
Facebook settles after 14-year-old sues over nude image reposting

The alleged extortionist, still facing charges, reposted the image to shame sites multiple times. Why didn't Facebook use hashes to stop it?

This is the argument that Facebook tried to make in the case of a nude photo of a 14-year-old girl that was repeatedly published on a “shame page”: yes, Facebook said, that photo was published, but every time it was reported, we took it down.
Her lawyers’ response: why was reposting possible at all, given that there is technology that can assign hashes to known child abuse imagery and prevent such images from being reposted?
That’s a good question, and it may well have helped the Northern Ireland teenager and her legal team to prevail in out-of-court negotiations with Facebook.
On Tuesday, the BBC reported that the girl, who can’t be named, has agreed to a confidential settlement with Facebook that included her legal costs.
The teen also sued the man who posted the image in 2014 and 2016, claiming that he got the photo through blackmail. Before the settlement, Facebook had been facing charges of alleged misuse of private information, negligence and breach of the Data Protection Act.
This is what her lawyer told the High Court in Belfast on Tuesday, according to the BBC:

I’m very happy to be able to inform Your Lordship that the case has been settled.

I’m happy too. I’ll be happier when the alleged sextortionist is brought to justice. And I’m extremely happy that this case, or at least cases like it, undoubtedly pushed Facebook into adopting what sounds like photo hashing in order to stop this type of abuse.

In November 2017, Facebook asked people to upload their nude photos if they were concerned about revenge porn. It didn’t give many details at the time, but it sounded like it was planning to use hashes of our nude images, just like law enforcement uses hashes of known child abuse imagery.
A hash is created by feeding a photo into a hashing function. What comes out the other end is a digital fingerprint that looks like a short jumble of letters and numbers. You can’t turn the hash back into the photo, but the same photo, or identical copies of it, will always create the same hash.
So, a hash of your most intimate picture is no more revealing than this:
Since 2008, the National Center for Missing & Exploited Children (NCMEC) has made available a list of hash values for known child sexual abuse images, provided by ISPs, that enables companies to check large volumes of files for matches without those companies themselves having to keep copies of offending images or to actually pry open people’s private messages.
The hash originally used to create unique file identifiers was MD5, but Microsoft has since donated its own PhotoDNA technology to the effort.
PhotoDNA creates a unique signature for an image by converting it to black and white, resizing it, and breaking it into a grid. In each grid cell, the technology finds a histogram of intensity gradients or edges from which it derives its so-called DNA. Images with similar DNA can then be matched.
Given that the amount of data in the DNA is small, large data sets can be scanned quickly, enabling companies including Microsoft, Google, Verizon, Twitter, Facebook and Yahoo to find needles in haystacks and sniff out illegal child abuse imagery. It works even if the images have been resized or cropped.
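As an added illustration (not code from the article, Facebook or Microsoft), the toy below contrasts a cryptographic hash of the raw pixels with a simplified grid-of-gradients signature in the spirit of the PhotoDNA description above, and applies the small crop and contrast edits the comments ask about. The sample image, the signature details and the match threshold are all assumptions for the demonstration.

```python
import hashlib

def make_image(w=64, h=64, square=(24, 40)):
    """Constructed sample 'photo': a left-to-right brightness ramp with a bright square."""
    lo, hi = square
    return [[230 if lo <= x < hi and lo <= y < hi else x * 4 for x in range(w)]
            for y in range(h)]

def exact_hash(img):
    """Cryptographic hash of the raw pixels: changing any byte changes the whole digest."""
    return hashlib.sha256(bytes(v for row in img for v in row)).hexdigest()

def resize(img, size):
    """Nearest-neighbour downscale to size x size (stand-in for PhotoDNA's resize step)."""
    h, w = len(img), len(img[0])
    return [[img[y * h // size][x * w // size] for x in range(size)] for y in range(size)]

def signature(img, size=16, cells=4):
    """Toy PhotoDNA-style 'DNA' (assumed simplification, not Microsoft's algorithm):
    downscale, split into a cells x cells grid, record each cell's share of horizontal
    and vertical gradient energy. Shares, not raw values, so contrast scaling cancels."""
    s = resize(img, size)
    step = size // cells
    energy = [[0.0, 0.0] for _ in range(cells * cells)]
    for y in range(size):
        for x in range(size):
            gx = abs(s[y][min(x + 1, size - 1)] - s[y][x])   # horizontal edge strength
            gy = abs(s[min(y + 1, size - 1)][x] - s[y][x])   # vertical edge strength
            cell = (y // step) * cells + (x // step)
            energy[cell][0] += gx
            energy[cell][1] += gy
    total = sum(gx + gy for gx, gy in energy) or 1.0
    return [v / total for pair in energy for v in pair]

def distance(sig_a, sig_b):
    """L1 distance between signatures: 0 means identical edge layout, 2 means disjoint."""
    return sum(abs(a - b) for a, b in zip(sig_a, sig_b))

def light_edits(img, contrast=0.95, brightness=12):
    """The edits asked about in the comments: crop one pixel off every side, then
    lower contrast by 5% and raise brightness (constructed transform)."""
    return [[min(255, int(v * contrast + brightness)) for v in row[1:-1]] for row in img[1:-1]]

def matches(img_a, img_b, threshold=0.3):
    """Near-duplicate decision: a small signature distance counts as the same image."""
    return distance(signature(img_a), signature(img_b)) < threshold

if __name__ == "__main__":
    original, edited = make_image(), light_edits(make_image())
    print("exact hash unchanged:", exact_hash(original) == exact_hash(edited))   # False
    print("signature still matches:", matches(original, edited))                # True
```

The exact hash breaks on the first edited byte, while the normalised per-cell gradient shares move only slightly, which is the property a perceptual signature trades exactness for.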
Why so much detail on hashing? Because there was a lot of victim-blaming when the girl’s case first came to light. Hashing technology seems to be a far more productive approach than blaming victimized children who are under the age of consent for getting talked into nude photos.
It’s shocking to think of a 14-year-old being subjected to sextortion, but kids even younger – we’ve heard of those as young as 11 – have been victims of revenge porn.
As far as keeping your kids safe when they’re online goes, there are tools that can help us do it. These include parental controls that let you set your children’s privacy settings, control whether they can install new apps, enforce ratings restrictions on what they can buy on iTunes, and even limit what type of app they can use.
We’ve got more tips to keep your kids safe online here.
And if you’re not even sure what your kids are up to online, this could help.


IMO, Facebook moved much too slowly on this technology, so it’s right that they were forced to settle.
What concerns me is that the person who posted the image (repeatedly) isn’t also in hot water.
So, I would ask Facebook to add to their technology a tracking record each time their hashing software triggers on a hashed image. Then, they should freely offer the logs to law enforcement, and make a big splash about it in the media. The knowledge that they WILL get caught should cut down on the number of times this tech is needed, I would hope.


Lisa wrote “PhotoDNA creates a unique signature for an image by converting it to black and white, resizing it, and breaking it into a grid. In each grid cell, the technology finds a histogram of intensity gradients or edges from which it derives its so-called DNA. Images with similar DNA can then be matched.”
So how resistant is PhotoDNA to a really revengeful individual who crops one pixel off each of the four sides (to reset the grids) and decreases contrast by 5% and increases brightness (or gamma) by 5% (to decrease the intensity gradient and slightly blur the edges)?
A hash is an exact match. It doesn’t take much to break it. If you mess with the statistics it’s based on, it would be pretty fragile.


I’d be very interested to see how resistant PhotoDNA is to tinkering. But please do bear in mind that we don’t know exactly what technology Facebook is using. I refer to PhotoDNA details because it’s what’s widely in use, but Facebook never did (to my knowledge) give details about what it’s using.


I would like to think PhotoDNA would work on a percentage rather than a 100% match. So maybe if the picture matches over 50% then it will be flagged. If it had been altered so that it is under 50%, then it will be for someone else or the victim to flag it as inappropriate, and then this is submitted into the database to check again.
Obviously the offender could keep changing the picture but it would become pretty tiresome…although there are people out there that will keep at it.


People do stupid things sometimes, it shouldn’t ruin their life just because they took a stupid photo when they were 14.


Unfortunately, any hashing technique can be rendered useless. However, the people who do this kind of thing aren’t exactly the brightest bulbs on the tree. I suspect the tech is pretty good at catching even modified images, when the modifier isn’t using state-of-the-art software to obfuscate the image.
I’ll be curiously watching this as it develops for Facebook. (And, probably Google’s YouTube as well, and others.)


Does Sophos compare the file hashes it collects (from people’s computers through Sophos’s antivirus) to the hash set at NCMEC?


Not as far as I know – our cloud lookups are performed to help us spot malware proactively, not to keep track of the files on people’s computers.
In fact, we try to minimise the number of lookups we do, for simple reasons of efficiency. So, we don’t collect data on every file; rather, we use lookups to see if certain file characteristics in certain files of special interest match likely malware.
Image files very rarely contain malware, so we don’t routinely do image lookups anyway. Generally speaking, we’ll only look up image files if they are already deemed dodgy – for example, malware deliberately disguised as an image, or an image that’s deliberately been modified to trigger a bug. That’s as I understand it, anyway.

