The problem of non-consensual pornography (“NCP”), sometimes known as intimate image abuse or revenge porn, is well known. Despite its distribution being illegal in most states, it remains a serious problem, if only because it is often difficult to prove who uploaded the pictures. Furthermore, the Federal statute commonly known as Section 230 generally protects Internet sites, such as PornHub, from liability for content created by their users; only the users are liable, not the sites.
One obvious countermeasure would be to require Internet sites to strongly authenticate their users, but this is not an easy problem to solve. Furthermore, while strong authentication would provide accountability for the immediate upload, such a policy would threaten the ability to speak anonymously, a vital constitutional right. Also, it often would not help identify the original offender—many people download images from one site and upload them to another, which adds another layer of complexity.
We instead propose a more complex scheme, based on a privacy-preserving cryptographic credential scheme originally devised by researcher Jan Camenisch and Professor Anna Lysyanskaya. While the details (and the underlying mathematics) are daunting, the essential properties of their scheme are straightforward. Users first obtain a primary credential from a trusted identity provider; this provider verifies the person’s identity, generally via the usual types of government-issued ID documents, and hence knows a user’s real identity. To protect privacy, this primary credential can be used to generate arbitrarily many anonymous but provably valid sub-credentials, perhaps one per website; these sub-credentials cannot be linked either to each other or to the primary credential. For technical reasons, sub-credentials cannot be used directly to digitally sign images. Instead, they are used to obtain industry-standard cryptographic “certificates,” which can be used to verify digital signatures on images. The certificate-issuing authority also receives and retains an encrypted, random pseudonym known by the identity provider, which is used to identify the website user. If NCP is alleged to be present in an image, information extracted from the image’s metadata—plus the encrypted pseudonym—can be sent to a deanonymization agent, the only party who can decrypt it. The final step to reveal the uploader’s identity is to send the decrypted pseudonym to the identity provider, which knows the linkage between the pseudonym and the real person. In other words, three separate parties must cooperate to identify someone.
The scheme is thus privacy-preserving, accountable, and abuse-resistant. It is privacy-preserving because sub-credentials are anonymous and not linkable to anything. It provides accountability, because all images are signed before upload and the identity of the original uploader can be determined if necessary. It is abuse-resistant, because it requires the cooperation of those three parties—the certificate issuer, the deanonymization agent, and the identity provider—to identify an image uploader. The paper contains a reasonably detailed description of how the scheme works technically, albeit without the mathematics.
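The three-party deanonymization path described in the two preceding paragraphs, as a toy simulation added here (not the paper's own protocol or code): the Camenisch-Lysyanskaya credential mathematics, the X.509 certificate and the image signature are left out, and a small-group ElGamal stands in for the agent's encryption, so that only which party holds which piece of the linkage is visible. The party names, the certificate serial and the identity "Alice Example" are constructed for the example.

```python
# Toy model of the three-party deanonymization flow described above (added
# example, not the paper's protocol): the Camenisch-Lysyanskaya credentials, the
# X.509 certificate and the image signature are omitted; only the pseudonym's
# path between the parties is shown. Standard library only.
import secrets

P, G = 2**127 - 1, 3  # Mersenne prime M127 and a generator: toy-sized group, not a production parameter

class DeanonymizationAgent:  # the only party able to decrypt pseudonyms
    def __init__(self):  # toy ElGamal keypair in Z_P*
        self._x = secrets.randbelow(P - 2) + 1
        self.public_key = pow(G, self._x, P)
    def decrypt(self, ciphertext):
        c1, c2 = ciphertext
        return c2 * pow(c1, P - 1 - self._x, P) % P  # c2 * (c1^x)^-1 mod P

def encrypt_for_agent(public_key, pseudonym):  # anyone can encrypt, only the agent can read
    k = secrets.randbelow(P - 2) + 1
    return pow(G, k, P), pseudonym * pow(public_key, k, P) % P

class IdentityProvider:  # checks government ID; maps pseudonym -> real person
    def __init__(self):
        self._people = {}
    def enroll(self, real_name):
        pseudonym = secrets.randbelow(P - 1) + 1  # random, meaningless to other parties
        self._people[pseudonym] = real_name
        return pseudonym
    def resolve(self, pseudonym):
        return self._people[pseudonym]

class CertificateIssuer:  # retains only the *encrypted* pseudonym per certificate
    def __init__(self):
        self._serials = {}
    def issue(self, encrypted_pseudonym):
        serial = secrets.token_hex(8)  # stands in for the issued certificate
        self._serials[serial] = encrypted_pseudonym
        return serial
    def lookup(self, serial):
        return self._serials[serial]

def deanonymize(image_metadata, issuer, agent, idp):
    # each hop needs a different party's private state; no single party suffices
    ciphertext = issuer.lookup(image_metadata["cert_serial"])  # issuer: serial -> ciphertext
    pseudonym = agent.decrypt(ciphertext)                       # agent: ciphertext -> pseudonym
    return idp.resolve(pseudonym)                               # IdP: pseudonym -> person

def demo():
    idp, agent, issuer = IdentityProvider(), DeanonymizationAgent(), CertificateIssuer()
    pseudonym = idp.enroll("Alice Example")  # constructed identity
    serial = issuer.issue(encrypt_for_agent(agent.public_key, pseudonym))
    image_metadata = {"cert_serial": serial}  # what a signed upload's metadata would carry
    return deanonymize(image_metadata, issuer, agent, idp)
```

Removing any one of `issuer`, `agent` or `idp` from `deanonymize` leaves the remaining two with either a ciphertext they cannot open or a pseudonym they cannot find, which is the abuse-resistance property the abstract claims.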
Our paper describes the necessary legal framework for this scheme. We start with a First Amendment analysis, to show that this potential violation of the constitutional right to anonymity is acceptable. We conclude that exacting scrutiny (as opposed to the generally higher standard of strict scrutiny), which balances different rights, is the proper standard to use. Exacting scrutiny is what the Supreme Court has used in, e.g., Citizens United, to justify violations of anonymity. Here, the balance is the right to anonymous publication of images versus the right to intimate privacy, a concept that we show has also been endorsed by the Supreme Court. We go on to discuss the requirements for the different parties—e.g., their trustworthiness and whether they are in a jurisdiction where aggrieved parties would have effective recourse—and the legal and procedural requirements, including standing, for opposing deanonymization. We suggest that all three parties should have the right to challenge deanonymization requests, to ensure that they are valid. We also discuss how to change Section 230 in a way that would be constitutional (it is unclear if use of this scheme can be mandated), to induce Internet sites to adopt it. Finally, we discuss other barriers to adoption of this scheme and how to work around them: not everyone will have a suitable government-issued ID, and some sites, especially news and whistleblower sites, may wish to eschew strongly authenticated images to protect the identities of their sources.
Janet Zhang & Steven M Bellovin,
Preventing Intimate Image Abuse Via Privacy-Preserving Credentials,
SMU Sci. & Tech. L. Rev.