Patterns of ownership of child model sites: Profiling the profiteers and consumers of child exploitation material
First Monday

Patterns of
ownership of child model sites: Profiling the profiteers and consumers
of child exploitation material by Paul A. Watters, Christopher Lueg,
Caroline Spiranovic, and Jeremy Prichard

Recent research has indicated that cybercrime thrives when a corrupt social, economic, and political environment emerges such that law enforcement impact is minimised and key elements of crime prevention are absent. In this paper, using a snowball methodology we analyse patterns of ownership of “child model” sites which generate profits from advertising and/or subscriptions. While the material may not be traditional “pornography” in content, it is arguably exploitative. An open question is how the material compares to “beauty pageant” and other highly stylised mainstream photography that depicts children in adult situations, and whether access to all such material should be restricted.


Discussion and conclusions




To a large extent, the Internet lacks many of the controls that are effective in reducing crime in the “real world”, such as the absence of suitable guardians (including law enforcement). Shapiro (1999) suggested that many “mediaries” become redundant after the Internet enabled direct communication between buyers and sellers and also peer–to–peer networks. A key aspect of that is the loss of control that was previously provided by a suitable guardian, e.g., by a news agent refusing to sell “adult” magazines or cigarettes to teenagers. The problem is exacerbated by the emergence of political regimes which provide an environment conducive to cybercrime. A previous study (Watters, et al., 2012) identified two clusters of countries in Eastern Europe and the Baltic states as providing the ideal environment, including apparently high levels of official corruption accompanied by high economic growth, as well as high level of scientific and technical training and expertise.

Cybercrime will grow where this is strong demand and no means to reduce it. In a previous study, we found that demand for child exploitation material on the Internet was startlingly high (Prichard, et al., 2011). Supply reduction strategies — of the kind waged on the “war against drugs” — appear to have been ineffective.

Child exploitation is a growing area of cybercrime, despite investment in prevention and detection strategies. Child exploitation material (CEM) — as described by the COPINE scale (Quayle, 2008) — can range from non–erotic and non–sexualised pictures of children depicted in swimwear or underwear in normal settings (“non–extreme CEM”), through to nudity, assault, sadism and bestiality (“extreme CEM”). On the basis of COPINE, material “indicative” of CEM at the lowest level may depict children in swimwear, underwear and playing in normal settings, where the intent of the collector in organising images may indicate their intent. Federal legislation in Australia provides definitions of CEM that include sexual pose, or material where the dominant characteristic is a depiction of a sexual organ, female breasts or the anal region [1]. Assuming that the prevalence of such material is distributed over time in a power law fashion, the majority of images might be expected to be non-extreme CEM at the lower end of the COPINE scale, whereas a much smaller number will be at the upper end of the scale (extreme CEM) [2]. However, this assumption does not discount the possibility that, for example, a high prevalence of extreme CEM images might appear online over a short time period.

At the same time that law enforcement focus has been on “child pornography”, a parallel stream of thought has grown in opposition to the use of children in legitimate adult modelling, where children as young as ten are often dressed in adult clothes, and portrayed in settings which indicate sexual desire or activity. The most prominent recent example is Thylane Blondeau, a 10–year–old who was dressed in gold stilettos, heavy make–up, a blouse opened all the way down the front and sprawled across leopard skin bedclothes (Daily Mail, 2011). Far from being an isolated incident, many fashion magazines routinely recruit preteens to model as adults in a sexualised milieu. This category of advertising might be termed “sexual hothousing”.

Of course, some forms of corporate advertising involve children and adolescents in, for example, modelling children’s clothing, including pyjamas or underwear. While such material may fuel paedophilic fantasies, their appearance is innocuous to most viewers (Krone, 2005) — and indeed those generating the images are not seeking to generate sexual overtones. Sexual hothousing media, by contrast, involves reasonably transparent intentions to sexualise the pre–teen child. It seems difficult to distinguish between the content and themes of such material when compared with material which is labelled “child exploitation”.

A related and expansive discourse exists concerning the boundaries between art and pornography. Indeed, Australian police officers seized and investigated the photographs of a 13–year–old girl taken by Bill Henson — who has exhibited at the Solomon R. Guggenheim Museum in New York, Venice Biennale, and Bibliothèque Nationale in Paris — which were part of a legitimate art gallery exhibition (Herald Sun, 2008). No charges were eventually laid. There appear to be deep questions about the depiction of children in art, fashion magazines or on the internet which must eventually be dealt with at a policy rather than a law enforcement level. At the same time, there is an ongoing debate in the literature around the need to protect children versus the need to recognise sexual agency of children (e.g., Egan and Hawkes, 2009). Government agencies in Australia (e.g., Rush and La Nauze, 2006), the U.S. (American Psychological Association, 2007) and the U.K. (e.g., Papadopoulos, 2010) have all released high–profile reports in recent years concerning the sexualisation of children and young people via popular culture and consumer advertising.

While many studies have attempted to quantify the extent of CEM in general on the Internet, ours is the first study to focus on (a) the nature of legitimate “child model” Web sites that specialise in non–extreme CEM; and, (b) the profile of the users of such sites. Such sites have been available on the internet for many years, and first received wide publicity following a Wired article (Scheeres, 2001), which reviewed sites like “L’il Amber” (11 years old) — for a US$25 per month fee, subscribers could access photos and videos of Amber “posing in a bikini on a faux bearskin rug” or “dancing and running around”, and so on. One of the site owners was quoted as saying “This is definitely not kiddie porn ... . None of our sites have naked children”. Under Australian federal law, there is no requirement for child pornography to involve nudity, so this seems to be a false presumption. A U.S. case found that even when genitals are covered, exhibition or focus could still form the basis for depicting child pornography (U.S. Courts of Appeals, 1994). Such sites are clearly profitable; even 11 years ago, Scheeres reported that one site was receiving 20,000 hits per day to view a “Spice girls” themed video.

Based on the analysis by Watters, et al. (2012), we hypothesise that the countries and regions identified by a “top–down” analysis of the cybercrime environment would be strongly represented among the owners of sites involved in the sale of CEM. “Top–down” here means that an environment conducive to cybercrime can arise from a combination of social, economic and corruption factors, such as having economic growth being accompanied growth in corruption, while also increasing the number of graduates in science and technology. This hypothesised over–representation of former Soviet and Eastern European countries is supported by the work of Latapty, et al. (2009) who found that the ratio of P2P query searching for non–CEM versus CEM was highest for Russia (1.35 percent) with the next highest being the U.S. (0.59 percent). The search terms were verified as CEM by using a panel of 21 experts from Europol and the National Center for Missing and Exploited Children. Although much CEM appears to be traded underground, almost using a barter–style system, we wanted to explore the lowest (COPINE) level of this material — non–extreme CEM — which does appear to be readily available, and which may be drawn from entirely legitimate sources (such as social media). For example, a collector might assemble photographs of children in swimming costumes by searching for public images from swimming school Web sites, and make this available for sale. While extreme CEM is the most disturbing since it is associated with the greatest harm, the gap between sexualised images being used for advertising and non–extreme CEM may be less than expected. Indeed, many of the sites hosting “child model” sites go to great lengths to emphasise that they are not pornographic, containing only “non–nude” images. They are also able to generate significant revenue through monthly subscriptions, and operate within the legitimate economy, since the sites are able to process credit card payments, for example. This is quite distinct from the “underground” nature of many extreme CEM sites (Zook, 2003).

In this paper, we present the results of a pilot study, and further indicate what improvements could be made to enhance the technique and provide better insight into the nature of the threat landscape.




We used a snowball sampling technique to identify 20 distinct sites based on a seeded search of Google with an initial query term commonly used within the non–extreme CEM subculture [3]. A snowball sample starts with a single seed target, the analysis of which then produces new targets at the second level, based on extracting hyperlinks for related sites. Those sites are then analysed to produce the next set of hyperlinks at the third level, and so on. Snowballing is very effective in identifying sites which are linked thematically, since it replicates the path that a normal user might traverse through the network in their search for CEM, but it does suffer from biases, and in no way represents a random sample.

Our snowballing returned the most popular site when Google was queried with a known search term for child model sites, i.e., those containing non–extreme CEM. Such sites operate as legitimate businesses, charging subscription fees for “full access” to the site, after providing a number of sample images free of charge.

The textual content of the seed site was downloaded and verified as containing “child model” references, including the age of the children depicted in the images indexed on the site. The domain names of sites that were linked to the seed site, and which contained comparable descriptions, were then added to the sample. Links from those sites were then further analysed and added to the sample if they contained material with the same theme, and if the site was not already present in the list. Since many sites had the same “owner”, we investigated more than 100 unique sites to reach the target of 20 distinct sites.

Only three iterations were necessary to establish the sample. The domain names were then submitted to the WHOIS database so that their registrar and owner’s details could be obtained. The results were then tabulated.

We then established the volume of visitors to these sites, and data about the relative popularity of the sites was obtained from, which monitors traffic out of 30 million domains worldwide. The rank can be used to determine the relative popularity of each site. We also collected the Web reputation and safety scores from multiple providers about each site, and profiled user behaviour on the site, based on data from, including primary country of visitors, average time on site and average page views.

At no time were any photos downloaded from any of the sampled Web sites and as noted above, only the text of the seed site was downloaded.




Although the Domain Name System (DNS) is meant to be transparent, in fact, the owners of many sites that we sampled hid behind “domain privacy”, where the registrar acts as a contact proxy for the owner. Most legitimate sites will provide their details publicly. In this study, we found three key sites were being used to provide “privacy protection” for their owners; two of these sites were based in Australia, and one in the U.K. Of the remaining 17 sites, none were registered in the U.K. or Australia. Thus, registrants appear to be using cross–jurisdictional boundaries to protect their identities.

The country of registrant for the remaining 17 sites with unique owners is shown in Table 1. Overall, the U.S. had the highest number of registrants, although as a bloc, the countries predicted by Watters, et al. (2012) — Russian, Ukraine and Latvia — comprised 41 percent. Also of interest was the selection of remote or island sites like the Bahamas or Seychelles, and the use of Africa as a base. These locations may also offer generous tax advantages for businesses based there, where their revenue is primarily derived outside of that country. The Netherlands has a well–known pornography industry (with 3.6 percent of all adult domains globally; Zook, 2007) and also had three sites in the sample.


Table 1: Registrant countries.
United States4


Extended data from and the other data providers was not available for five sites, so the data from the remaining 15 sites was analysed. Table 2 shows the results for Alexa Rank and Google Pagerank. The lowest ranked Alexa site (i.e., the most popular) was 62,490, placing it in the top 0.21 percent of all domains by popularity. The media rank was 179,602, or within the top 0.6 percent of sites.

The Pagerank results were very interesting: only three sites were indexed by Google, meaning that the only way users would know about their existence would be following referrals from the ranked sites, or by word of mouth. None of the sites excluded the index page using the robots exclusion standard (robots.txt). Web sites can exclude themselves from being spidered by using the “robots.txt” exclusion standard. Although our initial sample site had a pagerank of one, the highest rank in the sample was a three. The fact that that 85 percent of the sample was not indexed by Google indicates that much of the material is not available directly to users through Google, but that referrals from higher–ranked sites play a key role in directing users to the “darker” (i.e., non–indexed) parts of the Web. It is important to note that only Google indexing was checked during this study, and we acknowledge that the overlap with other search engines may be limited (Spink, et al., 2008).


Table 2: Site visits and ranking.
Domain numberAlexa rankAlexa percentile rankGoogle pagerank
163,9660.21%1 — Low
2179,0310.60%0 — Not indexed
3222,4530.74%0 — Not indexed
4322,1061.07%0 — Not indexed
5571,7741.91%1 — Low
6113,0820.38%0 — Not indexed
9171,9320.57%0 — Not indexed
1162,9400.21%0 — Not indexed
1296,9570.32%3 — Average
14368,7661.23%0 — Not indexed
1591,0180.30%0 — Not indexed
16872,3322.91%0 — Not indexed
17265,7890.89%0 — Not indexed
18388,0381.29%0 — Not indexed
20179,6020.60%0 — Not indexed


The safety analysis results are shown in Table 3. None of the sites labelled themselves as having pornographic content, for example, by using ICRA (Internet Content Rating Association) labels. Indeed, the sites went to great lengths to describe themselves as not containing pornography of any kind. Google SafeBrowsing (https://developers. detects phishing and malware pages and none were identified in the sample, although AVG LinkScanner did provide a warning for one site. More concerning was the variance among the Web page “safety” sites; in most cases, the pages were flagged as “very poor” or “undesirable”, but in three cases they were marked clearly as “safe”. An effective 20 percent false negative rate indicates the grey area in which these sites operate, since site metadata and content terms associated with legitimate modelling and often emphasises that they are “not porn”. It appears that the safety tools might be very good at detecting extreme CEM but perform less well when identifying non–extreme CEM.


Table 3: Safety analysis.
Domain numberGoogle SafeBrowsingAverage AntivirusWOT (Web of Trust) ratingMcAfee SiteAdvisorChild Safety
1SafeSafeVery poorAlertVery poor
2SafeSafen/aAlert n/a
3SafeSafeVery poorAlertVery poor
4SafeSafeVery poorAlertVery poor
5SafeSafen/aAlert n/a
6SafeSafePoorSafe Very poor
9SafeSafeVery poorn/aVery poor
11SafeSafeVery poorWarningVery poor
12SafeSafeVery poorWarningVery poor
14SafeSafen/a Warningn/a
15SafeSafeVery poorn/aVery poor
16SafeSafeUndesirable AlertPoor
17SafeSafePoor AlertVery poor
18SafeSafeVery poorSafeVery poor
20SafeWarningn/a Safen/a


The user profile (see Table 4) is insightful: in all cases except one, the most prevalent users were from the U.S., with a median 39.25 percent, whereas North Americans (including Canadians) comprise only 12.0 percent of Internet users [4]. “Most prevalent” here means the country with the highest overall proportion of users. The median site visit was only 40 seconds, with a median 1.6 pageviews. Presumably, after reviewing the “smorgasbord” of links available, users are then clicking through to other sites which host the content.


Table 4: User profiles.
Domain numberAverage time on siteUser pageviewsMost prevalent countryPercentage of most prevalent users
60:181.21U.S.47.1 %
111:563.6U.S.41.8 %
120:512.4U.S.44.2 %
140:351.3U.S.38.7 %
150:401.3China29. 7%
170:391.5U.S.39.8 %
181:264.5U.S.46.2 %




Discussion and conclusions

This paper explored the characteristics of non–extreme CEM (“child model”) sites and presented a basic profile of their users. For site owners, we found:

  • Many site owners rely on “privacy protection” to obscure who owns the site
  • The largest bloc of identifiable site owners were based in former Soviet states
  • Some site owners were based in known tax havens
  • 85 percent of sites sampled were not indexed in Google, meaning that users can only find them by referrals
  • Safety tools which flag sites as being safe/not–safe found non–extreme CEM difficult to classify (such tools work well for extreme CEM and mainstream pornography)

For site users, we found:

  • The most prevalent users were from the U.S., with a median of 39.25 percent
  • Most site visits were quite short (median = 40 seconds), with a median of 1.6 pageviews, since they were primarily indexing or sample sites

The results support the hypothesis that cybercriminals within the former Soviet countries are involved with the sale and distribution of CEM (41 percent), as predicted by Watters, et al. (2012), but the most prevalent users are from the U.S. (39.25 percent). These results are consistent with the results of Latapy, et al. (2009) who found the highest query rate for CEM versus non–CEM P2P searches were for the U.S. and Russia. The results also reveal the global extent of the problem, with remote islands (including those with political turmoil) being selected as the base for operations. Alternatively, a number of cybercriminals also operate from the U.S. It is not clear how many of these people are actually involved in running a given site, taking and collecting photographs, and so on, or whether they are simply “fronts” for a more complex backend operation which itself may span continents and jurisdictions. Indeed, the fact that so many sites are hiding behind privacy provisions in countries other than those where registration occurs supports the idea of geographic and political segmentation of operations to reduce risk.

With respect to supply reduction, given the geographic spread, it may be difficult to enforce. Variations in page safety ratings make it difficult for automated systems to determine whether a site is “safe” or not, especially when site owners are working hard to legitimise the content of their sites, avoiding the use of terms associated with pornography. Further qualitative analysis on site content could lead to the derivation of Bayesian decision rules to enhance the filtering of such sites (Ho and Watters, 2005; 2004), but filtering alone is a very blunt instrument. The key question remains how to reduce demand for this material as identified in our research (Prichard, et al., 2011).

In terms of global Internet policy, it should be mandatory for all registrants to make their details publicly available, and also for registrars to ensure that registrants are actually residents in a given country of registration and that they are carrying on a business. This would incur significant additional costs on registrars, and would only be feasible if backed up by legislation and enforcement. While this may work in democracies with a proven track record of enforcement, it may simply force operations off–shore and into countries with more favourable regimes. Certainly, operators in Russia, Ukraine and Latvia very openly recorded details and did not appear to be concerned about legal issues.

There are limitations to this paper’s methodology. Statistics gathered by third parties, such as Alexa, are more limited than those available through direct analysis of site logs (Watters, et al., 1998). The use of anonymising techniques may also reflect that more users access anonymous proxy servers in the U.S. than elsewhere. Further work is needed to link specific individuals on the basis of structured and unstructured data more broadly in cybercrime (e.g., Layton, et al., 2010).

From a situational crime prevention perspective, forcing domain registration into the open would allow formal surveillance to be strengthened, and remove excuses for those involved in the trade as well as the utilisation of this material. However, a broader question remains — why do societies tolerate the sexual exploitation of children for commercial gain, whether through an underground/subcultural movement or more generally in the legitimate economy? How can a deeper understanding of market demand be used to reduce or eliminate the desire for this material? End of article


About the authors

Dr. Paul A. Watters is the Director of the Internet Commerce Security Laboratory (, which is a joint venture between the Australian Federal Police (AFP), Westpac Banking Corporation, IBM, State Government of Victoria and University of Ballarat. Dr. Watters is also Associate Professor of Information Security at the University of Ballarat, and was previously Director of Postgraduate and Professional ICT Programmes at Macquarie University, and Head of Data Services at the U.K. Medical Research Council’s National Survey of Health and Development, the longest–running longitudinal health study in the world. He is a Fellow of the British Computer Society, a Senior Member of the IEEE, and a Chartered IT Professional.
E–mail: p [dot] watters [at] ballarat [dot] edu [dot] au

Christopher Lueg is Professor of Computing in the School of Computing & Information Systems at the University of Tasmania.

Caroline Spiranovic is Research Assistant Professor in the Faculty of Law at the University of Tasmania.

Jeremy Prichard is Lecturer in the Faculty of Law at the University of Tasmania.



We acknowledge the assistance of Aaron Herps in bulk extracting WHOIS data. Paul A. Watters is funded by the Australian Federal Police, Westpac and IBM.



1. Criminal Code Act 1995, Division 473.1 (a)–(c).

2. A power law describes the distribution of many phenomena such that small events are extremely common but large events are quite rare. An example is the uneven distribution of wealth, where 20 percent of the population might control 80 percent of the wealth, if wealth was distribution follows a Pareto distribution (Kafri, 2008).

3. Bona fide researchers can contact the research team for details of the terms used and the sites visited, but they are not reproduced here for ethical reasons.

4. http://www.



American Psychological Association, 2007. “Sexualization of girls,” at http://www, accessed 20 January 2013.

Daily Mail, 2011. “Far too much, far too young: Outrage over shocking images of the 10–YEAR–OLD model who has graced the pages of Vogue” (10 August), at http://www. Shocking-images-10-YEAR-OLD-Vogue-model.html, accessed 20 January 2013.

R.D. Egan and G. Hawkes, 2009. “The problem with protection: Or, why we need to move towards recognition and the sexual agency of children,” Continuum, volume 23, number 3, pp. 389–400.

Herald Sun, 2008. “Police seize child nude portraits” (24 May), at news/more-news/police-seize-child-nude-portraits/story-e6frf7kx- 1111116428934, accessed 20 January 2013.

S. Ho and P.A. Watters, 2005. “Identifying and blocking pornographic content,” ICDEW ’05: Proceedings of the 21st International Conference on Data Engineering Workshops, p. 1,181.

S. Ho and P.A. Watters, 2004. “Structural and statistical approaches to filtering Internet pornography,” Proceedings of the 2004 IEEE International Conference on Systems, Man and Cybernetics, volume 5, pp. 4,792–4,798.

O. Kafri, 2008. “Sociological and economic inequality and the Second Law,” Munich Personal RePEc Archive (MPRA) Paper, number 9175, at http://, accessed 20 January 2013.

T. Krone, 2005. “Does thinking make it so? Defining online child pornography possession offences,” Trends & Issues in Crime and Criminal Justice, number 299, at, accessed 20 January 2013.

M. Latapy, C. Magnien, and C. Fournier, 2009. “Measurement and analysis of P2P activity against paedophile content,” at, accessed 20 January 2013.

R. Layton, P.A. Watters, and R. Dazeley, 2010. “Authorship attribution for Twitter in 140 characters or less,” CTC ’10: Proceedings of the 2010 Second Cybercrime and Trustworthy Computing Workshop, pp. 1–8.

L. Papadopoulos, 2010. “Sexualisation of young people review,” at cm_docs/2010/s/sexualisationyoungpeople.pdf, accessed 20 January 2013.

J. Prichard, P.A. Watters, and C. Spiranovic, 2011. “Internet subcultures and pathways to the use of child pornography,” Computer Law & Security Review, volume 27, number 6, pp. 585–600.

E. Quayle, 2008. “The COPINE Project,” Irish Probation Journal, volume 5, pp. 65–83.

E. Rush and A. La Nauze, 2006. “Corporate paedophilia: Sexualisation of children in Australia,” Australia Institute, Discussion Paper, number 93, at http://www., accessed 20 January 2013.

J. Scheeres, 2001. “Girl model sites crossing line?” Wired (23 July), http://www., accessed 20 January 2013.

A.L. Shapiro, 1999. The control revolution: How the Internet is putting individuals in charge and changing the world we know. New York: PublicAffairs.

A. Spink, B.J. Jansen, and C. Wang, 2008. “Comparison of major Web search engine overlap: 2005 and 2007,” Proceedings of the 14th Australasian World Wide Web Conference, at, accessed 20 January 2013.

U.S. Court of Appeals, 1994. “United States v. Stephen A. Knox,” U.S. Court of Appeals for the Third Circuit, on appeal from the U.S. District Court for the Middle District of Pennsylvania (D.C. Crim. No. 91–00074), at, accessed 20 January 2013.

P.A. Watters, M.F. Watters, and S.C. Carr, 1998. “Evaluating Internet information services in the Asia–Pacific region,” Internet Research, volume 8, number 3, pp. 266–271.

P.A. Watters, S. McCombie, R. Layton, and J. Pieprzyk, 2012. “Characterising and predicting cyber attacks using the Cyber Attacker Model Profile (CAMP),” Journal of Money Laundering Control, volume 15, number 4, pp. 430–441.

M.A. Zook, 2007. “Report on the location of the Internet adult industry,” In: K. Jacobs, M. Janssen, and M. Pasquinelli (editors). C’lick me: A netporn studies reader. Amsterdam: Institute of Network Cultures, pp. 103–112, at http://www., accessed 20 January 2013.

M.A. Zook, 2003. “Underground globalization: Mapping the space of flows of the Internet adult industry,” Environment and Planning A, volume 35, number 7, pp. 1,261–1,286.


Editorial history

Received 29 November 2012; accepted 12 January 2013.

Copyright © 2013, First Monday.
Copyright © 2013, Paul A. Watters, Christopher Lueg, Caroline Spiranovic, and Jeremy Prichard.

Patterns of ownership of child model sites: Profiling the profiteers and consumers of child exploitation material
by Paul A. Watters, Christopher Lueg, Caroline Spiranovic, and Jeremy Prichard
First Monday, Volume 18, Number 2 - 4 February 2013

A Great Cities Initiative of the University of Illinois at Chicago University Library.

© First Monday, 1995-2019. ISSN 1396-0466.