On March 9 of this year, a piece of Facebook software spotted something suspicious.
A man in his early thirties was chatting about sex with a 13-year-old South Florida girl and planned to meet her after middle-school classes the next day.
Facebook’s extensive but little-discussed technology for scanning postings and chats for criminal activity automatically flagged the conversation for employees, who read it and quickly called police.
Officers took control of the teenager’s computer and arrested the man the next day, said Special Agent Supervisor Jeffrey Duncan of the Florida Department of Law Enforcement. The alleged predator has pleaded not guilty to multiple charges of soliciting a minor.
“The manner and speed with which they contacted us gave us the ability to respond as soon as possible,” said Duncan, one of a half-dozen law enforcement officials interviewed who praised Facebook for triggering inquiries.
Facebook is among the many companies that are embracing a combination of new technologies and human monitoring to thwart sex predators. Such efforts generally start with automated screening for inappropriate language and exchanges of personal information, and extend to using the records of convicted pedophiles’ online chats to teach the software what to seek out.
Yet even though defensive techniques are now available and effective they can be expensive. They can also alienate some of a site’s target audience — especially teen users who expect more freedom of expression. While many top sites catering to young children are quite vigilant, the same can’t be said for the burgeoning array of online options for the 13- to 18-year-old set.
“There are companies out there that are doing a very good job, working within the confines of what they have available,” said Brooke Donahue, a supervisory special agent with an FBI team devoted to Internet predators and child pornography. “There are companies out there that are more concerned about profitability.”
The smartphone factor
Two recent incidents are raising new questions about companies’ willingness to invest in safety.
Last month the maker of a smartphone app called Skout, designed for flirtation with strangers in the same area, admitted its use had led to sexual assaults on three teenagers by adults. The venture-backed firm had not verified that users of its now-shuttered teen section were under 20, giving predators easy access.
Also in June, a teen-oriented virtual world called Habbo Hotel, which boasts hundreds of millions of registered users, temporarily blocked all chatting after UK television reported that two sex predators had found victims on the site and that a journalist posing as an 11-year-old girl was bombarded with explicit remarks and requests that she disrobe on webcam.
Former employees said site owner Sulake of Finland laid off many in-house workers earlier this year, leaving it unable to moderate 70 million lines of daily chat adequately. Sulake said it had kept 225 moderators and is still investigating what went wrong.
The failures at Skout and Habbo shocked child-safety experts and technology professionals, who fear they will lead to a renewed panic about online safety that is not justified by the data.
By some measures, Internet-related sex crimes against children have always been rare and are now falling (as are reports of assaults on minors that do not involve the Net). Most sex crimes against children are committed by people the children know, rather than strangers.
The National Center for Missing and Exploited Children processed 3,638 reports of online “enticement” of children by adults last year, down from 4,053 in 2010 and 5,759 in 2009.
Even those companies with state-of-the-art defenses spend far more time trying to stop online bullying and attempts to sneak profanity past automatic word filters than they do fending off sex predators.
Still, as the Skout case showed, there are several recent trends that have heightened the concerns of child-safety experts: the rise of smartphones, which are harder for parents to monitor; location-oriented services, which are the darling of Net companies seeking more ad revenue from local businesses; and the rapid proliferation in phone and tablet apps, which don’t always make clear what data they are using and distributing.
A solid system for defending against online predators requires both oversight by trained employees and intelligent software that not only searches for improper communication but also analyzes patterns of behavior, experts said.
The better software typically starts as a filter, blocking the exchange of abusive language and personal contact information such as email addresses, phone numbers and Skype login names. But instead of looking just at one set of messages it will examine whether a user has asked for contact information from dozens of people or tried to develop multiple deeper and potentially sexual relationship, a process known as grooming.
Companies can set the software to take many defensive steps automatically, including temporarily silencing those who are breaking rules or banning them permanently. As a result, many threats are eliminated without human intervention and moderators at the company are notified later.
Sites that operate with such software still should have one professional on safety patrol for every 2,000 users online at the same time, said Sacramento-based Metaverse Mod Squad, a moderating service. At that level the human side of the task entails “months and months of boredom followed by a few minutes of your hair on fire,” said Metaverse Vice President Rich Weil.
Metaverse uses hundreds of employees and contractors to monitor websites for clients including virtual world Second Life, Time Warner’sWarner Brothers and the PBS public television service.
Metaverse Chief Executive Amy Pritchard said that in five years her staff only intercepted something terrifying once, about a month ago, when a man on a discussion board for a major media company was asking for the email address of a young site user.
Software recognized that the same person had been making similar requests of others and flagged the account for Metaverse moderators. They called the media company, which then alerted authorities. Other sites aimed at kids agree that such crises are rarities.
Naughty users, nicer revenues
Sites aimed at those under 13 are very different from those with large teen audiences.
Under a 1998 law known as COPPA, for the Children’s Online Privacy Protection Act, sites directed at those 12 and under must have verified parental consent before collecting data on children. Some sites go much further: Disney’sClub Penguin offers a choice of viewing either filtered chat that avoids blacklisted words or chats that contain only words that the company has pre-approved.
Filters and moderators are essential for a clean experience, said Claire Quinn, safety chief at a smaller site aimed at kids and young teens, WeeWorld. But the programs and people cost money and can depress ad rates.
“You might lose some of your naughty users, and if you lose traffic you might lose some of your revenue,” Quinn said. “You have to be prepared to take a hit.”
There is no legal or technical reason that companies with large teen audiences, like Facebook, or mainly teen users, such as Habbo, can’t do the same thing as Disney and WeeWorld.
From a business perspective, however, there are powerful reasons not to be so restrictive, starting with teen expectations of more freedom of expression as they age. If they don’t find it on one site, they will somewhere else.
The looser the filters, the more the need for the most sophisticated monitoring tools, like those employed at Facebook and those offered by independent companies such as the UK’s Crisp Thinking, which works for Lego, Electronic Arts, and Sony Corp’sonline entertainment unit, among others.
In addition to blocking forbidden words and strings of digits that could represent phone numbers, Crisp assigns warning scores to chats based on multiple categories of information, including the use of profanity, personally identifying information and signs of grooming. Things like too many “unrequited” messages, or those that go unresponded to, also factor in, because they correlate with spamming or attempts to groom in quantity, as does analysis of the actual chats of convicted pedophiles.
The highest scores generate color-coded “tickets,” with those marked red requiring the quickest response from moderators.
Facebook’s software likewise depends on relationship analysis and archives of real chats that preceded sex assaults, Chief Security Officer Joe Sullivan told Reuters in the company’s most expansive comments on the subject to date.
Like most of its peers, Facebook generally avoids discussing its safety practices to discourage scare stories, because it doesn’t catch many wrongdoers, and to sidestep privacy concerns. Users could be unnerved about the extent to which their conversations are reviewed, at least by computer programs.
Catching one in 10?
In part because of its massive size, Facebook relies more than some rivals on such technology.
“We’ve never wanted to set up an environment where we have employees looking at private communications, so it’s really important that we use technology that has a very low false-positive rate,” he said. In addition, Facebook doesn’t probe deeply into what it thinks are pre-existing relationships.
A low rate of false positives, though, also means that many dangerous communications go undetected.
Some adults have used Facebook to target dozens of minors before assaulting one or more and then being identified by their victims or the victims’ parents, court records show.
“I feel for every one we arrest, ten others get through the system,” Florida’s Duncan said of tips from Facebook and other companies.
Another pillar in Facebook’s strategy is to limit how those under 18 can interact on the site and to make it harder for adults to find them. Minors don’t show up in public searches, only friends of friends can send them Facebook messages, and only friends can chat with them.
The gaping hole in the defense of Facebook and many other sites popular with teens is that minors can easily make up a birth date and pretend to be adults — and adults can pretend to be minors, as happened with Skout, which declined an interview request.
Technology is available for verifying the ages of Web and app users. One of the providers is Aristotle International Inc, which offers a variety of methods, including having a parent vouch for a child and make a token payment with a credit card to establish the parent’s identity.
Yet even in the wake of the Skout disaster, no site aimed at minors has hired Aristotle for age checks. “We could do real parental consent with 14-year-olds, but no one has asked,” said Aristotle Chief Executive John Phillips.
Such checks would cost money and alienate teens who don’t want their parents involved.
Barring a wave of costly litigation or new laws, it is hard to see the protections getting much tougher, experts said. Instead, the app and location booms will only add to the market pressure for more freedom on youth sites and greater challenges for parents.
“For every Skout that shuts down, there are ten more that popped up yesterday,” said the FBI’s Donahue. “The free market pushes towards permissiveness.”