Online Child Sexual Exploitation: A New MIS Challenge

© 2021, Association for Information Systems. All rights reserved. This paper deals with the difficult yet increasingly important MIS phenomenon of online child sexual exploitation (online CSE). Through the use of secondary and publicly available data from the Federal Bureau of Investigation, as well as primary data from a cybercrime police unit in the United Kingdom, this study takes a grounded theory approach and organizes the role that technologies and social actors play in shaping online CSE. The paper contributes to IS theory by providing a consolidated model for online CSE, which we call the technology and imagery dimensions model. This model combines the staging of the phenomenon and the key dimensions that depict how the use of technology and imagery both fuels and defuses the phenomenon. In informing the construction of the model, the paper extracts, organizes, and generalizes the affordances of technology and discusses the role of information systems in detecting online CSE.


Introduction
The exploitation of children is a disturbing topic with serious social repercussions (Carr, 2013).Sadly, the diffusion of digital technologies has been misused to fuel an ecosystem of activities that victimize children.Despite efforts from cybercrime police to counter such phenomena, one of the most serious forms of abuse online is online child sexual exploitation (hereinafter "online CSE") (Jalil, 2015).Online CSE must be distinguished conceptually from online SE (the online sexual exploitation of adults), which has other socioeconomic vulnerability factors (e.g., bereavement, social exclusion, homelessness, immigration), stronger financial fraud elements (e.g., defrauding elderly of their pensions), and image solicitation that is dwarfed by the adult porn industry (Miller & Veltkamp, 1998).In this paper, we concentrate solely on online CSE.
Online CSE includes activities on the internet (e.g., online pornography) but can also be connected to serious contact offenses including rape, kidnapping, trafficking, and murder.Yet, despite its social significance and the multifaceted role of technology in both enabling and constraining the phenomenon, the field of information systems (IS) has thus far not engaged with the study of online CSE.The study presented here deconstructs the connections between information and communication technologies (ICTs) and online CSE and explores these connections primarily within the organizational context of a cybercrime unit (CCU) in a local police department in the United Kingdom.The article contributes to the theoretical understanding of the phenomenon by developing a staging model for online CSE, relating it to an organizational context, and by extracting, organizing, and generalizing the affordances of technology in enabling and constraining the goaloriented actions of offenders and cybercrime police.
The remainder of this article is structured as follows: the second section reviews related work, the third section presents the methodology of the study, the fourth section presents our findings in relation to staging, and the fifth section presents our main findings around the use of IS in the CCU.In that context, affordances are extracted and generalized.The final section offers some conclusions about the nature of the phenomenon and its evolution and proposes future research possibilities and, indeed, research responsibilities for IS scholars.

Related Work
One of the key dynamics of online CSE is its staggering growth over the past two decades (Breeden and Mulholland, 2006).For example, in the United States, a 988% increase in arrests was witnessed between 2000 and 2006 (Mitchell et al., 2010).More recent work points to a global viral-like expansion as the internet has enabled increased interconnectivity (Calcara, 2013).In the UK, a 700% increase has been recorded in the number of online CSE referrals to the National Crime Agency between 2013 and 2019 (NCA, 2019).Meanwhile, the security-oriented significance of online CSE is evident from the UK's national security strategy.Online CSE is included as part of cybersecurity risk that, along with international military crises, pandemics, and terrorist incidents, is classified as a Tier 1 threat to the country (UKGov, 2015).
Despite the recognized importance of (and need for) more research into online CSE, the only tangential IS reference we could find comes from Lee's (2015) editorial as president of the Association of Information Systems (AIS).Lee mentioned that the "Council of the AIS has adopted a grand vision of an ICT-Enabled Bright Society, with the goal of preventing undesirable activities on the Internet."The internet has "become a minefield of crime" (p.iii) where "child protection" (p.ix) has become a major concern.In light of a lack of IS-literature dedicated to online CSE, we draw the main technology-oriented affordances of online CSE from other disciplines.This allows us to highlight the key characteristics of the phenomenon and to achieve an initial understanding of online CSE.We use the concept of affordances in order to help us weave a cross-disciplinary thread that will not only build up that initial understanding but will also serve to organize the later sections of the analysis.

Affordances
The concept of an affordance originates in Gibson's work in the context of his ecological approach to visual perception (1977).Gibson used the concept of affordances to fence off the idea that humans (and other living beings) orient to objects in their environment and that the interaction between humans and objects creates possibilities for action (i.e., affordances).For example, a "rock may have the affordance, for a reptile, of being a shelter from the heat of the sun; or, for an insect, of concealment from a hunter" (Hutchby, 2001, p. 447).The appeal of this general form of interaction between any species and objects in their environment, as well as the multiplicity of possibilities that objects open up for interaction, has led to the transposition of the concept of affordances into IS research, which perceives the materiality of technological artifacts as giving rise to possibilities for user-computer interaction or, more generally, interaction between a user and any given IT-related artifact (which could be a software application, a social network, a set of features, etc).
Thus, the use of the idea behind affordances has been deployed in IS research in a number of ways and framed as "the possibilities for goal-oriented action afforded to specified user groups by technical objects" (Markus & Silver, 2008, p. 622).As Leonardi points out, the key idea is that objects have properties, or features in the context of information technology, and users perceive the utility of these (i.e., what they afford) through user-computer interaction; naturally, one technology can support multiple affordances (Leonardi, 2013).However, affordances should not be perceived as freely variable.For example, "while a tree offers an enormous range of affordances for a vast variety of species, there are things a river can afford which the tree cannot, and vice versa" (Hutchby, 2001, p. 447).Hutchby (2001) also argues that technological materiality is both constraining and enabling.This distinction between enabling/constraining affordances can be thought of as the functional dimension of affordances and a very useful way of both categorizing and reflecting on affordances.But affordances are not only functional, they are also relational (Hutchby, 2001) in the sense that affordances differ from one group of users to another and that different observers/users will perceive different affordances.In saying that "affordances can both enable and constrain" (Volkoff & Strong, 2013, p. 823), relationality is important.Taking the example of a fallen log in the woods, "someone wanting to walk along a path may consider a barricading affordance constraining, whereas someone wishing to prevent passage would consider it enabling" (Volkoff & Strong, 2013, p. 823).Thus, it is important to state that "affordances of an artifact are not things which impose themselves upon humans' actions with, around, or via that artifact.But they do set limits on what it is possible to do with, around, or via the artifact.By the same token, there is not one but a variety of ways of responding to the range of affordances for action and interaction that a technology presents" (Hutchby, 2001, p. 453).This relationship is both open and bounded.
Using these ideas, Leonardi develops a classification of affordances as individualized, collective, and shared (Leonardi, 2013).An individualized affordance is an affordance that someone enacts when using a technology's features but that affordance is not common to his group; a collective affordance signals differential use and is collectively created by members of a group (e.g., a final output is created by individuals that work on their own, usually specialized, tasks); and a shared affordance denotes similar use where individuals in the group use technology in roughly the same ways.However, we would like to highlight a further distinction.While offenders engage in deliberate goal-oriented actions through which technology enables online CSE, at the same time, there is a non-offender-oriented use of technology that might enable online CSE but unwittingly, which would constitute misperceived affordances based on Gaver (1991).Misperceived affordances in the context of online CSE involve affordances that are not perceived by a user group although they do exist (e.g., the online dissemination of photographs by parents).Overall, the various conceptualizations of affordances assist us in both organizing the initial understanding of the phenomenon and driving the discussion of online CSE forward.

The Enabling and Constraining Affordances of Technology in Online CSE
Online CSE has been studied from several perspectives.Legal (Barnard-Wills, 2012), criminological (Tener, Wolak & Finkelhor, 2015) and psychiatric (Quayle & Newman, 2015) studies offer important insights.For example, Elliott and Beech (2009) find many interlocking neuropsychological aspects that describe offender behavior: emotional problems, social difficulties, cognitive distortion, and deviant behavior.Others focus around building typologies of online offenders themselves and classify them into two major categories: traders (where peerto-peer P2P networks enable users to traffic child pornography online) and travelers (where social media and other forms of interaction enable offenders to engage in online discussions and to coerce children for sexual purposes) (Alexy, Burgess & Baker, 2005).The behavior of young users is considered to be an important part of the problem.For instance, Wells and Mitchell (2008) found that the routine connectivity afforded to children who exhibit aggressive behavior online makes it twice as likely that these children will be victimized.In assessing the experiences of online victimization by using routine activity theory, Marcum, Ricketts, and Higgins (2010) described how children become suitable targets, mostly by providing personal information online.Psychologists also explore how the relationship between parents and young internet users affects the structure of online communications (McCarthy, 2010).

Perpetrators and Online CSE
Because the internet allows pedophiles to find each other, scholarly work has highlighted the significant role of child-abuse imagery and the creation of underground markets (Eisenstein, 2013).However, while different ways have been proposed to classify offenders (Tener et al., 2015), there is general agreement (Bartels & Merdian, 2016) that offenders should be differentiated as: (1) contact sex offenders, who are enabled by technology to pursue and lure their victims online with the intent to cause physical harm and crimes like child sex slavery and trafficking (Akullo, 2012), and (2) purely online sex offenders that confine their actions to the online space (Alexy et al., 2005).However, such classifications have a criminological orientation and they do not explain the process or the stages through which either type of offender is enabled by technology to commit online CSE.As Malesky (2007) notes, purely online offenders may still engage in serious criminal activities including online extortion and distribution of child pornography through peer-to-peer (P2P) networks.Even though 62% of cases in the US involve possession-only offenses, child pornography is seen as part of a larger pattern of offending behavior involving a complex technological role (Owens et al., 2016).
With most of the focus being placed on offender classifications per se, there is an important gap in exploring the broader affordances of technology in online CSE (both enabling and constraining).Most of the literature around online CSE focuses on behaviors and motivations, with little attention devoted to the constraining affordances and the contextual organizational aspects that would shape them.However, some work on P2P networks does shed some light upon the intensity with which online communities of pedophiles share content.Wolak, Liberatore, and Levine's study (2014) on Gnutella measured one year's worth of traffic, with the measurements focused on already known pornographic images of children that had a registered digital footprint from previous police investigations (each image was uniquely hashed).By collecting the individual IP addresses of users, they found that 244,920 US computers shared 120,418 unique child pornographic files.A surprising finding was that the majority of users "contributed" only a few images and less than 1% "contributed" more than 100 images.This high-volume/low-level activity related to image sharing shows just how widespread the phenomenon has become.It further emphasizes that even though it is clear that technology enables offenders to share child pornography, the specific function of imagery behind online CSE seems to occupy a more complex role.While the existing literature seems to portray imagery as part of the end goal of the phenomenon, because of its extent and interference, nuances of imagery play a more foundational role in fueling/defusing the phenomenon.For example, what are the challenges related to imagery that are faced by cybercrime police seeking to prevent, detect, and pursue offenders?

Victims, Digital Imagery, and Online CSE
The importance of deconstructing the role of technology is perhaps most evident in the conceptual centrality that digital imagery occupies in online CSE.
In laying out the potential ICT research agenda for online CSE, Hillman et al. (2014) do mention that we need to understand how technology is being used by criminals in relation to imagery since offenders are enabled by imagery and technology in varying ways to achieve different goals.In challenging the role of imagery, we also see it as a dimension of interference for online CSE that occupies different contexts, institutional efforts, and organizational processes within teams (e.g., in cybercrime police), and shapes enabling/constraining or misperceived affordances.Since the role of imagery is also critical from a detection perspective, cybercrime police use different information systems in order to constrain online CSE, while the mechanism of that containment takes place through imagery.However, a recognition of the combined significance of the role of technology in online CSE imagery and the sociotechnical challenges that can be found in a cybercrime organizational context is largely absent.The phenomenon cannot be confined without a deeper understanding of how conditions aimed at tackling cybercrime at the organizational level take shape via different affordances.
Unsurprisingly, the way that offender-oriented technology-use enables online CSE is also linked to how the victims approach technology as users.
Behaviorally, scholars point out that technology use for children has become a significant part of their lives, and youngsters may even experience online friendships before they engage in real ones (Dowdell & Bradley, 2010), which may expose them to stalking, harassment, bullying (Smith, 2014), or even to pedophiles.Unfortunately, youngsters do not usually understand the full spectrum of risks until it is too late (Guan & Huck, 2012).Alas, parents can be victims, too, as they suffer a great deal if their children are targeted.But parents play another significant role in online CSE.As we will discuss, when parents post images of their children, they provide fodder for predators who trawl social networking sites to harvest imagery (Richards, 2015).As the children's e-safety commissioner of Australia, Alastair MacGibbon notes, there are multiple challenges associated with this: pedophiles edit images to make them look pornographic, sexualize material, and conduct highly explicit user discussions by reposting material on pedophilia websites (Battersby, 2015).Based on Richards (2015), as much as half of the material found on pedophilia websites is sourced or stolen from parents innocently posting images of their families online.This also creates a sense of "permanence once abusive images have been distributed online" and can be trafficked into perpetuity (von Weiler, Haardt-Becker & Schulte, 2010, p. 211).The role of imagery (including video) is critical for both fueling online CSE (Quayle & Newman, 2015) and for detecting it (Wolak, Liberatore, & Levine, 2014).However, there is considerable fragmentation associated with the examination of this problem, presenting the need to move toward more integrative approaches (Livingstone, 2008).We summarize the key preceding insights in Table 1 and present the key characteristics for the problematization of the phenomenon (following Alvesson & Sandberg, 2011 in

Methodology
As we seek to understand online CSE from an IS perspective, we use both secondary data (from FBI cases prosecuted in the US) and primary empirical data (from a cybercrime unit in the UK) in order to address aspects (1) and (2) presented in the previous section.
Given the close cooperation between the US and the UK, the direct reporting of IP addresses from the US to the UK on UK-based suspects, and the multijurisdictional nature of the online phenomenon, a US/UK perspective can capture online CSE challenges in a more meaningful way.Also, given that offenders in the US and the UK use the same social media and other platforms operated by US tech companies, and given that offenders across borders collaborate in underground forums (Quayle & Newman, 2015), a degree of homogeneity in online CSE can be expected (at least in terms of how technology and imagery would enable or constrain it).For crimes conducted mostly in an online environment, jurisdiction becomes less important for the phenomenon's emergence, though it remains critical for prosecution and in terms of committing resources to its prevention and detection.
The research follows an interpretivist epistemology (Walsham, 1995;Klein & Myers, 1999) and an inductive reasoning underpinned by a grounded theory approach (Glaser & Strauss, 1967;Strauss & Corbin, 1998).Grounded theory allows us to both develop the context behind our phenomenon and strive for an explanation (Orlikowski, 1993).The goal is to move toward theoretical development (Corbin & Strauss, 2007, p. 107) as "current understanding of the phenomenon is severely limited due to a lack of theoretical and empirical research in the area" (Martin, 2014, p. 96).Thus, theory is generated during research and grounded in data from the field, especially in the "actions, interactions and social processes of people" (Creswell, 2013, p. 84).In these inductive studies, the construction of theories or conceptual models occurs through the structured analysis of data (Martin & Turner, 1986).
Based on the goals of the research and given that theoretical sensitivity is increased when informed by the literature (Glaser, 1978, p. 3), we have adjusted the theoretical sensitivity of our grounded theory approach by focusing on the process through which imagery is being used in online CSE (since the centrality of imagery is pivotal and used by offenders at the core of the phenomenon and cybercrime police for detection purposes).Furthermore, we extract the relevant affordances of technology in online CSE (Gibson, 1977;Markus & Silver, 2008;Volkoff & Strong, 2018).This helps us organize, develop, and abstract our understanding of the phenomenon and reflect on the corresponding affordances of technology.With the exception of the significance of imagery that we knew was critical for the phenomenon itself, we held no preconceived ideas regarding the development of our framework.The combination of both the public cases and the interviews conducted (Table 2) led to the development of rich data.
In  (Charmaz, 2014), to benefit from a higher degree of malleability by moving branches of the codes around, to reexamine data, and to combine or enrich the categories.This process continued into Phase 2 of our study as well.We illustrate different time slices of this process in Table C1.This process enabled us to go through the open, axial, and selective coding stages, and Coggle's timeline features allowed us to go back in time, explore modifications, and rebuild our model.We stopped adding further FBI cases when we no longer made significant changes to the TIDM model, signaling that saturation was achieved.
In the second phase of our research (Phase 2), we sought to connect and contextualize our TIDM model in an organizational context, gain a broader understanding of online CSE, and extract the different affordances.For these reasons, we conducted primary data collection in a specialist cybercrime unit (CCU).Detection attempts revolved around different uses of technology and imagery, which helped us anchor our UK fieldwork in the CCU onto the TIDM model.For our primary UK data collection, we interviewed 14 specialists and participated in four observation sessions with a total of 64 participants.We include the details of interviewees and the observation from the cybercrime unit and from other organizations in Table 2.The interviews were open ended so as to capture a wide spectrum of technology and imagery-related aspects in line with our grounded theory approach.The average duration of interviews was 1.5 hours; observation sessions lasted two hours in the context of the online safeguarding children boards at the local council (with the exception of one that lasted 4.5 hours).Because of the sensitivity of the domain, it was requested that we use no audio and interviewees were made aware that all names/institutions would be anonymized.Notes were taken during the collection of empirical data and refined immediately after for completion.No victim imagery was shown or accessed by the researchers throughout this study, no online access was granted to specialized online tools, and all of our primary data came solely from interviews or discussions with experts.
Washington DC, San Diego, Baltimore, Los Angeles, New York, Detroit, and Chicago.The integration of the data from Phase 2 allowed us to combine our TIDM model with organizational considerations from an IS perspective.It also reinforced the categories created from the FBI cases while allowing us to refine the dimensions of imagery and technology, as illustrated in Figure 1.The rich data/notes from the interviews and the insights from the FBI cases were first organized into separate MS Word documents and then combined for integration, sorting, writing memos and reflections on interviewee comments, and refining the conceptual categories, before extracting a complete list of technological affordances.In a recursive manner, these led to an expansion of the visual mind map as well (see time slices in Figure D1 in the Appendix).A few of our notes led to more data collection and additional interviews (particularly in the latter stages of the research that involved the digital forensics team).This added to our understanding and expanded the extracted affordances.Finally, the full list of affordances allowed us to refine the TIDM model further.A diagram of our grounded theory approach is shown in Figure E1 in the Appendix.

Technology & Imagery: Two Main Drivers of Online CSE
Based on our primary and secondary data, we now focus on discussing our findings.Here we discuss imagery and technology for offenders, and then the role of children and parents.Then, we present and analyze the different characteristics of our technological and imagery dimensions model.

Imagery and Technology in Online CSE: Offenders
Offenders use technology and imagery in a number of different ways.They either manipulate photographs by using image-editing software, distribute child pornography (e.g., through P2P networks, pedophile online groups, dark web), and/or create first-generation images (i.e., original imagery).An additional element that we found to be critical in online child exploitation is that of time.Based on the FBI cases we analyzed, months or even years might go into developing online trust to lure victims; this was also confirmed by Interviewees #4 and #5.In one case, the offender had pursued the victim for 2.5 years before sexualized imagery was divulged by the victim.Offenders also use imagery to gain the trust of victims and to mask their online identity.Between offenders, the exchange of imagery has evolved; based on our interviews with the police (#4, #5, #6) but also the observation sessions, offenders develop, build on, and adjust an online "esoteric language structure."An example was given by #6, who narrated an online discussion between pedophiles.One asked: "Have you got PTHC?"-and the other retorted "Sure."Then the police officer told us that this was "their code for Pre-Teen Hard Core" and it would often be seen split further in longer sentences to escape algorithmic detection on a keyword-basis (e.g., "Participate this coming Tuesday and don't forget to Help those less fortunate this Christmas").Despite some efforts to issue warnings to users (e.g., if a user were to search on Google for "child pornography" they would be warned that they may be reported) and some encouraging results that pedophile searching online has dropped through traditional search engines, our interviews indicate (predominantly #2, #4, #6, #7) that this activity has been pushed to the dark web.There, it is much more difficult to follow (#6).Even an accidental discovery of a virtual machine (VM) from a confiscated laptop examined forensically by the CCU, led to a tenmonth investigation that has not yet unraveled the darkweb activity of the offender who was receiving Bitcoin payments for child pornography.Our interviewees suggested that it is mostly intelligence agencies that have the capacity to explore such activities but, without direct access, we could not verify the circumstances of the role of intelligence agencies in online CSE.

Imagery and Technology in Online CSE: Children and Parents
Our data suggest that the way in which young users and parents use technology fuels the growth of online CSE.Since this is not their intention, we treat this as a set of misperceived enabling affordances.Based on several interviewees and observation sessions (#2, #7, #9, #10), we found that young users tend to ignore advice and/or misuse technology.The examples given to us included young people (1) routinely violating the terms and conditions of social networks, (2) lying about their age to gain access, (3) creating online profiles despite ageappropriate notifications, (4) behaving irresponsibly online with an attitude that is shaped by the average age of their exposure to pornography (estimated at ten years old in the UK), ( 5) displaying an apathy toward privacy online (reinforced by how parents behave online).
In this context, web-based relationships replace real relationships and increase risks for children.According to #2, the act of children sharing naked photographs of themselves has been normalized so much in web-based relationships that children refer to them as "just pictures."Failing to realize the consequences of image distribution and data permanence online makes young users easier targets for serious criminals.Illustrating such young user attitudes and behavior was a local council initiative that provided a custom-built "safe online networking platform" for students, which was abandoned since young users would "refuse to lock down their profiles and privacy settings" (based on both Interviewee #2 and #1).Furthermore, as large circles of "friends" demonstrate popularity, discussions in Observation Session #7 corroborated that young users "purchase" online friends from online services that sell followers, likes, comments, etc., for Facebook, Instagram, and other social networks.As an example, $16 would buy 300 Facebook friends and get 100 likes, all delivered within 2-3 days.These are provided by "digital sweatshops," with workers "befriending" users when an order comes in.Of course, young users who are desperate to grow their online following are easy prey for predators.As #6 suggested, children could be targeted based on their number of friends and their perceived popularity.The data suggested that more popular children, measured by a higher number of online friends, were targeted more.Another accelerating factor is how parents use technology.Parents generally lack "e-parenting" skills and (over)share imagery of their children across multiple social networks.This is the raw material that is exploited further.As clarified by #3, while parents cannot usually contemplate why someone would download images of their children, the answer often remains: "because they're available." Based on our interviews with #1, #2 and #8 as well as observation sessions #9, #10, we identified several interconnected elements related to oversharing parents recursively fueling online CSE: (1) legitimate photos that were uploaded by parents are downloaded, sexualized and recirculated as online pornography; (2) as children cannot give consent, parents are effectively violating the privacy of their children by posting online; (3) they further cultivate the apathy of children toward online privacy (desensitization), which makes children more vulnerable to future victimization; (4) locationsensitive information may be part of a photograph's metadata and children can be targeted for contact sex offenses; (5) phenomena like cyberbullying often use imagery from parent profiles; (6) the comingling of fake pornographic imagery (as an unintended consequence of parental posting) with first-generation imagery (i.e., original imagery of novel cases) and second-generation imagery (i.e., imagery recirculating from previous cases) creates detection challenges for cybercrime authorities.

Stages of Technological Use in Online CSE
Based on our grounded theory approach, we identify four key stages that underpin the centrality of imagery in relation to technological use (see Figure 1).These stages are initiation of contact, trust development, online extortion, and trafficking.They revolve around technology and imagery, two dimensions that are structurally coupled.Through the use of imagery, technology affords online CSE by supporting the goaloriented action of offenders.

Stage 1: Initiation of Contact
At this stage, offenders use different social networks, web applications, and platforms with the goal to initiate contact with potential victims (Dimension 1).
To support that goal, offenders require a proxy virtual identity to create distance from their real identity (cybercriminals call this "taking care of their own operational security" based on #3).In turn, as shown in Dimension 2, offenders require real/fake images to convince their victims of their proxy identity and conduct digital deception.As the goal is to lure children into producing and sharing authentic nude photos, this creates a recursivity that fuels the growth of the phenomenon.The reverse is also possible, although rarer: children seek out random connections themselves and volunteer nude imagery.As mentioned by #2: "remember when our parents used to say don't speak to strangers?Now children seek out to speak to strangers all the time through such (web) applications."Meanwhile, the exploitation of platforms by techsavvy pedophiles has escalated.There is evidence of bots being programmed to lure children.They initiate contact by posting an appealing message; they then sign-off and let an offender on another platform take over.Based on #5, "in prison it is known that pedophiles buy/sell addresses of vulnerable children in exchange for cigarettes, but in the online world, they cooperate on many different levels."

Stage 2: Trust Development
At this stage, the goal-oriented action of offenders is gaining the trust of their victims, often over long periods of time (Dimension 1).In one of the FBI cases, a twelve-year-old received 1200 messages over a twoyear period.While imagery becomes critical in trust development (Dimension 2), the techniques being used by offenders to gain trust vary, with location-tagging perceived to be more dangerous, as victims can be targeted for more serious, in-person crimes.An example from the FBI cases is the "new kid on the block" technique (Dimension 1), where offenders will pretend to be young children themselves that have just moved into the area.The act of "checking in" at a location nearby creates a false sense of trust.The critical role of how digital imagery affects this stage must be highlighted.For offenders to fulfill their goal and make potential victims feel comfortable, they will proactively offer nude images of their "online persona" (Dimension 2).While real images might be used as well, the sexualization of harvested images of children seems to be more dominant at this stage, with use of face-swap software and AI-based deepfakes (Kietzmann et al., 2020), allowing offenders to create photorealistic imagery easily (Dimension 1).
Overlaying a child's naked body over multiple faces allows offenders to create multiple proxy-identities for the parallel exploitation of different victims.The overabundance of children's photos (Dimension 2) makes this stage much easier for offenders.

Stage 3: Online Extortion and Threatening Behavior
Once victims are convinced to expose nude photographs of themselves, offenders engage in threatening behavior and online extortion.Offenders may start posting "soft" material that exposes the victim on public websites or social networks (Dimension 1), divulge intimate conversations, or even threaten to kill the victims or kill their family members if their demands are not met.
According to #1, this "constitutes a state of suspended humiliation or anxiety" that is extremely difficult for a young person to cope with.Victims may remain "compliant" for some time before they ask for help.The outcome is a highly disproportional relationship between the number of victims and the number of explicit images produced (Dimension 2).In one example from the FBI cases, a 12-year-old girl in the online extortion stage uploaded 660 sexually explicit images of herself to a cloud-based storage account controlled by a 25-year-old perpetrator before asking for help.In some cases, help is never sought.For offenders, the main goal is to maintain a continuous supply of explicit imagery (Dimension 2).Based on our interviews, this pattern is broken if the offender seeks to commit more serious sex crimes, including kidnapping, murder, rape, child trafficking, and organ removal for the illegal transplants market.

Stage 4: Trafficking
At this stage, offenders are enabled by P2P networks, the dark web, proprietary forums, and their goalorientation is trafficking child pornography (Dimension 2).In addition to the secret groups that offenders use to exchange illegal images through otherwise legitimate social networks, we were also told of the existence of "elite child-pornographic networks" (Dimension 1) where online access is "bought."The centrality of imagery comes into focus here, as it is the pornographic images of children themselves that are being used as a virtual currency.Based on our interviews (#3, #4), the buy-in threshold of access varies, though we were told of one example of a network requiring a minimum of 2,000 images as an ante.The use of illicit child imagery as tokens in such underground economies is what prompts aspiring "elite" pedophiles to make up for the difference in images that they do not hold in their possession.
Thus, these individuals engage in the practice of harvesting photographs of children from social networks and other web-based sources and manipulating them so that they appear pornographic.Alteration of imagery serves the double purpose of establishing fake online identities (Stage 1) and gaining token-based access to elite networks for trafficking (Stage 4).Monetization is also a factor here.
As #6 mentioned, we are entering a "space where requesting payments in Bitcoins or creating new online-CSE-related digital currencies like pedopoints might become the future norm."This reinforces Westlake's description of criminal careers in cyberspace.Based on the interview with #6, the case of Richard Huckle was mentioned as an example at this stage.Huckle, having abused more than 200 children himself, had thousands of images and videos depicting child abuse in his possession (mostly first-generation imagery).Given the complexity of this one case, the associated digital forensics analyses and the investigation took almost a year before Huckle could be arrested.To make matters worse, Huckle had used technology to develop an online community and to award "pedopoints" (a virtual token) based on other offenders sharing evidence of their successful exploitation of children (Dimension 1).If offenders were not advancing on Huckle's leaderboard, they were banned from the forum.Huckle had "gamified" online CSE and he was using child imagery as a tradable currency (Dimension 2) within a small criminal community of trust.He had even drawn plans to monetize them in exchange for Bitcoins just before his arrest at Heathrow Airport.Huckle was convicted in 2016 for 71 counts of serious sexual assaults against children.In that context, cryptocurrencies, the dark web, the overabundance of photographs of children that can be manipulated, and unsafe online behaviors across all social networking platforms fuel the dynamics of online CSE (Dimension 1).This creates a challenging context for the cybercrime police at the CCU.The next section discusses these challenges before relating them to the TIDM model.

Law Enforcement Information Systems Used to Fight Online CSE
In exploring online CSE in the organizational context of the cybercrime unit (CCU), it became evident that a variety of information systems were used to counter the phenomenon.We differentiate between peripheral IS that can be used in online CSE investigations and core IS that are essential.We have anonymized the names of several IS where necessary.

Peripheral Law Enforcement IS Used in the Fight Against Online CSE
As an example of peripheral IS for online CSE, two information systems used by the police are Watson and HOLMES 2. While we were told that the HOLMES 2 would only overlap with online CSE if a murder was also recorded, Watson is an analytical tool that is capable of linking intelligence with suspects, criminal groups, and locations.However, based on #6, who has been investigating cases of online CSE for nearly a decade, the collection of intelligence for suspects is scattered across different IS.Combining intelligence from many different sources (schools, health, and social services, public, police support services2 ) for a fuller picture of a suspect is time consuming and challenging.While there are some interoperable systems, a detective looking to develop a comprehensive profile of a suspect would need to combine intelligence and access different systems.To counter that fragmentation, #4 mentioned that he was "forced to develop" an Excel spreadsheet on his own so that he could "register different bits and pieces for CSE suspects" and "provide end-of-year CSE statistics to his superiors."Recognizing this, #5 said that the ICT strategy of the Association of Chief Police Officers recognized "that the police service in England and Wales can no longer afford to treat ICT as isolated programs of work developed and operated independently by separate organizations." A more extreme variant of this problem was discussed by #13, who mentioned that between two critical teams for online CSE 3 , there was no meaningful channel of communication.For instance, based on #13, one team might be investigating a possible child abuse case but lack the technology skills that would enable it to identify online CSE as an additional criminal dimension.Based on an observation session (#10), this was identified as a broader issue of organizational disconnect.As mentioned by #13, there are "different command areas" that are "not joined up" and this raises a broader child safeguarding issue.While the CCU is at the core of handling ongoing cyberrisks, safeguarding children transcends many different departments within the police and also involves external stakeholders.For instance, in observation session #11, the deployment of filtering tools was discussed for schools.The head of IT services for all schools in the local community explained how a new software "picked up keywords that might indicate specific vulnerabilities" related to online CSE.She mentioned that some online searches of children at schools were "bringing up some horrendous hitssome really severe hits."While this school filtering tool has been "working for about a month at an experimental level at only seven schools," it became clear that the manual review of the volume of red flags is beyond the capability of any school.A full-scale deployment would require a clear policy of how cases should be prioritized.Despite the clear and agreedupon need to deal with online CSE in a risk-based approach, the sporadic implementation of many different and disconnected technologies makes such initiatives increasingly difficult.

Core Law Enforcement IS used in the Fight Against Online CSE
Of course, technology is not only used by those who break the law, but also by those trying to uphold it and pursue offenders.Our study revealed a combination of different, at times overlapping core law enforcement IS.These include network monitoring systems, data filtering systems, systems developed to triage and prioritize the severity of images and offenders, riskassessment tools, and specialist digital forensics.In the following subsections, we discuss these systems and evaluate how cybercrime officers are enabled and constrained by these systems in their fight against online CSE.

Law Enforcement IS 1: Network Monitoring
While the streamlining of communications is challenging in the context of online CSE, there remain core IS that enable officers to identify first-generation 3 One being the Internet Sex Offenders team and the other being the PVP (Protection of Vulnerable People) team.
imagery and pursue offenders who have a higher probability of being contact sex offenders (firstgeneration imagery is associated with potential "ongoing victims").In this context, one of the core IS used to tackle online CSE is the INFOTRACK system (our alias) that is handled at the national level and administered by UK law enforcement. 4INFOTRACK monitors peer-to-peer networks for file exchanges.It identifies and collects imagery to be investigated further.Part of this mechanism includes filtering out those images that are second generation (i.e., that have been recirculated).This initial determination is achieved through the use of a database called CAID (Child Abuse Imagery Database), which became fully operational in December 2014.This database contains hashes of known child imagery in circulation.Thus, when an image is collected by a P2P network, it is hashed by an algorithm.When the hash is identical to an entry in the CAID database, this image will be recognized as a second-generation image that has been previously circulated/evaluated.While the trafficking of second-generation images remains an offense, it is considered to be low risk for purely follow-up investigatory classification purposes.While image alteration (even by a single pixel) would result in a different hash altogether, the application of specialist image recognition software would attempt to (re)classify these photos further based on previous photos in circulation.One such example is PhotoDNA, developed and provided free-of-charge by Microsoft.
The deployment of INFOTRACK along with the complementary use of image recognition has brought additional demands regarding how technology can be used.An example is the "additional need for police officers in the field who are now photographing empty rooms of offenders" (#16).The physical characteristics of known rooms in which offenses have occurred might be linked (through image recognition) to previously trafficked images and cases of exploitation.Thus, if the offender used the same physical space to conduct/record their activities, previously unresolved cases of victims and corresponding imagery could be associated with that offender.However, all of the firstgeneration images have to be reviewed, one by one, by police officers who evaluate the seriousness of the depicted abuse and categorize first-generation imagery at the level of local police forces in the UK.At the risk of stating the obvious, this is probably the most stressful task required of any IS user group, as these individuals have to "view gruesome images of child abuse as their day-to-day job" (#16) and then feed their results back to the database (in case the same image recirculates in the future).While some sporadic technical glitches have hampered the work of police officers because the "connection might have a problem" or the "speed of processing varies," the users generally view the INFOTRACK system favorably.It has enabled them to reduce the processing time and largely lifted the burden of verifying secondgeneration imagery that remains the "vast majority and accounts for probably more than 90% of the imagery trafficked" (#14).Through INFOTRACK, users conduct computer-assisted/manual first-generation imagery classification, risk-scoring, and offender profiling.
Additional constraints are that INFOTRACK "is not a permanently-on connection and it focuses on P2P networks only" (#13).The rest of the leads are referrals from technology companies.As #14 mentions, the "main ones that we have at the moment come from KikMe, Facebook, and Dropbox, but we get referrals from many."This was the subject of a more general discussion with several interviewees who felt that technology companies at large are not doing enough to address the phenomenon.However, some relationships between the police and internet service providers (ISPs), as well as different technology companies are, at times, challenging.First, although some national police authorities seek to develop software for reporting child online abuse, their operations are typically not supported by technology companies.For example, the UK's national center for Child Exploitation and Online Protection (CEOP) developed an online abuse button that could be integrated across different social networks and websites.However, we were told that Facebook declined to integrate it (#2, #3) because it uses other internal measures and ways for users to report abuse, which can then be forwarded to the police (#4).Also, a number of hashes from the CAID database are fed back into technology companies so that the images can be removed.
However, without research access to Facebook itself (or other social networks), we cannot determine the nature of the enabling/constraining affordances their analysts would encounter.Second, collaboration with ISPs is not always straightforward and involves variable degrees of cooperation.Based on #6, means of strengthening such collaborations and establishing better processes for data exchange need to be explored further.For instance, hardware black-box filtering at the ISP level is one countermeasure that could be explored to enable monitoring, though its application would (and should) be constrained by strict privacy safeguards, as misappropriation and surveillance would need to be factored into any decision-making.
This reflection of further countermeasures extends to the police as well.Based on different interviewees (#3, #7, #12, #18), it is evident that the police's use of INFOTRACK is reactive, even though proactive techniques that "sniff out potential offenders" (#16) would be more effective.For instance, police officers assume ghost virtual identities online when they pretend to be children themselves and chat online with potential offenders.The use of proxy identities online then is a shared affordance between offenders/police, as behavioral mirroring through technological appropriation offers the potential of unearthing offenders.We were also told of "online vigilantes that do the same thing and then report to police" (#6), though these seem to be limited occurrences.

Law Enforcement IS 2: Data Filtering
Since the challenges and the dynamic language structures that offenders use to "find themselves online" (#12) have escaped detection thus far, the current development of countermeasures involves realtime proactive filtering.As the emphasis is changing, we were informed of the experimental deployment of the HARVEST (our alias) information system.This involved a real-time filtering solution that was tuned to "listen to social media by fixed search keywords that were set by the police" (#16).The goal was to deliver intelligence on online CSE and develop an automated identification mechanism for high-risk classifiers (e.g., gender).While a sample profile was not disclosed, we discussed the organizational consequences resulting from the use of the HARVEST system.In the trial, the "overwhelming majority (of suspects) was meaningless" (#6) and, eventually, the police had to "shut the system down completely," as the examination of false positives consumed valuable resources.
Based on nearly all interviewees, the top challenge associated with the use of technology in online CSE can be summarized as a "coping with the data deluge" problem.While initiatives like the database of hashed second-generation imagery (CAID) have helped considerably and allowed the "force to focus on the quick identification of victims," the "massive data dumps from across the world" (#3) are daunting and pose significant challenges for any police force.Over the last few years, the resources demanded by this phenomenon have increased dramatically.In fact, at a moment in time when UK forces are experiencing budget reductions and crime has seen a 10% increase throughout the country, there are two growth areas that have become critical in policing: cybercrime and online CSE (according to #3).Whereas back in 2005, there were about 10,000-20,000 images related to child pornography and abuse, #2 estimated that there are currently 26 million images for the UK alone.This rough estimate and official reports of images "in the millions" (CEOP 2016) shows the scale of the challenge.For example, as we were told by #3, in one of the massive streams of data, in just one day, the UK received 100,000 distinct IP addresses and related images from the US-based National Center for Missing and Exploited Children.While this was a "burst of activity" that did not represent average daily operations, it serves to illustrate how swiftly these challenges can escalate.The IP addresses were passed onto the UK command and the images were compared with hashed versions of second-generation images.
Based on approximate geolocation, the IPs were forwarded to the 45 police forces in the UK, where the abuse images were assessed, ranked, and prioritized and suspects evaluated.The challenges involved in this process are many.
As the CCU says (based on #6), the unit receives IP addresses and some basic information about the indecent imagery that has been detected.In that context, the CCU submits further requests with ISPs in order to identify individuals behind such IP addresses and pursue their investigation.Occasionally, the simplest of technical issues would create a butterfly effect down the chain of investigations.For instance, one of the issues mentioned by #12 and #13 was that sometimes there is an issue with wrong IP addresses being recorded as part of the monitoring mechanism.If a router refreshes its IP address (e.g., restarts), the old IP address that was linked to illegal trafficking could be assigned to someone else and the "intelligence analyst assigned to the case may take it as far as a warrant … someone may get a knock on the door and have his equipment seized and it might take some time to analyze their devices before we realize we've got the wrong person … on another occasion, we ended up in an empty building due to a mix-up with the physical address … if there are many people in a house then we have to check for the GUIDs [Globally Unique Identifiers] (#14)."While the aforementioned examples are exceptions, there is a general acknowledgment that there are "several issues with IP resolution at a national level" (#15).Most of the time, the challenge is the sheer volume of imagery to be examined.Once INFOTRACK helps separate firstand second-generation imagery, the question becomes how the first-generation images will be analyzed by cybercrime police and how offenders will be prioritized.Several IS are used throughout these phases.In this context, we must remember that offender-driven demand for imagery, as delineated in our TIDM model (setting up proxy identities, establishing trust between offenders/victims, etc), all fuel the data deluge around this problem.

Law Enforcement IS 3: Online CSE Triage
Precisely due to the volume of data and images to be handled, there is a separate data triage process that aims to prioritize cases on two fronts: (1) the severity of images, and (2) the profile of the offender.In the context of the first front, triage is conducted using the INITIATE information system (our alias).Once a warrant has been executed, the confiscated devices are brought to the CCU for the triage process; this is not a full forensic examination that would stand up in court (which would be handled by the forensics department), but represents another layer of prioritization.
According to the manager of the triage department, the team's role works "much like a hospital triage process and tries to get the critical cases quickly to the forensics department so that the offender can be pursued in court … however, there is a backlog and a massive queue that could take months to clear out" (#15).
One of the key challenges emerging from the evolution of computer storage is that the triage process has changed substantially over the past years.As mentioned by #16, some years ago they would "confiscate a desktop disk, possibly a laptop … nowadays, police officers come back from a suspect's house with desktop hard drives, laptops, several SD memory cards, plenty of USB sticks, external hard drives, mobile phones, etc."For one case alone, the police had confiscated a total of "17 devices"; this is something that "complicates both the triage process and the full forensic examination and makes it more time consuming" (#16).Referring to a single case within the CCU, "it was impossible to look at the 1.5 million images we found across his devices; if we were to do that, we would increase the risk of (mis)handling other cases" (#15).The balance that needs to be struck in managing cases/volume is challenging because of the technological variety and new demands posed by new developments (e.g., cloud storage, the TOR browser that gives access to the dark web).
Despite the variety of technological artifacts used in tackling online CSE, the triage process is relying only on the INITIATE software.This is a shared collaborative tool amongst a small team of officers.
Once the devices are docked and the content is mirrored for the examination, data extraction begins.This "includes deleted photographs/videos and communications data while the whole process is documented based on national guidelines" (#15).Then, by using the INITIATE software, users will scroll through the extracted material in the userinterface of the software and manually categorize any material on a scale of 1 to 10 based on severity.They will then create a report for the digital forensics department for a full examination.The underlying basis of how the software scans for extracted material and designates file types can be customized and "users do tend to create their own profiles where a lot of filters that can be (de)selected … even though there is always the option of asking the software to find as much as possible in one go or use one of the eight different built-in default search profiles" (#15).For example, a detailed search profile5 collects allocated, embedded, deleted pictures and videos, searches for common keywords related to online CSE, searches for known hash values, collects received files from various applications (e.g., Skype) and other media cache folders, office documents, and registry files, searches for antiforensic applications, collects user desktop shortcuts, and so forth.Processing times vary depending on the filtering mechanism used but one indication given was that 500GB would take a full day for processing.On some occasions, a scan could be running for two weeks and produce terabytes as a report.Because a considerable amount of time is required to scan the devices confiscated, "users will often stop the scan if they think they've seen enough" to secure prosecution, though "90% of the time we let scans run to the end (#16)."Of course, the danger for the remaining 10% of the time is that the analysis might miss first-generation images.An example of such a near miss was when the image corroborating the attempted rape of a two-year-old boy by his father was extracted at the very end of a scan.
Adjustments on the sensitivity of the profiles for filtering represents an additional concern.The INITIATE software allows for several different options, including ranges, pattern modifiers, quantifiers, and sample prefixed patterns by the software company.The very act of the necessary ad hoc selection by triage users at the CCU invokes the risk that the technological profiling mechanisms through which content is analyzed and suspects are identified are not appropriate.In other words, what gets flagged and evaluated is contingent on whether the related filter(s) that will yield the result is selected or deselected.Reflecting on the technological contingencies, software use, profiling methods used, and the nature of the phenomenon, the following six key concerns emerged from the analysis of our interviews (mostly #15 and #16).First, the really technically skilled offenders may be escaping detection, because any custom filters that would detect their behavior might not be applied.Second, the capacity for staff members that can actually conduct such triage scans and use the INITIATE software is limited and needs to be increased, but lack of practice and training were identified as inhibitors.Third, the backlog of confiscated devices to be triaged has (periodically) increased to nine months.This is often quickly ameliorated by outsourcing some of the workload, though the financial sustainability of outsourcing such work is problematic.Fourth, cloudbased storage and related applications complicate the process time-wise, as a preservation order is required for limiting the suspect's access to the cloud before the data can be mirrored and analyzed.Fifth, users who work with such imagery undergo an annual mental health evaluation, meaning that all users of INITIATE would fall into that category.However, based on #14, it would be much more interesting and effective if userstress evaluations were built into the use of such triage software on an ongoing basis.This could identify users under stress based on behavioral patterns of software interaction.Sixth, while INITIATE triages data captured from confiscated devices, there is no capacity to examine anything related to the dark web and such investigations are within the remit of national-level agencies (e.g., in the intelligence community).

Law Enforcement IS 4: Risk Assessment and Prioritization
In parallel to the use of all the above systems, another tool is used, which we anonymize as TARGET.This software is being used as a standalone tool in order to evaluate the potential risk that an offender might be a contact sex offender by conducting behavioral psychological profiling.As #13 mentioned: "the filtering mechanism is conducted by applying a classification tool that helps us prioritize our workload."Although we received a copy of the TARGET manual from the police, we were asked not to disclose how this tool works in detail, because the material is classified as "Official Sensitive."Thus, we restrict our description to broad functions.Through a series of questions that the user (i.e., the police analyst at the CCU) is asked by the TARGET system, a high/medium/low risk is assigned to each offender.This is specific to whether the offender could be a contact offender.For example, individuals who have "easy access to children," for instance by working in a school, receive a relatively high risk-score for "access" from a preselected list.Clearly, high risk-scores receive overall priority.However, building the intelligence profile for a suspect is time consuming and takes about one week (or two to three days if there are additional concerns that would elevate the prioritization).According to both #13, #14, managing this "ongoing risk" by using technology in various forms (e.g., different software) is the single biggest challenge, particularly since the victim could be anywhere in the world and cross-border communication would transcend several different systems and scattered intelligence about offenders.Perhaps a surprising element in the context of using the TARGET system is its complete disconnect from the assessment of imagery.In terms of the future development of information systems in tackling online CSE, refining the risk-scoring for potential contact sex offenses and providing simultaneous risk indicators through imagery for profiling and prioritizing suspects is highly desirable.At the moment, the TARGET system "doesn't care if the suspect has downloaded one illegal image or 100,000 images-it's based on psychological profiling alone" (#15).This provides counterintuitive results, as someone who has downloaded a single image may be marked as high risk.Again, the issue of interoperability/intelligencesharing between different IS emerges.

Law Enforcement IS 5: Digital Forensics
The "last stop" of the process is the forensics department of the CCU.The CCU manager echoed the concerns above while adding additional issues.Within the forensics team, several computer-based systems are used; this variety contributes to the training time required.Limited staff resources mean that "people are doing things they shouldn't be doing" (#16).For instance, mobile phone extraction software users are overburdened; thus, their cases are allocated to other officers who are less familiar with the software.Also, while a few primary forensic software tools are used to examine confiscated devices and the same image categorization tools that follow up from the triage process in order to classify images based on sentencing guidelines (A: extreme imagery, B: medium, C: least extreme), the biggest demand for hardware/software is for mobile phones.In that context, the forensics team uses "two specialist applications but there's an increasing need for mobile docking stations dedicated to mobile phone analysis" (#16).The kiosks that analyze mobile phones are in high demand, and, even though the forensics team examines all seized exhibits, determining the priorities for each case is not always straightforward.Based on an estimate given to us, 42% of the examined mobile phones led to drug-related intelligence and "removing a lot of that volume out of the office" is not always easy.There is an increasing need for faster hardware/software configurations that will triage mobile phones to identify low-level crime and redirect it, thus allowing the team to focus on online CSE.
Perhaps one of the best examples of a specialist information system posing demands for both officers in the field and for the forensics team is the REVERSE system (our anonymization).According to #16, in addressing online CSE, although encryption safeguards legitimate transacting, "encryption is an obstacle."When pin-locked devices are brought to the forensics team and devices are password protected, the team tries to get around the security measures by hacking into the devices so that the content can be evaluated.The REVERSE software aims to address this gap: it also takes physical evidence that is collected by police officers in the field, including, among other evidence types, letters, bills, and anything else that police officers might consider important.It then combines them with other pieces of information collected electronically and generates a list of passwords from such bits of intelligence to gain access to the device(s).If this stage fails and access to the devices is not secured by the forensics team, the CCU resorts to a legal process6 that demands that suspects supply their passwords.Failure to do so renders them liable for prosecution, but this process is a "costly legal resort.If decryption fails, [prosecution] cannot be instigated without national approval and realistically very few people get convicted" (#16).Thus, from the point of view of the forensics team, encryption is a significant constraint.
The specialist use of such IS has recently led the UK government to reclassify all digital forensic departments as laboratories, prompting all to seek international accreditation. 7This strengthens the legal admissibility and evidential weight of electronically harvested, analyzed, and categorized digital information.It also safeguards the processes used throughout online CSE investigations and further minimizes any risks of third parties "planting incriminating information like in the case of a male suspect who was innocent and his ex-wife had planted child pornographic imagery on his computer to gain custody of their children" (#13).Working toward accreditation is creating "several new organizational demands that will require a persistent effort … the simplest one being the recruitment of specialist personnel to guide us through this process and a quality manager," as well as "changing the processes to fit the standard" (#16).However, the subtle issue of how different information systems construct the prioritization and identification of suspects remains.Put differently, technology use in online CSE constructs the pathways through which suspicion is identified in complex ways.We would prompt other IS scholars to explore the variable technological construction of online CSE at the level of suspicion.How algorithms and the use of technology prioritize and allow certain suspects to emerge, while others are either deprioritized or dismissed, is of pivotal interest.The development of algorithmic accountability in such contexts remains critical.Ultimately, reducing the complexity of online CSE through IS use is reflected across all stages.When it comes to dealing with the prosecution of online CSE, "a lot of forensic labs have set their criteria to 250 Class A imagery while over 50 Class A designations would stand up in court" (#16).However, the use of different IS and filtering restrictions creates a forceful reduction of complexity and creates additional risks.Based on #15, in one such example, "the totality of devices indexed had 1.4 million images to search through but the software got only 0.01% because of filtering restrictions … on occasion, we're running a big risk for unknowns." The alternative of a manual analysis is unrealistic given the volume to be examined.While diagrams simplify and reduce the content, the framework in Figure 2 summarizes some of the core aspects discussed above and brings together the preliminary TIDM model with the organizational context.
Figure 2 connects the main staging (Stages 1-4) of the TIDM with the organizational context in the CCU and the different IS used to tackle the phenomenon.First, on the right-hand side of the diagram, we notice that Stages 1-3 demand the participation of both victims (children and parents) and offenders.However, Stage 4 is somewhat distinct in that it occurs through P2P networks, elite pedophile communities, and dark web markets.Thus, as an activity, Stage 4 can occur independently but is also fueled by the continuous stream of activities that offenders initiate in order to lure more victims.Whereas we have seen the connections involved with attempting to monitor trafficking through INFOTRACK, the constraint remains that this is not a permanently-on connection.Real-time monitoring and increasing ISP collaboration in this context are very important but touch upon the sensitive debate of privacy versus security (Etzioni, 2015).Spotting first-generation imagery quickly so that high-risk abuse and "live cases" can be investigated remains very challenging because of the volume of data, lack of resources, and diffusion of intelligence.The variety of IS being used, often for complementary tasks, leads to fragmentation as hardware demands increase (e.g., mobile docking stations, decryption).
Furthermore, in the context of Stages 1-3, the CCU relies on technology companies to report suspicious activity.Based on #3 and #6, a common concern is that social networking and other technology companies are not doing enough to suppress the phenomenon.With information systems like HARVEST failing to capture real suspected offenders and the only other viable option for luring offenders is online impersonation of children by cybercrime officers, we need to rethink the relationship between technology companies and cybercrime police in the context of online CSE.Similarly, hardware black-box ISP filtering is one countermeasure that could be explored for Stage 4, but this raises similar concerns regarding the propagation of a surveillance state, exploitation of access for other reasons, and privacy violations.A combined exploration of this field alongside privacy-enhancing technologies (PETs) could lead to significant privacy-friendly monitoring innovations (Heurix et al., 2015).
While the challenges presented across Stages 1-4 are escalating, the organizational barriers at the CCU raise further difficulties in preventing and detecting online CSE.Separate command areas between critical teams should work more closely together.Also, intelligence can be found across several stakeholders that are often outside the CCU that is handling the ongoing cyberrisk.While the core utilities of IS can be recognized as serving (1) the timely identification of first-generation imagery, and (2) the identification and risk-scoring of offenders who have a higher probability of being contact sex offenders, these two elements are not really linked.Furthermore, training staff for online CSE is complex and requires serious investment.Specialist knowledge (e.g., at the forensic level) is demanding but there is also an increasing need to educate field officers.
Overall, the technology-based prioritization of online CSE cases is complex.The role that technology companies play, as well as that of ISPs and many other stakeholders that may be involved in deploying online CSE countermeasures through specialist information systems, is still emerging.As such, it is worthy of exploration from IS scholars.Most of the emphasis on countermeasures appears to be on how Stage 4 (trafficking) is handled through INFOTRACK, while the application of filtering across different levels raises an additional issue: how the related IS are used and integrated and end up "determining" who is recommended for prosecution and who is considered to be a suspect.This "determination" is far from causal, given the variety of filtering options being used.Different approaches for managing online CSE investigations run the risk of missing victims or flagging suspects in an inconsistent manner.Sadly, the online behavior of both parents and children contributes unwittingly to the volume of child imagery, as posted images are harvested and distorted by offenders and become comingled with first-generation imagery.The multidimensionality of technological interferences and the challenges faced in online CSE makes it critical to explore, model, and reflect upon the dynamic between technology and online CSE.We present the affordances of technology in online CSE in Table F1 in the Appendix.We need to remember here that artifacts can have both enabling and constraining expressions that are relational for different user groups.
Our emphasis remains on the relationality between enabling affordances for offenders (so that we can understand how their use of technology allows them to fulfill their goal to lure children) and the enabling affordances for the CCU (allowing cybercrime police to address the phenomenon).Each user group should have constraints: IS research should be conducted with a view toward increasing the constraints for offenders and decreasing the constraints for cybercrime police.
Our combined research into the stages of the phenomenon and the organizational context allows us to depict (1) how the escalation of the phenomenon occurs (from the perspective of offenders and how they use certain artifacts, features, images to achieve their goals), and (2) how the de-escalation of the phenomenon is attempted by cybercrime police.We accept the (unavoidable) limitation that there is a much greater number of affordances that can be captured; more research needs to occur within IS so that we can understand this phenomenon better.For example, technology companies like Facebook could be deploying their own technology artifacts, features of which would enable them to de-escalate the phenomenon but, without access to Facebook as a research setting, we cannot include these.Where an affordance can be considered as a shared, collective, or misperceived affordance, based on our discussion on affordances in the following section, we indicate that in Table F1.

Discussion on Affordances
While technological affordances have both enabling and constraining expressions, as shown in Table F1, the multidimensionality and interconnectedness of affordances point to a problem that is truly difficult to untangle.This article makes a first attempt toward deconstructing the role of technology and imagery in online CSE from an IS perspective.It is important to assert that IS research can make a difference in two ways: (1) by focusing on studies around the deactualization of the enabling affordances for offenders and, of course, by increasing, strengthening, and inventing new constraining affordances for offenders (so that their goal of luring children through technology use is disrupted); and (2) by strengthening the enabling affordances for cybercrime teams and minimizing their constraining affordances-here, the study of different cybercrime teams and jurisdictions could shed some valuable light.The study of the broader organizational IS context within which cybercrime teams are embedded is also significant, as we have shown in our analysis.The same applies to the critical role of technology providers and, in particular, social networking companies; a deeper exploration of their organizational dimensions and a clearer understanding of the problems, challenges, and missed opportunities that they face in addressing the phenomenon would lead to additional lines of scholarly inquiry.A longitudinal in-depth case study of a major social networking company would be invaluable in this context.Overall, our organization of affordances in Table F1 can assist IS scholars in concentrating their lines of exploration further.
Through our empirical findings, we delineate several ways through which technology is used by offenders to fulfill their goal-oriented actions.By using social networking sites, web applications, image editing software, face-swap applications, AI-based deepfakes, P2P networks, the dark web, cloud storage, as well as elite forums that are supported by underground digital economies and cryptocurrencies (or custom-made digital tokens), offenders are quick to adopt new technologies to enable their illegal goals of luring children online.The technology artifacts involved, the corresponding user characteristics of offenders, the enabling/constraining affordances, and the corresponding outcomes are listed in Table 2, while the centrality of imagery across many affordances is evident.By bringing together the insights of our preliminary model (depicting only the offenders' side), the organizational insights from studying the CCU, and the extracted affordances in Table F1, we reconceptualize and describe our comprehensive model (Figure 3), which depicts both the offenders' side and the CCU's side.
The nested triangles A, B, and C in Figure 3 both summarize and generalize what we have learned about online CSE.The left side of the triangle illustrates how properties of technology shape how users interact with them.The right side shows how properties of imagery invite users to act in various ways.Below, we describe the nested triangles briefly before discussing the affordances.

A. Stages of online CSE:
The center triangle of Figure 3 shows the various stages of online CSE: (1) initiation of contact, (2) trust development, (3) online extortion, and (4) trafficking.

B. Escalation of online CSE:
The second triangle of Figure 3 represents how offenders make use of the enabling affordances of technology and imagery; the goal-oriented action of offenders results in the escalation of online CSE.Of course, for each stage, offenders are limited by the constraining affordances of the corresponding artifacts (see Table F1).But, overall, it is the enabling affordances here that contribute to the escalation of the phenomenon, as captured by D1 and D2 of the diagram corresponding to all four stages of online CSE.A number of IS streams can be associated with deactualizing the enabling affordances of artifacts for offenders and dampening their effects.Image analytics (Vuppala et al., 2018), trust and digital identity (Halperin & Backhouse, 2012), deconstructing the dark side of social media (Baccarella et al., 2018), the study of online underground markets, and cybermoney laundering (Philippsohn, 2001;Demetis, 2018) are all important but they need to be concentrated onto the disruption of online CSE.A more targeted focus on the handling of digital forensics (Garfinkel, 2010) in the context of online CSE is also necessary.Organizational IS have much to contribute in this space, as we observed and discussed several organizational/IS barriers that create limitations in the sharing of intelligence and in the prioritization of cases.
Interoperability concerns, risk-based approaches, and communication disconnects within the police are all worthy of further exploration.
Our empirical data also point to misperceived affordances.While these affordances are not perceived by the user groups, they do exist (Gaver, 1991).For example, the misperceived affordance (A9 in Table F1) captures the possibility of unintentional image (over)sharing by parents, children, and other stakeholders (e.g., schools), which can lead to exploitation.Such imagery is captured, distorted, sexualized, and recirculated as online pornography; the desensitization of children toward online privacy and the comingling of imagery creates further detection challenges.The field of IS offers a number of streams in this context.A focus on privacy and data sharing already exists (Furnell, 2015), as do focuses on behavioral IS security (Dhillon, Syed, & Pedron, 2016), user-controlled privacy in relation to mobile phones and privacy-enhancing technologies (PETs) (ENISA, 2015), and cyberawareness (Franke & Brynielsson, 2014).But, thus far, these streams have not focused on online CSE.A focus on online CSE would create invaluable contributions that could lead to the de-escalation of this phenomenon.Design implications will demand further exploration of these goals.
While systemic difficulties in handling these aspects create severe challenges for the future, still, even in the face of such adversity, a number of distinct ways can be identified in which technology enables the deescalation of the phenomenon, despite several constraints (e.g., handling encryption, resourcing problems, interoperability concerns, etc).For example, the identification of previously circulated (secondgeneration) imagery through the INFOTRACK system and the CAID database enables the prioritization of first-generation imagery and the recognition of potentially live cases at a much faster pace (A5 in Table 2).More IS research in this context in peer-topeer network monitoring and filtering (Weber, 2016), darknet monitoring (Nunes et al., 2016) and digital forensics may yield considerable insights through which this could be reinforced.
Similarly, the use of behavioral profiling and other filtering approaches to risk-score the severity of offenders (A7) and the vulnerability of children would assist cybercrime authorities seeking to end the ongoing exploitation of victims.Profiling (Lamb & Kling, 2003;Middleton, Shadbolt, & De Roure, 2004) and the closely related practices of risk prioritization and management (Spears & Barki, 2017), as well as the development of software capable of enabling such prioritization, all need to be considered.A subtler point arises here regarding the algorithms that determine such prioritizations since the associated criminal investigations are often triggered by who is flagged as more highly suspect.Particularly when algorithmic transparency is very difficult if not impossible to achieve (e.g., because of "black box" approaches like machine learning), one can speak of the technological construction of suspicion.Thus, algorithmic accountability in this context acquires a particular significance (Garfinkel et al., 2017).
Another significant potential for de-escalation arises from efforts to gain access to offender devices and accounts (both cloud-based and confiscated devices) (A11).The work of cybercrime authorities can make a substantial difference in safeguarding children; cloudbased and digital forensics, as well as data filtering for prioritization, are two indicative IS streams that can strengthen the enabling affordances for the police.Unfortunately, encryption also enables offenders to protect their digital assets and thus remains a battleground between encryption-focused offenders and decryption-focused digital forensic specialists.The context of balancing the strengthening of encryption and its exploitation by offenders with the decryption capacities of cybercrime units remains truly challenging.
Even though we observed several IS at the CCU that could contribute to the de-escalation of the phenomenon and the pursuit of offenders, we would like to highlight the ability of cybercrime agents and online vigilantes8 to conduct impersonations of children themselves in order to expose offenders.While the process of having police officers lure offenders by impersonating children online can be time consuming, the use of social networks that enable the exposure of offenders is also shared with online vigilantes and their users.As we saw in our description in the previous section, an automated replication of this process was attempted by the HARVEST IS, which monitored online conversations for offender identification (A10 in Table 2) by listening to social media conversations in real time.While this was shut down because of the sheer number of false positives, a variety of other computational approaches could be explored toward that end.In the future, advanced "honeypot techniques" with digital tokens (Shabtai et al., 2016), machine learning (Pearl, 2019), or AI-based chatbots (Androutsopoulou et al., 2019) may take over the role of undercover cybercrime agents posing as children online.Overall, we do perceive the role of AI as having a set of potentially critical effects for both escalating and de-escalating the phenomenon.We prompt other IS scholars to explore these potential effects in detail; for example, deepfakes and AI-based face/voice mimicking would allow offenders to attract more victims and make artificial identities more convincing and realistic, while better detection tools could expose such deepfakes and alert users (an AI vs. AI scenario).Similarly, AI developments might assist police if autonomous software-based cybercrime agents could be launched online, attempting to converse with/expose offenders autonomously before referring them for a manual cybercrime review.

Future Research Directions, Limitations, and Conclusion
This paper contributes to a deeper understanding of online CSE by using a grounded theory approach and developing a model (TIDM) to depict the staging of online CSE in relation to imagery and technology contextualized within an organizational context and also by organizing technology affordances around online CSE.The complexity of the phenomenon, the multiplicity of IS-related considerations, and the enormous social impact associated with online CSE must prompt other IS scholars to engage with it.
While an obvious path for further research would be a deeper exploration of the affordances presented in Finally, the overall handling of online CSE and the way the phenomenon itself has emerged and evolved raises several ethical considerations.In this spirit, there is a rich literature at the intersection of ethics and IS that could be applied in order to unpack the ethical dimensions of the phenomenon.Classical theories in ethics and more contemporary information ethics (Floridi, 2008)

(
O) 12 Participantstwo closed sessions Technologies and social networks related to online CSE and school liaison roles at Online Strategy Group of Safeguarding Children Board (Local Council 1) (O) 20 Participantsclosed (i.e., private/invited) session on online CSE Child safety in schools (handling IT systems for schools and the deployment of a new filtering tool as well as e-safety training) in Local Council 1 (I) Former director of intelligence (NCA) Strategic issues around the deployment of information systems around online CSE and managing future challenges (I) Detective inspector (CCU) Role of the Protection of Vulnerable People (PVP) Command in online CSE and information systems being used (I) Detective inspector (manager of CCU) Managing online CSE work through different information systems (focusing on the TARGET and FILTER information systems) (I) Civilian attaché to CCU (triage manager) Use of information systems in handling and managing the triage process of online CSE related material (focusing on the INITIATE information system) (I) Detective inspector (digital forensics manager at CCU) Use of information systems in the digital forensics process of online CSE

Figure 1 .
Figure 1.The Preliminary Technology & Imagery Dimensions Model (TIDM) of Online CSE (Depicting Only the Offenders' Side)

Figure 2 .
Figure 2. IS in Online CSE

Figure 3 .
Figure 3.The Technology and Imagery Dimensions Model (TIDM) Figure D1.Time Slices During Phase 1

Table 1 . A Brief Summary of the Pre-Understanding of the Phenomenon and its Basic Affordances Technology artifacts and affordances Fueling the phenomenon Authors Defusing the phenomenon Authors
TableA1in the Appendix).taking into account the centrality of imagery and delineating the process through which imagery is being used, and (2) extracting the enabling and constraining affordances of technology in online CSE, informed by the organizational context of a UK police cybercrime unit (CCU).How do technology and imagery enable and constrain online CSE for offenders and the CCU?How can the process of online CSE be delineated if we assume that imagery affects different stages of the process?In order to elucidate these aspects, we focus on the IS implications of the phenomenon in the organizational context of the cybercrime unit of a UK police department.
In order to address these gaps, while accepting the central role of imagery for both offenders and for those tasked with its prevention and detection, we focus on deconstructing the relationship between online CSE and technology by (1)

Table 2 : Primary Data Collection Sources and Scope # Interviews (I) & Observations (O) Scope
7 (O) 21 Participantsclosed (i.e., private/invited) 6-hour session (cyberculture, online exploitation, online education, awareness)training session on online CSE at Local Council 2 8 (I) Police and crime commissioner (PCC) Challenges faced when tackling CSE at Local Council 2 9 (O) 11 Participantspublic session on online CSE awareness (Local Council 2) Police training, prison system, national working group on tackling CSE, young persons' risk "Resourcing against increasing demand" remains a substantial challenge.As #16 mentioned, "a member of [the] staff would undergo 12-18 months of specialist training to use the (information) systems we have here ... and then, of course, there is a more general technical knowledge issue and training of police officers in the field.For example, they may file a report on a confiscated mobile phone, and the report asks them to fill out what an IMEI is and they wouldn't know that." A "basic level of being comfortable with IT" is considered to be essential.Police officers, through no fault of their own, present a risk in terms of what intelligence is fed into different systems (e.g., incomplete or mistaken data entries).