Data about porn features in this guest post on from our colleague John Carr in London. John is one of the world’s leading authorities on children’s and young people’s use of digital technologies. He is Senior Technical Adviser to Bangkok-based global NGO ECPAT International. John is also Technical Adviser to the European NGO Alliance for Child Safety Online, administered by Save the Children Italy. He is an Advisory Council Member of Beyond Borders (Canada). We have featured other posts from John on the Online Harms White Paper, Age verification and UK obscenity law.
Facebook and Google have very strict rules about porn. Essentially it is banned from both platforms. Here is what Google says
Sexually Explicit Material
“Do not distribute sexually explicit or pornographic material. Do not drive traffic to commercial pornography sites”. (emphasis added)
Here is Facebook’s policy
Adult nudity and sexual activity
“We restrict the display of nudity or sexual activity because some people in our community may be sensitive to this type of content. Additionally, we default to removing sexual imagery to prevent the sharing of non-consensual or underage content. ” (ditto)
And yet
Leaving aside Facebook’s absurd, transparently phoney use of “our community”, these policies are reasonably clear. Yet as research published last week shows they do not seem to have stopped either company collecting data on a significant scale from porn sites via trackers they themselves put there.
I cannot imagine many users of a pornographic site knowingly consenting to Facebook or Google picking up information about their porn habits. On the contrary, if they thought there was any possibility those data could be linked to other aspects of their online lives, particularly their online life with Facebook and Google, they would vigorously object. If these companies know this, why do they do it? On what legal or ethical basis? I cannot imagine it is happening within the EU. I will ask both companies to confirm that is the case. But should it be happening in any jurisdiction? No.
As you will see, by a country mile Google is the largest collector of data of this kind. Though, to be fair, they are probably the largest collector of data across every category of web sites.
I’m sure I won’t be alone in wondering, what Google and Facebook actually do with data they collect from such expressly forbidden places?
Have pyschoanalytics reached a point where knowing a person’s sexual interests or the details of the frequency and timing of their visits to particular types of sexual sites, allows one to infer that they are likely to respond to advertisements for scuba diving holidays or cookery books? Answers on a postcard please to the usual address.
New Scientist reveals all!
An article in this week’s New Scientist caught my eye with this rather striking headline“Most online pornography sites leak user data”. The headline in the online article is different – it says “Thousands of pornography sites leak data to Google and Facebook”). Not sure “leak” is the right word if trackers are in place. I mean Facebook and Google are not hacking.
I’m aware that New Scientist has not always been a reliable witness on the question of porn on the internet. So, I went to the original source, a research article published by Jennifer Henrichsen of the University of Pennsylvania, Timothy Libert of Carnnegie Mellon and Elena Maris of Microsoft Research. The research was carried out in March, 2018 using a computer based in the USA. That was pre-GDPR but anyway since the test machine was in the USA it would not have applied.
Here is the opening Abstract
“This paper explores tracking and privacy risks on pornography websites. Our analysis of 22,484 pornography websites indicated that 93% leak user data to a third party (ditto). Tracking on these sites is highly concentrated by a handful of major companies, which we identify. We successfully extracted privacy policies for 3,856 sites, 17% of the total. The policies were written such that one might need a two-year college education to understand them.
Our content analysis of the sample’s domains indicated 44.97% of them expose or suggest a specific gender/sexual identity or interest likely to be linked to the user. (ditto) We identify three core implications of the quantitative results: 1) the unique/elevated risks of porn data leakage versus other types of data, 2) the particular risks/impact for vulnerable populations, and 3) the complications of providing consent for porn site users and the need for affirmative consent in these online sexual interactions.
Not so incognito
Brace yourself for the authors’ introductory paragraph
“One evening, ‘Jack’ decides to view porn on his laptop. He enables ‘incognito’ mode in his browser, assuming his actions are now private. He pulls up a site and scrolls past a small link to a privacy policy. Assuming a site with a privacy policy will protect his personal information, Jack clicks on a video. What Jack does not know is that incognito mode only ensures his browsing history is not stored on his computer. The sites he visits, as well as any third-party trackers, may observe and record his online actions. These third-parties may even infer Jack’s sexual interests from the URLs of the sites he accesses. They might also use what they have decided about these interests for marketing or building a consumer profile. They may even sell the data. Jack has no idea these third-party data transfers are occurring as he browses videos.”
Sexual privacy
“Sexual privacy sits at the apex of privacy values because of its importance to sexual agency, intimacy, and equality. We are free only insofar as we can manage the boundaries around our bodies and intimate activities… It therefore deserves recognition and protection, in the same way that health privacy, financial privacy, communications privacy, children’s privacy, educational privacy, and intellectual privacy do.”
That’s a quote cited in the main article. There’s a lot in it that makes sense but does “sexual privacy” truly sit at the apex of privacy concerns? Maybe not, but it definitely should rank equal with the others mentioned. In fact in the EU it probably already does. Unless someone has given “express consent”, under Article 9 of the GDPR collecting or otherwise processing information about someone’s “sex life or sexual orientation” is prohibited. The researchers appear to approve of the GDPR’s provisions. However, they note (a) they do not apply worldwide and (b) it is still too early to say what impact they will have.
Where does this leave age verification?
When the UK children’s organizations’ began their campaign to advance children’s well-being by restricting under 18s’ access to porn sites, one of the arguments most frequently trotted out by the anti-age verification (av) lobby was that, inevitably, av would lead to “Ashley Madison” scenarios. People with minority or very particular sexual appetites would be rendered especially vulnerable.
These suggestions were based on the idea that porn companies themselves or hackers could and would make unauthorised linkages between data rendered to an av supplier and data collected by porn publishers. And if the porn publisher and the av supplier appeared to have any sort of business or other connection with each other then, well, what more needed saying? A whole profile of your sexual preferences could be built, with potentially terrible consequences even if Ashley Madison never reappeared.
The fact that making such linkages is illegal in the EU and probably many other places, was glossed over or ignored. As was the fact that with some of the available av solutions – perhaps the ones that will come to dominate the av market – such linkages will be technically impossible even if anyone tried.
Where were those same voices before we started trying to defend children by campaigning to get av introduced? Where was the searching critique of the status quo? Everything was fine with porn sites until we hoved into view? Porn sites as they exist today speak of liberty and liberalism? We are the forces of reaction? I don’t think so. Even if nothing else changed, how exactly would av make things worse than they are now and have been for very many years?
If you value your privacy stay away from porn sites
The great majority of porn sites describe themselves as being “free”. They aren’t. You just pay in a different way. You pay with your data, not cash upfront. As the research shows, 93% of sites are collecting and passing on information about your porn consumption. I am surprised 7% of sites seemingly aren’t. But either way the porn consuming public will be shocked at what the research shows.
If you value not only your “sexual privacy”, but privacy of any kind, porn sites are probably the last places you should go. They are selling you, if not down the river, then certainly to entities paddling in its watery and muddied margins.
Approached correctly, av offers to protect children. It could also open a pathway to a greater degree of user privacy than has ever existed for people who visit porn sites. That’s never been one of my major objectives in life but then it’s funny how things can turn out.
What is to be done?
In descending order of threat to the existing, data-driven business model of porn sites, perhaps they could be required to run large, unmissable banner headlines on their landing page, with reminders every 5 minutes, telling viewers, if it is the case, that on this “free”site information is being collected about what they are looking at, making clear that it may be used to build or add to an advertiser’s profile of them. It could be argued this should happen on every web site that is linked to sensitive data. I’d be OK with that.
Perhaps porn companies could be required to provide a prominently displayed one-click tool as an option to prevent any personally identifiable information being transferred to or collected by anyone. Either of these could destroy or radically reshape the current predominant business model. I sense there is a certain inevitability about it. The smart purveyors of porn will already be working out what to do next to stay alive.
