Surfing the internet has become the standard way to answer any question, purchase anything, and generally fill the idle corners of your day. In that solitary dialogue between your brain and the screen, it feels like whatever you view is yours and yours alone. But contrary to that feeling of privacy, your internet browsing is constantly being tracked by companies who are building an online profile of you.
This may not bother you when shopping for jeans or looking up movie times, but what about when you’re researching sensitive medical information, or viewing things of a private sexual nature?
A forthcoming study — authored by Annenberg School for Communication alumni Elena Maris (Ph.D. ’18) and Timothy Libert (Ph.D. ’17) and doctoral candidate Jennifer R. Henrichsen — analyzed over 22,000 pornography websites and found that 93% of them were sending user data to at least one third party. Google alone was tracking users on nearly 75% of the sites studied.
To make matters worse, many sites’ privacy policies failed to mention the presence of third party trackers, and some sites lacked privacy policies altogether.
The research began when Libert, now core faculty at the CyLab Security and Privacy Institute at Carnegie Mellon University, contacted fellow students at Annenberg about a collaboration on privacy and pornography. Currently a postdoctoral fellow with Microsoft Research’s Social Media Collective, Maris, who focuses on the relationships between media and tech companies and their users, and Henrichsen, who studies the implications of surveillance and tracking on journalists, were excited to work with Libert, who had previously published research on online health privacy.
“Particularly in studies of technology and the internet, both technical and cultural sensibilities are needed to make sense of the complex challenges of the digital age,” says Maris. “Our study is a great example of the rich collaborative work that can emerge when people working with different methodologies and areas of expertise come together to think about the same problem.”
Using webXray and policyXray, software developed by Libert, the researchers were able to identify third party trackers present on pornography sites and extract sites’ privacy policies. The team then analyzed the data, finding an overwhelming lack of privacy and lack of transparency about privacy on these adult websites.
L to R: Elena Maris, Timothy Libert, Jennifer R. Henrichsen
Why should we care? The researchers cite three main reasons:
First, the authors highlight the need for affirmative consent in all types of sexual activity. Watching porn falls into this category, they argue, and therefore, the lack of transparency around what information is being shared with third parties is problematic.
Second, the researchers point out that while everyone should have control over all of their personal data, certain types of information carry more risk. According to their findings, approximately half of the pornography sites analyzed have URLs that reveal a specific gender and/or sexual preference, identity, or interest.
“In the U.S., you can be fired for being LGBTQ in a number of states,” Maris says. “That alone demonstrates a severe potential consequence of a leak that revealed someone’s history of browsing gay porn sites. And legal ramifications may be even more serious in other international contexts.”
Lastly, the authors discuss the larger implications for privacy across the web. Maybe you don’t watch pornography, but you’re likely accessing some kind of content online that you consider personal or sensitive. Even if you’re using a browser with an enhanced privacy setting, like Google Chrome’s incognito mode, you’re still susceptible to online tracking.
“People often assume that using private browsing modes protects them,” Henrichsen says, “but that primarily limits your browsing history from being stored on your personal computer. In reality, private browsing modes offer little to no protection against tracking more generally. The ecosystem for tracking is vast and ever-changing, so it is incredibly difficult to truly avoid being tracked online.”
According to the researchers, new laws are needed to remedy the situation. Presently, websites are strongly encouraged, but not exactly required, to have privacy policies, and the enforcement around this is hazy. Often, when privacy policies do exist, they are written in hard to understand language.
“Our study is further proof that the current model for privacy self-regulation in the U.S. is a failure,” says Libert. “And recent FTC fines against internet companies are wholly insufficient to curb objectionable behavior. Any solutions which place the burden of privacy protection on user actions are likely to be flawed from the start.”
The authors point to the European Union’s General Data Protection Regulation (GDPR), which has specific protections for sexual life and orientation, as a step in the right direction for online privacy. But they caution that the U.S. still has a long way to go to achieve anything similar.