What are the elements of a NCMCE Cybertipline report of an image made by Google?

1. Reporter identity and required contact fields

Every CyberTipline submission includes information about the person or entity making the report, with the reporter’s email required by NCMEC’s schema and serving statutory notification duties for electronic service providers (ESP) under U.S. law; the API documentation explicitly lists reporter/contact elements as root elements of a report ^[1]. Guidance and historical summaries note that reports come from the public and predominantly from ESPs—platforms that have a legal duty to report apparent child sexual abuse material—so contact and source fields are central to the report structure ^{[5] [6]}.

2. Incident classification and motivation for the report

Each report must specify the incident type and the content that motivated the report (for example, CSAM, online enticement, or trafficking), and the API schema requires a field describing the relevance or relation of the file to that chosen incident type; NCMEC’s public materials and the API documentation make clear that incident categorization is a core element used for triage ^{[1] [6]}.

3. File-level elements: metadata, accessibility, and status

At the file level, the CyberTipline schema records whether the reporter viewed EXIF metadata, whether the entire file was publicly accessible, and the file’s reported status (reported by default unless specified otherwise); these specific file attributes are enumerated in the CyberTipline Reporting API documentation ^[1]. NCMEC’s labeling of files (e.g., tags for violence, age categories) and subsequent robust hash-matching depend on receiving such file-level descriptors from reporters ^{[7] [8]}.

4. Technical artifacts: hashes, contextual logs, and evidence provided

Google and other providers include technical artifacts—such as perceptual or robust hashes generated by tools like Google’s Hash Matching API—to allow NCMEC to recognize future versions of the same images and to prioritize urgent cases; Google frames its Hash Matching API as a contributor to NCMEC’s capacity to process millions of files and speed analyst workflows ^{[3] [4] [7]}. NCMEC and legal practice notes also explain that reports often include service-provider logs and contextual information that can identify users or victims and that such contextual data is sometimes necessary for law enforcement action ^{[2] [5]}.

5. Report categorization, urgency flags, and law enforcement referrals

After submission, NCMEC categorizes reports (for example, as referrals when sufficient information for law enforcement is provided) and flags urgent, time-sensitive reports involving imminent danger; NCMEC’s public data and reporting explain that referrals usually include user details, imagery, and possible location information and that urgent cases are prioritized by analysts ^{[7] [8]}. Google’s transparency materials confirm that reports may include identifying data about users and victims and that Google may take product-level actions in parallel with reporting ^[2].

6. What is not fully specified in public sources

Public documentation covers the schema fields and high-level content of reports but does not publish every internal decision rule or the exact payload Google sends for each image in all cases; the API schema lists many elements (contact, file attributes, incident type, hashes) but operational thresholds, internal heuristics, or the complete set of logs sent in every report are not exhaustively disclosed in the cited public materials ^{[1] [2]}. It is therefore accurate to say that a Google-submitted CyberTipline report for an image will include contact details, incident classification, file metadata (EXIF view status, public accessibility), hashes/technical identifiers, and contextual data where available, while acknowledging that some platform-specific fields and internal triage rules are not spelled out in the public sources ^{[1] [3] [2] [7]}.