Skip to content

Child Safety Standards Policy

1. Policy Purpose & Scope

Objective:

This policy establishes a zero-tolerance stance against Child Sexual Abuse and Exploitation (CSAE) across all organizational operations. Its primary aim is to create a safe digital environment by systematically preventing the creation, distribution, or access to Child Sexual Abuse Material (CSAM), while safeguarding minors from predatory behaviors such as grooming, sextortion, or coercion. The policy ensures alignment with global legal frameworks (e.g., the PROTECT Act, GDPR, and COPPA) and emphasizes proactive detection, rapid reporting, and victim support.

Scope

The policy applies universally to all users, employees, contractors, and third-party partners interacting with the platform. It governs all digital touchpoints, including mobile apps, websites, chat systems, user-generated content (UGC) platforms, cloud storage, and APIs. This comprehensive coverage ensures no loopholes exist where CSAE-related activities could occur undetected.

2. Prohibited Activities

Explicitly Forbidden:

  • CSAM: Any involvement with material depicting minors in sexual acts—including creation, storage, distribution, or consumption—is strictly banned. This applies even to “self-generated” content shared by minors.

  • Grooming: Building trust with minors through deceptive emotional manipulation to exploit them sexually, such as sending explicit messages or coercing them into offline meetings.

  • Sextortion: Threatening minors with exposure of private content (e.g., intimate images) to force compliance with sexual demands.

  • Age Misrepresentation: Adults posing as minors (e.g., fake profiles) or minors lying about their age to bypass safeguards.

  • CSAE Advocacy: Content promoting CSAE normalization, including coded language (“CP,” “Lolita”), fictionalized depictions, or extremist ideologies.

3. Content Moderation & Detection

Automated Tools:

  • PhotoDNA: Microsoft’s proprietary tool generates unique “hashes” (digital fingerprints) of known CSAM, cross-referencing all uploaded media against global databases to block matches.
  • AI Detection: Machine learning models analyze visual content for indicators like nudity, age-inappropriate poses, or altered imagery (e.g., deepfakes). Text analysis flags grooming patterns, such as requests for personal information or sexualized language targeting minors.
  • Metadata Analysis: Examines timestamps, geolocation, and device IDs to identify suspicious activity (e.g., adults frequently messaging minors late at night).

Human Review:

  • Trained Moderators: Specialized teams review AI-flagged content using a standardized checklist (e.g., assessing background settings, clothing, or body proportions indicative of minors). Moderators receive trauma-informed training to handle graphic material responsibly.

  • Escalation Protocol: Confirmed CSAM is immediately quarantined, and law enforcement (e.g., NCMEC, INTERPOL) is notified within 1 hour.

4. User Reporting Mechanisms

In-App Reporting:

  • Dedicated CSAE Report Button: Positioned prominently on profiles, posts, and chat interfaces, this feature allows users to report concerns in one click. Reports trigger automatic evidence preservation (e.g., screenshots, message logs) while keeping the reporter’s identity confidential.

  • Anonymous Reporting: Users may submit reports without linking to their accounts to protect whistleblowers from retaliation.

Post-Report Actions:

  • Triage: Automated systems categorize reports by severity (e.g., Priority 1: active grooming) and route them to human moderators for review within 1 hour.

  • NCMEC Reporting: Verified CSAM cases are submitted to the National Center for Missing & Exploited Children via their CyberTipline, including contextual data (IP addresses, timestamps).

  • User Notification: Reporters receive anonymized updates (e.g., “Action taken based on your report”) without compromising investigations.

5. Legal Compliance

  • Mandatory Reporting: Legal obligations require reporting CSAM to authorities like NCMEC (U.S.) or the Internet Watch Foundation (UK) within 24 hours of detection. Under U.S. law (18 U.S.C. § 2258A), platforms must retain evidentiary data (e.g., metadata, hashes) for 90 days to aid prosecutions.

  • Data Retention: Non-evidentiary user data (e.g., unrelated chat logs) is deleted within 30 days to comply with privacy laws like GDPR. CSAM hashes are stored indefinitely in a secure, access-controlled database to prevent re-uploads.

6. Employee & Contractor Training

  • Annual Training: Staff undergo mandatory workshops to recognize CSAE indicators, such as slang terms (“teen,” “jailbait”), transactional offers (e.g., “gifts” for images), or behavioral red flags (e.g., adults frequently searching for minors). Training includes protocols for reporting internal misconduct via a 24/7 encrypted whistleblower portal.

  • Background Checks: Employees with access to minor accounts undergo rigorous screenings, including criminal history checks and continuous monitoring against international sex offender registries.

7. User Education & Safeguards

  • Age Verification: Combines self-reported birthdates with AI age estimation tools that analyze facial features in profile photos. Discrepancies trigger mandatory ID checks or parental consent workflows for under-13 users (COPPA compliance).

  • Parental Controls: Allow guardians to disable messaging, limit screen time, or block content uploads for minor accounts. Parents receive weekly activity summaries.

  • In-App Resources: Minors receiving messages from adults see pop-up warnings (e.g., “This account may not be who they claim”) and are directed to helplines like Childline or RAINN.

8. Victim Support

  • Immediate Assistance: Partner NGOs (e.g., Thorn, NCMEC) provide 24/7 crisis counseling and legal aid. Victims can request immediate account deletion, and all associated data is permanently erased to prevent re-victimization.

  • No Re-Victimization: In legal proceedings, victim identities are protected by blurring faces in CSAM evidence and prohibiting public disclosure of case details.

9. Incident Response Protocol

  • Identification: Use a CSAE Severity Matrix to prioritize cases (e.g., active grooming > historical CSAM).

  • Containment: Suspend implicated accounts, block associated IPs/devices, and geo-restrict content in regions where it violates local laws.

  • Investigation: Forensic teams analyze payment records, device fingerprints, and cross-platform activity to map perpetrator networks.

  • Reporting: Share evidence packs with law enforcement via secure portals (e.g., NCMEC’s Law Enforcement Portal).

  • Remediation: Update AI models to address detection gaps (e.g., new grooming tactics).

  • Post-Incident Review: Document findings in a CSAE Case Log to refine future responses.

10. Data Protection & Privacy

  • End-to-End Encryption: Limited to non-CSAE contexts (e.g., financial transactions) to allow lawful CSAM scanning.

  • Privacy by Design: Collect minimal data from minors (e.g., no geolocation tracking) and anonymize analytics to prevent misuse.

  • Transparency Reports: Published annually, detailing CSAE reports received, content removed, and law enforcement referrals.

11. Third-Party Partnerships

  • Vendor Vetting: Third parties (e.g., cloud providers, ad networks) must pass annual CSAE compliance audits demonstrating adherence to PhotoDNA integration and mandatory reporting.

  • API Restrictions: Third-party apps accessing minor accounts require parental consent and are barred from collecting sensitive data (e.g., chat histories).

12. Continuous Improvement

  • Quarterly Audits: Ethical hackers (“red teams”) attempt to bypass detection systems to identify vulnerabilities. Findings are used to patch gaps.

  • Industry Collaboration: Share anonymized threat data with groups like the Technology Coalition to combat cross-platform CSAE networks.

13. Disciplinary Actions

  • Users: Permanent bans, device/IP blacklisting, and legal referrals.

  • Employees: Termination, revocation of system access, and mandatory reporting to authorities for deliberate policy violations.

  • Third Parties: Contract termination and public disclosure of breaches to deter negligence.

14. Policy Acknowledgment

All users and employees must electronically sign the policy during onboarding, confirming understanding of prohibited behaviors and consequences. Annual re-acknowledgment is required to ensure compliance with updates.

Policy Review: Revised biannually or following major incidents (e.g., new exploit tactics). A Chief Trust & Safety Officer oversees implementation, supported by a 24/7 legal team for cross-border coordination.