What information does ncmac forward in regards to csam tips

1. What NCMEC receives and reviews: media, metadata, and categories

NCMEC’s CyberTipline intake routinely includes the underlying media alleged to be CSAM (images, videos, other files), an incident summary describing the alleged offense, internet details such as URLs or platform identifiers, and reporter information when provided, and NCMEC staff review that material to determine whether it falls into CSAM, exploitative content, or other categories before taking next steps ^{[1] [7] [2]}.

2. Structured data and annotations NCMEC forwards

Provider-submitted CyberTipline reports—whether delivered via the technical reporting API or web forms—contain structured fields that can include incidentType (e.g., “Child Pornography”), reportAnnotations (tags like sextortion, csamSolicitation, minorToMinorInteraction, sadisticOnlineExploitation), incidentDateTime, internetDetails (URLs, web page incidents), and reporter identity fields, and that structured data is part of the packet NCMEC uses when sharing reports with law enforcement ^{[7] [1]}.

3. Notifications to platform hosts and sharing with law enforcement

When NCMEC staff determine the reported imagery meets one of its categories, the agency makes a notification to the electronic service provider where the content is located and, as required by statute and practice, makes provider reports available to law enforcement agencies for investigation; that forwarding and notification workflow is a core CyberTipline function ^{[1] [3] [2]}.

4. How legal and policy changes shape what gets forwarded

The REPORT Act broadened the list of mandatory reporting triggers to include child sex trafficking and enticement and authorized NCMEC to issue guidance to providers on identifiers for those crimes within 180 days of enactment, meaning NCMEC’s guidance (and therefore what providers are likely to detect and forward) now explicitly covers additional categories beyond traditional CSAM ^{[4] [5] [6]}.

5. Who sends the majority of the content and limits on proactive searching

The bulk of CyberTipline submissions come from tech companies rather than the public, and while many firms now proactively detect and report suspected CSAM, federal law historically has not required providers to affirmatively search for CSAM—rather, the statutory duty is to report what they detect or otherwise become aware of, a distinction that affects both the volume and nature of material NCMEC receives and forwards ^{[8] [3] [1]}.

6. Trends, special flags, and the rise of AI-related reports

NCMEC’s data and public materials show rapid changes in report composition—examples cited by the Center and industry reporting note surges in AI-generated or AI-related exploitative content and large year-over-year increases in generative-AI–flagged reports, and NCMEC’s review process and annotations have adapted to incorporate such flags when forwarding actionable information ^{[5] [1]}.

7. Operational outcomes and transparency constraints

After review NCMEC “forwards” or makes reports available to law enforcement and notifies ESPs where appropriate, and it may add contextual or supplemental information to assist investigations, but public-facing transparency about individual forwarded items and downstream law enforcement actions is limited by privacy, investigative sensitivity, and statutory protections that also shield NCMEC’s CyberTipline activities in many respects ^{[2] [3]}.

8. Caveats and remaining unknowns

Reporting describes the fields and workflows NCMEC uses and the policy changes that expand reportable conduct, but public materials do not fully disclose the internal thresholds or triage algorithms NCMEC applies when deciding what extra contextual information to add before forwarding, nor the complete breakdown of what exact elements are included in every forwarded packet to law enforcement in every case ^{[1] [2] [3]}.