93% of porn sites leak data to a third-party

New academic research reveals the extent of user tracking on top adult sites.

glasses-porn.jpg

In a research paper published this week, academics said that 93% of 22,484 adult websites they analyzed were leaking data to a third-party entity, such as online advertisers or web analytics providers.

The list of companies on the receiving end of users' porn browsing habits and sexual preferences includes the likes of Google, Oracle, Facebook, Cloudflare, but also advertisers that were only active in the adult industry.

Only 17% of top adult sites have a privacy policy

The research team selected the sites they used for their analysis by scanning the Alexa Top 1 Million list for sites that used the term "porn" in their title or metadata.

They identified 22,484 websites, and then analyzed their source code, and looked for the presence of a privacy policy. Inside privacy policies, researchers looked for wording that may indicate if the website is sharing user data with third parties, confirming their source code scans.

"We successfully extracted privacy policies for 3,856 sites, 17% of the total," said the research team, consisting of Elena Maris from Microsoft, Timothy Libert from Carnegie Melon University, and Jennifer Henrichsen from the University of Pennsylvania.

"Policies have an average word count of 1,750 and take seven minutes to read," researchers said. "The policies were written such that one might need a two-year college education to understand them."

In addition, only 11% of third-parties seen tracking users on an adult web page were also listed in a site's privacy policy, meaning there's a lot of user tracking going on that's not disclosed to users.

Trackers! Trackers everywhere!

But while some sites bothered to set up a privacy policy, some didn't, at all, opting to deploy various trackers in the site's source code or use technology that silently collected data about users' behavior.

Per the research team, Google-related scripts were found on 74% of the 22,484 adult sites, followed by exoClick (40%), Oracle (24%), JuicyAds (11%), and Facebook (10%).

porn-top-10-trackers.png

Image: Maris et al.

"Our results indicate tracking is endemic on pornography websites," the research team said. "93% of pages leak user data to a third-party; the pages that leak data do so to an average of seven domains; 79% have a third-party cookie (often used for tracking); of the pages with cookies, there is an average of nine cookies; and only 17% of sites are encrypted, allowing network adversaries to potentially intercept login and password details."

Further, researchers said they also looked into the companies behind the tracking domains. In total, they identified 230 companies that tracked users, but there were only a few big players, which aggregated most of the data.

"Thee majority of non-pornography companies in the top ten are based in the U.S., while the majority of pornography-specific companies are based in Europe," researchers said. "One reason may be differing cultural and commercial norms towards sexual content. In the U.S., many advertising and video hosting platforms forbid 'adult' content."

"Thus, Google refuses to host porn, but has no limits on observing the porn consumption of users, often without their knowledge," researchers said.

Site URLs leak sexual preferences

But according to researchers, one of the worst parts was that tracking scripts would record the URL of a page a user accessed on adult sites.

This is normal tracking behavior for any analytics provider, but the structure of some adult sites' URLs created problems because it would reveal the nature of the material the user was viewing.

Any third-party observer analyzing these URLs would learn the sexual preferences or viewing habits that users would most likely want to be kept private, and not associated with advertising profiles.

From a sample of random sites they analyzed, researchers said that almost 45% of adult sites used URL structures that exposed users' sexual preferences.

The conclusions of this research are that users should invest into an ad blocker or any similar technology that ensures the user's privacy while navigating the web, especially if they want to keep their porn viewing habits private. Using a browser's private browsing mode did not help, as these are not designed to isolate the user from web trackers, but rather avoid leaving footprints in a browser's local history.

More details are available in a white paper entitled "Tracking sex: The implications of widespread sexual dataleakage and tracking on porn websites."

Related cybersecurity coverage: