eosnetworkfoundation / engineering

A workspace for documentation by Engineering primarily regarding process
MIT License

Setup Cloudflare CSAM Scanning Tool #93

Open kj4ezj opened 5 months ago

kj4ezj commented 5 months ago

[!WARNING]

Trigger Warning
This ticket discusses child abuse.

[!IMPORTANT]

The contents of this ticket are not legal advice, do not reflect official policy of the EOS Network Foundation, and are not a formal statement by the EOS Network Foundation including but not limited to a statement of intention. This ticket is a proposal from the author to the larger organization provided according to the terms of the license in this repository. This disclaimer also applies to all comments and metadata surrounding this ticket, including but not limited to the GitHub Projects status.

From issue 88, this ticket is to set up the free Cloudflare CSAM Scanning Tool for the eosnetwork.com "website." Cloudflare's use of the term "website" includes eosnetwork.com and any *.eosnetwork.com domain or subdomain.

The Cloudflare CSAM Scanning Tool compares all of our web content proxied by Cloudflare to fingerprints of known child sexual abuse material (CSAM) provided by various child safety advocacy organizations.

If matching content is found, Cloudflare will automatically:

  1. Block the content, preventing it from being served to clients.
  2. File a report on our behalf to the National Center for Missing and Exploited Children (NCMEC), a private non-profit funded by the United States Congress, using their CyberTipline API.
  3. Email the report ID along with technical information necessary for incident response to the EOS Network Foundation using an email address created for this purpose.

The NCMEC will review Cloudflare's report, inform the US government, and initiate an investigation.

The EOS Network Foundation is then responsible for responding to the incident in compliance with United States and International law, informed by internal policy and any legal advice. Such a response might look like this.

  1. Escalate Cloudflare's report internally to relevant Engineers, Lawyers, and Executives.
  2. Determine whether the content identified by Cloudflare is CSAM, or a false-positive.
  3. Collect forensic information, potentially including but not limited to:
    • The offending content.
    • External access logs.
    • Internal access logs.
    • System logs.
    • Server images.
    • Specific software versions being used.
    • Current web architecture and relevant documentation.
    • Recent server backups.
  4. Encrypt the collected data using modern cipher suites, such as AES-256 and SHA-512, to protect the privacy and identity of victims.
  5. Store the encrypted copy of the collected data and the decryption key, separately, with a retention policy as required by law.
  6. Cooperate with the corresponding law enforcement investigation.

The EOS Network Foundation does not host adult content, nor does it currently host user-uploaded content as far as the author is aware. However, illegal content could still become present on our infrastructure in the event of a cybersecurity incident or similar.
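Steps 4 and 5 of the response sketch above (encrypt the collected forensic data, then store the ciphertext and the decryption key separately) are the part a responder actually has to type. The following is an added example written for this page, not the author's or the Foundation's tooling, and it assumes only a POSIX shell and OpenSSL 1.1.1 or newer (for `-pbkdf2`). The `seal_evidence` and `verify_evidence` function names, the directory layout, and the 200000 PBKDF2 iterations are the example's own choices. It records a SHA-512 digest of each artifact in a manifest stored beside the ciphertext, encrypts the artifact with AES-256-CBC under a fresh random key, and writes that key to a different directory, which in practice would be on separate storage with its own access control.

```shell
#!/bin/sh
# Added example for sealing a collected forensic artifact (not from the ticket).
# Assumes only a POSIX shell and OpenSSL >= 1.1.1 (for -pbkdf2).
set -eu

# seal_evidence <artifact> <evidence_dir> <key_dir>
#   - records a SHA-512 digest of the plaintext in <evidence_dir>/<name>.sha512
#   - encrypts the artifact with AES-256-CBC under a fresh random 256-bit key,
#     run through salted PBKDF2 so every ciphertext gets its own key and IV
#   - writes the key to <key_dir>, intended to live on separate storage
seal_evidence() {
    artifact="$1"; evidence_dir="$2"; key_dir="$3"
    name=$(basename "$artifact")
    mkdir -p "$evidence_dir" "$key_dir"
    # One fresh key per artifact, hex-encoded so it survives as a text secret.
    openssl rand -hex 32 > "$key_dir/$name.key"
    chmod 600 "$key_dir/$name.key"
    # Integrity record of the original, kept next to the ciphertext.
    openssl dgst -sha512 -r "$artifact" | cut -d' ' -f1 > "$evidence_dir/$name.sha512"
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 \
        -in "$artifact" -out "$evidence_dir/$name.enc" \
        -pass "file:$key_dir/$name.key"
}

# verify_evidence <name> <evidence_dir> <key_dir>
#   Decrypts to a temp file and compares against the recorded SHA-512.
#   Returns 0 on match, 1 if decryption fails (wrong key, truncated or
#   tampered ciphertext) or the digest differs.
verify_evidence() {
    name="$1"; evidence_dir="$2"; key_dir="$3"
    tmp=$(mktemp)
    if ! openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
            -in "$evidence_dir/$name.enc" -out "$tmp" \
            -pass "file:$key_dir/$name.key" 2>/dev/null; then
        rm -f "$tmp"
        return 1
    fi
    actual=$(openssl dgst -sha512 -r "$tmp" | cut -d' ' -f1)
    rm -f "$tmp"
    expected=$(cat "$evidence_dir/$name.sha512")
    [ "$actual" = "$expected" ]
}
```

Two caveats a responder should keep in mind: `openssl enc` does not support authenticated modes such as AES-GCM, so the integrity guarantee here comes from the separately recorded SHA-512 manifest rather than from the cipher, and the manifest must therefore be protected as carefully as the ciphertext. And because decryption requires both the `.enc` file and the matching `.key` file, whoever holds the ciphertext alone (a backup operator, a cloud storage provider) cannot view the material, which is the point of step 5.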

kj4ezj commented 5 months ago

I have requested CyberTipline API credentials from the National Center for Missing and Exploited Children via email.

kj4ezj commented 5 months ago

This ticket is currently blocked, waiting on CyberTipline API credentials to be issued by the National Center for Missing and Exploited Children.

The NCMEC asked us to fill out a form about two weeks ago. I collected the necessary information from relevant stakeholders and submitted that form this afternoon.