61.8 Million Files. One Year.
Child Sexual Abuse Material — known as CSAM — is any image or video depicting the sexual abuse or exploitation of a child. It is not abstract. Every file is a record of a real crime against a real child. And when that file is shared, the child is victimized again.
In 2025, the National Center for Missing & Exploited Children (NCMEC) received 21.3 million reports of suspected child sexual exploitation. Those reports contained 61.8 million images, videos, and files.
If a human analyst spent one second on each file, it would take nearly two years of unbroken work. No sleep. No meals. Just file after file.
Over 1.5 million of those reports involved generative AI — abuse images that never happened to a real child, manufactured by algorithms. A new horror, made on demand.
No human can review this volume. No one should have to.
Can a machine recognize an abusive image without understanding what it's looking at? The answer depends on whether the material has been seen before.
Source: NCMEC 2025 Impact Snapshot
This Is Bigger Than You Think
Child safety is a much bigger problem than CSAM detection alone. It includes online grooming (1.4 million enticement reports in 2025 — up 156%), sextortion, child sex trafficking, victim identification, and survivor support. Each is a discipline with its own tools and challenges.
This essay focuses on one critical piece: how machines detect abuse material at internet scale. This is the engineering foundation. Without detection, there is nothing to report, nothing to block, no one to rescue.
But before we look at any technology, there is something more fundamental to understand.
Privacy, dignity, and the constraint that shapes everything
Every person who uploads a photo online — a family picture, a selfie, a sunset — has a right to privacy. Detection systems scan billions of these images. The overwhelming majority are completely innocent. The system must protect children without violating everyone else's privacy in the process.
This is the design constraint that shapes every technology in this essay. Perceptual hashing — originally developed for content identification and duplicate detection — turns out to have a remarkable property: no human or machine ever needs to see the original image. The image is reduced to a short numerical fingerprint — a string of bits that cannot be reversed back into the image. Only the fingerprint is compared. Only the fingerprint travels through the system.
An analogy: imagine airport security could check your luggage by scanning its weight and density profile, without ever opening it. If the profile matches a known threat signature, the bag is flagged. If it doesn't match — which is 99.99% of the time — no one ever looks inside. Your privacy is preserved not because the system trusts you, but because the system was designed to never need to look.
This is why perceptual hashing became the foundation of CSAM detection. It is the only approach where the privacy of billions of innocent users and the safety of exploited children are not in fundamental tension. The system works because it doesn't look.
The Image You've Seen vs. The One You Haven't
There are two fundamentally different kinds of abuse material, and they require different technologies to detect. Understanding this distinction is the most important concept in child safety engineering.
Material that has been seen before. Reported, verified by a human expert, and fingerprinted. A database of digital mugshots.
Detection: perceptual hashing. Compute a fingerprint of the new image, compare it against the database. If it matches — the image is known CSAM.
Very low false positive rate (matching against verified material, not classifying). Runs at massive scale. No one views the content.
Completely blind to material that has never been seen before. False positives can still occur with collision-prone images (blank/solid color images whose hashes happen to be close to database entries).
Material that has never been seen. Newly produced abuse. AI-generated content. First-time uploads. Nothing in any database matches it.
Detection: machine learning classifiers. A model trained to recognize what abuse looks like — not by matching, but by learning patterns.
Can detect genuinely new material, including AI-generated content.
Higher false positive rate. More compute. Harder privacy and policy questions.
Most real-world systems combine both. Hashing catches the known material cheaply. Classifiers catch the unknown at higher cost. Together, they form a layered defense.
256 Bits That Describe Any Image
A photograph is made of millions of colored dots — pixels. A computer sees it as a giant grid of numbers: the exact red, green, and blue intensity of every single dot. A typical 12-megapixel photo is about 36 million numbers.
Now imagine you could describe that photo using just 256 ones and zeroes. Not 36 million numbers. Two hundred and fifty-six. These 256 bits wouldn't tell you the color of any specific pixel. Instead, they'd capture something deeper: the image's structure. The overall pattern of light and dark. Where the big shapes are. Whether the top half is brighter than the bottom. Whether there are strong horizontal lines or mostly smooth gradients.
That's what a perceptual hash is. It's a compact description of what an image looks like to a human eye — its visual essence — stripped of every detail that doesn't matter for recognition.
And here's the critical property: if you resize the photo, those 256 bits barely change. Add a watermark? Barely change. Screenshot it, re-save it as JPEG at lower quality, crop the edges slightly? The bits stay almost the same. Because the visual essence — the arrangement of light, dark, shapes, and structure — survives these transformations.
This is the opposite of how cryptographic hashes work. A cryptographic hash like SHA-256 is designed so that changing a single pixel produces a completely different output — the "avalanche effect." A perceptual hash is designed so that visually similar images produce similar outputs. Two images that look the same to your eye will have hashes that are nearly identical, even if every single pixel value is technically different.
This means we can compare these short descriptions against a database of known abuse material without ever storing, transmitting, or viewing the actual images. Only the 256 bits — 32 bytes — travel through the system. The image itself never leaves the device where it was scanned.
Drag the slider to add noise. Watch two completely different behaviors: the cryptographic hash (SHA-256) changes completely with any modification — that's by design. The perceptual hash — computed using a real DCT algorithm right here in your browser — stays stable until the image is damaged beyond recognition. This is the property that makes CSAM detection possible.
The algorithms
Several perceptual hashing algorithms exist, each making different tradeoffs between hash size, robustness, and computational cost. The industry standard for CSAM detection is PhotoDNA (Microsoft, 2009) — it produces a 144-byte hash using gradient analysis and is deployed at Facebook, Google, Twitter, and most major platforms. But it's proprietary: you need a license from the Technology Coalition to use it. The most widely deployed open-source alternative is PDQ (Meta, 2019) — a 32-byte hash based on frequency analysis. Others include pHash, aHash, and dHash — simpler algorithms with higher collision rates that are useful for general duplicate detection but not suitable for safety-critical applications where false positives have serious consequences.
| Name | Author | Year | Hash Size | Media | License | Notes |
|---|---|---|---|---|---|---|
| PhotoDNA | Microsoft | 2009 | 144 bytes (1,152 bits) | Images | Proprietary (Tech Coalition) |
Industry standard since 2009. Deployed at nearly every major platform. |
| PDQ | Meta | 2019 | 32 bytes (256 bits) | Images | Open source (MIT + patents) |
Deep-dived below. Also the frame-level hash used inside TMK for video. |
How PDQ actually works
PDQ takes any image — a photo, a screenshot, a scan, any resolution, any format — and reduces it to exactly 256 binary decisions. Not an approximation. Not a summary. A precise sequence of yes-or-no answers about the image's visual frequency content. Here's the complete pipeline.
Bits
You have two 256-bit hashes. Line them up, position by position. Count the bits where they disagree. That count is the Hamming distance — a number from 0 (identical) to 256 (every bit different). If the two images are versions of the same photo — resized, watermarked, re-compressed — only a handful of bits will differ: maybe 3, 8, or 12. If they're completely unrelated images, probability theory predicts that about half the bits will differ: ~128 out of 256 (since each bit is essentially a coin flip relative to another random image). Set a threshold — PDQ's recommended default is 31. Below the threshold? Match. Above? Different image. A single comparison is just an XOR of two 32-byte values followed by a popcount (count the 1-bits in the result). On modern CPUs with SIMD instructions, this takes roughly 10 nanoseconds — fast enough to compare against millions of known hashes in under a second.
Distance, bit by bit
Two fingerprints, aligned. Each column is one bit position. Gold highlights show where the two hashes disagree. The total count of disagreements is the Hamming distance — the single number that decides match or no match.
Gold = the two hashes disagree at this bit position. The more noise you add, the more bits flip — but notice how the hash is remarkably stable for moderate changes.
The threshold decides everything
Every image in a database sits at some Hamming distance from your query. The threshold draws a line: everything to the left is called a match. Drag it and watch what happens to the verdicts.
Green bars = known CSAM variants (should be flagged). Gray bars = innocent images (should not). Move the threshold and watch the tradeoff: too tight misses real matches, too loose creates false positives.
Five modifications, five distances
The same image, altered five different ways. Small visual changes (resize, watermark, compression) produce small Hamming distances — they stay well inside the match zone. Destructive changes (heavy crop) or unrelated images land far outside. The threshold cleanly separates them.
Video: When Time Becomes a Dimension
Images are hard. Video is exponentially harder.
A 10-minute video at 30 frames per second is 18,000 individual pictures. You can't hash the file itself — re-encoding to a different codec, re-compressing at a lower bitrate, or changing the container from MP4 to MKV changes every byte of the file while leaving the visual content identical. You need an algorithm that understands what the video looks like over time — and that's invariant to how the video is encoded.
The most widely deployed open-source solution is TMK+PDQF (Temporal Match Kernel, Meta AI Research). The "+PDQF" means it uses PDQ as its per-frame hash — the same algorithm from Chapter IV. Other approaches include vPDQ (which stores individual per-frame PDQ hashes with timestamps — better for finding clips inside longer videos) and proprietary systems like Videntifier (used by NCMEC and Interpol for victim identification). We'll focus on TMK, because its design reveals a deep insight about how to compress time itself into a fixed-size fingerprint.
| Algorithm | Approach | Best For | Limitation |
|---|---|---|---|
| TMK+PDQF | Averages per-frame PDQ hashes (Level 1) + Fourier decomposition of temporal signals (Level 2) | Full-video matching at scale | Cannot match clips or excerpts from longer videos |
| vPDQ | Stores individual PDQ hashes per frame with timestamps | Clip and segment matching via subsequence search | Variable-size output (proportional to video length), harder to index |
How TMK turns a video into a fixed-size fingerprint
Every frame of a video gets hashed with PDQ, producing a 256-bit vector per frame. A 10-minute video at 30fps becomes 18,000 hash vectors — a sequence of 256-dimensional binary points unfolding over time. TMK's job is to compress that entire sequence into a fixed-size descriptor that is the same size regardless of whether the video is 10 seconds or 2 hours. It does this in two levels, each capturing a fundamentally different kind of information.
If someone asks you "what does this song sound like?", you might answer two ways:
This describes the overall tonal palette — what instruments are present across the whole song. But two completely different jazz songs might both use piano, bass, and drums. This description alone can't tell them apart.
This describes the temporal structure — the rhythm, the phrasing, how the energy rises and falls. Now you can distinguish the songs, even if they use the same instruments.
TMK works exactly this way. Level 1 captures what the video looks like on average — the "tonal palette." Level 2 captures how the visual content evolves over time — the "rhythm and melody." Together, they form a complete fingerprint.
Level 1: The visual average (128 bytes)
Remember: each frame has a 256-bit PDQ hash — 256 values that are either 0 or 1. TMK treats each of those 256 bit positions as a separate measurement. For bit position #1, it looks at the value across all 18,000 frames and computes the average. Then it does the same for bit #2, bit #3, all the way to bit #256. The result is 256 averaged values — each one a number between 0.0 and 1.0 — packed into 128 bytes.
Think of it as describing a movie by blending every frame into one ghostly composite. Titanic would be a blue-ish blur (lots of ocean and sky across 3 hours). The Matrix would be a dark green-ish haze (dark interiors, green-tinted digital rain). The composite is blurry and abstract, but it captures the video's overall visual character.
Comparing two Level 1 descriptors is trivial: compute the cosine similarity — a dot product of two 256-element vectors, normalized by their magnitudes. One arithmetic operation. On a modern CPU, this takes about 1 nanosecond. You can scan a Level 1 query against millions of known videos in under 100 milliseconds.
Level 1 eliminates 99%+ of candidates instantly. But it has a blind spot: a video played backward has the exact same Level 1 descriptor as the original. The average of all frames is the same regardless of the order. Two videos with identical scenes in a different sequence? Same Level 1. That's why we need Level 2.
Level 2: Temporal structure via Fourier analysis (15,360 bytes)
Level 1 throws away all information about when things happen. Consider: Video A shows a dark room for 5 minutes, then a bright outdoor scene for 5 minutes. Video B shows the bright scene first, then the dark room. Identical Level 1 averages. Completely different videos.
Level 2 captures temporal structure by applying Fourier analysis — the same mathematical tool that decomposes a musical chord into individual notes. Here's how it works, step by step.
Take bit position #1 of the PDQ hash across all 18,000 frames. You get a time series: a sequence of 0s and 1s that fluctuates as the video plays. This time series has a rhythm — maybe it flickers rapidly during action sequences and stays steady during dialogue. Now do the same for bit #2, bit #3, all the way through bit #256. You now have 256 separate time series, each one a different "channel" that tracks a different visual property over the life of the video.
For each of these 256 time series, TMK asks: how much does this signal correlate with a cosine wave at frequency f? And: how much does it correlate with a sine wave at frequency f? It asks this for multiple frequencies — typically around 30 different periods. The correlation with cosine captures symmetric temporal patterns; the correlation with sine captures asymmetric ones (like a gradual brightening vs. a gradual darkening).
A key detail: the time axis is normalized. Whether the video is 30 seconds or 3 hours, the temporal coordinates are mapped to a 0-to-1 range before the Fourier analysis. This is why TMK is naturally invariant to frame rate differences — a video at 24fps and the same video at 30fps will produce nearly identical Level 2 descriptors, because the temporal patterns are the same when measured in relative time.
The result: for each of 256 bit positions × ~30 frequency pairs (cosine + sine) = roughly 15,360 bytes of temporal fingerprint. This is the video's "melody" — its complete temporal signature. Two videos with the same scenes in a different order will have completely different Level 2 descriptors.
In practice, Level 2 is only computed for the handful of candidates that survive Level 1 pre-filtering. You scan millions of videos in milliseconds using Level 1's cheap dot product, then confirm the ~50 survivors with Level 2's richer comparison.
High correlations at fast frequencies mean rapid visual changes; high correlations at slow frequencies mean gradual shifts over the video's duration.
What TMK cannot do: clips and excerpts
TMK matches whole videos: the same video re-encoded, re-compressed, watermarked, resolution-changed, or frame-rate-converted. It does not match clips — a 30-second excerpt cut from a 2-hour video will not match the original.
Why? Both levels break down. Level 1 averages all frames — so a 30-second clip has a completely different average than the 2-hour video it came from (the clip sees only one scene; the full video's average is diluted by hours of other content). Level 2 also fails: the Fourier analysis is computed over the entire normalized timeline, so the temporal frequencies of a clip describe a completely different temporal structure than the full video. A scene that occurs at the 5% mark of a 2-hour film occurs at the 100% mark of a 1-minute clip — the Fourier coefficients won't match.
For clip matching, the industry uses vPDQ — which stores the individual per-frame PDQ hashes with their timestamps rather than compressing them into a fixed-size descriptor. Finding a clip becomes a subsequence search: look for a consecutive run of matching frame hashes inside the longer video's hash sequence. It's like searching for a sentence inside a book, word by word, instead of comparing the book's summary to the sentence's summary.
In practice, the vast majority of CSAM video redistribution involves uploading the whole file re-encoded — which TMK catches reliably. Clip-based evasion is a known gap. Real-world systems deploy both TMK (for whole-video matching at massive scale) and vPDQ (for clip detection where the variable-size index is manageable).
What If It's Never Been Seen Before?
Everything we've discussed so far — PDQ, PhotoDNA, TMK — works like a police lineup. You have a suspect (the uploaded image). You have a book of mugshots (the NCMEC database). You flip through the book, page by page, asking: is this one a match?
But what if the suspect isn't in the book? What if the image has never been seen before?
In 2025, NCMEC received 1.5 million reports involving generative AI — abuse images manufactured by algorithms, depicting children who don't exist, in scenes that never happened. No mugshot exists. No fingerprint is in any database. Perceptual hashing is completely blind.
Detecting unknown CSAM requires a fundamentally different approach.
From matching to judging
Instead of comparing against a book of mugshots, a classifier is more like training a detective. You show the detective thousands of examples: this is CSAM, this is not, this is, this isn't. Over time, the detective learns to recognize patterns — not specific images, but the characteristics of abuse material.
Now you can show the detective an image they've never seen before, and they'll give you a probability: "I'm 94% sure this is CSAM." That's what a machine learning classifier does.
This is fundamentally harder than hashing. A hash comparison is binary: the fingerprint matches a known entry, or it doesn't. A classifier is making a judgment. And judgments can be wrong — in both directions.
Approaches
Neural networks trained to directly classify images. Google's Content Safety API is the best-known example.
Can detect never-before-seen material, including AI-generated CSAM.
Higher false positive rate. Privacy implications of classification.
A chain of lightweight models: Is this a person? → Is there nudity? → Does this appear to be a minor? Only survivors are escalated.
Reduces volume dramatically. Each stage is cheap.
Each stage can miss. Age estimation is unreliable.
Layer 1: Perceptual hashing (fast, cheap, catches known). Layer 2: Classifier (catches unknown). Layer 3: Human review for confirmed matches. Each layer catches what the previous missed.
Best overall coverage. Industry-recommended approach.
Most complex to implement and operate.
Why 99.99% of the Work Is Proving Nothing Matches
You have a fingerprint. The database has millions. Now what?
Most explanations stop at the hash. But the search is where the real engineering challenge lives.
The instinct is to treat this as a nearest-neighbor problem: find the closest match. But that's the wrong framing.
Nearest-neighbor search asks: "What's closest?" You can use clever data structures, stop early, prune branches.
CSAM detection asks the opposite: "Is anything close enough?" And when the answer is no — which is 99.99% of the time — you must have checked every single entry. There is no shortcut for proving absence.
This asymmetry is the heart of the engineering challenge.
The threshold defines everything
Each point is a known fingerprint. Drag the slider to change the threshold radius around your query.
Two different questions
Nearest Neighbor
"Find the closest point." Stops early.
Threshold Proof
"Prove nothing is close enough." Must check everything.
The brute-force scan
Watch a query scanned against the full database. 99.99% of the work is confirming what isn't there.
At scale, this happens thousands of times per second. Each comparison: nanoseconds. But proving absence still means visiting every point.
The hardest question in child safety
You've now seen the threshold slider. You know that moving it changes who gets flagged. This is where the engineering meets the ethics.
Every false positive means an innocent person's content was flagged — a family photo, a medical image, a piece of art. It means unnecessary investigation, potential harm to reputation, and erosion of trust in the system. At scale, even a 0.01% false positive rate means thousands of wrongful flags per day.
Every false negative means a child's abuse was missed. An image that should have been caught slipped through. That child continues to be victimized every time the image is viewed, shared, or traded. The distribution never ends.
There is no threshold that eliminates both. Setting the threshold is a moral decision, not just a technical one.
In practice, the industry errs heavily toward minimizing false negatives — catching every possible match — and then uses human review to resolve false positives. This means the system flags aggressively but confirms carefully. The cost of a false positive is an investigation. The cost of a false negative is a child.
This is also why the hybrid approach from Chapter VI matters. Perceptual hashing against a verified database has a low false positive rate — but not zero. Certain images (blank, solid-color, simple gradients) produce hashes that collide with database entries by coincidence, not because they depict abuse. Production systems include collision detection to filter these out before matching. Classifiers for unknown material have a higher false positive rate still (the model is making a judgment, not a comparison). By layering them — hashing first, then classifiers, then human review — the system can be both aggressive and precise. But no layer is perfect, and the threshold remains a human decision.
Three Steps. No One Sees the Image.
Across the industry, CSAM detection follows a three-stage pattern that Meta open-sourced as the Hasher-Matcher-Actioner (HMA).
Compute the fingerprint wherever content enters — at upload, at cache, in a processing pipeline. The hasher never sees the CSAM database. It only produces a fingerprint.
Edge servers, upload endpoints
PDQ library, PhotoDNA SDK, TMK pipeline
Compare the fingerprint against the database of known CSAM hashes. The brute-force scan from Chapter VII. The matcher never sees the original content — only fingerprints.
Central infrastructure
SIMD matcher, FAISS index, Hamming scan
When a match is found: block the content, report to authorities, preserve evidence, notify the platform operator. This is where detection becomes protection.
Backend services, workflow engines
NCMEC CyberTipline reporting, content blocking, evidence preservation
Why this pattern works
Swap anything: Replace the hash algorithm without changing the matcher or actioner.
Scale independently: The hasher runs on billions of images. The matcher runs millions of comparisons. The actioner handles hundreds of events. Each scales on its own.
Privacy by design: The original image never leaves the edge. The matcher only sees fingerprints. The actioner blocks a URL without viewing the content.
Your Platform Probably Isn't Scanning. These Tools Are Free.
If your platform hosts user-generated content — images, videos, files — these tools are available right now. Some are free. Some are open source. None require you to view the content.
Free for all Cloudflare customers. Enable it in your dashboard under Caching > Configuration. Cloudflare automatically hashes images as they enter the cache and compares against NCMEC's database of known CSAM. If a match is found, the URL is blocked and you're notified. No credentials required — just a verified email address.
developers.cloudflare.com/cache/reference/csam-scanningFounded by Ashton Kutcher and Demi Moore. Thorn's Safer platform provides CSAM detection as a service for platforms of any size. Has processed over 658 billion files and helped 700+ law enforcement agencies identify victims. Purpose-built for child safety.
www.thorn.org/solutions/for-platformsUses machine learning to classify images — can detect both known and unknown CSAM, including AI-generated content. Returns a confidence score without requiring a hash database. Free tier available.
protectingchildren.googleAWS's content moderation API. Detects explicit content, violence, and other unsafe categories in images and video. Pay-per-use, no upfront commitment. Integrates with Amazon A2I for human review workflows.
aws.amazon.com/rekognition/content-moderationA nonprofit building open-source safety infrastructure for the AI era. Partners include Google, Discord, OpenAI, Roblox, Microsoft, Mozilla, and Bluesky. ROOST provides modular, free building blocks for child safety — including hash matching, case management, and review tools — specifically designed for organizations that can't afford expensive commercial solutions.
roost.toolsOpen-source toolkit: PDQ and TMK hash algorithms, a complete Hasher-Matcher-Actioner pipeline, and hash-sharing database integration. Deploy on your own infrastructure. This is what powers detection at Facebook and Instagram scale.
github.com/facebook/ThreatExchangeThe original perceptual hashing service, in production since 2009. Available as PhotoDNA Cloud for platforms that don't want to manage their own infrastructure. Requires licensing through the Tech Coalition.
www.microsoft.com/en-us/photodnaThe mandatory reporting destination for US platforms. Also provides the hash-sharing API that distributes PhotoDNA and PDQ fingerprints to participating platforms worldwide.
www.missingkids.org/gethelpnow/cybertiplineAI Can Now Generate Abuse Images. What Happens Next?
Generative AI has opened a new front: synthetic abuse material with no prior fingerprint. Hashing catches what has been seen. The next generation must learn to recognize what has never been seen.
But every year, the net gets tighter. Open-source algorithms make detection accessible to any platform. The Hasher-Matcher-Actioner pattern provides a proven architecture. Classifiers improve at detecting novel content.
The technology is imperfect. There are false positives, false negatives, adversarial attacks, and edge cases. But behind the engineering — behind the algorithms and the distance thresholds and the confidence scores — there is a simple, stubborn truth: