What technical indicators do ISPs use to identify CSAM viewing versus accidental access?
Executive summary
ISPs and related providers primarily rely on hash-matching (including fuzzy hashes and PhotoDNA), blocklists from organisations such as the Internet Watch Foundation (IWF), and classifier/AI tools to detect known or likely CSAM; industry surveys report that 89% of large tech-company members use at least one image hash-matcher and 59% use video hash-matchers [1]. Governments and vendors also promote DNS/blocklist blocking and network-level filtering; voluntary guidance recommends hash lists such as the IWF hash list and cites ISPs blocking millions of access attempts during past COVID-19 lockdowns [2] [3].
1. Known-content detection: the “fingerprint” tools ISPs use
The dominant, concrete technical indicator is hash-based matching: a hash is a digital fingerprint of an image or video that allows an ISP or service to match content against a database of previously verified CSAM. Tools and lists named across reporting include PhotoDNA, MD5, PDQ, CSAI Match and the IWF hash list; industry reporting says these hash-matchers generate the majority of CSAM identifications reported to authorities [1] [4] [3]. Providers supplement exact hashes with “fuzzy” or perceptual hashing to catch altered images that would defeat traditional hashes [5].
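To make the difference between exact and "fuzzy" matching concrete, the following is a minimal sketch, assuming a pre-vetted hash list and a PDQ-style 256-bit perceptual hash compared by Hamming distance; the list names, threshold, and functions are illustrative assumptions, not PhotoDNA's, PDQ's, or the IWF's actual interfaces.

```python
import hashlib

# Hypothetical hash-list matching sketch. The constants below are assumptions
# for illustration, not any vendor's or hotline's real list format.
KNOWN_MD5_HASHES: set[str] = set()       # exact hashes of previously verified files
KNOWN_PERCEPTUAL_HASHES: list[int] = []  # 256-bit perceptual hashes, stored as ints
MATCH_DISTANCE = 31                      # assumed bit-difference cutoff for a "match"

def md5_hex(data: bytes) -> str:
    """Exact fingerprint: changes completely if even one byte of the file changes."""
    return hashlib.md5(data).hexdigest()

def hamming_distance(a: int, b: int) -> int:
    """Count of differing bits between two perceptual hashes."""
    return bin(a ^ b).count("1")

def check_image(data: bytes, perceptual_hash: int) -> str:
    # 1. Exact match against previously verified material.
    if md5_hex(data) in KNOWN_MD5_HASHES:
        return "exact-hash match"
    # 2. Fuzzy match: perceptual hashes stay similar after resizing or recompression,
    #    which is how altered copies of known images can still be caught.
    for known in KNOWN_PERCEPTUAL_HASHES:
        if hamming_distance(perceptual_hash, known) <= MATCH_DISTANCE:
            return "perceptual-hash match (near-duplicate)"
    return "no match"
```

The design point the sources emphasise is visible here: an exact hash breaks as soon as a file is altered, whereas the perceptual comparison tolerates small changes at the cost of needing a distance threshold that someone must choose.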
2. Beyond exact matches: AI classifiers and risk indicators
When material is novel or altered so it lacks a stored hash, platforms apply classifiers and machine-learning models that score content for CSAM likelihood. Vendors such as Safer by Thorn offer “Predict” classifiers that analyze thousands of visual attributes to flag probable CSAM for human review [6]. Industry surveys indicate 57% of surveyed members use at least one classifier to detect unhashed CSAM, reflecting an acceptance that hashing alone cannot find everything [1].
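The sketch below illustrates how a classifier score typically becomes an operational signal in the two-stage flow the sources describe (hash match first, classifier only for unmatched material). The 0.70 review threshold and the function names are invented for illustration; this is not Thorn's Predict API.

```python
# Hypothetical two-stage decision: hash-matched content is reported, unmatched
# content is scored by a model and queued for human review above a threshold.
CLASSIFIER_REVIEW_THRESHOLD = 0.70  # assumed value; real deployments tune this

def assess(hash_matched: bool, classifier_score: float) -> str:
    """Decide what to do with one item given hash-match and classifier results."""
    if hash_matched:
        return "report: matched a verified CSAM hash"
    if classifier_score >= CLASSIFIER_REVIEW_THRESHOLD:
        return f"queue for human review (classifier score {classifier_score:.2f})"
    return "no action"

print(assess(True, 0.10))   # report: matched a verified CSAM hash
print(assess(False, 0.85))  # queue for human review (classifier score 0.85)
print(assess(False, 0.20))  # no action
```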
3. Network-level blocking and DNS-level signals
ISPs and DNS providers routinely apply blocklists sourced from trusted partners like the IWF and can implement network-level blocking to deny access to known CSAM domains. DNS filtering vendors and guidance recommend these lists as a first line of defence; one UK guidance noted ISPs blocked 8.8 million attempts to access child sexual abuse content in a single month during the 2020 lockdown [3] [2]. Commercial tools — advertised to ISPs — package blocklist enforcement with scanning capabilities [7].
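A simplified sketch of how resolver-level blocking can work is shown below; the domain list, sinkhole address, and function names are assumptions for illustration, not the IWF list's distribution format or any ISP's actual deployment.

```python
# Hypothetical DNS-level blocklist enforcement using documentation-only domains.
BLOCKED_DOMAINS = {"known-bad.example", "another-bad.example"}  # from a vetted list
SINKHOLE_IP = "0.0.0.0"  # or the address of a "content blocked" notice page

def resolve(domain: str, upstream_lookup) -> str:
    """Answer a DNS query, diverting requests for blocklisted domains."""
    labels = domain.lower().rstrip(".").split(".")
    # Check the queried name and every parent domain against the blocklist.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in BLOCKED_DOMAINS:
            return SINKHOLE_IP           # blocked: a "hit" that can also be logged
    return upstream_lookup(domain)       # not listed: resolve normally

# Example: a subdomain of a listed domain is also diverted.
print(resolve("cdn.known-bad.example", lambda d: "198.51.100.7"))  # 0.0.0.0
```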
4. Distinguishing accidental access from intentional viewing: limited public detail
Available sources describe the technical signals used to detect content (hashes, classifiers, blocklist hits) but do not provide a clear, public recipe ISPs use to declare “accidental” versus “intentional” access. Vendors emphasize thresholds and human review to balance false positives and negatives, and Cloudflare’s tool documentation notes customer-configurable thresholds and trade-offs [8] [5]. M3AAWG warns detection systems will not capture all CSAM and that implementation places operational burdens on ISPs [9].
5. Policy and legal context shapes detection, not pure technical certainty
Legal and policy frameworks determine whether and how ISPs must act on detections. UK government guidance encourages hash-list use and blocking, but many industry efforts are voluntary; EU-level proposals have shifted back and forth on mandatory scanning of messages and client-side scanning of encrypted communications, with recent political positions dropping mandatory scanning duties for some providers [2] [10] [11]. Thus a technical “hit” does not alone define legal responsibility—law and provider policy do.
6. False positives, thresholds and the trade-offs ISPs face
Vendors and platforms set detection thresholds depending on risk tolerance: a forum for new parents might choose a looser threshold and automatic blocking; a bank might require stricter thresholds and manual review to avoid false positives [8]. Fuzzy hashing and classifiers reduce missed detections but increase the need for human review and risk false identifications; industry groups note no system captures all CSAM and that balancing accuracy, privacy and operational cost is an intrinsic tension [5] [9] [1].
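The sketch below restates that trade-off in code, assuming a single 0-to-1 likelihood score and two invented deployment profiles; the numbers, profile names, and actions are illustrative, not Cloudflare's actual configuration options.

```python
# Hypothetical per-deployment threshold profiles showing the trade-off described above.
PROFILES = {
    # Looser threshold with automatic blocking: catches more, risks more false positives.
    "parenting_forum": {"threshold": 0.60, "on_hit": "auto_block"},
    # Stricter threshold with manual review: fewer false positives, more reviewer load.
    "bank":            {"threshold": 0.95, "on_hit": "manual_review"},
}

def handle(score: float, profile_name: str) -> str:
    profile = PROFILES[profile_name]
    return profile["on_hit"] if score >= profile["threshold"] else "allow"

# The same classifier score can produce different outcomes depending on risk tolerance:
print(handle(0.80, "parenting_forum"))  # auto_block
print(handle(0.80, "bank"))             # allow
```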
7. Competing perspectives and hidden incentives
Commercial vendors present scanning and filtering as turnkey solutions that reduce liability and protect users [7] [6]. Civil-society and privacy advocates have raised objections to mandatory client-side scanning and broad automated scanning of communications; EU debate over “chat control” exemplifies the clash between child-protection aims and privacy/encryption safeguards [10] [11]. Industry guidance and vendor marketing can reflect business incentives to sell filtering services as much as neutral technical necessity [7] [8].
Limitations: available sources document the detection technologies and policy debate but do not publish detailed ISP internal rules for deciding whether a single access event reflects "accidental" viewing versus intentional possession or distribution; specifics about that decision-making are therefore not found in current reporting.