousands of hours of video material  It is clear that using traditional, manual methods of analysis for these numbers are not sustainable. Several tech companies are making great leaps in developing solutions for image recognition, using novel and advanced methods that would likely be of considerable benefit should they be applied to the analysis of CSEM. It is therefore necessary that such solutions are available to law enforcement. This requires effective public-private partnerships and strong cooperation with industry and academia.
In January 2017 Europol’ EC3 hosted its third Victim Identification Task Force (VIDTF). The VIDTF 3 saw 25 experts in victim identification from 16 countries and 22 agencies coming together to identify victims of child sexual abuse and exploitation using advanced techniques, software and their knowledge and expertise. As a result, victims of this damaging crime were located living in several countries in the EU and beyond .
The ‘top Child Abuse – Trace an Object’campaign  was launched by Europol in May 2017. Tracing a victim by their image alone is challenging, however child abuse images are often seeded with objects, from beer bottles to bed linen, the identification of which could be invaluable in narrowing down the location of the abuse, which in turn may be crucial in identifying the victim or the offender. Such an approach has, in the past, yielded significant results. The campaign shares images of such objects with the public, opening them to a wider audience, and allows anyone with information to leave a comment.
The Darknet will continue to become increasingly relevant in terms of the types of offenders operating there and the more extreme nature of the activities they are engaging in; creating a key environment for offenders to legitimise their behaviour, and to share both access to CSEM and OPSEC knowledge.
Due to network speeds and storage limitations the majority of shared access to CSEM takes place through links posted on Darknet forums to file hosting sites on the clearnet. As a result, the majority of CSEM will likely continue to be hosted on the surface web, in such file hosting sites, on P2P networks and in cyberlockers.
There will continue to be steady growth in not only the number and availability of mobile applications which can be used to chat, meet and share media, and the devices to access them on, but also in the access to these by minors. While this will create greater opportunity for offenders, it is slowly being countered by the growing momentum of coordinated EU-wide prevention and awareness campaigns aimed at educating minors on how to stay safe online. There is a requirement for these initiatives to be incorporated into classroom education, which we could then expect to lead to a decline in the number of minors falling victim to extortion and coercion or other online solicitations.
While it is expected that minors will become better equipped to stay safe online, the same can unfortunately be said for offenders. Communication and storage applications and devices increasingly come with encryption by default, which, along with data protection and privacy issues, means that law enforcement can increasingly be denied access to the relevant data it needs to locate and identify offenders and to secure evidence.
Member States should ensure that any investigative tool or measure used for combating serious and/or organised crime is also made available and used to full effect in investigating online CSE… It should also be considered that prosecutions under organised crime statutes should be pursued for dealing with the key individuals creating, supporting and driving communities related to CSE crimes.
Further research within European law enforcement and beyond is required to identify the involvement of OCGs in the financially motivated sexual extortion of children and to form a coordinated response to this threat.
Crime recording and analysis systems in the Member States should be upgraded to better reflect and capture the different types of online sexual crimes being reported by or associated with child victims. This is particularly true for online sexual coercion and extortion but also applies to other types of CSEM related crime.
Europol should enable and coordinate the targeting, by Member States and partners, of key individuals creating, supporting and driving communities focused on child sexual abuse and exploitation and promoting operational security to their members.
The strategic and political commitments made by Member States through frameworks such as EMPACT and the WeProtect Global Alliance should be matched by the allocation of sufficient resources in the Member States.
Member States should strongly consider cooperating through Europol with agencies and bodies including the European Financial Coalition and other regional Financial Coalitions to tackle the increasing abuse of legitimate payment systems enabling child sexual abuse and exploitation.
Law enforcement agencies in the Member States should continue exploring through Europol how online resources, including electronic service providers, can help in diverting offenders from offending behaviour to resources that will help them cope with their sexual attraction to children.
Education is the best defence that can be provided to minors. It is therefore essential that the momentum for joint, EU-wide prevention and awareness activity is maintained so that strong and effective messages can reach those that need it. Integration in education, and the education of parents is also essential. In addition every opportunity must be made available to enable victims to report abuse. This will require the right legislation, environment, culture, reporting mechanisms and support network to be available.
53. The Brookings Institution, 2016, Sextortion: Cybersecurity, teenagers, and remote sexual assault, p12.
55. NetClean, 2016, The NetClean Report 2016: 10 important insights into child sexual abuse crime, p14.
57. NetClean, 2016, The NetClean Report 2016: 10 important insights into child sexual abuse crime, p16.
60. NetClean, 2016, The NetClean Report 2016: 10 important insights into child sexual abuse crime, p14.
61. Internet Watch Foundation, 2012, Study of Self-Generated Sexually Explicit Images & Videos Featuring Young People Online, p5.
62. NetClean, 2016, The NetClean Report 2016: 10 important insights into child sexual abuse crime, p12.
From the 2016 Netclean Report: Younger children and more violence
Several police officers commented that they see an increasing trend of images and videos with infants and toddlers. They also said that the images and videos are becoming increasingly violent. The same trend was reported in the NetCleanReport 2015.
“Every case the amount of infants/toddlers is increasing. It started where an occasional case would have a high volume of infants/toddlers. Now each case has it and some have thousands of them.”
“I have seen an increase in sadomasochistic “torture porn” of children; there also appears to be a greater number of images/videos depicting the sexual abuse of non-verbal children, i.e., infants and toddlers.”
“Continues to be a rise in more graphic material, highest category, and younger/youngest age, particularly babies/toddlers.”