Internet 12.11.2015

Your online porn history with your name leaked online: experts comment


If you are viewing porn online in 2015, even in Incognito mode, you should expect your viewing history to be released and attached to your name at some point.

This is according to IT expert Brett Thomas, who said in February 2015 that it is not difficult to link the logs of porn website visitors to the logs of another website where you can be identified.

“If a malicious party obtained identifiable access logs for just one of the websites that know your name, and view logs for just one of the adult websites you’ve visited, it could infer with very high probability a list of porn you’ve viewed,” he said.

“At any time, somebody could post a website that allows you to search anybody by email or Facebook username and view their porn browsing history.”

His prediction made headlines again recently after Malwarebytes warned that high-profile porn sites served advertisements with malware attached to them.

The SSL malvertising campaign checked the user’s browser, and their security products, to launch an attack by directing a user to a fraudulent page.

Thomas’s conclusions dangerously misleading: Pornhub

Adult website Pornhub dismissed these concerns, saying Thomas’s conclusions are false and misleading.

Pornhub told Motherboard it does not store users’ viewing histories, as doing so would take up too much space.

“Pornhub’s raw server logs contain only the IP and the user agent for a very limited time, never a browser footprint,” said Pornhub.

Xvideos states in its privacy policy it also does not record its unregistered users’ IP addresses or activity.

“The voting, and generally clicking anywhere on the pages, cannot be tracked down to an individual,” said Xvideos.

Porn viewers’ browsing habits not very private

Motherboard reported that all the security experts it spoke to said porn viewers’ browsing habits aren’t nearly as private as they think.

Justin Brookman, a privacy expert at the Center for Democracy and Technology, told Motherboard that Thomas has a legitimate concern.

“Private browsing modes don’t prohibit all cross-service tracking mechanisms,” said Brookman.

Motherboard conducted its own privacy investigation, and found that most top porn websites have tracking elements installed.

Visitors’ data was transmitted to third-party corporations like Google and industry-specific ad services like Pornvertising and DoublePimp, it stated.

What is clear is that visitors to porn websites do not enjoy complete privacy, and that their data is shared with third parties.

Don’t worry too much about porn website hacks: South African security expert

SensePost CTO Dominic White said that Thomas’s concerns are a bit of a stretch. “They’re ignoring some specifics,” said White.

He said most sites only collect normal web server logs, and that advanced tracking isn’t built or logged by most web servers or apps.

That means all the server is storing about you is your IP, the URL you requested, and your User Agent (UA) string.

“The UA provides your browser, browser version, OS, and OS version. For most users, they’ll be using common browsers on common OSs, and will be behind a NAT’ted or dynamic IP,” said White.

That means there are only a few edge cases – like uncommon browser-OS configurations, or static or NAT breakout IPs with very few users – that get close to identifying a user.

“In the case of a large corporate with a standard laptop build and a single breakout IP, or our local mobile networks that do the same, you’ll be a needle in a haystack.”

Advanced browser fingerprinting techniques a bigger threat

White said there are more advanced browser fingerprinting techniques that can be used, like Panopticlick – which Thomas refers to.

However, most sites don’t do advanced fingerprinting, and don’t store it. “He also makes his claims excluding supercookies.”

This means that unless a combination of your IP address and UA is unique, you are safe.

“The large majority of people’s IP/UA combinations are not unique, and the advanced techniques he talks about aren’t employed by most places.”
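A site operator can test the IP/UA argument against its own access logs before deciding what to retain. The sketch below is an added example, not code from the article or from anyone quoted in it; the log lines are constructed and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache/nginx "combined" format (RFC 5737 addresses).
SAMPLE_LOG = '''\
203.0.113.5 - - [12/Nov/2015:09:00:01 +0200] "GET /v/1 HTTP/1.1" 200 900 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/46.0"
203.0.113.5 - - [12/Nov/2015:09:00:07 +0200] "GET /v/2 HTTP/1.1" 200 900 "-" "Mozilla/5.0 (Macintosh) Safari/9.0"
198.51.100.7 - - [12/Nov/2015:09:01:13 +0200] "GET /v/3 HTTP/1.1" 200 900 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/46.0"
192.0.2.44 - - [12/Nov/2015:09:02:40 +0200] "GET /v/4 HTTP/1.1" 200 900 "-" "Mozilla/5.0 (X11; OpenBSD amd64) Firefox/38.0"
not a log line
'''

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')

def pairs(log_text):
    """Return the set of (ip, user_agent) pairs; malformed lines are skipped."""
    found = set()
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            found.add((m.group(1), m.group(2)))
    return found

def distinctive_pairs(log_text):
    """Pairs whose UA is seen from one IP only and whose IP shows one UA only.

    Heuristic: a log cannot count the people behind an address, so this marks
    the edge cases (rare UA on an unshared-looking IP), not proven identities.
    """
    ips_per_ua, uas_per_ip = defaultdict(set), defaultdict(set)
    seen = pairs(log_text)
    for ip, ua in seen:
        ips_per_ua[ua].add(ip)
        uas_per_ip[ip].add(ua)
    return sorted(p for p in seen
                  if len(ips_per_ua[p[1]]) == 1 and len(uas_per_ip[p[0]]) == 1)

def distinctive_share(log_text):
    """Fraction of distinct pairs that the heuristic marks as distinctive."""
    seen = pairs(log_text)
    return len(distinctive_pairs(log_text)) / len(seen) if seen else 0.0

if __name__ == "__main__":
    for ip, ua in distinctive_pairs(SAMPLE_LOG):
        print("distinctive:", ip, ua)
    print("share: %.2f" % distinctive_share(SAMPLE_LOG))
```

A high share on real logs is an argument for shortening retention or coarsening the stored IP and UA fields.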

White said advanced browser fingerprinting is done by third-party advertising and analytics vendors, though.

“It is very likely that they would be able to do a lot more of this correlation.”

However, they don’t share the individual data about each site visitor with the porn site, so unless you compromise one of them, you aren’t able to do what Thomas claims.

White said he checked Pornhub (with images turned off), and it makes use of the following advertising/analytics trackers:

  • https://apps.ghostery.com/en/apps/trafficjunky
  • https://apps.ghostery.com/en/apps/doublepimp
  • https://apps.ghostery.com/en/apps/google_analytics

Additionally, he did a check across a range of other porn sites, and most of them didn’t implement HTTPS by default.

That means your IP and UA – and the fact that you are accessing porn – are leaking to anyone intercepting traffic between you and the porn site.

“Those people are in a far better position to uniquely identify you – either by virtue of being closer to you – e.g. a corporate proxy would see your internal IP and username – or by analysing traffic flows, and I’d be more worried about them.”

The last word about online porn

White said there is a reason why there’s so much porn on the Internet: it gets high traffic volumes.

“Whatever your personal preferences, let’s not kid ourselves that online porn is some niche thing for deviants,” said White.
