Obviously I already removed all media, banned all the users and prevented account creation. I have ip addresses and metadata of the users
DO NOT call the police. They will confiscate the server as evidence, and lacking any other suspect, you will be their primary lead. Police aren’t about convictions or justice, they want to consider a case solved.
By law, you are not liable. But because of law enforcement incentives, it will absolutely become your problem.
By law, you are not liable.
There are hundreds or thousands of different jurisdictions in the world. I don’t think you can say this confidently unless you know exactly where OPs server is located.
Nah, the police are not your friend.
The openSUSE matrix server had this happen last year, and the admins came up with a good solution of bots that seems to keep things very clean now. I’m sure they might be happy to help if you asked in their admins group
Anonymously report them. Don’t call police they will come and take the server
Probably should have given all of the evidence to the police instead of deleting some of it.
In most western jurisdictions platform operators are not liable for user content, (as long as they cooperate with the authorities) so nothing for you to worry about.
Next time, don’t do anything, no deleting, no blocking, contact the police and ask them what they would like you to do. Maybe they’d even would want to letting them keep posting for a while to gather more data on the offenders, but idk how they deal with selfhosted stuff tbh…
(this is not legal advice)
(Also I totally understand that you don’t want your other users seing that kind of stuff. I know nothing about the matrix moderation tools, so maybe the media is on the server db somewhere … might be relevant to figure that out)
Edit: this does not apply if you live in an authoritarian police state or third world country, like OP apparently does.
I would think very carefully before contacting the police. I am not suggesting that you should provide a safe harbor for people sharing CSAM, or obfuscate their crime. You absolutely should take action, but carefully weigh your options before calling the police.
While it may (possibly!) be true in your jurisdiction that platform operators are not liable for user content, police aren’t on “your side”. Even if you assume the highest standards of professionalism from them, they need to represent the interests of the victims (not you) and need to diligently investigate the crime. That means they need to confirm beyond reasonable doubt that you are not involved beyond operating the host.
Just because you self-disclose does not mean that you are innocent. You could’ve been actively participating and when threatened with blackmail you’ve decided to self-disclose to avert guilt.
Another consideration is what else I have on my server. I’m catch and release for pirate movies and TV these days so there’s only 100gb or so. I do have several hundred pirate audiobooks though. Deleting all that before handing my server over will look very suspicious.
With all of this in mind, the only course of action is to talk to a lawyer. A lawyer will know exactly what laws are relevant, and can guide you through the process of self-disclosure while minimising the imposition on you.
I would consult with a lawyer even now after the fact.
Horrible advice. Atrociously bad. Dont talk to the cops without consulting a lawyer.
“Hello police I have a server full of cp, oh get in the van? OK.”
I mean…I get where you’re coming from, but fuck that!
I’d have deleted the entire matrix server entirely. Washed my hands of the entire thing.
Because you can go to the police, and say “There’s child porn on MY server”, and the cops MIGHT work with you to catch the people actually posting it.
They might take the easy way. There’s a guy here, saying he’s hosting a server with child porn. Arrest him, because we know who he is, and call it a win in the media. Yes thats not how the law works…but it’s how lazy and corrupt cops work.
Cops are never your friend. I’d avoid any interactions with them that you can.
Yeah, I’d dban the drives and everything.
If you have a problem and call the police, now you have two problems. That’s not just cliche, it’s true.
Don’t call the cops, call a lawyer.
Probably should have given all of the evidence to the police instead of deleting some of it.
Or maybe not. …
In most western jurisdictions platform operators are not liable for user content
Around here, OP would then automatically be a suspect for possession of the material. Possession is a crime. And that is far from funny. Better have a very good lawyer from minute 1.
deleted by creator
Legally, the platform isn’t liable for what the users do on it. But I wouldn’t want to test that in court.
That doesn’t count for this kind of crime.
It’s not even certain whether or not it applies at all for fediverse systems.
This is bad advice. Do not listen to this guy.
Search for posts or contact db0. IIRC they worked with LW admin and others to create a filter for this using a very small AI model. It should be on their Git.
I didn’t work an lw admin. I built this one my own (well as part of Haidra)
Are you thinking of Lemmy? OP had it on their Matrix chat server.
Abstract solutions for content recognition with a bot on a server is not a platform specific issue. The dev is skilled and likely on Matrix too.
How would that “admin” be helpful on matrix?
It is a bot that identifies CSAM images. They are a very skilled dev. The problem is content recognition on a server. So in abstract, it is the same problem.
You can try this https://www.iwf.org.uk/en/uk-report/
I would suggest doing it with the tor browser as to not be associated with it in any way.
Sadly without the actual content and giving your server away for forensics, this might not go anywhere. But! It can help build a case, especially if any of the pii (ip, username, etc) you provide is already being investigated.
Lots of good responses here. That’d be a really scary find, OP, and I’m sorry you’re dealing with that. :(
As much as I also long for justice, I also totally understand the inclination towards just nuking and paving the whole thing and moving on. Some factors that occurred to me:
- Those posting it might be outside your nation’s jurisdiction.
- They might just be bots set loose by unknown actors.
- The above, plus they might be using “zombie” machines to bounce this material around unguarded servers wherever they can. It could be very difficult to ascertain who is behind this.
I agree with others that you should only move forward under the guidance of a good lawyer, because you don’t want to be the most convenient potential suspect they have access to.
If you could log their IPs or other identifying data and anonymously forward suspicions to authorities that would take action on them, that could potentially be a viable option. But again I’d ask a lawyer.
Contact a gym, delete a lawyer, hit the Facebook.
If you deleted the content the authorities have no evidence a crime was committed other than one witness saying “yes, totes CSAM”. They’re not going to be able to pursue the uploaders on that alone, and reporting it will only draw attention to yourself. If it was me I’d shut down or lock down the server and move on.
Good point but I have to add technical details. The content I deleted was replicated media from federated rooms. Authorities could still join the group and get all the original information from the original server
Out of curiosity, did you host your server as a public one that is advertised as open to all? Or did you just not set access controls and someone just found it?
No, it was not advertised nor listed anywhere. They found it
deleted by creator
HelloRoot is correct. You should not have deleted anything. You should have simply shutdown the server and contacted the FBI (not the police). Child porn is a serious federal offense and because they committed the offense across state lines (or aren’t in the US at all), FBI wold have jurisdiction. Because you deleted the evidence (a crime, by the way) there’s nothing for them to go on now.
If this ever happens again, shut down the server so no one can connect, and contact the FBI Criminal Division who has their own child crimes division that specifically deals with child pornography.
I’m in France though, keeping it would make me a criminal
TBH, this sounds like something to ask a lawyer. Since you’re in France, there may or may not be statutes that protect witnesses or people trying to cooperate with law enforcement, and a lawyer who’s familiar with your laws would be able to give you correct advice.
And in the event they give you bad advice, there may also be protections regarding “following the advice of counsel.” In the US, following in good faith some bad advice from lawyers can result in protections or immunity from certain charges.
So do yourself a favor and get some proper legal advice.
statutes that protect […] people trying to cooperate with law enforcement,
I don’t know exactly about France, but such a concept is rare in Europe in general (except England), and even more so when it comes to possession of such materials.
In Germany, I know the tolerance is absolutely ZERO, and the excuses too. You can carry the material to the police to deliver it, and with that you have proven that you were in possession one second before (it is very different with illegal weapons btw.). Private investigators or journalists have tried to do reports about the topic, seriously and neutrally without any doubt, but got punished for possession then.
I second this opinion. The parties responsible absolutely need to be held accountable but due to the severe nature of the crime you absolutely have to protect yourself.
Take the above comment and replace references to “FBI” with the French equivalent.
Though, if you keep registration closed, you’re unlikely to have this problem again.
Then definitely don’t follow my advice. lol I have no idea what french law is.
Va à la Gendarmerie / Police Nationale et vois avec eux directement.
Better delete it in the same minute when you found it.