
by Pierluigi Canino*
Introduction, Definition and Context of Revenge Porn
The phenomenon of “revenge porn” represents one of the most insidious forms of digital violence, with far-reaching legal, social, and technological implications. The non-consensual dissemination of intimate content not only severely violates the dignity and privacy of the victims, but it also raises complex issues in legal and cybersecurity domains. This article aims to provide a detailed and comparative analysis of the Italian, French, and German regulations regarding revenge porn, examining the legislative measures adopted, the challenges in law enforcement, and the role of institutions in protecting victims. The term “revenge porn” refers to the non-consensual sharing of sexually explicit images or videos, often by ex-partners with vengeful intent. This practice has evolved with the advent of digital technologies, making it easier to share such content and more difficult to remove it. The consequences for the victims are devastating, including psychological, social, and professional damage.
The Regulatory Framework: Italian Legislation and European Supranational Framework
The Italian legal system has introduced a specific criminal provision, Article 612-ter of the Criminal Code, titled “Unlawful Dissemination of Sexually Explicit Images or Videos,” introduced by Law No. 69 of July 19, 2019 (the so-called “Red Code”). It penalizes the dissemination, without the consent of the depicted person, of images or videos with sexually explicit content that were originally intended to remain private. The punishment is imprisonment from one to six years, along with a fine ranging from €5,000 to €15,000. The offence also covers dolo eventuale (conditional intent), and an aggravating circumstance applies when the act is committed by a spouse, even if separated or divorced, by a person who has or has had an intimate relationship with the victim, or through computer or telecommunication tools. The provision also punishes third parties who, though not involved in producing the material, contribute to its dissemination with the specific intent to cause harm.
On the administrative side, Article 144-bis of Legislative Decree No. 196 of June 30, 2003 (the Privacy Code), introduced by Law Decree No. 139 of October 8, 2021, grants the Italian Data Protection Authority specific emergency intervention powers. Within 48 hours of receiving a report, the Authority can urgently order the de-indexing, blocking, or removal of sexually explicit content distributed without consent, including on a temporary basis through provisional measures. This framework allows criminal and administrative protection to coexist, following a logic of complementarity and multi-level subsidiarity, so that administrative action takes immediate effect while the criminal investigation is still under way.
European Regulatory Framework: GDPR, DSA, and Directive Proposals
At the supranational level, the issue is first anchored within the systemic framework of Regulation (EU) 2016/679 (GDPR), which recognizes the non-consensual dissemination of personal, sexually explicit content as a serious violation of the right to privacy and informational self-determination of the data subject. Article 9 of the Regulation classifies data related to sexual life and sexual orientation as “special categories of personal data”, the unlawful dissemination of which can cause significant harm to human dignity, thereby legitimizing corrective actions by national supervisory authorities under Articles 58 and 83 of the GDPR. The protection of victims of revenge porn is also linked to Regulation (EU) 2022/2065 (Digital Services Act – DSA), which imposes enhanced due diligence obligations on online platforms concerning the management of illegal content, including that which falls under digital sexual violence. In particular, Article 16 of the DSA mandates platforms to provide notification and rapid removal mechanisms (“notice and action”), while Article 17 requires hosting providers to act promptly upon receiving a reliable report of illegal content. In terms of legislative policy, the proposal for Directive COM(2022) 105 final, relating to the fight against gender-based violence, aims to harmonize at the European level the criminal definitions of certain behaviors associated with revenge porn, as well as minimum standards of victim protection, including preventive and reparative measures. The proposal, currently under negotiation, specifically highlights online violence, introducing for the first time a harmonized legislative definition of “digital sexual violence.”
Role of Data Protection Authorities and Challenges in Enforcing Regulations
Data protection authorities play a crucial role in the fight against revenge porn. In Italy, the Data Protection Authority (Garante per la Protezione dei Dati Personali) has the power to order the immediate removal of illegal content from digital platforms, as provided by Article 144-bis of the Privacy Code. In France and Germany, the data protection authorities do not have powers as specific as those of the Italian one, but they collaborate with other institutions to address privacy violations and to support victims in the content-removal process.
Despite the existence of specific regulations in certain countries, the effective enforcement of revenge porn laws presents several challenges:
- Identification of Perpetrators: The anonymous nature of the internet complicates the identification of those responsible for the unlawful dissemination of content.
- Content Removal: Once content is online, its complete removal is difficult due to the speed with which it can be shared and replicated across various platforms.
- International Cooperation: The transnational spread of content requires effective collaboration between authorities in different countries, often hindered by legislative and procedural differences.
A notable case that attracted media attention involved the current Prime Minister of Italy, Giorgia Meloni. In 2020, deepfake pornographic videos featuring her face were disseminated online. Meloni took legal action, seeking a symbolic compensation of €100,000 to be donated to a fund for survivors of domestic violence. This case highlights the growing threat posed by digital sexual violence.
Tackling Revenge Porn in the European Union. Some insights on legal and operational differences with the UK model
The legal and operational approach to revenge porn shows significant differences within the European Union framework, primarily due to distinct regulations on data protection, privacy, and cybercrime. Within the European Union, the treatment of revenge porn focuses primarily on the protection of personal data and individual privacy, as outlined in the General Data Protection Regulation (GDPR). This regulation ensures that victims of revenge porn receive a high level of legal protection, imposing an obligation on online platforms to promptly remove unauthorized content, with regulated “takedown” procedures and the possibility of seeking compensation for moral and material damages. The GDPR classifies sexually explicit images and videos shared without consent as a violation of personal data (Article 9 GDPR), and victims can use this regulation to seek redress against the abuse. The NIS2 Directive (Network and Information Security), although it does not specifically address revenge porn, provides a regulatory framework that obliges online platforms and ISPs to ensure cybersecurity, preventing the dissemination of sensitive content. Moreover, the implementation of Cooperative Threat Intelligence platforms between the CERTs/CSIRTs of different member states allows for a coordinated response to revenge porn attacks, extending cooperation at the European level through agencies such as Europol and Eurojust.
In countries such as Italy, France, and Germany, the criminalization of revenge porn revolves around privacy violations, with the adoption of specific criminal laws such as Article 612-ter of the Italian Penal Code and the Loi contre la cyberviolence in France. In Germany, the Strafgesetzbuch provides penalties for the unauthorized distribution of sexual content, with the violation of privacy as an aggravating factor.
Transnational cooperation between law enforcement and legal authorities is facilitated by the European Cyber Crisis Liaison Organisation Network (EU-CyCLONe), which ensures a centralized and multidisciplinary management of revenge porn cases.
Outside the EU but still close to it, the United Kingdom's framework on revenge porn is worth noting, since it is characterized by more targeted and robust legislation that clearly distinguishes the crime of revenge porn from general violations of privacy and data protection. With the introduction of the Revenge Pornography Offence in 2015, through the Revenge Pornography Offence (Offensive Communications Act), the UK established direct criminalization of the distribution of intimate images without the consent of the person depicted. Unlike EU regulations, which focus primarily on data protection, the UK has opted for a specific penal response, with penalties of up to two years of imprisonment for offenders. This penal approach differentiates the UK, placing strong emphasis on the direct punishment of perpetrators rather than treating the harm as a violation of personal data. Victims of revenge porn in the UK can take legal action to obtain compensation and request the removal of content from online platforms, within a regulatory framework that also mandates the rapid removal of harmful content. From a data protection perspective, the Data Protection Act 2018 incorporates the GDPR, with some modifications resulting from Brexit, and regulates the management of personal information with a system that preserves the privacy of victims. The fundamental difference, however, is that while in the EU data protection is treated as a fundamental right and interventions focus on protecting confidentiality, in the UK the response is more reactive and focused on direct penal action against revenge porn.
Operationally, the European Union and the United Kingdom also differ in their methods of international cooperation. In the EU, cooperation between member states and cybersecurity agencies such as Europol and Eurojust enables coordinated large-scale efforts to combat revenge porn, also utilizing AI-powered takedown tools and hash-matching techniques to remove content quickly and efficiently. Online platforms, mandated by the Digital Services Act (DSA) to remove harmful content, are also required to follow cooperative threat intelligence protocols to prevent the dissemination of sensitive content. In the United Kingdom, by contrast, cooperation is facilitated by initiatives such as the National Domestic Violence Helpline and Secure Information Sharing Systems (SISS), which allow law enforcement to monitor and respond quickly to threats. Additionally, the adoption of the Online Safety Bill imposes new responsibilities on online platforms, requiring them to monitor and remove revenge porn content more directly.
Technical Dynamics and Cybersecurity Profile of Revenge Porn: Compromise Methods and Attack Vectors
Revenge porn, in its digital form, is characterized as a targeted attack on confidentiality (confidentiality breach) and, in some cases, the integrity (integrity violation) of personal information assets. The main methods of acquiring and compromising sensitive material include:
- Unauthorized access to personal devices: through techniques such as credential stuffing, brute-force attacks on cloud-based systems, or info-stealer malware (e.g., RedLine, Raccoon) delivered through phishing, smishing, or social engineering;
- Data exfiltration from messaging or cloud storage services: exploiting unprotected APIs, mismanaged JWT tokens, or session hijacking in environments such as iCloud, Google Drive, Telegram Desktop, etc.;
- Compromise through low-persistence spyware: often physically installed by the abusive partner on the victim’s device, which may perform keylogging, screenshot scheduling, or webcam access (e.g., FlexiSpy, mSpy), falling under the category of stalkerware.
Also, the dissemination of the materials often occurs on semi-public or pseudo-anonymous networks, such as:
- Decentralized imageboards (e.g., 4chan, 8kun, Ylilauta);
- Telegram channels with permissive policies, often used for cyber mobbing or doxxing;
- Onion-based services on the dark web, with hosting in bulletproof environments;
- Closed-access forums (closed boards) that operate on pseudonymous reputation systems.
These environments use content persistence mechanisms through resilient hosting techniques, including fast-flux DNS, distributed mirrors, and the use of Content Delivery Networks (CDNs) that make technical removal extremely costly, both in terms of time and jurisdictional capacity.
Takedown, Tracking, and ‘Mitigation’ techniques
The technical response to revenge porn is organized into three main areas: digital forensics, incident response, and cooperative threat intelligence. The main measures include:
- Hash-matching and fingerprinting: using algorithms like SHA-256 or Perceptual Hashing (pHash) to identify duplicate content on a large scale (e.g., tools like Google Content Safety API, Microsoft PhotoDNA, or AI-based systems from social media platforms);
- OSINT and SOCMINT investigation: for tracking the initial sources of publication, involving tools like Maltego, SpiderFoot, Recon-ng, combined with semantic NLP analysis to identify contexts and sharing networks;
- Takedown automation: involving automated Notice-and-Takedown procedures with CDNs and registrars, often mediated by AI-powered forms from platforms (e.g., Facebook and Twitter use the Lumen Database for managing reported content).
If the investigation leads to a criminal procedure, the seizure of evidence is carried out according to forensic imaging protocols (e.g., using FTK Imager, Autopsy, or X-Ways Forensics), ensuring the digital chain of custody in line with ENFSI and ISO/IEC 27037 guidelines.
Involvement of CERTs, PSIRTs, and Interinstitutional Structures
The increasing relevance of revenge porn as a cyber-social threat has led various incident response structures to expand their competencies:
- CERT-PA and CSIRT Italia conduct threat monitoring and collect Indicators of Compromise (IoC) related to botnets and phishing campaigns used to extort intimate material;
- PSIRTs from big tech companies (Meta, Google, Apple) collaborate with law enforcement for attribution and content tracking, integrating proactive abuse detection systems and sandboxing mechanisms for at-risk material;
- Hotlines and priority channels (e.g., Trust & Safety desk, STOPNCII.org program) allow victims to initiate immediate protection and takedown procedures, using unique content hashes without needing to re-upload the material (hash sharing without re-upload).
NIST SP 800-207, NIS2 Directive, and GDPR: Systemic Impact on Investigative Activities Related to Revenge Porn
The adoption of the Zero Trust Architecture (ZTA) paradigm, formalized in the NIST SP 800-207 document, introduces a structural shift in managing the surface of trust within public and private infrastructures. The founding principle — “Never trust, always verify” — requires granular access control, logical segmentation of information flows, and adaptive authentication based on contextual attributes.
In investigative contexts, this paradigm has two main impacts:
- Access control and advanced logging: Implementing ZTA forces public entities and platforms subject to US-EU regulations (under Article 45 of the GDPR) to maintain detailed and correlatable audit trails through SIEM (Security Information and Event Management) systems, which are crucial for reconstructing access events and the illicit distribution of sensitive material.
- Automation of forensic analysis with policy-based enforcement: Data segregation on a micro-segmented basis facilitates the isolation of compromised digital artifacts, improving the effectiveness of triage processes and preserving evidential value according to ISO/IEC 27043:2015 standards.
NIS2 Directive (EU) 2022/2555: Obligations for Essential Service Operators and Impact on Law Enforcement
The NIS2 Directive, transposed into national laws starting from 2024, extends cybersecurity obligations to a significant number of critical and important entities, including:
- ISPs, hosting platforms, and social media.
- Cloud service providers and CDNs.
- Domain registries and DNS providers.
From an operational perspective, NIS2 imposes:
- Strict incident notification deadlines (within 24 hours) for events involving the compromise of sensitive data, including unauthorized audiovisual private material (such as in revenge porn);
- Enhanced cooperation between CERT/CSIRT teams and law enforcement through Secure Information Sharing Systems (SISS) and EU-wide response networks (e.g., CSIRTs Network, European Cyber Crisis Liaison Organisation Network – EU-CyCLONe);
- Mandatory designation of an information security officer (CISO) even in private entities, who becomes the direct contact for forensic support and incident response (incident containment and post-mortem analysis).
Integration with GDPR and Implications for Revenge Porn
The coordination between NIS2 and GDPR materializes operationally through the interaction between Supervisory Authorities (e.g., the Italian Privacy Authority) and Computer Security Incident Response Teams in investigation and breach notification activities, on three provisions in particular:
- Article 33 GDPR requires notification to the Data Protection Authority within 72 hours of a data breach involving the unauthorized dissemination of personal data, including special-category data (Article 9 GDPR);
- Article 58 GDPR allows Data Protection Authorities to access system logs, encrypted communications, and media repositories — with or without the data subject’s consent — for judicial investigation purposes or to protect the public interest;
- Article 5(1)(f) GDPR, on integrity and confidentiality, is the conceptual link between cybersecurity and data protection, and directly supports the classification of revenge porn as a misuse of personal data.
This regulatory integration creates a dual system. On the one side, security and privacy by design are intertwined in digital infrastructures; on the other, forensic readiness becomes a necessary condition to ensure the effectiveness of judicial activities under Article 612-ter of the Penal Code.
Operational Convergences: Integrated Investigation Scenarios
A typical revenge porn investigation today combines multidisciplinary expertise, and a few technical elements recur. First and foremost, a certified forensic acquisition of physical and virtual media (PCs, smartphones, cloud storage) is performed using tools such as Cellebrite UFED, Magnet AXIOM, and XRY, following the principles of ISO/IEC 27041. SIEM flows (e.g., Splunk, QRadar) are then integrated to correlate access events, exfiltration attempts, and suspicious activities with precise timestamps and the metadata relevant as evidence. SOAR platforms (Security Orchestration, Automation and Response) are used to automate repetitive tasks such as crawling, identifying known hashes of compromised material, and notifying cloud operators. Not least, qualified threat intelligence feeds (e.g., MISP, OpenCTI, Intel 471) are crucial for detecting indicators related to systemic revenge porn campaigns on an international scale.
Digital platforms (Meta, Google, TikTok, Discord, Telegram, Reddit) likewise employ advanced technologies to counter the spread of non-consensual content. PhotoDNA (Microsoft) uses hashing and fingerprinting techniques to identify images previously flagged as abusive, even if modified (resized, converted, cropped). Hash matching and AI-assisted moderation systems, based on cryptographic hashes (SHA-256), perceptual hashes and NLP/CV models, are employed to detect at-risk content or repeated reports from users. Some platforms (e.g., OnlyFans, TikTok) use predictive “red flag” AI systems to preemptively block suspicious content based on metadata, contextual analysis, and anomalous upload patterns. Among digital forensics tools, Autopsy, Cellebrite, Magnet AXIOM, and X-Ways are used by law enforcement for the collection, preservation, and analysis of evidence in revenge porn cases, including the extraction of content from devices, the identification of dissemination channels, and IP traceability.
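As an added illustration (not code from this article or from any of the services it names), the following Python sketch shows why the hash-sharing desks and platform matching systems described above rely on perceptual rather than cryptographic hashes: a SHA-256 digest changes as soon as a re-uploader resizes the file, while a perceptual hash (here a simple average hash standing in for DCT-based pHash or PhotoDNA) stays within a Hamming-distance threshold. The synthetic images, the case identifier and the 10-bit threshold are constructed assumptions; the platform-side `HashList` holds only hashes computed on the victim's device, never the material itself.

```python
import hashlib

# A grayscale image is a list of rows of 0..255 values (a stand-in for decoded pixels).

def gradient_image(width=64, height=64):
    """Constructed stand-in for a photo: a diagonal brightness ramp with mild texture."""
    return [[2 * x + y + (7 * x + 13 * y) % 5 for x in range(width)]
            for y in range(height)]

def checkerboard_image(width=64, height=64, block=16):
    """Constructed unrelated image, used to check that distinct content is not flagged."""
    return [[170 if (x // block + y // block) % 2 else 30 for x in range(width)]
            for y in range(height)]

def resize_nearest(img, new_w, new_h):
    """Nearest-neighbour resize: the kind of edit applied to a file before re-posting."""
    h, w = len(img), len(img[0])
    return [[img[y * h // new_h][x * w // new_w] for x in range(new_w)]
            for y in range(new_h)]

def sha256_hex(img):
    """Exact (cryptographic) hash: any change to pixels or dimensions gives a new digest."""
    return hashlib.sha256(bytes(v for row in img for v in row)).hexdigest()

def average_hash(img, grid=8):
    """Perceptual average hash: box-average the image onto a grid x grid mosaic and set
    one bit per cell when that cell is brighter than the mosaic mean. Unlike SHA-256 it
    survives resizing and re-encoding (it does not survive heavy cropping; pHash/PhotoDNA
    are more robust, but the matching logic below is the same)."""
    h, w = len(img), len(img[0])
    cells = []
    for r in range(grid):
        for c in range(grid):
            y0, y1 = r * h // grid, (r + 1) * h // grid
            x0, x1 = c * w // grid, (c + 1) * w // grid
            box = [img[y][x] for y in range(y0, y1) for x in range(x0, x1)]
            cells.append(sum(box) / len(box))
    mean = sum(cells) / len(cells)
    bits = 0
    for v in cells:
        bits = (bits << 1) | int(v > mean)
    return bits  # grid*grid-bit integer (64 bits by default)

def hamming(a, b):
    """Number of differing bits; a small distance means perceptually similar content."""
    return bin(a ^ b).count("1")

SIMILAR_THRESHOLD = 10  # assumed operating point; real services tune it against false positives

class HashList:
    """Platform-side store of victim-submitted perceptual hashes (hashes only, never images)."""
    def __init__(self):
        self.cases = {}  # case_id -> perceptual hash computed on the victim's own device

    def register(self, case_id, phash):
        self.cases[case_id] = phash

    def match(self, candidate):
        """Compare an incoming upload against every registered hash; return the hits."""
        cand = average_hash(candidate)
        hits = [(cid, hamming(cand, h)) for cid, h in self.cases.items()]
        return sorted((cid, d) for cid, d in hits if d <= SIMILAR_THRESHOLD)

def demo():
    original = gradient_image()                  # the intimate image; never leaves the victim
    reposted = resize_nearest(original, 48, 48)  # edited copy that gets uploaded elsewhere
    unrelated = checkerboard_image()             # innocent upload that must not be flagged
    store = HashList()
    store.register("case-0001", average_hash(original))  # only the hash is shared
    return {
        "sha256_matches": sha256_hex(original) == sha256_hex(reposted),
        "phash_distance": hamming(average_hash(original), average_hash(reposted)),
        "unrelated_distance": hamming(average_hash(original), average_hash(unrelated)),
        "hits_for_repost": store.match(reposted),
        "hits_for_unrelated": store.match(unrelated),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```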
Integration with Security Frameworks
Proactive handling of revenge porn directly integrates with major international cybersecurity standards, namely the NIST Cybersecurity Framework 2.0 (2024) and the OWASP Top 10 (2023). In fact, the phenomenon fully aligns with the main functions of the framework.
As far as the NIST framework is concerned, the relevant functions are:
- IDENTIFY: Classification of vulnerable digital assets (e.g., explicit content, cloud archives, BYOD devices).
- PROTECT: Implementation of data loss prevention (DLP) systems, encryption, access control, and acceptable use policies.
- DETECT: Monitoring of endpoints, anomalous activities, UEBA (User and Entity Behavior Analytics) tools to prevent content exfiltration.
- RESPOND & RECOVER: Post-incident procedures, victim support, rapid takedown, and digital evidence retention (Article 20 of the GDPR, log retention policy).
As for the OWASP Top 10, revenge porn can exploit several of the listed weaknesses:
- Broken Access Control (A01): lack of restrictions on access to personal content in cloud environments or apps;
- Injection / API Misuse (A03): malicious use of APIs to exfiltrate data from systems with weak authentication;
- Security Logging and Monitoring Failures (A09): lack of alerts on suspicious behavior related to illicit sharing;
- Server-Side Request Forgery – SSRF (A10): exploited to access non-public internal resources.
The NIS2 Directive should also be mentioned, as it strengthens the resilience of critical digital infrastructures through several tools:
- Risk management obligation (Article 21): organizations must prepare data protection plans for sensitive content, including against abuse by internal users (insider threats);
- Incident reporting (Article 23): the illicit dissemination of content must be notified if it compromises the integrity, availability, or confidentiality of data;
- Supply chain risk assessment (Article 28): platforms must monitor storage and distribution service providers to avoid hosting illicit content (e.g., on offshore servers).
This has several operational implications for DPOs, SOCs, and CSIRTs. Entities responsible for information security must integrate the risk of sensitive content into their threat intelligence models. They must collaborate with judicial authorities on forensic data preservation, including real-time acquisition (e.g., via disk mirror or volatile memory dump), and implement specific hardening measures for high-risk devices, e.g. disabling cameras, sandboxing media players, and network segmentation for VIP users.
Some conclusions… so far
The non-consensual dissemination of intimate material, commonly referred to as revenge porn, is emerging as an increasingly relevant attack vector within the digital threat landscape. Its impact extends well beyond reputational harm: it constitutes a form of structured digital violence that exploits socio-technical vulnerabilities and regulatory gaps to deliberately undermine the psychological and physical integrity of victims.
From a technical-operational standpoint, the growing automation in the collection, distribution, and persistence of intimate content – through scraping tools, distributed storage systems (e.g., IPFS), encrypted messaging apps, and anonymous platforms on the dark web – necessitates a significant enhancement of detection and response capabilities. The integration of forensic techniques (e.g., image hash matching, metadata reconstruction, network traceback), AI-driven content detection systems, and shared incident response frameworks is now crucial. In this context, aligning with the technical requirements defined in the NIST Cybersecurity Framework 2.0 (Identify, Protect, Detect, Respond, Recover) and the EU NIS-2 Directive offers a structural blueprint for the development of resilient digital environments.
However, technological measures alone are insufficient. A holistic approach is required, encompassing cross-border legislative harmonization, targeted training for legal and investigative professionals on handling digital evidence, and the adoption of rapid response protocols supported by central authorities (e.g., national CERTs and CSIRTs). Finally, at the level of operational countermeasures, enhancing interoperability between law enforcement agencies, online service providers, and judicial authorities is critical. This includes leveraging automated reporting platforms and adopting EU-wide shared guidelines, such as those already piloted through the INHOPE initiative and Europol’s inter-institutional task forces.
Only a structured, multidisciplinary, and technologically advanced approach can ensure a timely, effective, and concrete response to the increasing sophistication of digital abuse linked to revenge porn.
*Cyber Security Specialist/Security Analyst
Detailed terminology and definitions below: