Which companies have publicly reported sending CSAM reports to NCMEC and what details did they provide?

1. Who legally must report and why that matters

U.S. law requires electronic communication and remote computing providers to report apparent CSAM to NCMEC’s CyberTipline and sets obligations around preservation and disclosure to law enforcement, making the CyberTipline the legal clearinghouse for these provider reports ^{[4] [5]}. That statutory regime explains why platform reporting is both a compliance activity and a public-policy touchpoint: it channels company detections into law‑enforcement workflows and into NCMEC’s aggregate statistics ^{[4] [2]}.

2. Google: the most specific public disclosure and what it contains

Google has publicly reported detailed numbers and some methodological notes: in a company post it said that from January 2020 through June 2022 it provided 1,044,277 CyberTipline reports to NCMEC, that roughly 90% of imagery they report matches previously identified CSAM, and that they rely on hash lists from NCMEC and other trusted sources while independently reviewing hashes before reporting ^[1]. Those disclosures include both a headline count and claims about detection technique and false‑positive management, giving researchers a rare platform‑level view of both volume and process ^[1].

3. NCMEC’s aggregate picture—and its limits for identifying which firms reported

NCMEC’s public CyberTipline data show massive volumes—over 32 million CyberTipline reports in 2022 and more than 36.2 million reports (containing over 100 million files) in 2023—and assert that the bulk of those reports came from a small number of very large social, communications, cloud, and search providers ^{[2] [3]}. However, those NCMEC publications do not systematically list every reporting company alongside the counts they generated, and NCMEC itself notes that “the majority of companies did not report at all,” a claim that underscores both concentration of reporting and the practical difficulty of deriving a definitive public list from NCMEC’s aggregates ^[3].

4. What details appear in CyberTipline reports and common shortfalls

NCMEC data and child‑safety NGOs note that CyberTipline submissions vary in content: reports can include file counts, user identifiers, contextual metadata, and whether imagery matches known CSAM hashes, but some provider reports lack sufficient locating or identifying details for law enforcement to act—NCMEC and partner organizations have flagged that a portion of industry reports contain too little information to route to the appropriate agency ^{[3] [6]}. Advocacy groups and industry explain that matching to known hashes drives most detections, but that new‑content detection remains more complex and often yields less actionable metadata ^{[1] [6]}.

5. Policy shifts and why companies’ public disclosures may change

Recent legislative attention—such as the REPORT Act and related bills—expanded reporting categories, lengthened preservation periods, and placed new expectations on vendors who process CSAM, which could change what companies collect, preserve, and disclose publicly about CyberTipline submissions ^{[5] [7] [8]}. Advocacy groups and NCMEC argue these changes will improve investigations and reporting fidelity, while privacy and civil‑liberties observers have pressed for clarity about what platforms are required versus what they voluntarily disclose ^{[7] [2]}.

6. What can be stated with confidence and what the public record lacks

It is provable from the available reporting that Google publicly disclosed a specific aggregate count and described detection methods ^[1], and that NCMEC’s public statistics show enormous, concentrated reporting volumes without attributing them to a full roster of named companies ^{[2] [3]}. What cannot be asserted from the provided sources is a comprehensive, source‑verified list of every company that has publicly said “we sent X reports to NCMEC” beyond Google; NCMEC’s summaries and NGO commentary point to a handful of major providers but do not substitute for company‑level public disclosures ^{[2] [3]}.