AI-Generated Content: The New Frontier
AI-generated CSAM videos surged 26,385% in 2025. Detection systems built for traditional CSAM cannot identify novel synthetic material. This chapter covers the generation pipeline in practice, the LAION-5B training-data contamination finding, the unsettled US law after Anderegg, the encryption debate, and how to read the headline statistics in light of the Stanford CIS finding that ~80% of "Generative AI" CyberTipline reports involved no AI-generated CSAM at all.
AI-generated pornography: scale and impact
The proliferation of AI-generated pornographic content represents a paradigm shift in the landscape of online sexual material. An estimated 95% of all deepfakes are non-consensual pornography, with 99% targeting women. Deepfake pornography videos grew 464% between 2022 and 2023 (Inside the Porn).
The hyper-customizability of AI-generated content may accelerate desensitization and tolerance cycles that characterize pornography addiction. One therapist specializing in sex addiction reports that approximately one-third of clients now use AI-generated erotica in some form (Recovery Unplugged), while clinicians at Fifth Avenue Psychiatry note that AI companion chatbots simulating emotional connection may reinforce fantasy over reality and impede real-world relationship development.
AI-generated CSAM: the emerging crisis
The Internet Watch Foundation's 2026 report documents an alarming escalation: 8,029 AI-generated CSAM images and videos were assessed in 2025, with AI-generated CSAM videos surging from 13 in 2024 to 3,443. Among AI-generated videos, 65% depicted Category A content (the most extreme), and 97% depicted girls (IWF).
NCMEC's 2025 data revealed 21.3 million total CyberTipline reports, with 1.5 million indicating a generative AI nexus, over 7,000 reports of users generating or possessing AI-generated CSAM, and 145,000+ reports of users employing AI to alter CSAM (NCMEC). The real-world impact on minors is tangible: 1 in 10 minors know someone who has used AI tools to generate nude images of other children (Thorn).
Data integrity: the Stanford CIS findings
A critical nuance emerged in January 2026 when Stanford's Center for Internet and Society analyzed the NCMEC reporting data. The frequently cited figure of 485,000 “AI-related” NCMEC reports from the first half of 2025 was found to be misleading: 380,000 of those reports originated from Amazon, and none of Amazon's reports involved AI-generated CSAM. Instead, they were hash hits to known CSAM found in AI training data.
Stanford concluded that “nearly 80% of all 'Generative AI' CyberTipline reports involved no AI-generated CSAM at all” (Stanford CIS). This finding underscores the importance of data integrity in shaping policy responses — inflated statistics risk misallocating resources and distorting public understanding of the actual threat landscape.
Detection challenges and new tools
Traditional hash-matching systems like Microsoft's PhotoDNA — which compares file fingerprints against verified CSAM databases with a false positive rate of approximately 1 in 50 billion — are fundamentally unable to detect AI-generated CSAM since it constitutes novel material with no existing hash signature (Microsoft). This gap has driven investment in AI-based detection: the DHS Cyber Crimes Center awarded a $150,000 contract to Hive AI specifically for AI-generated CSAM detection (MIT Technology Review).
Thorn's Safer platform represents the most scaled detection effort. In 2025, Safer processed 415.4 billion files, detected approximately 1.5 million known CSAM files through hash matching, and used AI to flag 3.84 million potential novel CSAM files for human review. The platform serves over 80 platforms and maintains a hash library of 6.3 million image hashes and 64 million video hashes (Thorn).
Apple's abandoned NeuralHash system illustrates the detection dilemma. Announced in August 2021, paused a month later, and formally abandoned in December 2022, NeuralHash would have performed client-side CSAM scanning of iCloud Photos. Apple concluded it “could not implement without ultimately jeopardizing the security and privacy of our users.” A class-action lawsuit filed in December 2024 alleges that Apple's abandonment facilitates CSAM proliferation on iCloud (CNET). Meanwhile, the EU backed down on mandatory CSAM detection orders in November 2025, opting for mitigation measures instead (9to5Mac).
Legal and legislative landscape
The legislative response to AI-generated harmful content has been swift. The TAKE IT DOWN Act, signed May 19, 2025, criminalizes non-consensual intimate imagery including AI deepfakes, with penalties up to three years imprisonment and a 48-hour takedown requirement for platforms. The ENFORCE Act passed the Senate unanimously on December 16, 2025, equalizing criminal penalties for AI-generated CSAM with traditional CSAM (Thorn; Senator Cornyn).
Internationally, the UK's Crime and Policing Bill (February 2025) creates a new criminal offense for making, adapting, possessing, or supplying a “CSA image-generator.” First Amendment challenges are already emerging. In U.S. v. Anderegg, a court dismissed possession charges for wholly AI-generated CSAM citing Stanley v. Georgia, while allowing production and distribution charges to proceed — the first federal case heading to appellate court on AI CSAM and the First Amendment (Tech Policy Press).
How AI CSAM is generated, and why detection breaks
The generation pipeline in practice: open-weight checkpoints, LoRA adapters, and node-based workflows
The volume figures are by now familiar, and the research covers them: the Internet Watch Foundation assessed 8,029 AI-generated images and videos as showing realistic child sexual abuse in 2025, with AI-CSAM video rising 26,385 percent year over year. What those numbers obscure is a concrete technical pipeline. Offenders are not prompting commercial products; they are running open-weight Stable Diffusion checkpoints locally, layering on small LoRA adapters trained on as few as twenty photographs of a specific child, and chaining the steps in node-based ComfyUI workflows. This section traces that pipeline — the models, the 2023 LAION-5B contamination that seeded part of it, the nudification economy adjacent to it, the detection problem it creates, and the unsettled US law that now distinguishes possessing such an image from making one.
The defining feature of the AI-CSAM problem is that the capable models are open-weight and run offline. Closed systems such as DALL-E and Midjourney process every request behind a provider's firewall with input and output filters applied; an open-weight model like Stable Diffusion can be downloaded in full, and the community circulated a filter-disabled build within days of the original v1 release. Running a local interface such as AUTOMATIC1111 ships with the safety checker off by default, and disabling it elsewhere can be a single command-line flag (--disable-nsfw-filter). Once the filter is gone, the residual safety of a model depends entirely on what was — or was not — scrubbed from its training data.
The re-victimization mechanism is fine-tuning. The IWF's 2026 report states plainly that "generative models can be trained and fine-tuned using photographic abuse imagery, directly re-victimising survivors," and that Low-Rank Adaptation "can create realistic deepfakes of specific children using as few as 20 existing images in as little as 15 minutes." A LoRA is a small adapter file — often a few hundred megabytes — that steers a base checkpoint toward a narrow concept without retraining the multi-gigabyte model itself. The IWF's forensic analysis found a single corpus of over 1,000 images that bore evidence of a specific freely-downloadable checkpoint model, with CSAM-finetuned LoRA models applied on top of it. The accompanying academic literature, including a March 2025 study correlating SafeLine hotline reports with dark-web forum discussion, emphasizes "the crucial role that the open-source AI models play" and documents how forum members share techniques to circumvent technological safeguards.
In practice these components are assembled in node-graph tools — ComfyUI is the dominant one — and the checkpoints and adapters themselves are traded through model-sharing hubs. The result is a modular kit: a base model trained for photorealism, an adapter trained for the prohibited concept, and a reproducible workflow. In the IWF's words, "single applications can now generate abusive imagery with minimal effort, removing the need for technical expertise."
LAION-5B: what the Stanford Internet Observatory found, and what remains in the wild
The clearest documented link between mainstream training data and this pipeline is the LAION-5B finding. In December 2023, the Stanford Internet Observatory, led by chief technologist David Thiel, reported that LAION-5B — the 5.85-billion-pair image-text dataset used to train Stable Diffusion — contained suspected CSAM. Using perceptual and cryptographic hash matching against known-CSAM hash lists held by NCMEC and the Canadian Centre for Child Protection, the team identified more than 3,200 suspected items, of which at least 1,008 were externally validated. Thiel's conclusion was that anyone who downloaded the full dataset for training "would absolutely have CSAM unless they took extraordinary measures." LAION took the dataset offline in response.
The remediation is documented but partial. In August 2024, LAION published Re-LAION-5B, described as "the first web-scale, text-link to images pair dataset to be thoroughly cleaned of known links to suspected CSAM." The cleaning matched URL and image MD5/SHA1 hashes against precomputed hashes "WITHOUT ever having to touch suspected links or even having to inspect content," removing 2,236 suspect links flagged across three sources — 18 from the IWF, 1,129 from the Canadian Centre, and 1,714 from Thiel's Stanford report (a set that subsumes the original 1,008). LAION characterizes this as 0.000038 percent of the dataset and stresses that "the datasets of LAION only contain links and metadata" and that it "has never distributed image content itself."
Two caveats matter for anyone assessing residual risk. First, LAION urges labs to migrate to Re-LAION but cannot recall copies already downloaded; the original index and unmaintained mirrors continue to circulate outside any central control, and a model already trained on the contaminated set is not retroactively cleaned by a fixed dataset. Second, hash-based scrubbing only removes known CSAM with a prior hash signature — novel or borderline material that was never catalogued would not have been caught.
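The digest-only cleaning described above, and the limit named in the second caveat, as an added example (this is not LAION's code). The row fields `url`, `image_md5` and `uncatalogued`, the list names, and every sample value are constructed for illustration.

```python
import hashlib


def hexdigest(algo: str, data: bytes) -> str:
    """Hex digest of data under the named hashlib algorithm."""
    return hashlib.new(algo, data).hexdigest()


def url_hashes(url: str) -> set:
    """MD5 and SHA1 of the URL string, so either list format can match."""
    raw = url.strip().encode("utf-8")
    return {hexdigest("md5", raw), hexdigest("sha1", raw)}


def scrub(rows, blocked_url_hashes, blocked_image_hashes):
    """Split metadata rows into (kept, removed) by comparing digests only.

    Nothing is fetched and no image is opened: the decision uses the URL
    string and the image digest already stored in the metadata row.
    """
    kept, removed = [], []
    for row in rows:
        reasons = []
        if url_hashes(row["url"]) & blocked_url_hashes:
            reasons.append("url-hash")
        if row["image_md5"].lower() in blocked_image_hashes:
            reasons.append("image-hash")
        if reasons:
            removed.append({"row": row, "reasons": reasons})
        else:
            kept.append(row)
    return kept, removed


def make_row(url: str, image_bytes: bytes, uncatalogued: bool = False) -> dict:
    """Build a constructed metadata row; image_bytes stands in for a file."""
    return {
        "url": url,
        "image_md5": hexdigest("md5", image_bytes),
        # Marks a row that ought to be removed but appears on no hash list.
        "uncatalogued": uncatalogued,
    }


# Constructed sample data: four rows of a link-and-metadata dataset.
SAMPLE_ROWS = [
    make_row("https://images.example/a.jpg", b"constructed-bytes-A"),
    make_row("https://images.example/b.jpg", b"constructed-bytes-B"),
    make_row("https://mirror.example/c.jpg", b"constructed-bytes-C"),
    make_row("https://images.example/d.jpg", b"constructed-bytes-D",
             uncatalogued=True),
]

# Constructed hash lists, standing in for lists supplied by hotlines.
BLOCKED_IMAGE_HASHES = {hexdigest("md5", b"constructed-bytes-B")}
BLOCKED_URL_HASHES = {hexdigest("sha1", b"https://mirror.example/c.jpg")}


def summarize(rows, blocked_url_hashes, blocked_image_hashes) -> dict:
    """Run the scrub and report what was removed and what slipped through."""
    kept, removed = scrub(rows, blocked_url_hashes, blocked_image_hashes)
    return {
        "kept": len(kept),
        "removed": {r["row"]["url"]: r["reasons"] for r in removed},
        # Rows with no prior hash signature pass the scrub untouched.
        "missed": [r["url"] for r in kept if r["uncatalogued"]],
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_ROWS, BLOCKED_URL_HASHES, BLOCKED_IMAGE_HASHES))
```

Running the same `scrub` over an older downloaded copy of an index is also how a holder of that copy can audit it against the current lists.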
The nudification and deepfake economy: tooling marketed elsewhere, adapted for abuse
A parallel supply runs through "nudify" applications and face-swap deepfake tooling that is nominally marketed for adult or novelty use and is trivially adaptable to minors. The Institute to Address Commercial Sexual Exploitation notes the San Francisco City Attorney sued sixteen such sites in August 2024 out of at least ninety similar websites, with marketing prompts such as "Have someone to undress?" Reporting collated alongside the IWF figures found that in 2025, nudify-related sites drew over 24 million visits in a single month. Telegram has removed some of the most popular bots, but many resurface on bespoke domains or under new usernames.
The adaptation risk is not hypothetical even for guard-railed commercial products. Between December 25, 2025 and January 1, 2026, AI Forensics researchers analyzed roughly 12,500 image-generation requests and 20,000 images produced by Grok, the generator integrated into X; common prompts included "remove," "bikini," and "clothing," and two percent of the resulting images depicted apparent minors, including children under five, in some cases in "translucent or dental-floss bikinis." The episode illustrates how a general-purpose editing tool with image upload becomes a de facto nudification engine without any model ever being explicitly built for it.
The scale of the downstream reporting burden is now substantial. NCMEC's CyberTipline received more than one million reports tied to generative AI between January and September 2025, and the DHS contract filing discussed below cites NCMEC data showing a 1,325 percent increase in generative-AI incidents during 2024.
The synthetic-from-real-victim hybrid category
The most legally and ethically fraught material is neither fully synthetic nor a conventional photograph but a hybrid: AI tooling used to extend, age-shift, or otherwise modify imagery of a real, identifiable child. The Stanford HAI policy brief on AI-CSAM draws this distinction explicitly, separating synthetic-only content generated from text prompts from victim-derived material — AI-generated deepfakes built on real photographs of actual minors — which it frames as a compounded harm because it exploits an identifiable individual.
The LoRA mechanism is what makes this category cheap. Because an adapter can be trained on roughly twenty images of one child, an offender can take innocuous photographs — from a family member, a school, or social media — and produce an unlimited stream of novel abusive images of that specific minor. The same technique applied to existing CSAM allows offenders to generate new poses and scenarios of a known victim, directly re-victimizing survivors whose original abuse imagery is already in circulation. This collapses a distinction that older law and older detection both relied on: that an image either depicts a real abuse event or it does not. A victim-derived synthetic image depicts a real child who may never have been in the depicted situation, which complicates both the harm assessment and, as the next subsection shows, the question of whether a real victim is currently at risk and needs rescue.
Why detection breaks: no hash baseline, and the classifier problem
The detection architecture that governs most of the CSAM field — perceptual hashing such as PhotoDNA, matched against curated hash lists — is structurally defeated by generative AI. PhotoDNA works by matching a query image to the fingerprint of a previously catalogued illegal image; every AI-generated image is novel, so it has no prior signature and clears hash-matching entirely. The Stanford HAI brief states the problem directly: traditional tools rely on matching known illegal images, and "novel AI content bypasses these systems entirely." Detection therefore shifts from deterministic hash lookup to probabilistic machine-learning classifiers that attempt to recognize abuse content from pixels alone — a fundamentally less certain and more error-prone basis, and one that can be adversarially probed.
This classifier dependence is the technical premise of the September 2025 DHS contract with Hive AI. The Department of Homeland Security's Cyber Crimes Center awarded Hive a $150,000, three-month trial for a tool that detects whether an image is AI-generated at all — not whether it is CSAM. Hive's detector was not trained on CSAM; per the company's CEO, "there's some underlying combination of pixels in this image that we can identify" as machine-generated, and the model is meant to generalize across image types. The investigative point is triage: the filing argues that flagging AI origin "ensures that investigative resources are focused on cases involving real victims, maximizing the program's impact." A 2024 University of Chicago study found Hive's detector outranked four competitors at identifying AI-generated art, and Hive holds a separate Pentagon deepfake-detection contract — though the procurement filing itself was heavily redacted. The implicit logic is telling: because content-based CSAM classification is hard, agencies are investing first in the narrower, better-validated task of separating synthetic from real so that scarce human and rescue resources flow to images depicting children actually in danger.
Commercial guardrails: where the closed models hold and where the gaps are
Guardrails vary sharply by release model. Closed, API-only generators apply filters at both input and output and never expose their weights. Research probing these systems finds Midjourney robustly flags most hazardous prompts, while academic jailbreak work (SneakyPrompt, SurrogatePrompt) has shown DALL-E-class filters can sometimes be bypassed through prompt substitution — a containable gap, since the provider can patch the filter and the weights stay private. OpenAI, Google, Meta, and Microsoft also now embed provenance signals (discussed below), which closed deployment makes enforceable.
The open-weight frontier is where the gaps live, and the FLUX family from Black Forest Labs illustrates the genuine tension. Black Forest Labs filtered its pre-training data for NSFW content and CSAM, partnering with the Internet Watch Foundation to filter known CSAM from training data and running targeted fine-tuning rounds intended to prevent synthetic CSAM and non-consensual intimate imagery. The FLUX.2 [dev] repository ships with input and output NSFW filters and a non-commercial license requiring filtering or manual review. But these are the same dynamics as Stable Diffusion: once weights are public, downstream users can strip the filters, and users reported FLUX could still produce NSFW output with the safety checker nominally enabled. A November 2025 discussion thread on the model's own repository contested even the IWF partnership. The structural conclusion is consistent across the open-weight field — pre-training data hygiene is the durable safety layer because it cannot be removed after the fact, whereas any post-hoc filter on a downloadable model is optional for the end user.
The encryption debate
Apple's NeuralHash: announcement, pause, abandonment, lawsuit
No question in child-safety technology is more contested than whether companies should scan end-to-end encrypted (E2EE) communications for child sexual abuse material. The debate is not a contest between people who want to protect children and people who do not; it is a genuine collision between two technically literate camps. On one side, the National Center for Missing & Exploited Children (NCMEC) and child-safety NGOs warn that encryption without a detection mechanism erases the reporting that rescues children. On the other, most of the world's leading cryptographers argue that client-side scanning cannot be built without creating a mass-surveillance infrastructure that will be abused and will not even work well. Between 2021 and 2026 the argument was litigated through three landmark episodes — Apple's NeuralHash, the EU's "Chat Control," and the UK Online Safety Act — each of which ended in a retreat from mandatory scanning, and each of which left the underlying problem unresolved.
The canonical case study is Apple's. On 5 August 2021, Apple announced a system to detect known CSAM in iCloud Photos using NeuralHash, a perceptual-hashing algorithm that would compare images on the device against a database of hashes supplied by NCMEC before upload. The design was an attempt to thread the needle: scanning would happen client-side, with a cryptographic "threshold secret sharing" scheme so Apple learned nothing until a user crossed a set number of matches. Within weeks the security community had demonstrated NeuralHash hash collisions and warned of false matches and government abuse. Roughly one month later, on 3 September 2021, Apple paused the rollout "to take additional time over the coming months to collect input and make improvements."
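The property the threshold scheme is meant to provide, shown with textbook Shamir secret sharing as an added example; this is not Apple's implementation. The threshold of 3, the field prime, the sample key and the framing of one share per match are assumptions chosen for illustration.

```python
import secrets

PRIME = 2**127 - 1  # Mersenne prime defining the finite field


def split(secret: int, threshold: int, count: int) -> list:
    """Split secret into `count` shares; any `threshold` of them recover it."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element")
    if not 1 <= threshold <= count:
        raise ValueError("need 1 <= threshold <= count")
    # Random polynomial of degree threshold-1 with f(0) = secret.
    coeffs = [secret]
    for degree in range(1, threshold):
        low = 1 if degree == threshold - 1 else 0  # top coefficient non-zero
        coeffs.append(low + secrets.randbelow(PRIME - low))

    def evaluate(x: int) -> int:
        acc = 0
        for c in reversed(coeffs):  # Horner's rule
            acc = (acc * x + c) % PRIME
        return acc

    return [(x, evaluate(x)) for x in range(1, count + 1)]


def reconstruct(shares: list) -> int:
    """Lagrange-interpolate the polynomial through `shares` at x = 0."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def server_view(received_shares: list, threshold: int):
    """What a server holding `received_shares` can recover.

    Below the threshold it returns None: the shares it holds are consistent
    with every possible secret, so there is nothing to decode.
    """
    if len(received_shares) < threshold:
        return None
    return reconstruct(received_shares[:threshold])


# Constructed sample: an account key split so that 3 matches reveal it.
SAMPLE_KEY = 0x0123456789ABCDEF0123456789ABCDEF % PRIME
SAMPLE_THRESHOLD = 3

if __name__ == "__main__":
    shares = split(SAMPLE_KEY, SAMPLE_THRESHOLD, 10)
    print("2 shares:", server_view(shares[:2], SAMPLE_THRESHOLD))
    print("3 shares recover key:",
          server_view(shares[:3], SAMPLE_THRESHOLD) == SAMPLE_KEY)
    # Interpolating too few shares yields an unrelated field element.
    print("forced 2-share guess is wrong:",
          reconstruct(shares[:2]) != SAMPLE_KEY)
```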
The pause became permanent. In December 2022, Apple formally abandoned the plan, stating it had concluded after consulting privacy and security experts that it was "not practically possible to implement [CSAM-scanning] without ultimately imperiling the security and privacy of our users." In a fuller statement to the advocacy group Heat Initiative, an Apple executive wrote: "Scanning every user's privately stored iCloud content would in our estimation pose serious unintended consequences for our users... Scanning for one type of content, for instance, opens the door for bulk surveillance and could create a desire to search other encrypted messaging systems across content types." Apple instead shipped opt-in Communication Safety features (on-device nudity detection in Messages that never reports outward) and, in 2022, Advanced Data Protection, which extends E2EE to iCloud backups — moving in the opposite direction from scanning. The reporting is documented by CNN.
In December 2024, this reversal produced a novel lawsuit. In "Amy" and "Jessica" v. Apple Inc. (N.D. Cal., Case No. 5:24-cv-08832, filed 7 December 2024), two survivors depicted in long-circulating abuse series sued on behalf of a proposed class. The complaint reframes the abandonment as a product-liability question: it alleges Apple's devices and iCloud are "defectively designed" products, that Apple "announced [it] would not implement NeuralHash or any other child pornography detection tools," and that this "affirmatively" choosing not to act "amplif[ied] the already significant risk and harm." The suit pleads liquidated damages of $150,000 per victim under 18 U.S.C. § 2255, with reporting putting the potential class at up to 2,680 victims and exposure near $1.2 billion (plaintiffs' announcement). The case sets the two values — a victim's interest in detection and a user's interest in confidentiality — directly against each other in a U.S. court.
The EU's "Chat Control": from mandatory detection orders to a November 2025 retreat
The European Union's Regulation to Prevent and Combat Child Sexual Abuse (CSAR) — proposed by Commissioner Ylva Johansson on 11 May 2022 and nicknamed "Chat Control" by critics — was the most ambitious attempt to mandate detection. As drafted, national authorities could issue detection orders compelling platforms, including E2EE messengers, to scan all users' content for both known and previously unseen CSAM and for grooming (text). Because no method exists to scan inside E2EE without breaking it, the mechanism implied client-side scanning on every device.
The proposal stalled for three and a half years against a wall of opposition. The European Parliament's LIBE committee voted on 14 November 2023 to strip mandatory detection, exclude E2EE services, and limit scanning to targeted orders against specific suspects. The Council could not assemble a qualified majority: votes were pulled in June 2024 and repeatedly in 2025 as Germany, and ultimately Denmark's own presidency, backed away from a scanning mandate. The turning point came on 26 November 2025, when the Council finally adopted a general approach that removed mandatory scanning entirely. Detection of CSAM became voluntary — the Council instead made permanent the temporary "ePrivacy derogation" (set to expire in April 2026) that lets providers scan if they choose, and replaced detection orders with a tiered risk-classification regime in which services are rated low-, medium-, or high-risk and high-risk services face "strengthened risk assessment and mitigation obligations."
The retreat did not end the fight. Digital-rights groups, led by EDRi and MEP Patrick Breyer, warn that Article 4's open-ended duty to take "all appropriate risk mitigation measures" is a back door: a high-risk designation could be used to pressure providers into de facto scanning, and a built-in review clause lets the Commission revisit mandatory detection later. The Council position now enters trilogue negotiations with the Parliament and Commission, so the final text remained unsettled going into 2026.
The UK's "spy clause": Section 122 and Apple's threat to pull iMessage
The United Kingdom's Online Safety Act 2023, Section 122 empowers the regulator Ofcom to issue "technology notices" requiring a messaging provider to use "accredited technology" to identify and remove CSAM — language critics dubbed the "spy clause," because for an E2EE service the only way to comply is client-side scanning. The provision triggered an unusually public confrontation: in 2023 Apple, WhatsApp (Meta), and Signal all indicated they would rather withdraw their encrypted services from the UK than build a scanning backdoor. Apple stated in June 2023 that compelling such capability "could put UK citizens at greater risk" and threatened to pull iMessage and FaceTime from the UK rather than weaken encryption.
The government climbed down in early September 2023, days before the Bill's final Lords stages. A minister told Parliament that Ofcom would only require scanning "where technically feasible" and where a technology had been independently accredited as meeting minimum accuracy standards — and conceded that no such technology currently exists for E2EE. Crucially, Section 122 was not removed from the statute; the power remains on the books, dormant, pending a feasibility that researchers argue cannot be met without breaking encryption. The Electronic Frontier Foundation and Amnesty International characterized the move as a face-saving deferral rather than a genuine repeal — a pattern that recurs across all three jurisdictions.
The researcher consensus: client-side scanning as a security own-goal
The most striking feature of this debate is the near-uniformity of expert opinion against client-side scanning. In October 2021 — directly in response to Apple's NeuralHash — fourteen of the world's most senior cryptographers and security researchers published "Bugs in our Pockets: The Risks of Client-Side Scanning" (later in the Journal of Cybersecurity). The authors include Hal Abelson, Ross Anderson, Steven Bellovin, Josh Benaloh, Matt Blaze, Jon Callas, Whitfield Diffie, Susan Landau, Peter Neumann, Ron Rivest, Bruce Schneier, Vanessa Teague, and Carmela Troncoso — a roster that includes inventors of public-key cryptography and the RSA algorithm. Their conclusion is blunt: client-side scanning (CSS) "neither guarantees efficacious crime prevention nor prevents surveillance. Indeed, the effect is the opposite... CSS by its nature creates serious security and privacy risks for all society, while the assistance it can provide for law enforcement is at best problematic." Their central worry is scope creep: once a scanning client is installed on every phone, the hash list is a control point that can be silently expanded — by a government, a court, or a coerced provider — from CSAM to copyrighted material, dissident speech, or political imagery, with no way for users to verify what is being matched.
This was not a one-off. Against the EU CSAR, an open letter from over 300 (ultimately 465) scientists and researchers was published on 4 July 2023 (EDRi), followed by a refreshed letter signed by 270 experts across more than 30 countries on 2 May 2024, including Harvard's Bruce Schneier and Johns Hopkins's Matthew Green. Their technical claim is categorical: "Detection in end-to-end encrypted services by definition undermines encryption protection," and the detection technologies are "deeply flawed and vulnerable to attacks." The breadth of the signatory base — spanning academia and researchers at IBM, Intel, and Microsoft — is itself the argument: this is not a fringe civil-liberties position but the considered view of the field that builds the systems in question.
The other camp: NCMEC and the child-safety sector
The opposing case is made most forcefully by NCMEC, which sits at the center of the U.S. reporting system and sees the consequences of encryption in its own data. NCMEC's position is more careful than "ban encryption." It states it "support[s] efforts to improve online privacy" but opposes E2EE deployed "with no exceptions for detecting child sexual abuse material," warning that otherwise "millions of incidents of abuse will remain hidden" (NCMEC, End-to-End Encryption). NCMEC has estimated that more than half of its CyberTipline reports would be lost if major platforms encrypt without a detection mechanism — a number that drives the entire child-safety argument.
The most-cited empirical support is Meta. After Messenger moved to default E2EE in December 2023, NCMEC reported that the CyberTipline received reports of roughly 7 million fewer incidents in 2024 than in 2023, with Meta's encryption the likeliest cause (NBC News). To the child-safety sector, this is the debate's hardest fact: encryption demonstrably shrinks the funnel through which abuse is discovered, and the cryptographers' objections do not, on their own, replace the reports that go missing. NGOs such as the WeProtect Global Alliance and (in the UK) the NSPCC press the same point — the NSPCC noted Apple was implicated in 337 recorded CSAM offences in England and Wales in 2022–23 while making a tiny number of NCMEC reports, arguing the gap reflects a deliberate choice not to look. The child-safety camp frames the cryptographers as solving for one value (confidentiality) while externalizing the cost onto a population — abused children — that cannot advocate for itself.
The technical reality: false positives, the base-rate problem, and the signal-to-noise gap
Underneath the politics is a measurable engineering problem. Perceptual hashing (matching known CSAM) is comparatively reliable but vulnerable to adversarial collisions and to silent hash-list expansion. The harder problem is detecting unknown CSAM with classifiers, which is where false positives explode. Because real CSAM is a vanishingly small fraction of all messages, even a very accurate classifier triggers enormous numbers of false alarms — the classic base-rate problem. The 2024 scientists' letter put concrete numbers on it: WhatsApp alone carries ~140 billion messages per day, so even if only 1 in 100 were image messages run through a detector, a 0.1% error rate would generate roughly 1.4 million false positives every single day (TechCrunch). Each false positive is an innocent person's private photo surfaced to a human reviewer or to police.
Real-world reporting bears out the noise. Data cited from the Irish national police (An Garda Síochána) found that of 4,192 NCMEC referrals reviewed, only 852 (20.3%) were confirmed actionable CSAM, with the remainder either non-actionable or outright false positives — meaning roughly four in five referrals consumed investigative resources without identifying illegal material. Researchers argue this cuts against the child-safety case on its own terms: more scanning does not straightforwardly mean more rescued children if the additional signal is buried in noise and the people who traffic CSAM migrate to channels (custom apps, dark-web forums, the open Tor services tracked by Project Arachnid) that are not covered by consumer-app scanning at all.
This is the signal-to-noise crux of the debate, and it is where the two camps genuinely talk past each other. NCMEC's "half of all reports would vanish" and the cryptographers' "1.4 million false positives a day" are both true, because they measure different things: the first measures how much detection mainstream-platform scanning currently produces, and the second measures the cost of forcing that detection through encryption at population scale. The unresolved empirical question — how much of the CSAM that actually moves through E2EE channels would be caught by scanning that determined offenders can evade — is the one neither side can yet answer with confidence.
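The arithmetic behind the letter's figure and the Garda ratio above, carried through to precision, as an added example that comes from neither source. The prevalence (1 illegal image per million scanned) and the sensitivity (90%) are assumptions picked for illustration; the page states neither.

```python
from fractions import Fraction

# Figures quoted in the text above.
MESSAGES_PER_DAY = 140_000_000_000      # WhatsApp, per the 2024 letter
IMAGE_SHARE = Fraction(1, 100)          # "1 in 100" run through a detector
ERROR_RATE = Fraction(1, 1000)          # 0.1% false-positive rate
GARDA_ACTIONABLE = Fraction(852, 4192)  # confirmed actionable referrals

# Assumptions for illustration only; the page states neither value.
ASSUMED_PREVALENCE = Fraction(1, 1_000_000)
ASSUMED_SENSITIVITY = Fraction(9, 10)


def daily_outcome(messages, image_share, prevalence, sensitivity, fpr):
    """Expected daily counts for a classifier run over a message stream."""
    scanned = messages * image_share
    illegal = scanned * prevalence
    true_pos = illegal * sensitivity
    false_pos = (scanned - illegal) * fpr
    flagged = true_pos + false_pos
    return {
        "scanned": scanned,
        "true_positives": true_pos,
        "false_positives": false_pos,
        # Precision: share of flagged items that are actually illegal.
        "precision": true_pos / flagged if flagged else None,
    }


def required_fpr(target_precision, prevalence, sensitivity):
    """False-positive rate needed to hit a target precision (Bayes, inverted).

    precision = s*p / (s*p + f*(1-p))  =>  f = s*p*(1-P) / (P*(1-p))
    """
    return (sensitivity * prevalence * (1 - target_precision)) / (
        target_precision * (1 - prevalence)
    )


def letter_false_positives():
    """The letter's figure: every scanned image treated as innocent."""
    out = daily_outcome(MESSAGES_PER_DAY, IMAGE_SHARE, 0,
                        ASSUMED_SENSITIVITY, ERROR_RATE)
    return out["false_positives"]


def assumed_precision():
    """Precision at the letter's error rate under the assumed prevalence."""
    out = daily_outcome(MESSAGES_PER_DAY, IMAGE_SHARE, ASSUMED_PREVALENCE,
                        ASSUMED_SENSITIVITY, ERROR_RATE)
    return out["precision"]


def fpr_for_garda_precision():
    """Error rate at which flags would be as reliable as the Garda referrals."""
    return required_fpr(GARDA_ACTIONABLE, ASSUMED_PREVALENCE,
                        ASSUMED_SENSITIVITY)


if __name__ == "__main__":
    print("false positives/day:", int(letter_false_positives()))
    print("precision at 0.1% error: %.4f%%" % (float(assumed_precision()) * 100))
    print("Garda actionable share: %.1f%%" % (float(GARDA_ACTIONABLE) * 100))
    print("error rate needed for that precision: %.2e"
          % float(fpr_for_garda_precision()))
```

Under these assumptions the detector would need an error rate hundreds of times lower than 0.1% before its flags were even as reliable as the referrals in the Garda sample.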
Where the debate stands in 2026
By 2026 the legislative score is three-for-three in favor of the cryptographers — but only on the surface. Apple abandoned NeuralHash and now litigates the consequences; the EU Council retreated to voluntary detection on 26 November 2025; and the UK left Section 122 on the books but acknowledged it cannot be used until an accredited, accurate technology exists. In every case the mandate to scan was defeated or deferred, not because legislators were persuaded children don't need protection, but because no one could rebut the claim that the technology cannot be deployed safely.
Yet none of the underlying powers were truly repealed. Section 122 is dormant, not deleted. The EU's voluntary regime is heading into trilogue with critics warning that "risk mitigation" obligations could reintroduce scanning by another name, and the ePrivacy derogation keeps voluntary scanning legal indefinitely. The U.S. has no scanning mandate, but the Amy v. Apple litigation, the EARN IT Act's periodic revivals, and state-level suits keep pressure on providers. The likely 2026 equilibrium is therefore not resolution but stalemate plus displacement: mandatory client-side scanning stays politically and technically blocked; the policy energy shifts to voluntary detection, age verification, default-on safety features for minors, and offender-side interventions; and the volume of genuinely E2EE traffic — and of AI-generated CSAM that hash-matching cannot catch — keeps growing. The encryption debate has not been won by either side. It has been postponed, and the gap between what detection systems can see and what abuse actually occurs is widening inside it.
Reading the numbers: detection scale, the dark figure, and the bundling artifact
Almost everything the public knows about the scale of child sexual abuse material comes from a handful of counting institutions — the U.S. CyberTipline, the Internet Watch Foundation, Project Arachnid, and a small number of detection vendors — and almost every figure they produce is an artifact of detection capacity, statutory reporting duties, and platform behavior rather than a direct measure of how much abuse material exists or is being produced. The headline statistics are real, but they are downstream of where the searchlights happen to point. In 2024 and the first half of 2025 this gap produced a textbook failure: a single ambiguous checkbox on a reporting form generated six months of "AI-CSAM is flooding the internet" headlines that a Stanford researcher and two Bloomberg reporters later showed were built on data that, in roughly four of five cases, involved no AI-generated material at all. This section sets out what the major counting systems actually report, why year-over-year deltas are mostly noise about methodology, and what can and cannot be inferred about true prevalence — the "dark figure" of unreported abuse.
The CyberTipline: 20.5 million reports, and why that number went down
The U.S. National Center for Missing & Exploited Children (NCMEC) reported that its CyberTipline received 20.5 million reports of suspected child sexual exploitation in 2024, containing 62.9 million files — approximately 33.1 million videos, 28 million images, and nearly 2 million other file types, per Thorn's analysis. On its face this is a 43% decrease from the 36.2 million reports filed in 2023, and a naive reading would suggest the problem is shrinking. It is not.
The decline is an accounting artifact. NCMEC introduced a "bundling" feature allowing platforms to consolidate reports tied to a single viral incident — for example, a piece of abusive meme content shared by thousands of users — into one report or a smaller set, rather than filing a separate report per user. When the 2024 data is re-expressed as discrete incidents rather than reports, the figure rises to 29.2 million separate incidents. Bundling reduces redundant paperwork for both platforms and NCMEC's analysts, but it severs the year-over-year comparability of the raw report count. The 43% "drop" is therefore not evidence of less abuse; it is evidence that the unit of measurement changed.
This is the recurring lesson of CyberTipline data. The count is overwhelmingly a function of how many platforms are scanning, how aggressively they scan, what the law obliges them to forward, and how those reports are aggregated. U.S. providers are required under 18 U.S.C. § 2258A to report apparent CSAM they become aware of, but the statute does not require them to look for it — so the volume reflects the diligence of a self-selecting set of large platforms far more than it reflects the underlying population of offenders or images.
The dark figure: what detection cannot count
Every figure above shares one limitation: it measures detected material, and detection is non-random. Criminology calls the gap between recorded and actual offending the "dark figure" of crime, and for CSAM that figure is both large and unquantifiable in principle. Detection is concentrated where scanning is deployed and content is hash-matchable; it falls off sharply for end-to-end encrypted channels, peer-to-peer file sharing, the Tor-based dark web, self-hosted infrastructure in non-cooperating jurisdictions, and — most consequentially — for abuse that is never recorded as media at all, or recorded and never shared online. Contact abuse that produces no distributed file generates no CyberTipline report, no IWF assessment, and no hash hit.
This makes "prevalence" and "detection" categorically different quantities that are routinely conflated. A rise in detected volume is consistent with at least four distinct underlying realities — more production, more sharing of existing material, better or more widely deployed detection, or a change in reporting/statutory obligations — and the data almost never distinguish among them. Thorn's own framing is the appropriate epistemic stance: "Lower numbers don't necessarily mean less abuse. In some cases, they mean less visibility into it." The 2024 CyberTipline decline (a bundling artifact) and the 2025 AI surge (a checkbox artifact) are the same error in opposite directions.
For journalists, policymakers, and compliance leads, the operational rule that follows is narrow but firm: a year-over-year percentage change in any CSAM metric should be presumed to reflect a methodology, deployment, or statutory change until proven otherwise. Where production is genuinely changing — as the IWF's bounded AI figures and survivor reports of recirculated material suggest in specific subdomains — the evidence comes from careful, definitionally stable, manually verified counts, not from the largest and most-quoted aggregate numbers.
Geography and platform concentration
Hosting of CSAM is geographically concentrated and, importantly, concentrated in cooperative Western jurisdictions rather than lawless ones — because that is where cheap, reliable, high-bandwidth hosting exists and where the IWF can actually see it. In 2024 the IWF traced 62% of the webpages it actioned to hosting services in EU countries — 181,112 webpages, an 11-percentage-point rise on 2023. The single largest host country remained the Netherlands at 29% of the global total (83,037 URLs), down from 33% in 2023, with sharp increases in Bulgaria, Romania, Lithuania and Poland; Poland's actioned URLs jumped from 94 in 2023 to 8,077 in 2024.
These host-country league tables, published annually by the IWF, are frequently misread as showing where offenders or victims are located. They show neither. They show where abusive content is stored, which tracks the global data-center industry and the IWF's UK/EU-centric vantage point. A country topping the list is generally a country with abundant commercial hosting and reasonable cooperation, not a country with permissive law; jurisdictions that host content but do not cooperate are systematically under-represented because their content is harder to detect, attribute, and action.
By platform type, the distribution is consistent year to year: dedicated image hosts and cyberlockers dominate distribution of catalogued material (per the IWF site-type analysis), large mainstream social and cloud platforms generate the bulk of CyberTipline reports precisely because they scan and are legally obliged to report, and the most severe and novel material disproportionately lives on dedicated dark-web forums and encrypted channels that the reporting systems can barely reach. The asymmetry is the point: the platforms that report the most are not necessarily where the most or the worst material is — they are where detection and legal duty overlap. Whoever scans, reports.