Deciphering NCMEC Cybertips

NCMEC Cybertips are frequently misread or misunderstood due to the complex language used in them. This misunderstanding is shared by law enforcement, prosecutors, and defense attorneys alike. In this article, I aim to clarify some key aspects of NCMEC Cybertips.

What is a CyberTip?

Under 18 U.S.C. 2258A, electronic service providers (ESPs) such as Snapchat, Instagram, Facebook, and X are required to report “apparent child pornography” to the National Center for Missing and Exploited Children (NCMEC).

What is NCMEC?

NCMEC is a non-profit organization established by Congress. One of its key functions is managing the CyberTipline, which serves as a clearinghouse for complaints of child sexual exploitation and child pornography. NCMEC reviews incoming reports and refers them to the appropriate law enforcement agency, typically a regional Internet Crimes Against Children (ICAC) task force.

How do ESPs report "apparent child pornography"?

While not all providers have direct access to NCMEC’s system or permission to submit tips electronically, the CyberTipline Reporting system serves as the central point for ESPs to report incidents. Companies can submit details such as the time and date of the reporting incident, email address, screen name, IP address, and all suspected images and videos.

What is the retention policy for ESPs?

NCMEC requests that ESPs retain a copy of the reported files for 90 days.

How do ESPs locate potential child pornography?

There are several methods:

Method 1: User complaints. A user submits a complaint about another user, and the file is sent to a content moderation system where a moderator flags it as suspected child pornography. Content moderation is often outsourced to companies like Concentrix, which employs workers in countries such as the Philippines, Taiwan, and South America at rates as low as $5.00 per hour.
Method 2: Hash list matching. ESPs use hash lists to match against their files. The only validated hash list is the one provided by the Internet Watch Foundation. It’s worth noting that some non-profit organizations hire former law enforcement officers to gain access to hash lists, which they then sell to ESPs or require ESPs to sign agreements mandating the reporting of matches. This practice is often justified by claiming that each detected image represents a child saved from exploitation, thereby leveraging fear to raise funds.
Method 3: Artificial Intelligence (AI). This method is highly flawed and unreliable.
Method 4: PhotoDNA. This service, operated by Microsoft, analyzes files by breaking them into smaller pieces, hashing those pieces, and comparing them to hashes of known child sexual abuse material.

Anatomy of the CyberTip

CyberTip - Executive Summary

Please pay special attention to the following details.

CyberTip - Section A

This section contains a brief description of the incident, the time of the incident, the webpage involved, and the email, username, and IP address of the reported individual. The IP address provided is directly related to the report, such as the address used to upload the offending files. It’s crucial to note that the incident time refers to when the file was detected on the ESP’s network, not the date and time of the alleged crime.

For example, if a suspect has a file of child pornography in their Dropbox from February 2022 to the present, and NCMEC distributes a new hash list in January 2025 that includes the hash of that file, the incident date would be in January 2025. This date does not reflect the actual time of the alleged crime.

Uploaded File Information

At the end of Section A, information about each uploaded file is provided. For each file, it should indicate whether the reporting ESP viewed the file and whether it was publicly available. If the ESP did not provide this information, it will state “(Information Not Provided by Company)”. This is significant because if the file was not publicly available, a distribution charge may not be appropriate.

Pay particular attention to the “Image Categorization by ESP”. Although it appears in Section A as if it came from the ESP, the files are not actually categorized by the ESP. The statement “See Section B for further explanation” indicates that NCMEC adds this categorization. This is done to assist law enforcement, who can then state in search warrants that the ESP categorized the file as child pornography, even though the process is entirely automated.

CyberTip - Section B

This section includes geolocation information for the IP address associated with the report. The location provided is approximate and should only be used to identify the appropriate law enforcement agency or task force, not for securing a warrant or identifying a suspect. The latitude and longitude are typically based on the state or city linked to the IP address and often represent a central point in the city rather than a specific address. The Internet Service Provider (ISP) that owns or controls the IP address is also listed. If the IP address is associated with a residential ISP, investigators can use a subpoena to obtain subscriber information and the service address for the account at the time of the offense.

Cybertip - Section C

This section contains any additional information, which may include references to other CyberTipline Reports linked to the same username or IP address. It may also include unverified information from public websites.

A point of confusion is that the ESP may state they did not review the file’s contents but still provide a categorization. Meanwhile, NCMEC claims they did not review the contents but attributes the categorization to the ESP. In reality, ESPs receive hash lists without categorizations, and it is NCMEC that adds this information. The language in Cybertips is designed to suggest that the ESP or NCMEC reviewed the file, but the process is automated. Law enforcement often requests search warrants without accessing the ICAC Data Systems VPN to view the files. If you need assistance in proving that the files were not accessed prior to applying for a search warrant call us.

CyberTip - Section D

This section provides the contact information for the law enforcement agency to which NCMEC submitted the report.

How are CyberTips sent to local law enforcement entities?

The Department of Justice’s Office of Juvenile Justice and Delinquency Prevention (DOJ OJJDP) developed a system to route Cybertips and associated contraband files to the appropriate local law enforcement entity based on the IP address of the alleged offender. This system is known as the ICAC Data Systems or Deconfliction. Through this system, it is possible to determine when an officer downloaded the Cybertip and the contraband files, as well as whether the investigation was initiated within or outside their jurisdiction. Below is a sample showing the download of a Cybertip.

Why choose Garrett Discovery experts for your next child pornography case?

We are the leading service in the U.S. for defending against charges involving sex crimes.
Our CEO is a speaker at the National Association of Criminal Defense Attorneys’ Sex Crimes Seminar in 2023.
We are the only forensic firm in the nation with access to the software used by law enforcement to detect peer-to-peer (P2P) file sharing, known as Torrential Downpour Receptor.
We have handled over 500 cases involving the possession and distribution of child sexual abuse material.
We achieve not guilty verdicts or voluntary dismissals in cases across the U.S. almost weekly, with a success rate of over 57% last year.
Our experts have never served as law enforcement officers and have testified more than 800 times in U.S. and international courts.
We are the NACDL’s 2024/2025 Affinity Partner.
We accept indigent service rates (JAC, CJA, Panel).