Counterabuse: multi-platform threat models

[jbradleychen]

As siloed defenses against abuse have improved, abusers have moved to multi-platform threat models. For example, a public discussion platform with a culture of anonymity may redirect traffic to YouTube as a video library, bypassing YouTube defenses that otherwise reduce exposure of potentially harmful content. Similarly, a minor could be solicited by an adult impersonating a child on a popular social media platform, then redirected to a smaller, less established and less defended platform where illegal activity could occur. There are many such cross-platform abuse models and they cause significant public harm. In a world with strong cross-platform privacy barriers, how should such threats be managed?

[sysrqb]

I realize these are only two examples, but digging into them may be helpful.

For the first concern about platforms redirecting to hosted content, can you provide more details about why IP addresses are helpful in mitigating this threat? If I understand correctly, at a minimum, the service provider (Youtube) only see the client's IP address and possibly a referrer. In a world with IP address privacy, the service won't see the client's true IP address and the browser may truncate the referrer. Are there specific mitigations you already have in place for this situation that you can describe?

For the second example, while these platforms should provide some oversight/protection within their walls, they cannot and should not be responsible for potential harm that occurs on other sites. In general, protecting a child is their guardian/parent's responsibility, and this is the case regardless of which site they're on.

Based on these two examples, I'm not sure there is a one-size-fits-all answer for this problem.

[jbradleychen]

For the YouTube redirect, YouTube will see a redirect from the discussion platform. Without a proxy, YouTube could better estimate the number of distinct users, geographic distribution, and other useful demographics. This isn't really about specific mitigations, it is more about the investigation that supports understanding a threat and designing specific mitigations. In the extreme, abuse fighting is reduced to waiting for a disaster and then cleaning up the mess. This is not a good outcome for public safety. There is no single counterabuse signal more important than IP address.

The above assumes high-traffic volumes. I think the second example is representative of the low-traffic case.

For the second example, parents have a responsibility for being responsible parents. Governments have a responsibility for making responsible parenting possible. When the environment for parenting includes features that are particularly dangerous, and that are harming children, at a certain point a legitimate government is compelled to mitigate the danger, lest they lose the confidence of the people. Such government interventions can avoided if the systems in question self regulate. The radio and the printing press are examples of revolutionary technologies that contributed to tremendous disruption and later became safer through regulation and through industry norms.

These threat models represent significant public safety risks and harms. Achieving safety is not so simple as IP address transparency, as we have that today, and things are still getting worse. That is driving the industry towards systems that are less available for anonymous, unverified users, a bad outcome for privacy. To preserve anonymous service access we need to recognize and mitigate features that threaten privacy or safety.

[chris-wood]

@jbradleychen is this out of scope? If not, perhaps you could prepare a PR with suggested text that addresses this point?

[jbradleychen]

I don't think it should be out of scope. I can work on a PR.

[jbradleychen]

Related discussion here: https://twitter.com/i/status/1430628745799421954?cn=ZmxleGlibGVfcmVjcw%3D%3D&refsrc=email

[bslassey]

I don't think it should be out of scope. I can work on a PR.

@jbradleychen have you had a chance to work on a PR?