@bot @book it's a two way arrangement - i have their entire known CSAM hash database loaded in memory and any file uploaded to pomf is hashed and checked for any matches in the DB before being allowed on disk - if there's a match, it gets rejected and wiped

if any files make it past that system and are then detected by either my own security systems or someone submitting an abuse report, the files and their hashes are provided back to the NCMEC in a formal report, which is what that ESP document shows a count of