
Online Porn Could Be the Next Big Privacy Scandal - bthomas
http://brettpthomas.com/online-porn-could-be-the-next-big-privacy-scandal.html
======
ffn
Honestly, as an employer, I really wouldn't care if my employees watched porn
in their free time as long as they keep it to themselves. Our attraction to naked
bodies of the opposite (or same) sex is as old as walking upright and is
deeply and fundamentally a part of our humanity since our ancestors roamed the
Serengeti. And while for the sake of social norms I'm more than willing to put
aside my "dirty pastime" in a professional setting in today's modern age, if
society is going to come around into my private life and "expose" that I look
at porn in my off hours, I see no reason to feel ashamed or apologetic for it
(unless it's my girlfriend who finds out, then all bets are off, and I will
feel as much shame and apology as necessary).

~~~
higherpurpose
I agree that's how people should feel about it, and if they did that it would
solve two major issues we have in the society right now (hopefully):

1) "sex scandals" - it seems politicians or others in power can't go to
prison for stealing a lot of money or even murdering someone. But if they are
involved in a sex scandal - well god may have mercy on their souls! Their
careers are basically over then. It's also why intelligence agencies can have
tremendous power over politicians, judges and so on, if they can "discredit
them" through their porn or sex habits. That should stop happening. It should
be a non-issue for everyone.

2) the more people are "okay" with porn or sexuality in general, the less
likely it will be for some politicians one day to manage to pass a bill that
criminalizes either porn in general, or specific kinds of porn or sexuality
(like say gay porn).

~~~
moe
_"sex scandals"_

That seems to be mostly an American thing.

Over here in Europe hardly anyone bats an eye when the latest sex-party
involving Berlusconi, François Hollande/Sarkozy etc. is revealed.

People only get upset when truly dirty stuff comes out, such as the child
abuse ring involving British government figures[1].

[1] http://uk.reuters.com/article/2014/12/18/uk-britain-abuse-idUKKBN0JW1SO20141218

~~~
hueving
Didn't the UK recently require people to register to be able to view porn?

~~~
192431665
Not quite. Most of the big ISPs were required to add an 'adult content'
filter, which yes, basically blocks porn among other things. When signing up
for a new broadband connection, the box enabling this 'adult content' filter
is ticked by default, meaning you have to actively untick it. ISPs are also
required to contact all existing customers somehow and ask them whether or not
they want the filter enabled.

No laws have been passed yet to enforce ISPs to do this, just pressure from
David Cameron and campaigns by the Daily Mail and 'parent' groups and stuff,
although David Cameron did say if the recently implemented system was not
effective enough they would have to legislate (the problem now is whether the
4-8% takeup on all but one ISP is 'effective').

~~~
m_t
It's not always as simple as that unfortunately. I arrived in the UK recently
and got a mobile sim card with a pay-as-you-go system.

When trying to view an adult content website using my mobile data connection,
I arrived on that wonderful "blocked content" page. To get it removed, I could
use a credit card. Oh, but not any credit card. The one I have from my country
of origin wasn't valid, not even the one from my previous country of
residence. I needed a UK credit card, which I didn't have yet. The only option
was to go back in a store, with my passport, and say "Yes dear Sir/Madam I
would like my internet with porn enabled please". It was (almost) faster to
set up a VPN.

Also, note that I say _adult content_, not even porn, as some websites that do
not contain specifically porn are blocked as well.

------
siegecraft
Everyone commenting seems to be very blasé about this. I guess they are
forgetting that there are countries where it is still illegal/dangerous to be
openly gay. Besides that, probably useful in targeted blackmail/extortion
plots but not a huge threat to the common man.

------
michaelvillar
It always confused me why this hasn't been fixed yet.

It seems like most of the uniqueness is from the list of fonts and plugins.

Couldn't browsers limit that by asking user permission before providing it?
(Fair question and I'm waiting to be wrong)

~~~
burke
You can test whether a font is installed with any number of tricks. For
example, render white text on a white background with "sans". Then, change the
font to the candidate font, with a fallback of sans. If the width of the text
changes, the font must be installed.

~~~
michaelvillar
Interesting.

Maybe browsers shouldn't have access to system fonts except a specific set.
Websites can't assume fancy fonts are installed anyway, I don't think it would
be a problem?

~~~
roel_v
Yeah, all we'd have to do is convince every manufacturer of operating systems
and/or browsers to agree on a common set of fonts, work out licensing/font
rendering technology issues etc., then convince all web developers across the
world (or at least a sizable portion) to redevelop their websites to work with
this list, then enforce the font restriction, and then convince users that
this is somehow a good idea because invariably a bunch of the websites they
use are going to break. We also need to do it within a few years, otherwise
it's too late, and our main argument is going to be 'but maybe websites can
use fonts as part of a fingerprint to track what websites we are visiting'.

~~~
michaelvillar
You couldn't be more wrong about this.

- You need to convince only one browser. People that care about privacy will
use that browser.

- You don't need licensing, they still use the OS fonts. They just limit the
fonts available.

- You don't need to convince web developers because they already use these
fonts and only these fonts. Who's using Papyrus?

- 1997 websites are going to break. Again, new websites use only a set of
system fonts or fancy web fonts.

~~~
tankenmate
You're both wrong; most people at the point of browsing don't care that much
for privacy. Most users would hand out their passwords for a chocolate bar!
[0] How much less would they care about their privacy let alone understand how
one browser is better than another.

[0] http://news.bbc.co.uk/1/hi/technology/3639679.stm

------
vbezhenar
Browsers should improve incognito mode so websites won't be able to
distinguish Chrome@OS X from Firefox@Windows. And maybe allow easier
integration with proxy services. Privacy is important.

~~~
siegecraft
I agree; I don't think there's any reason for a browser to be fingerprintable
even when not in incognito mode. I'm curious if this is on the roadmap for a
browser like Firefox or one of the Linux ones. You would think govt / infosec
people might care about it too?

~~~
amelius
There are so many details in e.g. JavaScript that a website could probe that it
really doesn't seem feasible.

------
supercoder
I think the reader will suffer more from obtaining a list of my viewed porn
than me.

------
sjp2705
Write a script to continuously scrape and hit every porn video on every porn
site. It's obviously impossible for you to watch all that porn and unlikely
any hacker will try to intuit your exact history (which would be difficult and
not worth the effort). Problem solved.

~~~
bhayden
Unless the script perfectly emulates human browsing patterns, it wouldn't
really be helpful.

------
mc32
Unless there is big money in this, I don't think this will be the next big
privacy scandal, with the exception of politicians --they could get worried
(people who have a big stake in maintaining an image). But your average Jurgen
and Silvie, not so much.

[edit] That's to say, porn, for all practical purposes, is mainstream. It's an
open secret. I don't think people are going to hyperventilate, freak out. I
mean, 50 shades, the movie, is a marketing juggernaut in middle America --and
beyond.

~~~
greendestiny
I would think a lot of people would pay to keep such information secret
though. Maybe not enormous sums individually but given data that you can
personally verify this would be a fairly effective threat.

I'm imagining the typical popup - 'Warning your browsing information is
compromised - pay us to remove the offending data!'. Add to that page a list
of actual viewing history and I think conversion ratios would increase.

~~~
swhipple
I think this would tremendously backfire. It wouldn't be too difficult to
figure out which companies have leaked customer data, which is now being used
for extortion, and they'd likely lose more money than they could gain from the
ad clicks.

Reputable porn sites tend to be more secure than your average company website
specifically because they know that privacy is important to their viewers.
Being known for leaking your viewer data would be suicide.

~~~
4ndr3vv
The sites themselves wouldn't likely leak these data, rather it could be
compromised.

From the article: "All that's needed are two nominal data breaches and an
enterprising teenager that wants to create havoc."

------
lwhalen
I'm surprised the article doesn't mention an even bigger point - very few porn
sites provide end to end TLS. Through, uh, research, redtube doesn't have ANY
TLS available, and xhamster has a 'some content on this site is not delivered
over TLS' warning.

------
TeMPOraL
> _yet another reason that the tech community should take a more proactive
> approach ensuring data privacy._

Or maybe yet another reason for people to get their shit together.

Seriously, this is not an issue of privacy - it's an issue of society
potentially overreacting to things. So Jane Doe watches porn. Big deal. John
Doe watches it too. Like 80% of the country's population. It's an open secret,
like going to a shrink used to be. It only holds power over you if you expect
people around you to behave like apes (which they often do - see being gay 30
years ago, or being not pro-gay now).

I know very well that it's easier to influence tech than society; hell, it's
even easier to influence biological factors than social ones. But ultimately,
we can't blame it on tech when it's lack of civility that's the problem. Maybe
it's the very expectation of privacy that makes people such bigots?

Either way, it's another data point for "privacy vs. progress of mankind, pick
one".

~~~
yummyfajitas
Here's a real issue. It's not the existence of porn, it's the _nature_ of the
porn. If you've decided you want to attack someone, and if they have even
remotely unusual tastes, you can certainly attack based on those.

If it's really a low status taste (e.g., furry, femdom, cuckold), the attacks
write themselves. If it's more mainstream, it isn't hard to twist it into
something deeply revealing about their character (e.g., "omfg look at how he
objectifies asians").

Here is a real life example of this, albeit not based on privacy leaks but on
something I chose to reveal:
https://news.ycombinator.com/item?id=7945286

~~~
anigbrowl
Without disagreeing with your observation, as a practical matter the biggest
influence is how one responds to the allegations. I remember a few years ago
it emerged that a US Senator not only patronized prostitutes, but that his
preferred sexual fetish supposedly involved wearing diapers (which is a pretty
fringe preference, to at least the same degree as those you mention).
Embarrassing of course, especially as it was his second prostitution-related
scandal in a decade, but he made the usual tearful public apology to his wife
on TV followed by a reaffirmation of his religious faith and bingo, forgiven.
His party didn't want to lose a Senate seat if he resigned, and he's since
been re-elected and is this year planning to run for governor of his home
state.

------
Chinjut
I see a lot of people saying, essentially, "I don't care that anybody knows I
view porn; that's totally mainstream". And, yeah, I feel the same way.

But on reflecting on it, I find there's more nuance to it:

I don't care that anybody knows I view porn; that's totally mainstream. But to
have people know the specifics of my tastes in porn? Suddenly, I would begin
to feel embarrassment; I'd worry I'd be thought a weirdo for getting off to X
which is considered a fetish instead of Y which is considered standard stuff,
etc.

~~~
higherpurpose
Only at the last election there were some presidential candidates that toyed
with the idea of banning porn. That would mean all of a sudden you could be
criminalized for watching porn, just like you are now for playing poker
online.

------
Padding
This may or may not be an issue for targeted attacks on high-profile
individuals (which in turn likely have the means to avoid them). But I don't
think crosslinking moderately-reliable browser identifiers across different
websites, so as to be able to extort "average Joes", will really be that
profitable.

Remember that there's a lot of people watching porn and a lot of people on
Facebook-like sites, so those unique browser identifiers won't be so unique
any more in the end. Also there's a lot of money involved in both porn and
Facebook, so trying to meddle with them gets you sued if you endanger their
profits.

The real issue I see however is credit card data and how easy it would be for
corrupt authorities to abuse it. I looked into options for anonymous credit
cards just because of this, but sadly that gets you into really shady money
laundering territory really quickly.

------
rl3
The easiest way to mitigate this is to view your porn on a mobile device or
tablet, if able.

Mobile browser fingerprints are far more uniform than their desktop
counterparts.

Host address correlation would however remain fairly effective in most
circumstances, so it would be prudent to conceal that as well.

~~~
Artemis2
Ask AT&T and Verizon, who put custom headers with tracking IDs in your
browsing sessions.

http://www.forbes.com/sites/kashmirhill/2014/10/28/att-says-its-testing-unkillable-tracker-on-customers-smartphones/

~~~
rl3
That's just evil.

Fortunately most people switch over to a non-carrier network via 802.11 when
they're at home with their mobile devices.

------
llamataboot
This is assuming that there is data to be breached though. Unless it was some
realtime MITM attack, I don't think many porn websites are storing the browser
footprints of all their visitors in a database. But, I could be naive.

~~~
yummyfajitas
Ad networks, probably including adult ad networks, regularly track browser
footprints. You don't need an MITM attack, you merely need a porn site which
runs ads. That consists of about 100% of the porn sites I browse.

The EFF has a nice demo of it:
https://panopticlick.eff.org/

------
hopfog
There's an ongoing criminal case in Sweden where a website streamed their porn
movies for "free". However, in the fine print it said that in order to watch
this you need to pay X. So basically the company could bill you just for
watching.

This wouldn't be any problem since people are anonymous. The twist is that the
company behind it actually had a deal with some of the phone network operators
where they sent the phone number as a header for mobile devices.

The result was that hundreds of people got invoices and were told that their
personal details would be exposed if they didn't pay.

~~~
mariuolo
> The result was that hundreds of people got invoices and were told that their
> personal details would be exposed if they didn't pay.

Sounds like fraud and extortion to me. Were criminal charges filed?

------
mrits
There will be a small percentage of error that all of us will fall under.

------
sparaker
I think this should only be applicable to sites where you are logged in, as
otherwise it's going to be pretty difficult for them to identify using your
name.

~~~
rosser
Wrong. All it takes is a browser fingerprint. If they can associate that with
a name, whether or not you're logged into the porn site — e.g., through sites
that you _are_ logged into — they can identify your browsing session on the
former.

~~~
sparaker
What is this browser fingerprint? If you are talking about some cookies and
the user agent string, I wouldn't be concerned.

~~~
Starwatcher2001
https://panopticlick.eff.org

"Your browser fingerprint appears to be unique among the 5,053,325 tested so
far."

~~~
bhayden
It seems like denying access to my plugins (and maybe non-standard fonts)
would solve this. Why does a website need to know my plugins in the day and
age of Flash being deprecated?
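
Added example, not part of the original thread: a small script that measures what the comments above argue about, namely how much each attribute contributes to a fingerprint and what withholding fonts and plugins does to the anonymity set. The visitor records, attribute names and function names are all constructed for illustration.

```javascript
// Constructed sample population (not real visitor data): attributes a page
// script can typically read, one object per browser.
const visitors = [
  { ua: "Firefox/Windows", tz: "UTC+0", fonts: "Arial,Calibri,Papyrus", plugins: "Flash,Java" },
  { ua: "Firefox/Windows", tz: "UTC+0", fonts: "Arial,Calibri", plugins: "Flash" },
  { ua: "Firefox/Windows", tz: "UTC+0", fonts: "Arial,Calibri,Consolas", plugins: "Flash,Silverlight" },
  { ua: "Firefox/Windows", tz: "UTC+1", fonts: "Arial,Calibri", plugins: "" },
  { ua: "Chrome/OS X", tz: "UTC+0", fonts: "Helvetica,Menlo", plugins: "Flash" },
  { ua: "Chrome/OS X", tz: "UTC+0", fonts: "Helvetica,Menlo,Futura", plugins: "Flash,QuickTime" },
  { ua: "Chrome/OS X", tz: "UTC+1", fonts: "Helvetica,Menlo", plugins: "Flash" },
  { ua: "Chrome/OS X", tz: "UTC+0", fonts: "Helvetica", plugins: "" },
];

// Join the chosen attributes into the value a tracker would treat as the fingerprint.
const fingerprint = (v, attrs) => attrs.map((a) => v[a]).join("|");

// Count how many visitors share each fingerprint (the anonymity sets).
function anonymitySets(pop, attrs) {
  const sets = new Map();
  for (const v of pop) {
    const k = fingerprint(v, attrs);
    sets.set(k, (sets.get(k) || 0) + 1);
  }
  return sets;
}

// Shannon entropy, in bits, of the fingerprint distribution over the population.
function entropyBits(pop, attrs) {
  let h = 0;
  for (const n of anonymitySets(pop, attrs).values()) {
    const p = n / pop.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Number of visitors indistinguishable from v (1 means v is uniquely trackable).
const anonymitySetSize = (pop, attrs, v) => anonymitySets(pop, attrs).get(fingerprint(v, attrs));

// Fraction of the population whose fingerprint is unique.
function uniqueFraction(pop, attrs) {
  const sets = anonymitySets(pop, attrs);
  return pop.filter((v) => sets.get(fingerprint(v, attrs)) === 1).length / pop.length;
}

// Bits of identifying information implied by "unique among n browsers".
const surprisalBits = (n) => Math.log2(n);

const ALL = ["ua", "tz", "fonts", "plugins"];
const RESTRICTED = ["ua", "tz"]; // fonts and plugins withheld from the page

function report() {
  return {
    perAttribute: Object.fromEntries(ALL.map((a) => [a, entropyBits(visitors, [a])])),
    uniqueAll: uniqueFraction(visitors, ALL),
    uniqueRestricted: uniqueFraction(visitors, RESTRICTED),
    setSizeRestricted: anonymitySetSize(visitors, RESTRICTED, visitors[0]),
    quotedResultBits: surprisalBits(5053325), // the figure quoted in the thread
  };
}
console.log(report());
```

On this constructed data, withholding fonts and plugins drops the share of unique browsers from all of them to a quarter, yet some browsers stay unique on user agent and time zone alone.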

------
dismal2
Of course it's deniable, just say the person is clearly trying to blackmail
you, or that you watched that one but not that truly terrible one. Also who
cares. Now if they could hack into your camera while you watch and you happen
to be a person in the public eye, that could turn into a short lived
manufactured controversy that gossip sites and cable news live on.

------
staunch
Most people would suffer much more from a leak of their email, photos, or code
than their porn browsing habits.

~~~
thret
I also think dating website data would be more important. Looking at ordinary
porn is an inconsequential fact of life.

~~~
mercurial
Depends on how conservative your country is.

~~~
soylentcola
Or what your coworkers/family/local officials consider "ordinary porn".

------
Roritharr
When reading the headline I expected someone had done face recognition over
redtube, xvideos and the like and created a database with people in
porn videos, making it easy to look up for future reference...

Just finding out that someone watches porn at work is really uninteresting
from my European point of view...

------
heyalexej
Porn websites, as it stands, are better secured than your average Bitcoin
exchange. Nothing to worry about.

------
nsxwolf
Flabbergasted that the HN crowd harps on endlessly about privacy until it's
about porn. Then it's all about get over your hangups, radical transparency.

Many people don't want their porn habits made public for all sorts of reasons
and it is _not_ your place to judge.

------
Riesling
There is a huge privacy problem even without browser fingerprinting. Some porn
sites use Google Analytics. I find this irresponsible, especially since most
people have their real world ID bound to their Google account.

------
netheril96
Well, it appears my browser fingerprint is rather unique. Guess I should
install some new fonts now and then and thus change my fingerprint.

------
colinb
Isn't this what throwaway Linux VMs were invented for?

Elsewhere in this thread someone mentions a conspiracy of service provider and
porn [alleged] criminal. So I guess Fapuntu-64 won't work for that, but for
all else, it seems a good solution, so long as your desktop is not your
telephone.

------
houseofshards
Does it mean if there is a browser just for browsing non-login sites and doing
nothing else (do all browsing that requires a login or identification of any
kind from a different browser), this problem can be prevented?

~~~
192431665
I would love something in a browser that makes it easier to separate the login
sites I use, like webmail and Facebook (occasionally).

I use all the usual plugins, like Disconnect, uBlock, https everywhere, but
recently I have been using a Firefox plugin called 'priv8' to sandbox the
login sites I use the most (means I am not signed into Google or Facebook for
my regular browsing). I honestly do not have that much of an in-depth knowledge
of browser tracking, so I am not exactly sure if this makes much of a
difference.

------
supercoder
Guess I'll start buying burner phones for porn every 2 weeks.

