Watching porn online entails an unsettling paradox: We want and expect our viewing habits to be totally private. Yet we know the modern digital economy is built on constant surveillance of our browsing habits.
That’s why potential and current porn viewers need to know what data adult sites can collect about them—and what they do with it. Men’s Health recently reached out to digital privacy and security experts, major porn sites, and adult industry figures to find answers to these questions.
“Porn websites are no more anonymous than any other website,” says Dylan Curran, director of tech for the digital security firm VFT Solutions. Like most sites, they log information on your IP address, the type of device and browser you’re using, and how your machine has interacted with the site in the past, stored in cookies. Sites can also choose to track what you click, how long you play videos or stay on a page, and other basic usage information. This holds true even if you’re using a browser’s private or incognito mode, which just prevents your computer from building a local history of pages you’ve visited.
But do they know who I am?
In theory, some porn sites could, with a little digging, use other digital databases to connect an IP address, browser fingerprint, or device to a named individual, says Rob Shavell, co-founder of online privacy firm Abine. They could also create comprehensive data files on named individuals’ porn viewing habits on their sites, which they could potentially sell to others.
However, streaming giants Pornhub and xHamster told Men’s Health they don’t use this data to identify specific individuals. (Users can and do at times opt into providing them more personal, identifiable info.) MindGeek, the firm behind Pornhub—and, by one 2018 estimate, 80 per cent of all mainstream online porn traffic—has told reporters in the past that it does not sell this data, or its analytics, to others.
Major porn sites do use data to get a sense of user demographics, so they can serve you content others in your demo like. Companies like MindGeek that own streaming sites and film studios can also use that info to guide movie production. Cookie data also allows them to funnel content that they think you specifically will enjoy directly toward you—even if in theory they don’t know who you are, and just know your IP address or browser information.
Shavell notes that it’s hard to know from the outside which porn companies, of the thousands out there with ever-shifting privacy policies, may be involved in worrying identified data collection, “and which ones are just using the data on us to optimize our next visit” on their sites.
However, most porn companies do have a vested interest in protecting their patrons’ privacy, lest a PR disaster cost them a huge amount of their trust, user bases, and current or future profitability.
A study by Carnegie Mellon University, Microsoft Research, and the University of Pennsylvania looking at 22,484 porn sites in March 2018 found that 93 per cent sent user data out to an average of seven different external entities. That’s actually not bad by modern digital standards; as of 2018, YouTube sent data onwards to about 20 other parties. But it is hardly assuring to worried users.
Pornhub, xHamster, and other big porn sites told Men’s Health that they try to make sure any information they send on to third parties remains anonymous. However, it is not clear that every third party offers the same type or level of data anonymization. Daly Barnett of the Electronic Frontier Foundation notes that sometimes, even if you’ve scrambled one piece of a user’s data, like their IP address, an entity could still, in theory, identify them using other bits of info. And many third-party services have long been incredibly opaque about what they collect and how they use it beyond their core services.
Widespread HTTPS encryption prevents internet service providers (ISPs) from reading the full, after-the-slash URL for a page their customer was on. However, as of 2018, only 17 per cent of porn sites had HTTPS security. So many porn sites still leak information about users’ searches, page views, and so on to ISPs. ISPs can then, in many jurisdictions, sell that information on to other firms or hand it over to the state.
The natural concern is that some of our porn data will, through one or more diffuse channels, end up in the hands of data brokers, companies that suck up all the info they can find on individuals. These brokers create dossiers on people, which they then sell on to everyone from credit rating agencies to marketing firms to other individuals. Even a few bits of fragmentary info on our viewing habits, anonymous in abstract, when sucked into a data broker’s massive archives could be used to build at least broad profiles on the sexual proclivities and porn viewing habits of named individuals.
Few big name data brokers, due to legal, company policy, or PR considerations, could work with porn data even if they wanted to. But there are, Barnett notes, many small, largely unregulated data brokers who use dubious sourcing to hoover up everything on us that they can. He says he hasn't seen sexual information appear in their profiles yet, but he "wouldn't be surprised" if they had it stashed away, or were selling it very discreetly. And while there may not be many corporate buyers interested in granular breakdowns on individuals’ porn habits, as these profiles become cheaper, more robust, and more widely accessible, Shavell argues there is a clear, growing market for them: individuals looking for dirt on people with whom they have an axe to grind.
So what do I do now?
What's a guy to do to protect against the as-of-yet speculative, but still palpable, risk of your porn data leaking into the world? Unfortunately, the experts Men’s Health consulted for this piece said there is no one tool or tactic, or even one surefire set of tactics, that can fully mitigate this risk.
With that in mind, Barnett notes that one of the easiest steps to take to secure yourself is making sure that you are using a browser that places a premium on security. Browsers like Firefox, Iridium, and Tor take pains to build privacy protections into their systems, he says. You can also install one of many free browser extensions to block many third-party trackers from reading most of your data, make HTTPS protections run on non-encrypted sites, or even provide real-time alerts on the snooping tactics a website you are visiting is employing and suggestions on how to react to them. It also doesn’t hurt, Barnett adds, to use a VPN and an ad blocker, and to clear your browser’s cookie cache to limit the amount of data sites can glean.
Shavell also recommends limiting the number of porn sites you browse—ideally down to one—to minimize the avenues your data could leak through. If you decide to create an account on that site, or limited pool of sites, to access paid or premium content, he adds, make sure to use a throwaway email address created specifically to register with the site and anonymized payment, like a virtual credit card and phone number. The more personal data you willingly give when registering, the more direct and clear the risks—and not just of gradual data leakage. There have been numerous cases of hacks and data breaches exposing registered porn site users’ emails, passwords, and credit card info, all of which can be used for identity theft, to call out an individual for their habits in sextortion scams (a fairly common racket), or for social shaming.
No matter what we do, ultimately we all have to accept the fundamental paradox of online porn: If we want to watch adult content privately online, there’s always a risk that we’ll be caught out on it publicly. That risk is incredibly low. But it is real. It can be mitigated, but never eliminated. We either need to accept that or go back to buying porn in hard copy from a store 30 miles from our homes in cash while wearing a hoodie and shades. Given the choice, most of us will eat the risk.