April 2025 / Reading Time: 6 minutes
STUDY H: Access denied: How blocklists are thwarting attempts to view CSAM
Introduction
Domain blocking, or webpage blocking, has existed since the early 2000s as a virtual no-entry sign preventing people from accessing webpages known to contain child sexual abuse material (CSAM). It relies on ‘blocklists’ of specific website addresses (identified by organisations including the Internet Watch Foundation), which internet service providers (ISPs) cannot connect their users to when people search for them (Hunter, 2004). This study is the first to examine the extent to which people attempt to access blocked websites containing CSAM, coupled with the use of anonymisation services, which are tools people use to attempt to hide their identity and activities online. In doing so, we highlight the role these anonymisation services play in the ongoing dissemination and sharing of CSAM online. This can help guide regulators and ISPs in better preventing access to CSAM by improving detection methods to stop attempts to bypass website blocking.
Glossary of terms
- Internet Protocols (IP addresses): Unique identifying numbers assigned to all devices that connect to the internet, including phones, laptops, tablets, modems and servers.
- Domain Name Service (DNS): A company that receives requests from users through internet service providers and connects the users with the requested webpages.
- Virtual private network (VPN): A service that allows users to send their request through an alternate route.
- The Onion Router (TOR): The most common browser used to connect to the Dark Web where CSAM is displayed on encrypted hidden pages.
- Proxies: A middle device used to connect a user with the website they are requesting.
- Internet service providers (ISPs): Companies that connect users to the internet.
- Electronic service providers: Companies that offer online services like messaging, payments or cloud storage.
- Web crawlers: Technological tools developed to visit large volumes of webpages simultaneously, without consideration of what is on the page, to scan and detect content for various purposes. As such, web crawlers often visit the same webpages daily or at times more frequently to gather as much data as possible.
Number of requests to CSAM blocked
0
Methodology
To gauge the blocking of attempts to access webpages known to contain CSAM using devices such as mobile phones and laptops, Childlight examined data from a global partner that operates the Domain Name Service (DNS). The DNS acts like both an address book for the internet and an operator, allowing users who search for a website through their ISP to be connected to where they wish to be. Blocked webpages are cross-referenced with regularly updated lists held by the Internet Watch Foundation as well as law enforcement agencies, including INTERPOL. In addition to looking at the number of search requests that are blocked (blocked requests), further data was analysed around additional requests by the same requesting users for a 48-hour period. This resulted in a dataset prepared for a consecutive two-day period in September 2024, which Childlight analysed. The dataset included all confirmed and suspected CSAM page requests, globally organised by indicators. These indicators included the geographic area where the request was first received, the number of requesting users seeking known CSAM webpages and the use of anonymisation services. Anonymisation services are web-based tools that users can employ in order to mask, mislead or misrepresent who they are and their location. These include proxies, where internet traffic first goes through another computer as an intermediary before reaching the website the requesting user wants to visit. They also include virtual private networks (VPNs), in which online activity is encrypted and routed through a server in another location. A third tool is The Onion Router (TOR), the browser and network that bounces a user’s internet connection through several different computers around the world and can be used to access the Dark Web.
Key findings
Over two days, more than 853,000 attempts to access webpages with CSAM were successfully blocked. This means there were about five attempts every second worldwide to reach illegal content or around 156 million attempts per year.
Many of the people trying to access CSAM used anonymisation services like proxies and VPNs to hide their identity. However, most of the requests studied did not use these such services. Only 15% of CSAM requests used proxies and 2.5% used VPNs, indicating that most of the users were not trying to hide their activities with anonymisation tools. Proxies and VPNs were used more often for other types of content, not specifically CSAM.
Figure 1: Anonymisation use for CSAM Domains by date
Figure 2: Anonymisation use for CSAM and non-CSAM requests
When it comes to TOR, a browser used to access the Dark Web, it made up less than 1% of all CSAM-related requests. This is different from accessing hidden websites on the Dark Web itself, where CSAM is more commonly found. However, in some countries, TOR was used more frequently for CSAM searches. For example, Germany had the most TOR requests for CSAM according to the blocked webpage data, although these only made up 1% of Germany’s total TOR activity as identified in this data. Moldova had a high percentage of TOR requests for CSAM, though the total number was very small.
In total, 12 countries had webpage activity linked to CSAM. The highest number of device requests from a specific country came from Singapore, with 223 cases of devices making CSAM-only requests over two days. This highlights the global nature of the issue.
Recommendations
Recommendation 1. All internet service providers should be required to block websites known to contain CSAM. Due to the way the internet operates, often a single webpage request will be carried out in part by multiple service providers. The more ISPs that utilise this service, the greater the likelihood that any individual query will be flagged to be blocked by one of the services.
Recommendation 2. Ensure that blocklists are shared more widely with internet service providers, electronic service providers and social media companies so they are able to block the sharing of links within their respective platforms. This will also help platforms better identify, and respond to, bad actors who are attempting to share access to CSAM through their services.
Recommendation 3. Put in place regulation and oversight of the points where users connect to, and exit from, the TOR network. This was the only anonymisation service that was used more often for known CSAM domain requests than other requests made by the same requesting users. By regulating the number of users able to access TOR, it will not only limit the number of users attempting to access blocked CSAM webpages, but also the known CSAM that exists on ‘.onion’ domains that can only be accessed through TOR.
Recommendation 4. Governments should monitor blocked access to CSAM domains to help identify areas for improvement in terms of security risks and online safety.
Recommendation 5. When blocked domain requests are relayed, provide an option for support services to those requesting the domain, such as StopItNow.org.uk.
Limitations
The data referred to in this study is limited by the short period it covers and because it only looked at users who had attempted to access at least one known CSAM webpage. The overall numbers may be inflated due to the possible inclusion of web crawlers, which seek access to numerous webpages every day without consideration of the content displayed on each requested domain. The data may also include multiple requests from the same user(s) within the period. Finally, it is important to note that this analysis does not consider attempts to view webpages containing CSAM which are not on active blocked lists.
More information
Suggested citation: Stevenson, J., Mclean, L., & Fry, D. (2025). Access denied: How blocklists are thwarting attempts to view CSAM. In: Searchlight 2025 – Childlight's Flagship Report. Edinburgh: Childlight – Global Child Safety Institute
Researchers: Mr James Stevenson, Mr Lewis McLean, Professor Deborah Fry
Study partners: Cisco Umbrella DNS
Registered study protocol: OSF | Web Anonymisation Service Access for Child Sexual Abuse Material
Ethics approval: University of Edinburgh, Childlight Research Ethics Sub-Committee (CATTU-JST-0060424CL)
Advisory committee members: Hugh Dixon (Nominet), Joanne Negrette (Cisco), Lloyd Richardson (Canadian Centre for Child Protection)
Funding acknowledgement: The research leading to these results has received funding from the Human Dignity Foundation under the core grant provided to Childlight – Global Child Safety Institute under the grant agreement number [INT21-01].