On October 13, 2008, the President signed the PROTECT Our Children Act, which expands existing child pornography reporting requirements and enhances the government's ability to prosecute producers and traffickers of child pornography. Title V of the new law, which was previously known as the Combating Child Exploitation Act of 2007, builds upon the child exploitation-related reports that providers of electronic communications services and remote computing services ("service providers") have been required to submit under 42 U.S.C. 13032, and must now submit pursuant to 18 U.S.C. 2258A. The portions of the new law that are directly relevant to service providers are as follows:

  • The PROTECT Our Children Act contains the following new requirements for service providers:
    • Data reported to the National Center for Missing and Exploited Children ("NCMEC") CyberTipline must be preserved by service providers. The newly created Section 2258A(h) requires service providers to treat report confirmation messages received from NCMEC as if they were preservation requests made pursuant to 18 U.S.C. 2703(f) for the reported data. Service providers must also preserve "any images, data, or other digital files that are commingled or interspersed among the images of apparent child pornography within a particular communication or user-created folder or directory." Preserved data must be maintained in a "secure" location, and access to that data must be restricted to activities required to comply with the preservation requirement.
    • Service providers and domain name registrars must minimize the number of employees that have access to any image reported to or received from NCMEC.
    • Any image reported to or received from NCMEC must be permanently destroyed if a law enforcement agency requests its destruction.
  • The PROTECT Our Children Act DOES NOT require the following:
    • Although Section 2258A(b) identifies detailed categories of data that service providers may include in their mandatory reports to the NCMEC, it does not require the inclusion of any of that data in the reports. Service providers are encouraged, but not obligated, to provide information within their control that may assist in identifying any individual or Web site associated with the apparent child exploitation, including: associated e-mail addresses; IP data; URLs; verified and/or user-reported identifying information; any image of apparent child pornography; and the complete communication containing any image of apparent child pornography (including any other attached data or files).
    • The law does not compel service providers to independently investigate or monitor customers' use of their services or customer communications for evidence of child exploitation.
    • If NCMEC sends "elements" of a child pornography image (including hash values, URLs or other unique identifiers) to a service provider, the service provider may use those elements for the limited purpose of stopping the further transmission of the images, but it is not required to do so. However, if a service provider uses image elements to conduct screening that results in the discovery of apparent images of child pornography, the service provider is still obligated to comply with its statutory reporting and preservation obligations.

In addition to the provisions described above, the law creates a safe harbor for service providers and domain name registrars, protecting them from claims "arising from the[ir] performance of the reporting or preservation responsibilities" under Section 2258A, unless the actions of the service provider/registrar (or an agent/employee thereof) involved intentional, reckless or other specified types of misconduct. The law also contains a threefold increase in the maximum penalties for knowing and willful failure to comply with reporting requirements ($150,000 for the first failure, $300,000 for subsequent failures).

The PROTECT Our Children Act is effective immediately and makes two other notable changes to the criminal code. First, the crime of "sexual exploitation of a child" now includes the transmission of live images of child abuse, and expands the definition of "visual depiction" to encompass any data capable of conversion into a visual image and transmitted by any means. Second, the law specifically prohibits the modification of images to create child pornography from a mixture of pornographic and non-pornographic images (for example, using Photoshop), thus criminalizing the depiction of an identifiable minor child in a pornographic image, despite the fact that the child at issue never actually engaged in the acts depicted therein.

A copy of the Act can be viewed at: http://www.sonnenschein.com/docs/docs_icdp/protect_act.pdf