If you have encountered child sexual abuse material (CSAM) online, your immediate priority is to report it to the correct authority. This is not a situation where you should attempt to gather evidence, investigate the source, or handle the material in any way. Reporting CSAM is a legal obligation for service providers in most jurisdictions and a moral imperative for everyone. This article exists to direct you to the right reporting channels as quickly as possible. For a broader overview of the abuse reporting process, see my complete guide to reporting IP abuse.
Critical Warnings Before You Proceed
Read these before taking any other action:
- Do NOT download, screenshot, or save CSAM. Possessing this material is a criminal offense in virtually every jurisdiction, even if your intent is to preserve evidence for a report.
- Do NOT attempt to investigate the source yourself. Tracing hosting infrastructure, contacting suspected perpetrators, or conducting any form of independent investigation can compromise law enforcement operations already in progress.
- Do NOT share the material with anyone other than the official reporting channels listed below. Forwarding CSAM, even to report it, through unofficial channels is illegal.
- Report immediately using the appropriate channel below. Note the URL where you encountered the material and report it. That is all you need to do.
Where to Report CSAM
NCMEC CyberTipline (United States)
The National Center for Missing & Exploited Children operates the CyberTipline at report.cybertip.org. This is the primary reporting mechanism for CSAM in the United States and accepts reports from anywhere in the world. NCMEC works directly with law enforcement agencies and has legal authority under federal law to receive and process these reports. US-based electronic service providers are legally required to report to NCMEC under 18 U.S.C. Section 2258A.
If you are in the US or the material is hosted on US infrastructure, this should be your first report.
IWF (United Kingdom and International)
The Internet Watch Foundation at iwf.org.uk is the UK's designated reporting body for CSAM. The IWF also operates internationally and maintains a URL list used by ISPs and hosting providers worldwide to block known CSAM content. If you are in the UK or the material is hosted on UK infrastructure, report through the IWF portal. The IWF also accepts reports from outside the UK.
National Reporting Hotlines by Country
Different countries have designated bodies responsible for receiving CSAM reports. Use the hotline for the country where you are located or where the content appears to be hosted:
| Country | Reporting Body | Website |
|---|---|---|
| United States | NCMEC CyberTipline | report.cybertip.org |
| United Kingdom | Internet Watch Foundation (IWF) | iwf.org.uk |
| Canada | Canadian Centre for Child Protection | cybertip.ca |
| Australia | Australian Federal Police / eSafety Commissioner | esafety.gov.au |
| European Union | INHOPE Network (national hotlines per member state) | inhope.org |
| New Zealand | Department of Internal Affairs | dia.govt.nz |
| Germany | eco Complaints Office / jugendschutz.net | internet-beschwerdestelle.de |
| France | Point de Contact / PHAROS | internet-signalement.gouv.fr |
If your country is not listed, the INHOPE network (inhope.org) maintains a directory of member hotlines in over 50 countries. You can also report directly to NCMEC's CyberTipline, which forwards reports to the appropriate international law enforcement agencies.
Hosting Provider
If you can identify the hosting provider or ISP serving the content, many providers maintain a dedicated csam@ contact address specifically for these reports. You can use the IP Location tool to look up the IP address of the server hosting the material and find the abuse contact information for the hosting provider.
When reporting to a hosting provider, keep your report brief: provide the URL, the date and time you encountered it, and state that the content is CSAM. The provider's trust and safety team will handle the rest. Do not include any description of the material itself.
Law Enforcement
For situations where a child is in immediate danger, contact local emergency services (911 in the US, 999 in the UK, 112 in the EU). For non-emergency law enforcement reports:
- United States: FBI (tips.fbi.gov) or local FBI field office. See also my guide on reporting cybercrime to law enforcement and the FBI IC3.
- United Kingdom: National Crime Agency (NCA) CEOP Command at ceop.police.uk
- Canada: Local police and RCMP
- Australia: Australian Federal Police at afp.gov.au
What Information to Include in Your Report
When filing a report through any of the channels above, include the following:
- The URL where you encountered the material — this is the single most important piece of information. Copy the full URL from your browser's address bar.
- Date and time of discovery — as precise as possible, including your time zone.
- How you encountered the material — brief context such as "found via search engine," "appeared on a forum," or "hosted on a website I was reviewing for abuse."
- IP address of the server (if known) — use the IP Location tool to look up hosting details if you have the domain or IP.
- Your contact information — so the reporting body or law enforcement can follow up if needed.
Do NOT include the material itself. Do not attach images, videos, or screenshots to an email. Use only the official reporting portals (NCMEC CyberTipline, IWF, or your national hotline), which are built to receive this type of report securely and legally.
Legal Obligations
For Service Providers
In the United States, 18 U.S.C. Section 2258A makes it a federal crime for an electronic service provider to fail to report CSAM to NCMEC after becoming aware of it. This applies to hosting companies, ISPs, social media platforms, cloud storage providers, and any entity that provides an electronic communication service or remote computing service. Penalties for failure to report include fines up to $300,000 for a first offense and up to $600,000 for subsequent offenses.
In the United Kingdom, the Online Safety Act 2023 imposes obligations on service providers to proactively detect and remove CSAM. The IWF works with providers to maintain blocklists and ensure compliance.
In the European Union, the proposed CSAM Regulation (commonly referred to as "Chat Control") aims to impose detection and reporting obligations on messaging and hosting services across all member states. Individual member states already have national laws requiring provider cooperation with law enforcement on CSAM matters.
For Individuals
Ordinary citizens are not subject to the same mandatory reporting laws as service providers in most jurisdictions. However, reporting CSAM when you encounter it is strongly encouraged and may be legally required depending on your jurisdiction. In all cases, knowingly possessing, distributing, or failing to report CSAM when you have the ability to do so can carry legal consequences. When in doubt, report.
If You Are a Hosting Provider or ISP
If you operate hosting infrastructure and receive a CSAM report or discover CSAM on your systems, follow this sequence:
- Do NOT destroy evidence. Do not delete the content, wipe the server, or terminate the account before preserving evidence. Destruction of evidence can obstruct law enforcement investigations and may be a criminal offense.
- Preserve evidence under legal hold. Isolate the server or account. Preserve all associated data: access logs, account registration details, payment information, IP access history, and the content itself in a forensically sound manner.
- Report to NCMEC (if US-based) via the CyberTipline at report.cybertip.org. This is a federal legal requirement under 18 U.S.C. Section 2258A.
- Contact law enforcement. Depending on your jurisdiction, contact the FBI, NCA, or your national police cyber unit. Provide your NCMEC report reference number if applicable.
- Restrict access to the content immediately after preserving evidence. Remove public access to the offending URLs while keeping the underlying data preserved for law enforcement.
- Document your actions. Record every step you take, including timestamps, who was involved, and what was preserved. This documentation protects you legally and assists investigators.
If you are unsure about your legal obligations as a provider, consult legal counsel experienced in internet law and CSAM compliance in your jurisdiction. Do not delay reporting while seeking legal advice — file the report to NCMEC or your national hotline first, then consult counsel.
This article is part of the IP Abuse Reporting Guide. See also: Report Cybercrime to Law Enforcement and the FBI IC3.
