What technical metadata (IP addresses, timestamps) are providers required to preserve and submit with CyberTipline reports under current rules?

1. Legal frame: reporting and preservation, not a mandatory metadata catalog

Federal statute 18 U.S.C. §2258A requires providers to report instances of apparent child pornography to the CyberTipline when they become aware of them, and more recent legislative changes treat a completed CyberTipline submission as a request to preserve the submitted contents for an extended period—now generally one year—subject to secure handling standards like NIST’s Cybersecurity Framework ^{[1] [7]}. That statutory regime creates a preservation duty for content and associated materials furnished with the report, but the statute and related NCMEC materials do not enumerate a legally mandated list of discrete technical metadata fields—there is no single clause saying “providers must include IP addresses and timestamps” ^{[1] [2] [3]}.

2. What NCMEC and the reporting API actually accept and circulate

The CyberTipline Reporting API documentation and NCMEC’s operational descriptions show that reports commonly include company contact information, file relevance and classification, file hashes or unique identifiers, and Internet locations for visual depictions—elements that NCMEC may share back with providers to help stop further transmission ^{[4] [5]}. NCMEC explicitly cites hash values, Internet locations and “other elements” as items that can be used to identify or curtail transmissions, signaling these fields are operationally important even if not mandated by statute ^[5].

3. The practical gap: investigators still often need warrants/subpoenas for logs

Practice on the ground reflects a gap between what CyberTipline reports typically contain and what forensic investigators need: analysts and prosecutors frequently must obtain account details, server logs, and original timestamps or IP-to-subscriber mappings via legal process because CyberTipline reports—especially those submitted by providers without extensive logging or contextual detail—may only contain summarized or derived information ^{[6] [8]}. Legal guidance warns that logs summarized in NCMEC reports can raise evidentiary issues in court if originals are not produced, reinforcing why law enforcement seeks subpoenas and warrants after a CyberTipline submission ^[6].

4. Variation across providers and the voluntary-detection reality

NCMEC’s public materials and data make clear there is substantial heterogeneity in the volume, content and quality of CyberTipline submissions because providers are not legally required to proactively detect CSAM nor to include any particular metadata elements beyond reporting the material when they become aware of it, leading to wide disparities in what technical metadata actually arrives in reports ^{[2] [3]}. Observers including academic and industry commentators have flagged incomplete reporting as a systemic problem that undermines triage and investigation, and some legislative proposals (e.g., the REPORT Act) aim to standardize preservation and reporting practices to reduce those gaps ^{[9] [7]}.

5. What can reasonably be expected to appear in a report today

Operationally, CyberTipline reports often contain the date received and a report number, an executive summary, provider contact details, counts of files, and where available hash values and Internet locations for alleged CSAM; many industry guides and legal summaries also list timestamps and IP addresses among the “relevant metadata” providers include when they can, even if those items are not uniformly present or legally mandated ^{[8] [4] [10]}. Where such metadata are not present in the CyberTipline submission, law enforcement typically treats the submission as the trigger to seek preserved originals—server logs, network timestamps, and subscriber records—through legal process ^{[6] [1]}.

Conclusion: rules create preservation duties and accept key identifiers, but do not compel a single metadata checklist

The bottom line is that current rules obligate providers to report apparent CSAM and to preserve the materials they submit (with an extended preservation period), and NCMEC’s procedures and law authorize and make use of elements like hashes and Internet locations, but there is no statutory one-size-fits-all list forcing providers to include IP addresses and timestamps in every CyberTipline report; in practice such fields are often included if available, and when they are not, investigators rely on preservation and legal process to obtain original logs and timestamps ^{[1] [5] [6] [2]}.