This is not a request for legal advice, and any responses in this topic should not be taken as legal advice.
This is a request for general, nonspecific advice.
This is really awkward to ask as my first topic here on Meta, but I haven’t found any decent answers. I was in the process of figuring out how to delete illegal content from my S3 backups if I ever have to, and I made the unfortunate(?) decision of “consulting” ChatGPT about whether I should be aware of any laws that might be related to this… which led me down this rabbit hole.
Background
Last year, the US Congress passed the REPORT Act, which imposes requirements on providers to report instances of CSAM to the NCMEC (National Center for Missing and Exploited Children) CyberTipline, and to retain this content for up to a year. From my limited understanding, “providers” include anyone who is hosting a Discourse forum, since we are an “electronic communication service provider or remote computing service”.
As far as I could find, EU hosters have a reporting obligation, but don’t have a retention policy like the US does, other than some kind of proposal (I haven’t fully read this PDF, but it’s at least mentioned on page 8).
I did find an article that mentions that the UK also has the Online Safety (CSEA Content Reporting) Regulations 2025, which go into effect on 3 November 2025. They seem to state that providers are also required to store this CSAM data for a year. I think I also read somewhere that UK providers are required to use image-hash detection to filter out known CSAM images along with CSAM URLs, but I can’t find the source.
Does this apply to us, as the Discourse community?
Probably? I haven’t found anything to the contrary, but please correct me if I’m wrong.
For me, I’ve been hard at work setting up a self-hosted AWS Discourse server for a family member’s tiny business (while learning Cloud Engineering/DevOps/IaC along the way), and the likelihood of someone posting CSAM on our forum is infinitesimal.
It’s probably more likely that I’ll get struck by lightning twice on a sunny day.
However, I want to have the required retention storage infrastructure and a plan ready in case some ill, self-destructive individual wanted to cause trouble - a “break glass in emergency” kind of preparation. I’m talking about setting up a dedicated retention bucket, securing it with encryption and/or IAM roles, keeping access logs, having a procedure for safely transferring this CSAM data away from your uploads bucket, etc.
Questions
My questions are primarily directed toward the US hosters, although it seems like UK and EU hosters may soon want these answers as well.
- Have you dealt with CSAM content before in your communities?
- What was your procedure to deal with it? NSFW AI Triage → report → storage? When did you contact a lawyer for this (if at all)? How did you deal with database + upload backups that may or may not have stored this data?
- Have you set up the required retention storage? If so, how did you comply with relevant regulations?
- Dedicated S3 bucket? Encryption? Do you have it on a different cloud account?
- Do you use any proactive image-hash detection/blocking software in your infrastructure so that this content doesn’t land on your server(s) to begin with? Any solutions that don’t break the bank?
I’d greatly appreciate some sort of general, NON-LEGAL guidance or references to use since all of the information I can find online seems to be geared toward someone working at a large company with a lot of money and experience, but I’m pretty sure these laws apply to everyone. Even if no one ever uploads this type of illegal content to any Discourse forum across the globe, I’d rather be safe than sorry.
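One way to lay out the dedicated retention bucket the post describes, as an added example that is not part of the original post or of Discourse: a Terraform configuration with a one-year Object Lock default retention, default encryption, server access logging, and a bucket policy that denies object access to everything but a single break-glass role. Bucket names, the 365-day period, the role ARN and the pre-existing log bucket are assumptions, and account-level S3 Block Public Access (the default for new buckets) is assumed to be on.

```hcl
# Added example (not from the post); names, 365 days and the role ARN are placeholders.
resource "aws_s3_bucket" "retention" {
  bucket              = "example-forum-retention"
  object_lock_enabled = true # Object Lock can only be turned on at creation
}

resource "aws_s3_bucket_versioning" "retention" { # Object Lock needs versioning
  bucket = aws_s3_bucket.retention.id
  versioning_configuration { status = "Enabled" }
}

# Default one-year retention. GOVERNANCE can be bypassed by a principal with
# s3:BypassGovernanceRetention; COMPLIANCE cannot be shortened by anyone.
resource "aws_s3_bucket_object_lock_configuration" "retention" {
  bucket = aws_s3_bucket.retention.id
  rule {
    default_retention {
      mode = "GOVERNANCE"
      days = 365
    }
  }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "retention" {
  bucket = aws_s3_bucket.retention.id
  rule {
    apply_server_side_encryption_by_default { sse_algorithm = "AES256" }
  }
}

# Server access logs go to a separate bucket (assumed to already exist).
resource "aws_s3_bucket_logging" "retention" {
  bucket        = aws_s3_bucket.retention.id
  target_bucket = "example-forum-access-logs"
  target_prefix = "retention/"
}

# Deny object reads/writes to every principal except one break-glass role
# (placeholder ARN). Bucket configuration stays manageable by account admins.
resource "aws_s3_bucket_policy" "retention" {
  bucket = aws_s3_bucket.retention.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect = "Deny", Principal = "*", Action = ["s3:GetObject*", "s3:PutObject*", "s3:DeleteObject*"]
      Resource  = "${aws_s3_bucket.retention.arn}/*"
      Condition = { ArnNotEquals = { "aws:PrincipalArn" = "arn:aws:iam::123456789012:role/RetentionBreakGlass" } }
    }]
  })
}
```

Because the Deny covers only object actions, an administrator can still change the bucket's configuration, but moving, reading or deleting the retained objects requires assuming the break-glass role, and every such access shows up in the log bucket.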