Solving the starfish problem

Solving the starfish problem
November 1, 2022 Gabriela Badea

Solving the starfish problem

How CyberTip ONE will transform the management of NCMEC CyberTips for law enforcement worldwide

For police forces around the world, managing the rising flood of CyberTip reports from NCMEC (National Center for Missing & Exploited Children) is like trying to drink from a firehose. Without the manpower or technology to quickly assess and prioritize the thousands of cases pouring in each day, agencies are drowning in growing backlogs. To understand the impact of this, we sat down with Arnold Guerin, Director of Child Protection at Hubstream, and Olle Ejerblad, Law Enforcement Liaison at Griffeye. They told us about their personal experience in law enforcement working with CyberTips – and about what makes the new solution CyberTip ONE a game changer for both investigators and the children they are sworn to protect.

Despite living halfway around the world from one another, Arnold Guerin and Olle Ejerblad are good friends with a lot in common, including a shared love of barbecue and an easy sense of humor. But most importantly, they have both spent much of their law enforcement careers at the technological forefront in the fight against online child exploitation.

The two got to know each other at a training course for Griffeye’s Analyze DI software, but when asked how they first met, Arnold can’t resist a joke:

“There was an ABBA-themed battle of the bands in Sweden. I was there with the Waterloo Wonders and Olle was there with his band, the Björn Bad Boys. We were both dressed as Björns, and we got along immediately.”

A career in the service of children
Child protection is Arnold’s life’s work. Having started his policing career on a Canadian aboriginal reserve working with victims of abuse, he spent many years running a program called CETS (Child Exploitation Tracking System) with the Royal Canadian Mounted Police (RCMP). His expertise in computer forensics also brought him to Interpol and eventually the United Nations Office on Drugs and Crime in Thailand, where he trained police in the region to combat online child exploitation.

“The UN job was a good way to start my transition out of law enforcement. I knew my training in Canada would apply everywhere else, and that region is one that needs all the help we can give it. It’s a problem that requires an international response,” he says.

Driven to make a difference
Like Arnold, Olle also has a background in computer forensics. And though he had many different responsibilities in his 31 years with the Swedish Police, he spent the last 12 years combatting child exploitation – a decision he made after stumbling across CSAM (child sexual abuse material) during an unrelated computer investigation:

“Before then I had never been exposed to it or even thought about it, but when I saw that it changed my life. I was appalled that this was happening to children, and I knew I had to do something. Everything else seemed less important,” he says.

Since then, Olle has worked in victim identification at the national level with the Swedish police and lent his expertise to CEPOL (Europol’s educational arm) to educate about the problem of CSAM.

Now Arnold and Olle have retired from the force and begun a new chapter in their lives, with Arnold joining Hubstream and Olle taking a position at Griffeye. As committed as ever to safeguarding the welfare of children, they dedicate themselves now to providing agencies with technology to streamline the workflow of CSAM investigations.

Overwhelmed with intelligence
“At the most recent Interpol conference, one of the chief questions everyone was asking was, ‘What are you doing with NCMEC CyberTips?’ and no one had a solid answer,” says Arnold.

The first challenge is the sheer volume of reports coming in. In 2021, NCMEC’s CyberTipline received 29.3 million reports of suspected child sexual exploitation, an increase of 35% from 2020. These reports are sent to law enforcement for investigation, where each one must be assessed and prioritized manually.

“Canada is getting around 60,000 reports per year,” says Arnold. “The Philippines is getting 8,000 per day. From a practical standpoint, there’s no difference between the two. Either way, you’re going to need tools to automate the workflow so you can deal with the priority cases first.”

“Some people think this is a beautiful story, but for me, it’s about adopting a survival mentality.”

Finding the needle in the haystack
The second challenge with CyberTips is noise. Each report contains an enormous amount of textual and visual intelligence, which often includes historical CSAM and legal content mixed together.

“In one instance, an investigator got a referral from Twitter,” says Arnold. “Twitter was trying to be very thorough, so they sent all the images this person had shared historically. There were 5,000 images – and only one was CSE (child sexual exploitation) content”.

Without the proper technology, investigators trying to identify first-generation material are faced with the time-consuming burden of filtering out the irrelevant subject matter manually. Arnold continues:

“We would store media and files on a network shared drive. Our intelligence tools were Windows Explorer and Microsoft Excel, and we were getting so much data that we actually hit the row limit of Excel. When this happens, you have to open a second Excel spreadsheet and link it to the first one. So, you end up with this spiderweb of linked spreadsheets, which is like a house of cards. When something goes wrong, you have to find an Excel expert just to locate something as simple as an email address. And in the case of that Twitter referral, we had a Windows Explorer page of 5,000 icons and no way of filtering through them to find the CSE content.”

Working in such a disconnected manual way also leads to an enormous amount of redundancy, as Olle explains: “As an investigator, you only know what you’ve seen – not what your colleagues have seen. This means you spend a lot of time examining images that may have already been dealt with by someone else.”

These combined inefficiencies slow down investigations and cause case backlogs to grow. Olle remembers, “We had these paper files on a bookshelf, and they were piling up because we didn’t have the manpower or computer support to go through it all. A couple of years ago, Sweden created a national cybercrime center. They’ve worked hard to get these reports under control and have done a fantastic job. But today they’re still piling up, just in digital form. And this isn’t unique to Sweden – it’s a universal problem.”

Failing the most vulnerable
The tragedy of such a dysfunctional process, of course, is that children are left behind. For investigators, this has a devastating effect on morale.

“It’s called the starfish story,” says Arnold. “A man is walking his dog on the beach, and he sees a girl taking starfish off the hightide mark and returning them to the ocean. The man asks her what she’s doing, and she replies, ‘Well, the tide went out and all these starfish are stuck here, so I’m going to save them.’ The man looks down the beach and sees thousands of starfish. ‘You can’t possibly save all these starfish,’ he says. ‘No,’ she says, ‘But I can save this one.’ Some people think this is a beautiful story, but for me, it’s about adopting a survival mentality. And this is how investigators have to think: ‘I’m going to get through the day by achieving this one thing.’”

Olle agrees: “People go into this work with a lot of energy. They want to save children. But sitting there manually opening zip files drains your energy after a while. To get by, you have to put blinders on and shut out the enormous pile of cases waiting for you.”

“(…) instead of focusing on 1,000 CyberTips in a day, you can start with the 10 that need your attention most.”

Fixing a broken system
As two sides of the same coin, the Hubstream and Griffeye platforms each support different key parts of the CyberTip workflow: Hubstream analyzes the textual data found in a NCMEC report, while Griffeye analyzes the visual data.

CyberTip ONE brings together the intelligence capabilities of the two platforms, giving agencies one solution that streamlines the entire collaborative workflow from receiving the CyberTip to taking action. Crucially, it automates much of the work to assess and prioritize cases, reducing manual labor and noise, minimizing exposure to CSAM, and most importantly, helping investigators identify victims and uncover high-quality leads.

“To go back to the Twitter example,” says Arnold, “Now you could import the complaint into CyberTip ONE. The Hubstream software would extract the data – an email address, IP address, GPS coordinates, and perhaps a URL linking to a deactivated account. Then you would use Griffeye’s artificial intelligence to quickly burn through the 5,000 images in there. The software will tell you whether an image is CSAM and whether it’s already been categorized. This helps you prioritize the report, so now instead of focusing on 1,000 CyberTips in a day, you can start with the 10 that need your attention most.”

This would give investigators a much-needed sense of accomplishment, as Arnold explains:

“They’re going to go home healthy, knowing that they not only made it through the day but escalated cases and got them out to the right jurisdictions. That’s a mental health boost everyone whose doing this work needs.”

Olle agrees. “Being able to prioritize lets you put your resources into the right cases from the beginning, which means you safeguard children quicker. Everyone wins.”

For Arnold and Olle, there is no greater reward than continuing to support their former colleagues and protect children.

“Olle and I are in service to the people that are in service to children,” says Arnold. “It’s up to us to provide these national units with the insight and consulting advice they need to have maximum impact. We believe in the companies we’re working for. We believe in what we’re doing. And we believe in these tools because they help investigators do their jobs to the best of their ability.”

“It’s the truth,” says Olle. “I’m using my knowledge and experience to help my colleagues around the world get better results from their work. And that means a lot to me. It really does.”

Other news

  • Release of Analyze 23.2

    Analyze 23.2 is now available! This release highlights the introduction of Enterprise GID and the implementation of Processing Nodes in…

  • Webinar: Introducing Griffeye Orchestrate

    Live webinar: August 30th @16:00 CEST

  • NCMEC Griffeye Partnership

    Griffeye and NCMEC join forces

    We are thrilled to announce that we are joining forces with the National Center for Missing and Exploited Children (NCMEC),…