On our latest episode of Security Nation, we spoke with a true hero: Chris Hadnagy, founder of the Innocent Lives Foundation. He works as a social engineer, helping to advance understanding around the field and why it’s the No. 1 attack vector in technology. Chris is also the founder and CEO of socialengineer.org, founded the social engineering village at DEF CON, and runs the Human Hacking Conference. We spoke with Chris about his charity, the Innocent Lives Foundation, and its work to catch perpetrators of child pornography.
What is the Innocent Lives Foundation?
The Innocent Lives Foundation is focused on gathering professionals from the infosec community that can find things that don’t want to be found. The foundation works closely with law enforcement on both the federal and local level to uncover perpetrators of child pornography and ensure they receive justice.
Chris started the foundation after a pen test in which he and his security team found an IP address tied to pretty constant Tor traffic, which they uncovered quickly was not related to the business organization’s operations. They recommended to the company owner that he install a keylogger on the computer that was being used for the Tor traffic. The owner found out that the employee was using their computer to transmit videos of child pornography over the Dark Web.
Chris and his team contributed directly to the arrest of the individual, which led to more work finding and turning in perpetrators of these crimes. After a few similar experiences, he started to wonder if there were other people in the infosec community who might be interested in committing to this same sort of work. After speaking with a few close friends as well as a lawyer, Chris decided to start the foundation. He announced the foundation at DEF CON 25, and found a warm reception, including over 300 people volunteering to help out then and there. The charity also received support from leading tech companies, which donated server space and funds to get the foundation up and running.
Now, the organization includes two full-time employees, with a third on its way, and dozens of volunteers. In 2019 alone, the team handed more than 70 cases over to law enforcement that resulted in the arrest of predators. The foundation is committed to doing this work without receiving credit from law enforcement or recognition in the news media. They are also very explicitly not a vigilante group, and work strictly with law enforcement to ensure that criminals are arrested rather than simply shamed or outed.
While the work they do to catch criminals involved in human trafficking and child pornography is fulfilling, it’s also extremely difficult. Chris set up the company carefully, including support from therapists and counselors to ensure his team gets help with the emotional issues surrounding their efforts. The volunteers who are on the frontlines doing the research into criminals have to agree to meet with a therapist at least once a month.
How to volunteer
People who are interested in volunteering can visit the Innocent Lives Foundation website and sign up to be either a technical volunteer or a non-technical volunteer. According to Chris, what the team really needs in a technical volunteer is someone who uses open-source intelligence (OSINT) daily and has been successful at researching people. People who aren’t necessarily as experienced with OSINT can also be useful in other ways, such as marketing or fundraising.
There is an extensive vetting process for becoming a volunteer. The process starts with the volunteer’s application being looked over by a small group of employees who determine whether if the individual is a fit. After that, the team has a video meeting with the volunteer to describe the onboarding process and see if they want to continue. The volunteer then receives the $0 employee agreement that serves as an NDA and allows the foundation to do background checks. The volunteer also signs a medical release form that allows the therapists to get their medical records if necessary.
Once the form is signed, the team conducts a full criminal, financial, and federal background check on the volunteer. The volunteer is informed of the results of the background check in a meeting, and then is given a skills assessment. If everything checks out, the foundation gives the volunteer a virtual desktop infrastructure (VDI) within the organization and is then trained on how to use it. From there, they’re given their first case. All told, the onboarding process can take several weeks.
Volunteers are allowed to work as much as they can, and can leave the organization whenever they want. Some volunteers give as much as 30 hours a week, while others can only give five or six, depending on their regular occupations and other considerations. Although volunteers can take a break and come back, they have to undergo a new round of background checks if the break is longer than six months.
If you’re interested in learning more about the foundation, volunteering, or making a donation, visit InnocentLivesFoundation.org. If you’d like to hear the full interview with Chris, listen to the podcast here. (WARNING: The podcast contains some sensitive material. Listener discretion is advised.)