Cloudflare CSAM Scanning Tool

A couple of weeks ago, Cloudflare announced their new CSAM scanning tool, and the fact that they were making it available to all customers, even those on the Free tier.

For those unfamiliar with the acronym, it stands for Child Sexual Abuse Material.  If you host a site that allows users to upload images (such as a forum or message board), then you have a bit of a job on your hands moderating this content.  An automatic scanning tool like this could be very useful indeed, especially a free one.  Even if you don’t allow users to upload images, if your site is hacked then such images could be maliciously added and potentially go unnoticed for some time (unless you use my Better Detection plugin for WordPress).

The way Cloudflare’s tool works is to scan the images that are cached by Cloudflare and use a fuzzy hashing algorithm to detect similar images, checked against a list of known hashes that will grow over time (currently the NCMEC NGO and Industry lists).  Fuzzy hashing matters here because an exact (cryptographic) hash changes completely whenever an image is resized, re-compressed or slightly edited, so a list of exact hashes would be trivially evaded.  When an image is detected, it is expunged from the cache and a 451 “Unavailable For Legal Reasons” status code is returned in its place.  You will also get an email notification so that you can take appropriate action, such as banning the user who posted it; because the matching is fuzzy rather than exact, treat the notification as a prompt to investigate promptly rather than as proof on its own.
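To make the fuzzy-hashing point concrete, here is an added example of my own, not Cloudflare’s code (the announcement does not say which fuzzy hash they use).  It uses dHash, a simple perceptual hash, on constructed greyscale images so that it runs without any image library, and the hypothetical `is_known` lookup stands in for the check against a hash list.  A re-encoded copy of the picture (brightness shifted, noise added, downscaled) lands within a small Hamming distance of the original’s hash even though its SHA-256 is completely different, while an unrelated picture does not.

```python
"""Why a fuzzy (perceptual) hash catches re-encoded copies that an exact hash misses.

Added illustration, not Cloudflare's implementation. dHash is used here as a
stand-in for whatever fuzzy hash the production tool uses; the images are
constructed in code so the example runs offline without an image library.
"""
import hashlib
import random


def make_scene(width=64, height=64):
    """Constructed sample image: a bright disc on a background that darkens left to right."""
    img = []
    for y in range(height):
        row = []
        for x in range(width):
            inside = (x - 32) ** 2 + (y - 32) ** 2 < 400
            row.append(40 + 2 * x if inside else 200 - 2 * x)
        img.append(row)
    return img


def resize_gray(img, new_w, new_h):
    """Box-average downscale of a greyscale image given as rows of values 0-255."""
    h, w = len(img), len(img[0])
    out = []
    for y in range(new_h):
        y0 = y * h // new_h
        y1 = max((y + 1) * h // new_h, y0 + 1)
        row = []
        for x in range(new_w):
            x0 = x * w // new_w
            x1 = max((x + 1) * w // new_w, x0 + 1)
            block = [img[yy][xx] for yy in range(y0, y1) for xx in range(x0, x1)]
            row.append(sum(block) / len(block))
        out.append(row)
    return out


def perturb(img, brightness=20, noise=3, seed=1):
    """Simulate a re-encoded copy: brightness shift plus small per-pixel noise, then a downscale."""
    rng = random.Random(seed)
    shifted = [[max(0, min(255, v + brightness + rng.randint(-noise, noise))) for v in row]
               for row in img]
    return resize_gray(shifted, 48, 48)


def dhash(img, hash_size=8):
    """Difference hash: one bit per horizontally adjacent pair in a (hash_size+1) x hash_size thumbnail."""
    small = resize_gray(img, hash_size + 1, hash_size)
    bits = 0
    for row in small:
        for x in range(hash_size):
            bits = (bits << 1) | int(row[x] > row[x + 1])
    return bits


def hamming(a, b):
    """Number of differing bits between two hashes; a small distance means visually similar."""
    return bin(a ^ b).count("1")


def exact_hash(img):
    """Cryptographic hash of the raw pixel bytes: any re-encoding changes it entirely."""
    return hashlib.sha256(bytes(int(v) for row in img for v in row)).hexdigest()


def is_known(h, known_hashes, threshold=10):
    """Hypothetical hash-list lookup with a Hamming-distance tolerance, as a fuzzy lookup does."""
    return any(hamming(h, k) <= threshold for k in known_hashes)


def demo():
    original = make_scene()
    copy = perturb(original)                                       # same picture, re-encoded
    other = [[2 * (x + y) for x in range(64)] for y in range(64)]  # unrelated constructed image
    known = [dhash(original)]                                      # stand-in for a list entry
    return {
        "exact_hash_changed": exact_hash(original) != exact_hash(copy),
        "copy_distance": hamming(dhash(original), dhash(copy)),
        "other_distance": hamming(dhash(original), dhash(other)),
        "copy_flagged": is_known(dhash(copy), known),
        "other_flagged": is_known(dhash(other), known),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The threshold in `is_known` is the trade-off a real deployment has to tune: too tight and re-encoded copies slip through, too loose and unrelated images start matching, which is why a fuzzy match should be followed up rather than acted on blindly.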

It’s super easy to set up in Cloudflare (isn’t it always?) with a simple On/Off toggle and a popup box to enter an email address for the notifications.

Once you’ve enabled it, you can change the email address if required, and also select which lists you want to include.  Cloudflare have said that in future there may be different lists for different jurisdictions, which is most likely why the selection exists, but it makes sense to me to always have all lists included.

It’s one of those things that you hope you never need, especially as my site has no user-generated content, so it would need to be hacked for any CSAM to appear on it.  However, at least I can feel safe that this fallback is in place to protect my users and my site’s reputation.

There’s a lot more detail in their announcement blog post, if you’re interested in the technical details of how this works.