this post was submitted on 07 Mar 2025
107 points (100.0% liked)


Obviously I already removed all media, banned all the users and prevented account creation. I have IP addresses and metadata of the users.

all 42 comments
[–] MonkeMischief@lemmy.today 8 points 1 day ago* (last edited 1 day ago)

Lots of good responses here. That'd be a really scary find, OP, and I'm sorry you're dealing with that. :(

As much as I also long for justice, I also totally understand the inclination towards just nuking and paving the whole thing and moving on. Some factors that occurred to me:

  • Those posting it might be outside your nation's jurisdiction.
  • They might just be bots set loose by unknown actors.
  • The above, plus they might be using "zombie" machines to bounce this material around unguarded servers wherever they can. It could be very difficult to ascertain who is behind this.

I agree with others that you should only move forward under the guidance of a good lawyer, because you don't want to be the most convenient potential suspect they have access to.

If you could log their IPs or other identifying data and anonymously forward suspicions to authorities that would take action on them, that could potentially be a viable option. But again I'd ask a lawyer.

[–] the_crotch@sh.itjust.works 5 points 1 day ago (1 children)

If you deleted the content the authorities have no evidence a crime was committed other than one witness saying "yes, totes CSAM". They're not going to be able to pursue the uploaders on that alone, and reporting it will only draw attention to yourself. If it was me I'd shut down or lock down the server and move on.

[–] Mubelotix@jlai.lu 3 points 22 hours ago

Good point, but I have to add technical details. The content I deleted was replicated media from federated rooms. Authorities could still join the group and get all the original information from the original server.

[–] neidu3@sh.itjust.works 77 points 2 days ago* (last edited 2 days ago) (1 children)

DO NOT call the police. They will confiscate the server as evidence, and lacking any other suspect, you will be their primary lead. Police aren't about convictions or justice, they want to consider a case solved.

By law, you are not liable. But because of law enforcement incentives, it will absolutely become your problem.

[–] the_crotch@sh.itjust.works 6 points 1 day ago

By law, you are not liable.

There are hundreds or thousands of different jurisdictions in the world. I don't think you can say this confidently unless you know exactly where OP's server is located.

[–] Geodad@lemm.ee 47 points 2 days ago

Nah, the police are not your friend.

[–] MTK@lemmy.world 11 points 1 day ago

You can try this https://www.iwf.org.uk/en/uk-report/

I would suggest doing it with the Tor Browser so as not to be associated with it in any way.

Sadly, without the actual content and giving your server away for forensics, this might not go anywhere. But! It can help build a case, especially if any of the PII (IP, username, etc.) you provide is already being investigated.

[–] BCsven@lemmy.ca 25 points 2 days ago

Anonymously report them. Don't call the police; they will come and take the server.

[–] ashaman2007@lemm.ee 27 points 2 days ago

The openSUSE Matrix server had this happen last year, and the admins came up with a good solution of bots that seems to keep things very clean now. I'm sure they might be happy to help if you asked in their admins group.

[–] HelloRoot@lemy.lol 21 points 2 days ago* (last edited 1 day ago) (6 children)

Probably should have given all of the evidence to the police instead of deleting some of it.

In most western jurisdictions platform operators are not liable for user content, (as long as they cooperate with the authorities) so nothing for you to worry about.

Next time, don't do anything, no deleting, no blocking, contact the police and ask them what they would like you to do. Maybe they'd even want to let them keep posting for a while to gather more data on the offenders, but idk how they deal with selfhosted stuff tbh.

(this is not legal advice)

(Also I totally understand that you don't want your other users seeing that kind of stuff. I know nothing about the Matrix moderation tools, so maybe the media is on the server db somewhere ... might be relevant to figure that out)


Edit: this does not apply if you live in an authoritarian police state or third world country, like OP apparently does.

[–] null_dot@lemmy.dbzer0.com 58 points 2 days ago (1 children)

I would think very carefully before contacting the police. I am not suggesting that you should provide a safe harbor for people sharing CSAM, or obfuscate their crime. You absolutely should take action, but carefully weigh your options before calling the police.

While it may (possibly!) be true in your jurisdiction that platform operators are not liable for user content, police aren't on "your side". Even if you assume the highest standards of professionalism from them, they need to represent the interests of the victims (not you) and need to diligently investigate the crime. That means they need to confirm beyond reasonable doubt that you are not involved beyond operating the host.

Just because you self-disclose does not mean that you are innocent. You could've been actively participating and when threatened with blackmail you've decided to self-disclose to avert guilt.

Another consideration is what else I have on my server. I'm catch and release for pirate movies and TV these days so there's only 100gb or so. I do have several hundred pirate audiobooks though. Deleting all that before handing my server over will look very suspicious.

With all of this in mind, the only course of action is to talk to a lawyer. A lawyer will know exactly what laws are relevant, and can guide you through the process of self-disclosure while minimising the imposition on you.

[–] Mac@mander.xyz 19 points 2 days ago* (last edited 2 days ago)

I would consult with a lawyer even now after the fact.

[–] unexposedhazard@discuss.tchncs.de 48 points 2 days ago (2 children)

Horrible advice. Atrociously bad. Don't talk to the cops without consulting a lawyer.

[–] SkyezOpen@lemmy.world 6 points 1 day ago

"Hello police I have a server full of cp, oh get in the van? OK."

[–] Lost_My_Mind@lemmy.world 34 points 2 days ago (1 children)

I mean......I get where you're coming from, but fuck that!

I'd have deleted the entire matrix server entirely. Washed my hands of the entire thing.

Because you can go to the police, and say "There's child porn on MY server", and the cops MIGHT work with you to catch the people actually posting it.

OR

They might take the easy way. There's a guy here, saying he's hosting a server with child porn. Arrest him, because we know who he is, and call it a win in the media. Yes, that's not how the law works...but it's how lazy and corrupt cops work.

Cops are never your friend. I'd avoid any interactions with them that you can.

[–] earphone843@sh.itjust.works 2 points 1 day ago

Yeah, I'd DBAN the drives and everything.

[–] rc__buggy@sh.itjust.works 18 points 2 days ago

If you have a problem and call the police, now you have two problems. That's not just cliche, it's true.

Don't call the cops, call a lawyer.

[–] EarMaster@lemmy.world 2 points 1 day ago

This is bad advice. Do not listen to this guy.

[–] NeoNachtwaechter@lemmy.world 15 points 2 days ago (1 children)

Probably should have given all of the evidence to the police instead of deleting some of it.

Or maybe not. ...

In most western jurisdictions platform operators are not liable for user content

Around here, OP would then automatically be a suspect for possession of the material. Possession is a crime. And that is far from funny. Better have a very good lawyer from minute 1.

[–] MTK@lemmy.world 4 points 1 day ago (1 children)

Out of curiosity, did you host your server as a public one that is advertised as open to all? Or did you just not set access controls and someone just found it?

[–] Mubelotix@jlai.lu 8 points 1 day ago

No, it was not advertised nor listed anywhere. They found it

[–] j4k3@lemmy.world 18 points 2 days ago (3 children)

Search for posts or contact db0. IIRC they worked with LW admin and others to create a filter for this using a very small AI model. It should be on their Git.

[–] db0@lemmy.dbzer0.com 13 points 2 days ago

I didn't work with an LW admin. I built this on my own (well, as part of Haidra).

[–] walden@sub.wetshaving.social 12 points 2 days ago (1 children)

Are you thinking of Lemmy? OP had it on their Matrix chat server.

[–] j4k3@lemmy.world 14 points 2 days ago

Abstract solutions for content recognition with a bot on a server is not a platform specific issue. The dev is skilled and likely on Matrix too.

[–] ocean@lemmy.selfhostcat.com 1 points 2 days ago (1 children)

How would that “admin” be helpful on matrix?

[–] j4k3@lemmy.world 11 points 2 days ago

It is a bot that identifies CSAM images. They are a very skilled dev. The problem is content recognition on a server. So in abstract, it is the same problem.

[–] Bgugi@lemmy.world 8 points 2 days ago

Contact a gym, delete a lawyer, hit the Facebook.