
Pornography sites found to be riddled with trackers from major tech companies - Jerry2
https://www.nytimes.com/2019/07/17/opinion/google-facebook-sex-websites.html
======
aviraldg
I feel like all these articles follow a pattern: they take a common, well
known aspect of technology (in this case, analytics trackers), search for any
cases where a major tech company is involved, and come up with the most
clickbaity headline possible ("Google and Facebook Are Quietly Tracking You on
Sex Websites", when it's actually the website owners adding this tracking code
in the first place, explicitly for the purpose of understanding user
behaviour.) These headlines are then shared and reshared by nontechnical
users, prompting outrage when there isn't a good reason for it.

~~~
letstrynvm
> prompting outrage when there isn't a good reason for it.

Can you expand on why there's 'no good reason for it'?

The equivalent is my peering in your window to see and note down what you rub
one out to... every time. And you don't know what I do with that information
or where it will leak to.

That sounds perfectly fine to you, does it?

~~~
aviraldg
No, the equivalent is you walking into a store to buy DVDs, and the store
manager keeping a record of what sells well, and what you show interest in,
etc. to drive decisions about what to stock next.

~~~
martingoodson
... and then cross-referencing your purchase with everything else you ever
purchased. And also every article you ever read. And then selling that
information to others.

~~~
dsr_
... and claiming it's not a privacy violation because they don't let the
others search for martingoodson, they just offer selection criteria including
your age, gender, geographical location, inferred income, inferred religion,
inferred skin color, and of course interests.

------
throwawayyy6349
Some privacy tips:

1\. Use firefox with multi-account containers, with each domain set to auto-
open in a different container (google, gmail, amazon, facebook, youtube,
etc.). Make sure you're logged into google only in the gmail container (and
not in the google search container), etc.

2\. Use uMatrix and uBlock0, and enable limited third-party access using
uMatrix dashboard only when a site breaks.

3\. Enable DNS over https in firefox

4\. Enable privacy.resistFingerprinting in firefox's about:config to thwart
fingerprinting

5\. Use the tor browser for browsing porn (or any site you really do not want
associated with your IP).

Edit: Added resistFingerprinting to the list.

~~~
trilila
One might think that since browsing privately and securely is such a pain
point, there would be more than one product (firefox) to solve the issue. Any
HN entrepreneur types out there reading these posts?

~~~
dvfjsdhgfv
Practically speaking, you would have to use Chromium as a base, if you want
the product to be successful. And if you do that, Google has a million ways to
screw you up. One of the first obstacles you will find will be Widevine.
Hardly anyone moves past that point.

~~~
ehnto
Not sure why you got downvoted. Practically speaking, A fully fledged and
compliant modern browser would require a team to build if not built off the
back of another browser. So either you're a funded non-profit or you need to
make money which doesn't seem compatible with privacy on the internet.

------
mirimir
Why would anyone expect porno sites to track users less than The NY Times (for
example) does? I mean, it's not like they're your friends.

~~~
tlibert
Second author here. Many people carry over 'real world' privacy expectations
to online interactions, often unwittingly. While this may be technically
naive, I don't think it is wrong for people to assume established social norms
around sex and privacy, which have existed for millennia, are suddenly null
and void b/c they go online. Porn stores in real life often have curtains,
dark windows, etc. to protect privacy, and some people likely have that mental
model ingrained, even if they do have a suspicion they are being tracked.

~~~
mirimir
I suppose. But I'd think that people would know by now that online tracking is
ubiquitous. Arguably there are no "established social norms" online. That's
one huge advantage, when it's about accessibility of stuff that's verboten or
restricted in your society. Such as, for example, porn.

But it cuts both ways, of course. So established social norms about privacy
are also widely ignored. The fundamental business model is _based on_
violating users' privacy. Two of the largest online businesses, Google and
Facebook, rely on monetizing the violation of users' privacy.

So yeah, perhaps it's understandable, but it's gobsmacking naive to think that
online porn would be an exception.

~~~
tlibert
I fully agree, but people are often capable of knowing something abstract is
true in general (web is full of tracking), but often fail to make the
cognitive step to apply those facts to the specific case (there is tracking on
porn sites).

Nearly 20 years ago I worked as a Dell phone support technician for a few
months and it was the best learning experience I've ever had in terms of
understanding what the "average" person can actually comprehend. I think many
technical people have experience with non-technical people who are otherwise
fairly educated and clever (eg parents/grandparents), but there are a lot of
people who have difficulty with the concepts, let alone the details. I think
those people still deserve privacy.

~~~
mirimir
I agree that they deserve privacy.

I just think it unrealistic to expect that they'll get it.

And it's also arguably unrealistic to expect that they'll learn how to take
it. So for sure, jawboning is also a viable option.

------
makepanic
Direct link to the underlying paper:

[https://arxiv.org/abs/1907.06520](https://arxiv.org/abs/1907.06520)

The "even in incognito mode" part seems odd:

> What Jack does not know is that incognito mode only ensures his browsing
> history is not stored on his computer. The sites he visits, aswell as any
> third-party trackers, may observe and record his online actions

~~~
WA
I think it's not that odd. People assume that incognito means, well,
"incognito" – like "anonymous browsing". But there are obviously more ways to
identify a user besides cookies that are cleared/reset when incognito mode is
closed and re-opened.

Edit: To clarify: The easiest would be an IP address check. More sophisticated
techniques are browser fingerprinting. And I think there's no reason to assume
that Google/Facebook/AdTech companies DON'T use these techniques.

~~~
luckylion
> To clarify: The easiest would be an IP address check. More sophisticated
> techniques are browser fingerprinting. And I think there's no reason to
> assume that Google/Facebook/AdTech companies DON'T use these techniques.

Regarding IPs: it would be legally problematic and might be exposed leading to
terrible press, large fines and a strong argument for more regulation, so
there's a lot of incentive not to use it, and I'm not sure they would even
need it given the vast amount of information they have on users.

Regarding fingerprinting: I believe somebody would have noticed. Google and FB
are generally scrutinized much more than a random small ad-tech vendor.

~~~
WA
Sorry, are you serious or is this sarcasm? Facebook has shown in the recent
months that they try to obtain data about users in every possible way.
Collecting and comparing the IP address is the simplest exercise in the book.
This, of course, is probably sold as "making your account more secure".

It's incredible that on a site like HN people truly seem to believe that
"incognito mode" equals some sort of anonymity and that there is such as thing
like goodwill of Ad companies and that they won't take whatever data that is
served on a silver plate (like the IP address).

And you know what's really troublesome? One's sexual preferences are unlikely
to change by a lot. Once captured by tracking companies, it's in your profile.
Doesn't matter if you prevent tracking later on.

~~~
luckylion
> Collecting and comparing the IP address is the simplest exercise in the
> book. This, of course, is probably sold as "making your account more
> secure".

Sure, and if you agree to it, they can. If you don't, however, and somebody
blows the whistle, they'll be looking at huge fines in Europe and most of
their lobbying will be void because their bought politicians will look very
corrupt if they try to stop regulations.

Again, I don't believe that they don't do it because "it's not ethical".
Rather, it's going to cost them lots of money if they do and get caught (and
lots of good will, too), and I doubt that they _need_ it. IPs would be another
data point, but they have so many already that it may not add as much value.
That's for FB, Google & co, of course, for small ad-tech companies it's
different.

> Once captured by tracking companies, it's in your profile. Doesn't matter if
> you prevent tracking later on.

That's true, and the reason why you'd want to disable tracking completely. As
a user, you gain nothing from companies being able to track you, but you lose
plenty. Again, I'm not suggesting that companies aren't tracking users, I'm
saying that Google and FB are likely not operating that obviously that far
outside the law. They can, sure, but they'll need to run a large conspiracy to
keep it secret, and large conspiracies are hard and rare.

~~~
WA
Facebook collects phone numbers of random people, if a FB user uploads their
contact list.

Facebook collects data in shadow profiles.

Facebook collects login credentials for email accounts.

Facebook asks for phone numbers for "two-factor authentication" and then uses
it in different ways.

Similar for Google. Most default options are enabled if you set up an Android
phone (and these options and settings track you). Opt-in? Off by default?
Nothing. Just to name one example.

Dark patterns to give consent everywhere, like buttons suggesting that opt-in
is the only way to do it and so on.

All of this is kinda known, and illegal under GDPR. Consequences so far? None.

------
tlibert
Second author here, I'm busy for the next couple hours, but happy to AMA. Put
any questions here and I will reply as I'm able.

------
user17843
Should be easy to avoid with simply using another cookie jar or blocking
third-party cookies. It seems the direct connection can only be made when a
user is logged into a facebook or google profile. Otherwise the data can not
be connected to a personal account without some degree of uncertainty and
illegality.

G and F could use other data, like the browser fingerprint, OS information and
the IP address to associate the data, which may be illegal, at least in
Europe. Thus they probably use some other technique, for example creating
pseudonymous shadow profiles and associating them based on similarity. In
their front-end the data would just show clusters of profiles, which means
they can claim they do not collect personal data, but from a quick glance it
would be obvious to see connections between a user and "anonymous" clusters,
if the similarity borders on 100%.

Thus a good practice would be to use a different Operating system and browser,
together with the usual protective measures.

~~~
tlibert
IP address is a very strong signal and short of Tor you cannot do much about
that. I'm hesitant to recommend VPNs just due to the high level of trust you
need to have in your provider. It isn't that easy to avoid tracking.

------
StavrosK
But _every_ big site is riddled with trackers. Why single out pornography
websites?

~~~
gourou
In order to get people to care about their online privacy, use what they're
most private about. Last Week Tonight used the same trick on their segment
with Snowden.

[https://www.wired.com/2015/04/john-oliver-edward-snowden-
dic...](https://www.wired.com/2015/04/john-oliver-edward-snowden-dick-pics/)

~~~
StavrosK
Ah, that makes sense, thanks.

------
grandmczeb
“Nearly all tracking is by default and governed by impossible-to-read privacy
policies. [...] For more detail please see our privacy policy.”

Ironic.

~~~
mosselman
How is this ironic? Having a privacy policy is not the same as having an
'impossible-to-read' one. Also, I doubt the journalists at the New York Times
are responsible for what the company's tracking policy is. Are they suddenly
not allowed to write about privacy issues?

By this standard nobody would be allowed to talk about climate change, seeing
as probably nobody has a 0% impact on climate change.

~~~
Xelbair
That's still ironical.

if their claims are valid or not is absolutely unrelated to the irony of that
situation though.

Did anyone imply that if the content is 'ironical' we shouldn't write it or
discuss it?

~~~
mosselman
It isn't ironic just because they also have a privacy policy. It has to be
unreadable to come close to irony.

Lets say that I own a burger restaurant and I tell you that burgers at
McDonalds are crap. Would that be ironic? Because that is what you are saying.

> Did anyone imply that if the content is 'ironical' we shouldn't write it or
> discuss it?

I interpret the original comment:

> Ironic.

as a means to discrediting the journalist. You are right though and instead of
"Are they suddenly not allowed to write about privacy issues?" I should have
written something along the lines of "Is it suddenly not credible for them to
write about privacy issues?"

------
693471
The industry has moved from pay sites and piracy where you wouldn't track
people to free porn sites that are ad supported. Obviously it's easier to use
the free sites so the data tracking is not surprising.

If you don't want to be tracked, pay for your porn. Or pirate it.

~~~
everdrive
I agree with you, but remember that VISA/Mastercard/etc are selling your
purchases to whomever would like to buy them.

------
blub
Interestingly, I've noticed some adult websites (not necessarily pornography)
are requiring Google captcha.

That thing is spreading like weed.

~~~
fareesh
Most of them already have the social sharing buttons. I suspect those are able
to catch the vast majority of users who don't use an incognito mode.

------
H8crilA
Is it just Google Analytics and similar things? Pretty much every website has
some tracking of this sort.

~~~
throw20102010
Yes, mostly just analytics and standard fare from all websites. For the most
part, it's just the regular "Share on Facebook/Twitter/Etc." buttons that you
see all over the internet. All of the social media have trackers embedded in
those buttons. It's always confused my why anyone would actually share what
porn video they were watching with their friends on social media.

The one thing that isn't standard for porn sites is ad serving/tracking. They
usually don't use ads served from Google and Facebook, probably because most
people don't want their "regular" ads being served on a porn site. So most
major porn sites have their own ad system.

~~~
H8crilA
Yeah, big players with brand value like Google or FB do not dabble with porn
or other socially unacceptable content. At all.

------
kerng
This is a great example that should be used more often when communicating the
risks and privacy violations and implications these ad trackers have.

Its disturbing to know that Google and Facebook have access to all this - they
indeed know more about you, then you yourself.

~~~
m-p-3
To be fair, I always use incognito mode when using this kind of website, but
Google can probably track me through the IP address I guess.

And I also use PiHole at home.

------
LinuxBender
Have people stopped using usenet and bittorrent to get these things? I prefer
SFTP. No HTML, no ads, no MITM. Mumble servers + SFTP servers are a good combo
to decentralize the most important part of the web (porn).

------
lota-putty
Tangent: How many here have verified their Phone# for recovery reasons?

Or even installed some apps like true-caller?

Browser finger-printing, 3rd-party tracking or the website itself. Better off
with p0rn-torrents' magnet-URLs?

------
amelius
Somewhere at Google, someone has a Google Map showing who is consuming porn at
what moment.

~~~
wongarsu
Pornhub probably has such a map, and their data analysis on Pornhub Insight is
always a great read [0].

Of course google connecting porn searches with your other behavior is another
level of scary.

0: [https://www.pornhub.com/insights/](https://www.pornhub.com/insights/)
(sfw)

~~~
hutzlibu
That is indeed fascinating.

"Thanks to a Facebook event called “Storm Area 51” ...

Since July 12th, searches for “Area 51” have surged from zero to 160,000 in
just 4 days. July 16th alone had nearly 59,000 searches.

...

The most popular alien related search is “alien impregnation” followed by
“alien sex”. Other interesting searches include “alien belly” (a reference to
the scene from the original 1979 Alien movie?), “alien eggs”, “alien
abduction” and “alien probe”. "

So I always suspected, that the internet is a weird place, but good to have
data to back that up.

But seriously, out of porn consumption statistics, you can get a deep
analytical experience of the population. So yes, it is scary, if some
companies have all that knowledge.

~~~
wongarsu
> But seriously, out of porn consumption statistics, you can get a deep
> analytical experience of the population. So yes, it is scary, if some
> companies have all that knowledge.

Indeed. It gives you insights that are otherwise hard to get.

Like predicting the viewership of events based on traffic changes like these:

[https://cs.phncdn.com/insights-static/wp-
content/uploads/201...](https://cs.phncdn.com/insights-static/wp-
content/uploads/2018/11/5-pornhub-insights-2018-year-review-tv-live-
events-1.png)

Or how many people care about a solar eclipse:

[https://cs.phncdn.com/insights-static/wp-
content/uploads/201...](https://cs.phncdn.com/insights-static/wp-
content/uploads/2017/08/pornhub-insights-2017-eclipse.png)

Or these graphs:

[https://cs.phncdn.com/insights-static/wp-
content/uploads/201...](https://cs.phncdn.com/insights-static/wp-
content/uploads/2018/11/1-pornhub-insights-2018-year-review-favorite-times-to-
watch.png)

[https://cs.phncdn.com/insights-static/wp-
content/uploads/201...](https://cs.phncdn.com/insights-static/wp-
content/uploads/2018/11/maps-pornhub-insights-2018-year-review-most-viewed-
categories.png)

[https://cs.phncdn.com/insights-static/wp-
content/uploads/201...](https://cs.phncdn.com/insights-static/wp-
content/uploads/2018/11/3-pornhub-insights-2018-year-in-review-age-group-
searches-categories.png)

And all of those graphs are just scratching the surface. For example they seem
to have good data on age, gender and sexual orientation (likely from signed up
users and statistical inference), which allows them to say what percentage of
lesbians aged 30-40 living in Minnesota watch solar eclipses or watch the
royal wedding.

~~~
hutzlibu
I would be curious how they get the age data, though. Do they have the
connection to facebook?

------
TheBobinator
It's funny an article published behind a paywall about facebook and google
partnering to track your pr0n use has a message that says, as soon as the page
loads, you're in private mode".

NYT has become such a tabloid.

Study is here:
[https://arxiv.org/pdf/1907.06520.pdf](https://arxiv.org/pdf/1907.06520.pdf)

Now we can have a REAL Discussion.

