What is on a ncmec esp cybertip
Executive summary
A CyberTip submitted by an electronic service provider (ESP) to NCMEC’s CyberTipline typically contains descriptive incident metadata, any suspected images or videos, account identifiers and network data, reporter and platform details, and NCMEC analyst labels and law‑enforcement referral information; these elements are used to route, prioritize, and preserve potential child exploitation cases for investigators [1][2]. Public reporting and technical documentation show ESP submissions can also include file‑level metadata (EXIF), accessibility flags, and links to related reports, while legal rules require certain preservation and disclosure practices under 18 U.S.C. §2258A [1][3][4].
1. What the CyberTip form and API accept: incident types and narrative
ESP CyberTips capture the reason for reporting—categories like online enticement, child sexual abuse material (CSAM), child sex trafficking, unsolicited obscene material, misleading domain names, or child sexual molestation—and a narrative describing what triggered the report so NCMEC and law enforcement can understand context and motive for the submission [5][2][1].
2. The files themselves: images, videos, hashes and EXIF
Most ESP reports attach the suspected content (images, videos or links) or include hash values; the CyberTipline API and reporting guidance show fields for whether the ESP viewed file EXIF, whether file contents were publicly accessible, and the relevance of each file to the incident—details used to identify duplicates and map material across platforms [1][6].
3. Account and technical metadata: usernames, IPs, timestamps
Reports commonly include account identifiers (email, screen name), timestamps and event dates, IP addresses and any URLs involved; the technical documentation and practitioner guides note ESPs can supply time and date of incident, email address, screen name, IP address and reported files to aid law enforcement tracing and preservation [1][4].
4. Reporter, platform and legal flags: who reported and preservation obligations
A CyberTip records the reporting entity’s contact, which may be a member of the public or an ESP, and flags about whether the reporter is an ESP subject to statutory duties; 18 U.S.C. §2258A codifies ESP responsibilities to report “apparent child pornography,” to preserve content for a statutory period, and to share certain information with NCMEC and law enforcement [3][7].
5. NCMEC analyst work: labeling, bundling and law‑enforcement referrals
After submission, NCMEC analysts review and label content—estimating child age range, content type and other descriptors—to prioritize cases and create law‑enforcement referrals; NCMEC also bundles duplicate tips tied to the same viral incident to reduce redundancy, and sends reports and additional analysis on to appropriate investigative agencies [2][6][8].
6. Limitations, ambiguity and incentives to read cautiously
Public and expert sources warn CyberTip contents sometimes mix ESP classifications and unverified public information, and it may not be clear whether an ESP manually reviewed a file or used automated detection tools like PhotoDNA; this ambiguity leads to misreading of CyberTips by investigators and the public and reflects platform incentives to comply with reporting law while minimizing cost or legal exposure [9][4][7].
7. What CyberTips are used for — and what they are not
CyberTips are a clearinghouse tool: they are meant to notify law enforcement and help platforms remove content, inform NCMEC’s prevention work, and preserve evidence, not to adjudicate guilt or provide exhaustive investigative file packages—some fields will be missing or unverified depending on ESP practices and what the reporter supplied [2][6][1].