EmXcore podcast Episode 2: Starting a new job during a pandemic and fighting the hosting of child pornography

In this episode we talk to Alex de Joode about starting a new job during a pandemic at Amsterdam Internet Exchange (AmsIX) and about a tool he devoloped to fight the hosting of child pornography.

EmXcore podcast Episode 2 with Alex de joode

---

Lisa:
Hey everyone and welcome to another episode of the EmXcore podcast, a podcast where we will invite customers, partners, or anyone of whom we think has something interesting to say or has some interesting views on the internet and networking industry.

Today, we are talking to Alex de Joode about starting a new job during a pandemic at the Amsterdam internet exchange (AmsIX) and about a tool he developed to fight the hosting of child pornography.

Welcome Alex. I’m very happy that you’re here to join us for this podcast. How are things going?

Alex:
Well, Excellent. We see that basically for a large part it’s back to business. People are visiting the offices a bit more, as we saw in the Netherlands even the minister of justice and safety, who is in charge of the 1.5 meter distancing rule, at his own wedding decided it wasn’t necessary. I think in the Netherlands it’s, well the figures are going up a little bit from what I understood. It’s basically the young people so the infections go up, but the people at meeting admitted to the hospitals basically stays the same or even are declining. So, um, well, all in all I think from the perspective here in the Netherlands, everything is going quite okay.

Lisa:
Are you still working from home or are you in the office?

Alex:
No I’m still working from home. I think it’s, well the easiest. We do have a very good infrastructure, digital infrastructure in the Netherlands, so working from home basically is not often an issue for people ,they are able to work remotely. However, if it’s possible to go to the office I’ll definitely be at the office. Last week I went to the office twice.

I started at AmsIX three months ago. So I know a lot of people through zoom but I haven’t had real interaction with them, and meeting people and, not shaking hands, but giving them the elbow and drinking a cup of coffee yeah that’s a real nice way of getting to know people too. And it definitely beats the clinical zoom sessions we’ve had previously.

Lisa:
Yeah I can imagine it must be really weird starting at a new job without meeting the people or even setting foot in the office.

Alex:
Yes, it’s strange. Normally I would walk around, you know, you see a person and you say, hi, what you’re doing? And you can introduce yourself. And with zoom while we have the call, and then you introduce yourself, so everybody knows who you are, but you basically have no idea who may be 50 out of 60 people are. So when you’re in the office, they say, Hey Alex, and you’re thinking, okay, who are you? So yeah, it’s strange.

Lisa:
Yeah. I can imagine well it must be nice now too finally actually seeing the faces.

Alex:
Yeah. I mean, some people you speak, well not daily but weekly, in a Zoom session and others you’ll hardly have any interaction with so if you see them it doesn’t ring a bell.

Lisa:
Yeah, true. Well, can you tell us a little bit more about, about yourself? I mean you already mentioned you worked at, Amsterdam internet exchange.

Alex:
Well I started there three months ago basically doing risk management compliance, a bit of legal, some lobbying, connections with the government. We have a telco regulator that’s interested in what we’re doing, downtimes, et cetera, et cetera. That’s, I think a really nice part if you like it. And I do like it. Other people think it’s quite boring talking to the government, but I think it’s fascinating, you learn what they think. Some of them really have no idea what the internet entails, so you can also do some explaining of what is good and what is bad. So that’s, in my opinion, really, really nice.

Before I went to AmsIX, I worked for NL digital, which basically is the national trade association for it companies in the Netherlands. So Google, Facebook, Microsoft, Booking, HP, Dell, a lot of those big names in tech, they are member.
And I was basically active in in Brussels and in the Hague making sure that they also understood what are the challenges for these companies and how we can basically ensure that the digitalization of the Netherlands proceed where we are one of the front runners.

I think we have this unique position that the Dutch people are not that afraid of technology, they’re ready and they’re willing to embrace it. And that makes that we have an infrastructure that needs to adapt. And if you look at what then happens. We have a government that more or less is relatively digital savvy. We have digiD, which is a way to authenticate yourself. A lot of information is available on the internet. Most people working in the government do have an email address and you can contact them by email.

So I think that there is a lot of information also available digitally. If you look at other countries, like I said, I worked in Brussels and in the Hague. If you go to Brussels that’s a different level of digital they understand there. For example if you want to open a bank account in Brussels it’s totally different, instead of making your appointment online you have to go to the office. You go in an empty bank office you say “okay, can I open a bank account?” They look at you saying, “Oh, sure” And then they give you a day three weeks later. So you know it’s a different world.

Lisa:
It takes a bit of extra time. Yeah.

Alex:
Yeah. And I think we’re relatively blessed here in the Netherlands and most Dutch persons probably don’t realize how blessed they are.

Lisa:
Because that’s what you’re used to. They’ll probably even be frustrated if it doesn’t go fast enough for them.

Alex:
Even if, you know, you drive here on the motorway, basically everywhere you have 99% reception of telephone signals, if you then go on a holiday in Germany, you know, big structures of the Autobahn, zero internet. So because we have a very dense populated country which isn’t that big we also had the, well, the good ingredients I think for this really nice environment.

Lisa:
Yeah. True. Do you see that now, especially of course with COVID-19, a lot of stuff is getting more online and digital that the development of digitalization is being sped up?

Alex:
Well, I mean, I think there was this meme at the beginning of COVID that the biggest driver for digitalization in 2020 was COVID not the it department. A lot of organizations suddenly needed to work remotely or offer that, so suddenly all the discussions, you know, can I trust my employees they’re null and void because you had to trust your employees cause you had to give them access. And I think it really turned out that people are more productive if they work from home. The feedback I received at least at AmsIX is that it’s very difficult for people or more difficult to clearly define, okay now it’s working time and now it’s time off. I think it’s a big driver for digitalization. A lot of organizations basically had a very small line from the office going out. If you then have your VPN concentrator in your office and 100 people started using it, then your line, your internet connection isn’t big enough. So you need to upgrade.

So for a lot of these organizations, it meant upgrading connections, getting more licenses for VPNs, making sure that remote work is possible. I think Ziggo, one of the largest internet service providers here in the Netherlands, they basically made sure that their whole support desk would be able to work from home. So even call centers, et cetera, well they couldn’t be in the office so they had to find a way to make sure that basically they could still service their customers. And I think in the end it worked marvelously.

Lisa:
Did you see a big increase then as well at AmsIX, which is one of the largest hubs for internet, I think around the world even.

Alex:
Yeah, I think we are number two or so. I think we saw a 17 – 20% increase in traffic during the day. But all in all this was quite manageable and I think the infrastructure in the Netherlands is such that hardly anyone notices. The big impacts for the network basically is if Microsoft, Apple, and one of those gaming companies send an update at the same time. I mean, then it’s busy, you know? And now it’s basically a better utilization of connectivity, so nothing to worry about it is just business as usual.

Lisa:
Yeah, exactly. Next to your work at AmsIX you also run a very interesting project aside of that, where you’re trying to reduce the amount of child pornography that’s being hosted uon Dutch servers. Can you tell a bit more about that and what the tool is that you came up with?

Alex:
Yeah. If we go back a long, long time, I think it was 1994, I was involved with XS4All and we basically already had this discussion about the Netherlands being Sodom and Gomorahh, all kinds of content were available. And with a group of people we then, well through a thought process that basically resulted in the establishing of the hotline against child pornography and Meldpunt kinder porno as it’s called in Dutch. We had a liaison with the police. How should we deal with this? Then all the hotlines in Europe together founded Inhope, which is an association, to Dutch laws based here in Amsterdam also. Um, and basically we tried to educate people what the laws are and informed organizations that they had child pornography on their servers. I then became a dad and I was like, okay, you know, this is enough.

A couple of years ago, we had the new minister of justice: Grapperhaus, the one we mentioned before and he basically said, it’s totally ridiculous that 70% of the European child pornography is hosted in the Netherlands, we should do something about this. As I was the security officer and regulatory counsel for a large hosting company before I went working for NL digital, I had devised a system whereby basically, if you look at a picture you can make a digital fingerprint out of it. It’s called a hash and you can basically check hashes against hashes. So if there is a known picture in the database, in a police database and Interpol database, a Europol database, then you can match known pictures that are uploaded by these image farms and then you can basically, as the owner one of those image farm have the picture automatically deleted.

it’s totally ridiculous that 70% of the European child pornography is hosted in the Netherlands, we should do something about this

So that was very successful at the company that I worked for. We did a test, the Dutch police was very hesitant about the test because they thought it would give them an enormous amount of work. So after the test they decided, okay, you know, let’s wait and see. So we basically stopped the test.

Then of course Grapperhaus came by and said, okay what are the possibilities? And I basically said, well this is what we did at this previous company and this is something we can do very easily here.So then he said, okay that’s a very good idea. But in the meantime in the Netherlands we had the GDPR implemented, the privacy law. So there was this huge discussion within the police if this hash, so it’s not a picture itself there is no identifiable person on the hash but it’s basically just the fingerprint. Well it is a GDPR thing, can you share these fingerprints? So I think that the police took about five months to decide that it is possible to to make these hashes available.

So we set up a system to a HA proxy servers. And I think we have four instances behind these proxies and they basically do I think 140, they checked 140 hashes per second. There is one guy who’s putting several billions of hashes through the system as we speak. So I’m not sure what the hit rate is. I think that’s something you should ask Meldpunt, but from what I understood, there are several hundreds of hits.

One of the issues is because the algorithm used is Sha1 MD5, that if you put a logo in a picture the fingerprint changes. So only an exact copy will get a match. Luckily Microsoft, is a very good company that’s sponsoring research into how to combat child pornography online. They devised a new algorithm, photo DNA, and with photo DNA, you basically still can identify a similar picture, even if it’s not a 100% complete match. Unfortunately, that takes a lot of CPU resources. So within the current infrastructure we have we can not use it. Luckily Cisco will be making available some beast computers as I call it.That basically has four CPU’s, you know. So we can basically use that equipment to use photo DNA and make that available to the image farms and other people who basically want to get rid of child pornography uploads of pictures that aren’t exact matches but are near matches. And then it’s up to the website owner to decide if he’s agreeing to remove 80% or 90% or whatever is the percentage that he feels most comfortable with.

So I think that is a very nice way of making sure that we’re using technology in a good sense. Even Price Waterhouse Coopers is doing some AI stuff where they basically train AI in, is it a human? Is it a nonhuman? Is it an adult? Is it the non adult? Is it a child with clothes or is it a naked child? Basically to make sure that, I think Meldpunt basically gets about 400 thousands references and it’s down to six people basically deciding whether or not it’s child pornography. It would be great if there is already this huge decision tree in front. And they don’t have to actually look at the pictures that are most likely not child pornography. And they can basically review the pictures that most likely are, and hopefully they can find some new stuff, which they then can relay to the police for investigation and hopefully save the child.

Lisa:
That is a really good tool. Do the hosting companies and stuff run the tool themselves or is it something that you guys run for them? How does that work?

Alex:
Yeah, basically it’s not the hosting companies that are involved as such, but the customers of the hosting companies in the Netherlands. We have net neutrality and no deep packet inspection policy, which basically means that as a hosting company you can’t do deep packet inspection. So basically you have to review who are your customers, how many complaints do you get from the Dutch hotline from Meldpunt per month for a customer? And if this customer basically receives a certain amount of child pornography hosting complaints then you contact this customer and then the customer basically can access a special API and they can then upload, they make the fingerprints themselves, they upload the hash and they get a one or a zero. This is known, and this is unknown. If it’s a known picture, then basically the website owner removes the picture. If it’s an unknown picture it can basically mean it’s an unknown picture that still is child pornography, but it’s unknown to the database, or it’s a regular picture. So to say, it’s not like if you use it, you will have no child pornography, on your server anymore. It’s just the known pictures, that are basically labeled.

Lisa:
Is the tool only working for the Netherlands or is it international?

Alex:
Good question. To be honest, I don’t know. I think that’s something people if they are interested, they should contact, EOKM, which basically is the foundation that runs the hotline. You can send an email to fg@eokm.nl and then basically you will get an answer. You know the issue with the Netherlands is that we have a, well we have an infrastructure, everything is basicallyfree. So as a customer of Meldpunt you don’t have to pay Meldpunt anything. It’s service for you to make sure that the known child pornography images can be removed. If the whole world were to use this infrastructure I think it would be a bit overwhelmed So yeah, if you’re interested, please contact EOKM.nl and they will probably help you further.

If companies are interested in running this tool, they should contact EOKM. Send an email to fg@eokm.nl and they will help you further

www.eokm.nl

Lisa:
I’ll put the link in the description as well (see above), so it’s easy to find. I think that’s about it. I think we covered quite a lot of it already. Are there any projects, any things you’re like, Oh, that’s what I wanted to mention as well?

Alex:
Well, I think if a lot of networking people will listen to this podcast, the eque-commerce directive I think is one of the foundational laws that basically govern internet and liability of service providers. There now is the DSA, digital services act, at the European level. And I would basically ask everyone who’s interested in, well these things in liability things, please make sure that you pay attention because this might change the way you have to do business.

Lisa:
Yeah. Yeah. That’s a good one. Actually just have a little bit of awareness on those regulations

Alex:
If you are basically a member of a organization, a the tech association, or you know some other form, basically ask them what is the status and how can you help? And of course, if this goes the wrong way while you’re into it, liability will become a nightmare for most organizations.

Lisa:
Yeah, definitely. Well, thank you so much for being on our podcast. Enjoy the rest of your day. Thanks for having me. Yes, of course. Okay. Bye bye.

For the people listening. Thank you for listening to this episode. Please let us know what you thought about it, or if you have any suggestions for the next episode, hopefully untill the next one.