Tales from the Porn: A Comprehensive Privacy Analysis of the Web Porn Ecosystem

Pelayo Vallina, IMDEA Networks Institute / Universidad Carlos III de Madrid
Álvaro Feal, IMDEA Networks Institute / Universidad Carlos III de Madrid
Julien Gamba, IMDEA Networks Institute / Universidad Carlos III de Madrid
Narseo Vallina-Rodriguez, IMDEA Networks Institute / ICSI
Antonio Fernández Anta, IMDEA Networks Institute

ABSTRACT

Modern privacy regulations, including the General Data Protection Regulation (GDPR) in the European Union, aim to control user tracking activities in websites and mobile applications. These privacy rules typically contain specific provisions and strict requirements for websites that provide sensitive material to end users such as sexual, religious, and health services. However, little is known about the privacy risks that users face when visiting such websites, and about their regulatory compliance. In this paper, we present the first comprehensive and large-scale analysis of 6,843 pornographic websites. We provide an exhaustive behavioral analysis of the use of tracking methods by these websites, and their lack of regulatory compliance, including the absence of age-verification mechanisms and methods to obtain informed user consent. The results indicate that, as in the regular web, tracking is prevalent across pornographic sites: 72% of the websites use third-party cookies and 5% leverage advanced user fingerprinting technologies. Yet, our analysis reveals a third-party tracking ecosystem semi-decoupled from the regular web in which various analytics and advertising services track users across, and outside, pornographic websites. We complete the paper with a regulatory compliance analysis in the context of the EU GDPR, and newer legal requirements to implement verifiable access control mechanisms (e.g., UK's Digital Economy Act). We find that only 16% of the analyzed websites have an accessible privacy policy and only 4% provide a cookie consent banner. The use of verifiable access control mechanisms is limited to prominent pornographic websites.

CCS CONCEPTS

• Security and privacy → Human and societal aspects of security and privacy.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
IMC '19, October 21–23, 2019, Amsterdam, Netherlands
© 2019 Association for Computing Machinery.
ACM ISBN 978-1-4503-6948-0/19/10...$15.00
https://doi.org/10.1145/3355369.3355583

1 INTRODUCTION

Pornographic (porn) websites are among the most visited and lucrative online services since the early days of the World Wide Web [91]. Pornhub, the most visited porn website according to Alexa's domain rank [4], had 33.5 billion visits and was returned in 30.3 billion web searches in 2018 [72]. MindGeek, Pornhub's parent company, has reported over half a billion dollars of revenue in the 2015 fiscal year [56].

Modern privacy regulations like the EU General Data Protection Regulation (GDPR) [32] and California's Consumer Privacy Act (CCPA) [18] consider sexual information of an individual as highly sensitive data. All these privacy regulations require organizations with an online presence to request informed consent from users prior to any data collection [18, 32, 44, 46]. However, as in the case of regular websites, pornographic ones also integrate third-party components – e.g., advertising and analytics libraries – with the capacity to track users' interaction with such services and, therefore, potentially infer a visitor's sexual orientation and preferences. The collection of this information, in addition to the absence of secure network protocols like HTTPS, could put visitors of those websites at risk, especially those connecting from countries where certain sexual orientations are prosecuted [16, 39, 42, 77, 84].

Despite the many research efforts that have taken place in the last decade to identify and quantify the presence and use of tracking technologies in the web, no study has yet dived deep into the privacy risks of sensitive websites, like pornographic ones. It is unclear, as a result, whether pornographic websites can pose a privacy risk to their visitors, and if they comply with the provisions set both by privacy regulations and by newer rules to control minors' access to adult content like the UK's Digital Economy Act [53]. In fact, anecdotal evidence suggests that there are significant differences between the third-party organizations operating in the porn and the regular web tracking industry [11] as large online ad networks such as Google Ads set strict constraints for porn-related publishers, prohibiting the advertising of adult-oriented products and services [39]. These restrictive terms of service – possibly driven by fear of damaging their brand reputation – opened new market opportunities for other actors who have specialized in providing advertising and tracking technologies to adult sites. This context has created, as a result, a parallel ecosystem of third-party service providers in the porn ecosystem that has not been scrutinized by regulators, policy makers, and the research community.

In this paper, we develop and use a methodology to perform the first holistic analysis of pornographic websites from a privacy, transparency, and regulatory compliance perspective. Our main contributions are:

• We design a semi-supervised method to compile a representative sample of pornographic websites using publicly available resources (Section 3). After manually inspecting and removing false-positives, we identify 6,843 different pornographic websites.
• We develop and use a methodology to study the presence of third-party services in the porn ecosystem (Section 4). We compare the presence of third-party services present in pornographic websites with those embedded in the most popular websites according to Alexa's rank. We find 3,673 third-party services embedded in porn websites, including companies specialized in the porn industry (e.g., ExoClick), well-known advertising companies (e.g., DoubleClick), analytics services (e.g., Google Analytics), and domains associated with data brokers (e.g., Acxiom). 84% of the third-party services embedded on pornographic websites do not appear in the most popular non-pornographic websites.
• We study the behavior of pornographic websites and the third-party tracking services embedded in them (Section 5). We find the presence of third-party HTTP Cookies in 72% of the analyzed pornographic websites, while 5% of them also use advanced fingerprinting techniques like Canvas Fingerprinting to identify visitors uniquely. Interestingly, 91% of the scripts we found using canvas fingerprinting are not indexed by EasyList and EasyPrivacy [25].
• We quantify behavioral differences on porn websites depending on the user's location and jurisdictional area (Section 6). We conclude that the number of third-party services is quite stable across countries, yet there

protect consumers' privacy and digital rights. New comprehensive data protection laws such as the European General Data Protection Regulation (GDPR) – which became effective on May 25th, 2018 [20] – aim to bring transparency to web services and to empower users with control over their personal identity in the web and beyond. In the case of online services, this objective is achieved by forcing companies with a digital presence to obtain explicit consent from any European visitor before collecting, processing, or sharing personal data on their sites. The GDPR, which will be complemented by the ePrivacy directive in 2019 [19, 30], also gives users the right to access, correct, and delete their personal data collected by online services, revoke their collection consent at any time, and object to automatic data processing.

In the context of pornographic websites, the GDPR imposes additional requirements and restrictions on data controllers due to the sensitive nature of their services. Article 9.1 [32] of the GDPR states that “processing of data concerning a natural person’s sex life or sexual orientation shall be prohibited.” Until the ePrivacy regulation becomes effective, the GDPR will require website owners to obtain explicit consent from users to install and use tracking methods, such as HTTP cookies, except when it is strictly required to provide a service requested by the user, to fulfill a legal mandate, or to carry out certain transmissions [31].

Similar regulatory efforts are taking place in other jurisdictions that used to have a traditional laissez-faire attitude towards privacy. Notable examples are California's Consumer Privacy Act [18] (CCPA) (passed in June 2018), the Japanese Act on Protection of Personal Information [46] (effective since May 2017), and the Indian Personal Data Protection Bill of 2018 (PDP) [44]. All the aforementioned regulations classify and consider information regarding a