117 comments

[ 2.9 ms ] story [ 183 ms ] thread
Direct link to the underlying paper:

https://arxiv.org/abs/1907.06520

The "even in incognito mode" part seems odd:

> What Jack does not know is that incognito mode only ensures his browsing history is not stored on his computer. The sites he visits, aswell as any third-party trackers, may observe and record his online actions

Yeah, a bit misleading, given that incognito mode doesn't share cookies (but does disk cache!) with the main profile. It's correct that they "may observe" as in "the browser still sends requests", but unless they do additional fingerprinting or use other information to correlate (IP), they can't easily connect the two observed users.

It may be useful to tighten up anti-tracking-tech in incognito windows. Currently, since plugins aren't enabled in incognito windows by default, it has the opposite effect: while your cookies are hidden, you're loading each and every tracker when in incognito mode.

I think it's not that odd. People assume that incognito means, well, "incognito" – like "anonymous browsing". But there are obviously more ways to identify a user besides cookies that are cleared/reset when incognito mode is closed and re-opened.

Edit: To clarify: The easiest would be an IP address check. More sophisticated techniques are browser fingerprinting. And I think there's no reason to assume that Google/Facebook/AdTech companies DON'T use these techniques.

> To clarify: The easiest would be an IP address check. More sophisticated techniques are browser fingerprinting. And I think there's no reason to assume that Google/Facebook/AdTech companies DON'T use these techniques.

Regarding IPs: it would be legally problematic and might be exposed leading to terrible press, large fines and a strong argument for more regulation, so there's a lot of incentive not to use it, and I'm not sure they would even need it given the vast amount of information they have on users.

Regarding fingerprinting: I believe somebody would have noticed. Google and FB are generally scrutinized much more than a random small ad-tech vendor.

Sorry, are you serious or is this sarcasm? Facebook has shown in the recent months that they try to obtain data about users in every possible way. Collecting and comparing the IP address is the simplest exercise in the book. This, of course, is probably sold as "making your account more secure".

It's incredible that on a site like HN people truly seem to believe that "incognito mode" equals some sort of anonymity and that there is such as thing like goodwill of Ad companies and that they won't take whatever data that is served on a silver plate (like the IP address).

And you know what's really troublesome? One's sexual preferences are unlikely to change by a lot. Once captured by tracking companies, it's in your profile. Doesn't matter if you prevent tracking later on.

> Collecting and comparing the IP address is the simplest exercise in the book. This, of course, is probably sold as "making your account more secure".

Sure, and if you agree to it, they can. If you don't, however, and somebody blows the whistle, they'll be looking at huge fines in Europe and most of their lobbying will be void because their bought politicians will look very corrupt if they try to stop regulations.

Again, I don't believe that they don't do it because "it's not ethical". Rather, it's going to cost them lots of money if they do and get caught (and lots of good will, too), and I doubt that they need it. IPs would be another data point, but they have so many already that it may not add as much value. That's for FB, Google & co, of course, for small ad-tech companies it's different.

> Once captured by tracking companies, it's in your profile. Doesn't matter if you prevent tracking later on.

That's true, and the reason why you'd want to disable tracking completely. As a user, you gain nothing from companies being able to track you, but you lose plenty. Again, I'm not suggesting that companies aren't tracking users, I'm saying that Google and FB are likely not operating that obviously that far outside the law. They can, sure, but they'll need to run a large conspiracy to keep it secret, and large conspiracies are hard and rare.

Facebook collects phone numbers of random people, if a FB user uploads their contact list.

Facebook collects data in shadow profiles.

Facebook collects login credentials for email accounts.

Facebook asks for phone numbers for "two-factor authentication" and then uses it in different ways.

Similar for Google. Most default options are enabled if you set up an Android phone (and these options and settings track you). Opt-in? Off by default? Nothing. Just to name one example.

Dark patterns to give consent everywhere, like buttons suggesting that opt-in is the only way to do it and so on.

All of this is kinda known, and illegal under GDPR. Consequences so far? None.

I just checked both Firefox and Chrome. When you open an incognito window both show a text snippet explaining what incognito mode is, and both go out of their way to explain that incognito mode does not make you anonymous to the website operator. It only claims to help against local users looking at your browsing history.
Why is that odd? "Incognito mode" is a feature to hide your browsing history locally. Usually this meant hiding your porn browsing from your parents/roommate/etc. Hiding anything from the server was (unfortunately) never a design goal.

The scope of incognito mode has recently expanded, but browsers still trust servers far too much (e.g. the Referrer header still exists, which is designed to leak private information).

Chrome literally says this when you open incognito mode:

> Your activity might still be visible to:

> - Websites you visit

> - Your employer or school

> - Your internet service provider

I remember when they used to also say "secret agents." Then after Snowden that disclaimer went away.
Second author here. The paper is written for a social-science audience (I'm the CS person, hence ACM template), so it is written that way to help get non-experts on board. Otherwise, there is ample research people don't understand how private browsing works, and there are plenty of ways to track people during privacy sessions. There are some very creative people working in adtech today and I don't doubt there are numerous methods that are being used to get around every single protection out there.

I'd vastly prefer that creative energy be directed to socially beneficial ends, but I have respect for the technical chops of people in adtech. However, it is fundamentally depressing that so many smart people spend their lives shattering the bounds of decency to get an ad impression for some useless item that will go into a landfill in 18 months. Aside from privacy the biggest tragedy here is the waste of brainpower spent promoting mindless consumerism in a world rapidly moving towards climate catastrophe.

>Silicon Valley’s biggest companies are always watching you — even when you’re browsing pornography websites in incognito mode.

>You’re in private mode.

>Log in or create a free New York Times account to continue reading in private mode.

You can't possibly make this sh*t up.

Should be easy to avoid with simply using another cookie jar or blocking third-party cookies. It seems the direct connection can only be made when a user is logged into a facebook or google profile. Otherwise the data can not be connected to a personal account without some degree of uncertainty and illegality.

G and F could use other data, like the browser fingerprint, OS information and the IP address to associate the data, which may be illegal, at least in Europe. Thus they probably use some other technique, for example creating pseudonymous shadow profiles and associating them based on similarity. In their front-end the data would just show clusters of profiles, which means they can claim they do not collect personal data, but from a quick glance it would be obvious to see connections between a user and "anonymous" clusters, if the similarity borders on 100%.

Thus a good practice would be to use a different Operating system and browser, together with the usual protective measures.

IP address is a very strong signal and short of Tor you cannot do much about that. I'm hesitant to recommend VPNs just due to the high level of trust you need to have in your provider. It isn't that easy to avoid tracking.
It's funny an article published behind a paywall about facebook and google partnering to track your pr0n use has a message that says, as soon as the page loads, you're in private mode".

NYT has become such a tabloid.

Study is here: https://arxiv.org/pdf/1907.06520.pdf

Now we can have a REAL Discussion.

“Nearly all tracking is by default and governed by impossible-to-read privacy policies. [...] For more detail please see our privacy policy.”

Ironic.

How is this ironic? Having a privacy policy is not the same as having an 'impossible-to-read' one. Also, I doubt the journalists at the New York Times are responsible for what the company's tracking policy is. Are they suddenly not allowed to write about privacy issues?

By this standard nobody would be allowed to talk about climate change, seeing as probably nobody has a 0% impact on climate change.

That's still ironical.

if their claims are valid or not is absolutely unrelated to the irony of that situation though.

Did anyone imply that if the content is 'ironical' we shouldn't write it or discuss it?

It isn't ironic just because they also have a privacy policy. It has to be unreadable to come close to irony.

Lets say that I own a burger restaurant and I tell you that burgers at McDonalds are crap. Would that be ironic? Because that is what you are saying.

> Did anyone imply that if the content is 'ironical' we shouldn't write it or discuss it?

I interpret the original comment:

> Ironic.

as a means to discrediting the journalist. You are right though and instead of "Are they suddenly not allowed to write about privacy issues?" I should have written something along the lines of "Is it suddenly not credible for them to write about privacy issues?"

You’re reading quite a bit into a single word comment. Can we at least agree the juxtaposition of those two sentences is funny?
Tangent: How many here have verified their Phone# for recovery reasons?

Or even installed some apps like true-caller?

Browser finger-printing, 3rd-party tracking or the website itself. Better off with p0rn-torrents' magnet-URLs?

Some privacy tips:

1. Use firefox with multi-account containers, with each domain set to auto-open in a different container (google, gmail, amazon, facebook, youtube, etc.). Make sure you're logged into google only in the gmail container (and not in the google search container), etc.

2. Use uMatrix and uBlock0, and enable limited third-party access using uMatrix dashboard only when a site breaks.

3. Enable DNS over https in firefox

4. Enable privacy.resistFingerprinting in firefox's about:config to thwart fingerprinting

5. Use the tor browser for browsing porn (or any site you really do not want associated with your IP).

Edit: Added resistFingerprinting to the list.

One might think that since browsing privately and securely is such a pain point, there would be more than one product (firefox) to solve the issue. Any HN entrepreneur types out there reading these posts?
Practically speaking, you would have to use Chromium as a base, if you want the product to be successful. And if you do that, Google has a million ways to screw you up. One of the first obstacles you will find will be Widevine. Hardly anyone moves past that point.
Not sure why you got downvoted. Practically speaking, A fully fledged and compliant modern browser would require a team to build if not built off the back of another browser. So either you're a funded non-profit or you need to make money which doesn't seem compatible with privacy on the internet.
Why not use Firefox as a base?
what is a pain about using Tor?
The incessant captchas.
speaking of captchas..

try solving them in chrome, and in firefox on different network and device afterwards.

In firefox i am constantly getting annoying slow ones that fetch new images after marking one.

In chrome i get piss easy fast static ones.

What about Tor Browser?
I have mixed feelings about Tor.
A lot of Tor nodes and endpoints are fairly small in terms of capacity and throughput. Streaming lots of porn vids through them eats up a lot of bandwidth compared to, say, writing emails or browsing darknet markets or reading about Tienanmen Square or something.

Tor has a place, but in most countries regular internet porn isn't seriously illegal. Save the limited Tor bandwidth for people that actually need protection, like gays in the middle east, victims of repressive regimes, etc.

Get a regular VPN, user-agent switcher, etc. for your pronz.

Thank you, a very good point.
Au contraire: More traffic benefits exactly those who need Tor's protection, because it grows the anonymity set. Your streaming innocuous porn over Tor helps to provide cover traffic for e.g. "gays in the middle east" streaming highly illegal porn. Without this cover traffic, Tor would be utterly useless.

So please do stream porn over Tor. Bandwidth capacity on the Tor network is just fine these days, and your use of Tor helps all those who really need the privacy and anonymity Tor can help to provide.

Entrepreneurs go after money to survive, where is money in selling a private browser? Moreover, using some niche addon is a very nice signal to fingerprint one in the ocean of privacy-unaware users.
I wouldn't mind paying 10-20$ per year for a decent browser. At scale it might be profitable.
You should consider donating this money to Firefox.
You say you would, but would you really? Those are two vastly different things.
For 1, I use Temporary Containers[0] and have it set to auto-start and delete the containers as soon as the last related window closes.

It's a PIA for logging into things (e.g.: companies who use three different redirects to three different sub-domains) but that complaint is my fault, based on how I've configured it.

That plus deleting history on close of Firefox isn't enough to thwart the most egregious adversary (e.g.: those with three-lettered names) but should be enough for privacy concerns.

For 2, I might also recommend Canvas Fingerprint Detector[1]. Instead of not replying (which could be, in and of itself, a fingerprint[2]), it generates a random fingerprint signature in response; though, in principle, this might be a tracking vector, as well.

[0] - https://addons.mozilla.org/sv-SE/firefox/addon/temporary-con...

[1] - https://addons.mozilla.org/sv-SE/firefox/addon/canvas-finger...

[2] - https://multilogin.com/how-canvas-fingerprint-blockers-make-...

> It's a PIA for logging into things

...which is why it's probably better to use multi-account containers that isolate and store your cookies in that container, for sites such as gmail that you use a lot. It's very simple to set it up to always auto-open in that container, no matter which container you type the address into.

(comment deleted)
Does the container provide "fake" lowest common denominator environment so that your browser cannot be fingerprinted? Are mouse movements and keyboard typing frequency randomized to avoid matching one's behavior to a subset of all users? If not, you are easy to spot.
You can enable privacy.resistFingerprinting in firefox's about:config to thwart fingerprinting.
We should be pushing for laws against fingerprinting. It was a cool idea, anonymously track users, but in practice it's not anonymous at all. Make a device fingerprint be PII and require tracking tools to get explicit consent before fingerprinting.
(comment deleted)
To add to this, disabling WebRTC when you're not using it (media.peerconnection.enabled in Firefox) is also a good idea as when it's enabled websites can use it to derive your IP address behind a proxy/NAT such as a VPN or a home router to better identify which machine you are. I also turn off WebGL (webgl.disabled in Firefox) because it seems to expose a large attack surface for fingerprinting* but I'm not too well versed on the exact risks of it.

* = According to PanOptiClick.

ublock has an option to disable webrtc ip leak without disabling webrtc entirely.
> 5. Use the tor browser for browsing porn (or any site you really do not want associated with your IP).

And in case the FBI or whatever is running your Tor entry guard, hit it via nested VPN chains.

Maybe some y'all remember the CMU exploit. The FBI got their data, and pwned probably 1000s of onion sites and users.

If those onion sites and users had been hitting Tor through nested VPN chains, probably 90% at least would have been safe.

Tor Project folk like to hate on VPNs, but I'm not aware of any takedowns at that scale which involved VPN compromise.

I'm pro privacy and don't want to say "nothing to hide", but who cares if you browse porn?

As long as it's legal (so barring being in a regressive country where eg. gay porn is illegal), why would you go out of your way to use a VPN for it?

For sure, use DOH and HTTPS sites only, and I can understand if you're a public figure and don't want to accidentally like incest porn on your official Twitter account but beyond that, really who cares. A large majority of people watch and browse for porn, myself and most people in this thread included. Maybe time to dispense with the shame.

Not all porn is equally legal (sodomy, for example). And our society (at least in the US) likes to pretend that it doesn't exist, which means that it's viable ammunition to attack a person's character with, publicly or privately.

So, in practice, this means that these big companies have ammunition which could be used to destroy careers and relationships. Whether used directly or incidentally via a data leak (it's not like those ever happen /s).

Anyone with a publicly-facing job.
Interestingly, I've noticed some adult websites (not necessarily pornography) are requiring Google captcha.

That thing is spreading like weed.

Most of them already have the social sharing buttons. I suspect those are able to catch the vast majority of users who don't use an incognito mode.
Is it just Google Analytics and similar things? Pretty much every website has some tracking of this sort.
I guess you can add browser fingerprinting, etc. which most folks seem to do these days, since there is a cat-and-mouse game of users slowly becoming more privacy sensitive and using basic tools like incognito mode and ad blockers.
Yes, mostly just analytics and standard fare from all websites. For the most part, it's just the regular "Share on Facebook/Twitter/Etc." buttons that you see all over the internet. All of the social media have trackers embedded in those buttons. It's always confused my why anyone would actually share what porn video they were watching with their friends on social media.

The one thing that isn't standard for porn sites is ad serving/tracking. They usually don't use ads served from Google and Facebook, probably because most people don't want their "regular" ads being served on a porn site. So most major porn sites have their own ad system.

Yeah, big players with brand value like Google or FB do not dabble with porn or other socially unacceptable content. At all.
Second-author here. Details are in the paper, but yes, Google Analytics is highly prevalent. Google doesn't allow porn sites to use their ad networks so we didn't find much Double-click, but it is fairly hypocritical to say "we won't show ads on porn sites" while also having no problem allowing porn sites to install your tracking software.
I feel like all these articles follow a pattern: they take a common, well known aspect of technology (in this case, analytics trackers), search for any cases where a major tech company is involved, and come up with the most clickbaity headline possible ("Google and Facebook Are Quietly Tracking You on Sex Websites", when it's actually the website owners adding this tracking code in the first place, explicitly for the purpose of understanding user behaviour.) These headlines are then shared and reshared by nontechnical users, prompting outrage when there isn't a good reason for it.
To be fair, it’s not like Google/Facebook are a neutral party and only collect data to give it to the site owner. They are also complicit because they keep this data for their own purposes.
From the article, I'm a little more worried about Oracle, who refused to comment on the story.

That being said, this isn't really news (to us, at least), but it's good that newspapers keep banging this drum, as I doubt most other people have thought about all the tracking that happens everytime they visit a new site.

Oh leave these people alone. It gives them something to talk about and keeps them off the streets.
I appreciate trackers are "well-known", but only to a specific class of technical individuals. "Nontechnical users" is basically everyone. They have a right to be outraged, especially when a technology is understood asymmetrically well by the class of individuals who exploit this asymmetry to their advantage.

Both the individuals visiting these sites, and possibly even the people making the decision to implement tracking don't know their browsing data is being used for anything other than analytics by the website provider, (if at all by the user, who likely feels safe behind a private browser).

> prompting outrage when there isn't a good reason for it.

Can you expand on why there's 'no good reason for it'?

The equivalent is my peering in your window to see and note down what you rub one out to... every time. And you don't know what I do with that information or where it will leak to.

That sounds perfectly fine to you, does it?

No, the equivalent is you walking into a store to buy DVDs, and the store manager keeping a record of what sells well, and what you show interest in, etc. to drive decisions about what to stock next.
... and then cross-referencing your purchase with everything else you ever purchased. And also every article you ever read. And then selling that information to others.
... and claiming it's not a privacy violation because they don't let the others search for martingoodson, they just offer selection criteria including your age, gender, geographical location, inferred income, inferred religion, inferred skin color, and of course interests.
Can you show me an example of where and how Google or Facebook "sells your information?" i.e. allows others to view that information?
That analogy only works if its only the store manager keeping the records. Whats really happening is the store manager is outsouring his record keeping to a 3rd party who has full access to the data from his store and data from millions of other stores too.
You mean like any big chain or conglomerate or Visa/MasterCard? Consulting/analytics isn't anything new for retail either.
Interestingly this example led to one of America's few, narrowly-focused privacy laws: https://en.wikipedia.org/wiki/Video_Privacy_Protection_Act

> It makes any "video tape service provider" that discloses rental [or sale] information outside the ordinary course of business liable for up to $2500 in actual damages.

It's crazy, we understand that libraries should be barred from handing over our book checkout histories but somehow we allow corporations to do that and much more.
- the user didn't leave his home - he has an 'expectation of privacy' because the tracking is covert - he can't go to a different 'store'... the same covert tracking is in all of them pooling the information
No, the equivalent is you walking into a store to buy DVDs, and the store manager of a nearby store keeping a record of what sells well, and what you show interest in, etc. to drive decisions about what to stock next.
It is actually not like you peering through his window to see and note down what you rib one out.

It's more like when I have a massive orgy with lots of drugs at my place and I invited a bouncer, who is really good at statistics, to keep track of who is coming in and who are leaving immediately. The bouncer is also keeping track of what each person is doing, and letting me know periodically. And you both are invited for a night of drug fueled insane sex.

From my perspective, I am doing this to make sure everyone is having fun at my party. From the bouncer's perspective, he is there just to collect stats and let me know. He is not there to invade my privacy. I want to do that. I hired the bouncer.

I think that is more is an accurate description.

The story is only outrage-inducing because you hired a well-known bouncer whose dayjob - of which everyone is aware - is being a security guard at a mall, observing everyone as they do their groceries and banking.
You are the site owner. The bouncer works for you.

Your users didn't hire the bouncer and don't want to be tracked. Secretly, the bouncer may use this data for nefarious purposes. You can't control how the bouncer will use the data.

Exactly, especially if the bouncer comes to work for you for free. Which is what Google and Facebook analytics platforms do: they are free because they benefit from the collected information in ways beyond your control.
That's the site's perspective.

The outrage is from the user's perspective. It's no different from being peeped on.

Sure. But unless you go balls to the wall about it, you're always being "peeped on" when you're online.
I think that's the broader problem that the article is trying to get at. Pornography is just an example that makes it clearer to people that they should care about it.
What you forgot to mention was that the bouncer does this for free and has a day job publishing tabloids.
And none of the other orgy participants understand this. And OP may not fully understand it either.
My dads mantra used to be, “if it seems too good to be true, it probably is”. Now, I find I must consistently remind him- if it’s “free” (as in beer, not speech) you’re almost definitely paying for it.
Related, when consuming news, if the story seems to involve ridiculous levels of stupidity or malice, the truth is most likely much more mundane and much more reasonable.
There's nothing I enjoy more than a bunch of nerds analyzing a metaphor to death.
> explicitly for the purpose of understanding user behaviour.

Just to be clear, for porn sites that means who likes what sorts of porn.

> Google and Facebook Are Quietly Tracking You on Sex Websites

I kinda prefer it when they make a lot of noise.

It’s actually the website owners and Googbook tracking you. The headline may be incomplete but it’s not inaccurate. And “porn site operators track how you use their sites” is pretty mundane.

Pretty much everyone knows that sites can track your usage. It’s surprising that Googbook is also being given all the data on the porn you watch.

Second-author here, I have a few rebuttals to these points.

First, there is also a wider pattern in the US when it comes to privacy/computer legislation. We tend to have sectoral-focused laws which are often a response to media events, real and fictional. For example, Computer Fraud and Abuse Act was a response to the movie War Games. Video Privacy Protection Act was in response to a supreme court nominee's video rental history being leaked to the press. Children's Online Privacy Protection Act was partially spurned by concerted reporting (sometimes sensational) on risks to children online. So the pattern you are seeing is part of a larger system which often does produce real change, it is just a slow process. The press is called the "fourth estate" because they play an important part in the democratic process, which is what you are observing here.

Second, it is the very ubiquity of the systems these companies deploy which makes it possible to choose a given context (health, sex, etc) and find a privacy-violating technology. I'd love it if when I did these scans I turned up nothing, but the same set of bad actors are always to be found. Likewise, the definition of "well-known" on hacker news is far, far, far different from what a normal Internet user has any clue of. We have 20+ years of research showing people fundamentally don't understand this stuff, and just because you don't have a CS degree doesn't mean you don't have privacy rights.

Last, there is very good reason for outrage for many people. There are many places in the world you can be killed for being LGBTQ. Likewise, there are many state intelligence agencies that piggy-back on online tracking (see NSA/Doubleclick cookie), and some governments actively go after LGBTQ people. Even without state intel there is a long history of sexual data being leaked online. People killed themselves as a direct result of the Ashely Madison leak, and if any of these tracking companies porn sites - many of which do not have the security team of a FAANG - get hacked, people who are already marginalized by their societies may be at extreme risk.

Even if the Google Analytics is breached and the data is published online, you can't be tracked back to the things that you watched online.
But every big site is riddled with trackers. Why single out pornography websites?
Second author here, see replies above. TDLR: biggest reason to single out porn is what you view may reveal your sexual orientation, depending on where you live that can get you killed.
Somewhere at Google, someone has a Google Map showing who is consuming porn at what moment.
Pornhub probably has such a map, and their data analysis on Pornhub Insight is always a great read [0].

Of course google connecting porn searches with your other behavior is another level of scary.

0: https://www.pornhub.com/insights/ (sfw)

That is indeed fascinating.

"Thanks to a Facebook event called “Storm Area 51” ...

Since July 12th, searches for “Area 51” have surged from zero to 160,000 in just 4 days. July 16th alone had nearly 59,000 searches.

...

The most popular alien related search is “alien impregnation” followed by “alien sex”. Other interesting searches include “alien belly” (a reference to the scene from the original 1979 Alien movie?), “alien eggs”, “alien abduction” and “alien probe”. "

So I always suspected, that the internet is a weird place, but good to have data to back that up.

But seriously, out of porn consumption statistics, you can get a deep analytical experience of the population. So yes, it is scary, if some companies have all that knowledge.

> But seriously, out of porn consumption statistics, you can get a deep analytical experience of the population. So yes, it is scary, if some companies have all that knowledge.

Indeed. It gives you insights that are otherwise hard to get.

Like predicting the viewership of events based on traffic changes like these:

https://cs.phncdn.com/insights-static/wp-content/uploads/201...

Or how many people care about a solar eclipse:

https://cs.phncdn.com/insights-static/wp-content/uploads/201...

Or these graphs:

https://cs.phncdn.com/insights-static/wp-content/uploads/201...

https://cs.phncdn.com/insights-static/wp-content/uploads/201...

https://cs.phncdn.com/insights-static/wp-content/uploads/201...

And all of those graphs are just scratching the surface. For example they seem to have good data on age, gender and sexual orientation (likely from signed up users and statistical inference), which allows them to say what percentage of lesbians aged 30-40 living in Minnesota watch solar eclipses or watch the royal wedding.

I would be curious how they get the age data, though. Do they have the connection to facebook?
> Pornhub probably has such a map

Or rather MindGeek, who owns pornhub.com, redtube.com, youporn.com, tube8.com, brazzers.com, xtube.com, spankwire.com, extremetube.com, keezmovies.com, pornmd.com, thumbzilla.com, realitykings.com, mydirtyhobby.com, seancody.com, men.com, digitalplayground.com, mofos.com, babes.com, gaytube.com, twistys.com, peeperz.com, sextube.com, porniq.com, and webcams.com.

They also run their own ad network called TrafficJunky.

Why would anyone expect porno sites to track users less than The NY Times (for example) does? I mean, it's not like they're your friends.
Second author here. Many people carry over 'real world' privacy expectations to online interactions, often unwittingly. While this may be technically naive, I don't think it is wrong for people to assume established social norms around sex and privacy, which have existed for millennia, are suddenly null and void b/c they go online. Porn stores in real life often have curtains, dark windows, etc. to protect privacy, and some people likely have that mental model ingrained, even if they do have a suspicion they are being tracked.
I suppose. But I'd think that people would know by now that online tracking is ubiquitous. Arguably there are no "established social norms" online. That's one huge advantage, when it's about accessibility of stuff that's verboten or restricted in your society. Such as, for example, porn.

But it cuts both ways, of course. So established social norms about privacy are also widely ignored. The fundamental business model is based on violating users' privacy. Two of the largest online businesses, Google and Facebook, rely on monetizing the violation of users' privacy.

So yeah, perhaps it's understandable, but it's gobsmacking naive to think that online porn would be an exception.

I fully agree, but people are often capable of knowing something abstract is true in general (web is full of tracking), but often fail to make the cognitive step to apply those facts to the specific case (there is tracking on porn sites).

Nearly 20 years ago I worked as a Dell phone support technician for a few months and it was the best learning experience I've ever had in terms of understanding what the "average" person can actually comprehend. I think many technical people have experience with non-technical people who are otherwise fairly educated and clever (eg parents/grandparents), but there are a lot of people who have difficulty with the concepts, let alone the details. I think those people still deserve privacy.

I agree that they deserve privacy.

I just think it unrealistic to expect that they'll get it.

And it's also arguably unrealistic to expect that they'll learn how to take it. So for sure, jawboning is also a viable option.

Second author here, I'm busy for the next couple hours, but happy to AMA. Put any questions here and I will reply as I'm able.
This is a great example that should be used more often when communicating the risks and privacy violations and implications these ad trackers have.

Its disturbing to know that Google and Facebook have access to all this - they indeed know more about you, then you yourself.

To be fair, I always use incognito mode when using this kind of website, but Google can probably track me through the IP address I guess.

And I also use PiHole at home.

Second-author here. Thanks! One reason I initiated this research was trying to find ways to reach people who may be jaded about privacy. Sex usually wakes people up. :-)
The industry has moved from pay sites and piracy where you wouldn't track people to free porn sites that are ad supported. Obviously it's easier to use the free sites so the data tracking is not surprising.

If you don't want to be tracked, pay for your porn. Or pirate it.

I agree with you, but remember that VISA/Mastercard/etc are selling your purchases to whomever would like to buy them.
A large chunk of the traffic is Google Analytics and various APIs, so even if you pay you will almost certainly be tracked by Google. Piracy obviously has its own risks.
Have people stopped using usenet and bittorrent to get these things? I prefer SFTP. No HTML, no ads, no MITM. Mumble servers + SFTP servers are a good combo to decentralize the most important part of the web (porn).