An analysis of 22,500 porn sites found that third-party tracking of users is rampant, privacy policies are difficult to understand and a majority fail to implement basic HTTPS encryption. In all, it’s a recipe for enabling sexual violence and shaming, according to an academic paper released this week.
According to a research team from Microsoft, Carnegie Mellon and the University of Pennsylvania, 93 percent of the pages analyzed – from 22,484 sites – leak user data to a third-party. Of those pages that leaked data, they did so to an average of seven outside domains. About 79 percent of pages have a third-party cookie (often used for tracking). And out of those that do, there are an average of nine cookies per page.
Digging deeper into the third parties entities that are tracking porn visitors, the team identified 230 different companies and services that are doing so. The tracking can take place even when a user is in “private browsing” or “incognito” mode, they added.
“Such tracking is highly concentrated by a handful of major companies, some of which are pornography-specific,” according to the research paper, released this week. Of the non-pornography-specific services, Google’s analytics and other services track 74 percent of sites, followed by Oracle (24 percent), Facebook (10 percent), Cloudflare and Yadro (7 percent each), and New Relic and Lotame (6 percent each).
“Google’s YouTube is the largest video host in the world, but does not allow pornography. However, Google has no policies forbidding websites from using their code hosting (Google APIs) or audience measurement tools (Google Analytics),” according to the paper. “Thus, Google refuses to host porn, but has no limits on observing the porn consumption of users, often without their knowledge.”
The authors argued that this rampant tracking gives third parties access to sensitive data about users’ sexual preferences. In the wrong hands, this could lead to harassment, or worse.
“Everyone is at risk when such data is accessible without users’ consent, and thus can potentially be leveraged against them by malicious agents acting on moralistic claims of normative gender or sexuality,” according to the paper. “These risks are heightened for vulnerable populations whose porn usage might be classified as non-normative or contrary to their public life.”
In looking at privacy policies for 3,856 sites, or 17 percent of the total, the research determined that the average education level needed to decipher them is two years of college. Policies have an average word count of 1,750 and take seven minutes to read.
Aside from the inscrutability, only 11 percent of the third-party trackers are disclosed in the policy, “making it impossible for users to consent to the use of their data for tertiary purposes,” the report said.
“Users may have no means to learn which companies might have troves of data about their porn use,” the team wrote. “The difficulty of understanding a policy indicates those who do not have college-level education (and likely many that do), may be unable to give informed consent on pornography websites.”
Inferring Sexual Interests
Apart from knowing that users are visiting a specific porn site, third-party trackers can also infer much about a person’s sexual interests based solely on a URL, the research found. This greatly amplifies the privacy considerations, the researchers noted.
Based on a random sample, 44.97 percent of porn site URLs…contain words or phrases that would likely be generally understood as an indicator of a particular sexual preference or interest,” the team wrote.
“These results reveal the extent to which third parties might assume users’ specific sexual characteristics based on sites visited,” according to the research. “Venturing further into a site would provide an even more complete understanding of the content therein.”
The team ultimately argued that the porn data leakage they uncovered represents a unique and elevated risk compared to many other types of data.
“[A considerable concern lies in the fact that] a large majority of our sample leaked users’ sexual data to third-parties, combined with the growing precedent for high-profile, large-scale leaks, hacks and missteps with sexual data,” the team said.
Researchers noted marginalized groups are most likely to be targeted and harmed by such tracking. “The extent to which gender and sexual interests could be inferred from site URLs demonstrates the troubling potential for the tracking and disciplining of sexual interests labeled non-normative. There is precedent for such targeted abuse of women and other marginalized populations online, and we contend their susceptibility to technological attacks based on moral outrage point to wider societal vulnerabilities in the face of constantly shifting socio-sexual norms.”
Meanwhile, the privacy-policy findings indicate a disregard for consent and agency, the team argued.
“Porn sites and other industrial actors dealing in this data must acknowledge they are engaged in a transaction involving sex and power, and thus require affirmative sexual consent from users,” according to the paper.
Hacks and Attacks
The paper also pointed out that hacks on adult sites are not uncommon.
Perhaps most famously the extra-marital site Ashley Madison was hacked in 2015, exposing 32 million names, credit-card numbers, email and physical addresses, as well as sexual interests. The report also detailed other hacks: In 2012, YouPorn suffered a major breach, exposing thousands of user emails and passwords. A website related to more specific sexual practices, Rosebudboard[.]com, was hacked in 2016, resulting in more than 100,000 user accounts being exposed. And in 2018, thousands of users who accessed a bestiality website had personal details including email addresses, birth dates and IP addresses circulated on public image boards by hackers.
Going forward, the research team said that it believes regulation could rescue porn visitors from the privacy invasion vortex that it has uncovered.
“While the findings of this study are far from encouraging, we do believe regulatory intervention may have positive outcomes,” the researchers noted. “The form of consent currently found in U.S. self-regulatory ‘opt-out’ systems fails to meet sexual consent norms and reinforces the ‘blame the victim’ mentality that often emerges in slut-shaming and other forms of sexual violence.”
In contrast, the European Union’s GDPR formulation of online tracking consent more closely matches norms for sexual consent by emphasizing consent must be affirmative and freely given, according to the paper.
“Our results demonstrate the imperative to attend to outcomes of the GDPR and to develop models of affirmative digital consent for porn websites that meet the diverse requirements for providing and withdrawing consent in sexual interactions,” the team wrote.
Interested in more on patch management? Don’t miss our free live Threatpost webinar, “Streamlining Patch Management,” on Wed., July 24, at 2:00 p.m. EDT. Please join Threatpost editor Tom Spring and a panel of patch experts as they discuss the latest trends in Patch Management, how to find the right solution for your business and what the biggest challenges are when it comes to deploying a program. Register and Learn More