SEX

Your Favorite Porn Site Might Be Vulnerable To Hacking, Surveillance

There's a push underway for adult websites to switch to secure HTTPS connections — but many big players have not

Illustration: R. A. Di Ieso
Jan 31, 2017 at 4:26 PM ET

When someone logs onto a tube site to watch some porn, their biggest privacy concern is usually a nosy parent barging in or a significant other snooping through their browser history. They don’t realize that there is another threat — one entirely impervious to locked doors or deleted browser histories — that risks exposing the most lurid and intimate details of their porn-viewing habits. It’s the fact that so many of the world’s most popular adult websites use unencrypted connections that could make public your every pervy keystroke.

A technologically savvy snooper “can certainly see what sections of the site you visit exactly, what videos you’ve watched — all of that would be available because it’s not encrypted,” said Brian Wesolowski of the Center for Democracy & Technology (CDT), a non-profit working to “promote democratic values and constitutional liberties in the digital age.”

This is why there’s a big push underway for adult websites to move toward HTTPS, a security protocol that encrypts websites so that the details of a user’s online activity are effectively scrambled. Without this protection, a user’s internet service provider — a company like Verizon or Comcast — can see exactly how many times they have watched “The Simpsons XXX” or searched for “granny” porn. That same information could also be exposed to government surveillance or hacking.

Despite all this, few adult sites have made the move to HTTPS — and many of the most popular ones are still unencrypted. That includes sites like YouPorn, XVideos, and RedTube. Sure, plenty offer encryption when processing credit card transactions — for the small percentage of porn viewers who pay for the experience — but they often leave the rest of their sites unencrypted, so a user’s bank information might be protected but not their sexual fantasies.

We have already seen the damage this kind of information can do, thanks to the 2015 hack of the extramarital dating website Ashley Madison. Hackers released detailed private information about 36 million users — including marital statuses, home addresses, and sexual interests. For some, that led to lost jobs and divorce (not to mention exposing conservative reality TV star Josh Duggar, as well as several government officials, as members). Last year, AdultFriendFinder, which dubs itself the “world’s largest sex and swinger community,” was hacked, exposing information on more than 400 million users. Hacks have also exposed information on several hundreds of thousands of users of adult site Brazzers and tube site xHamster.

Of course, all unencrypted websites are vulnerable, but adult ones carry a threat of a unique kind of personal humiliation. “It could wreck their life beyond just ‘I have to cancel my credit cards,’” said Mike Stabile, spokesperson for the Free Speech Coalition, the trade association for the adult industry.

The dangers of exposed porn browsing could extend even beyond destroyed relationships and lost jobs. In some countries, it could in theory even lead to criminal punishment. “The fact of the matter is that some of the content that is served up on adult sites that we would not think is even offensive and is certainly not illegal in the U.S. is, in fact, illegal in other countries,” said Wesolowski.

Take the fact that countries like Iran and Saudi Arabia outlaw homosexuality, and sometimes punish it by death. “If they can identify you as someone who is part of the LGBT community, they can use that against you in court and it could lead to, obviously depending on the country, pretty awful outcomes,” Wesolowski said.

That threat was part of what motivated xHamster to make the switch to HTTPS in the fall. “This is an international company and in a lot of … places pornography itself is illegal,” said spokesperson Alex Hawkins. “It is illegal to be gay. It is illegal for women to expose themselves or access information about sex. We really specialize in user-uploaded videos and so we need to be very protective of their privacy and of the privacy of those visiting.”

These sensitivities are true not just of porn websites but dating websites, particularly “adult” ones, where people list their fetishes and turn-ons. “You’re disclosing not just, say, what image you’re looking at, you’re disclosing your name, your location, your sex, your sexual orientation, what types of activities you’re interested in,” said Wesolowski.

The adult HTTPS movement began in earnest in the fall, after Google released a list of the top-visited sites around the world with and without HTTPS. Two of the biggest categories of sites not using HTTPS were news organizations and adult websites. This alarmed the Center for Democracy & Technology (CDT), said Wesolowski. “We realized, oh my goodness, we need to do both,” he said. So, they started reaching out to news organizations, but also gave a call to the Free Speech Coalition (FSC). The two groups began collaborating on how to spread HTTPS adoption throughout the industry, and FSC started reaching out to its members. “The first thing we wanted to do was say, ‘Hey, listen, there is an issue here, here are what the risks are,’” said Stabile.

Now the movement has gained a greater sense of urgency with the inauguration of Donald Trump, who has come out in favor of expanding government surveillance powers and even expressed enthusiasm for unlawful spying. He has also nominated a CIA director and Attorney General who opposed the 2015 USA Freedom Act, which limited the NSA’s bulk collection of phone records. “It’s likely that you have an administration that is going to be more supportive of invasive government surveillance practices and companies can do things to protect the privacy of their users,” Wesolowski said. “HTTPS is one of the most important things they can do by default.”

“For a lot of us, it’s a brave new world,” said Stabile. “When you have a government with broad surveillance powers and you have material that is potentially inflammatory, you’re not really sure how it’s going to be used.” But, given ramped-up Republican rhetoric about the so-called “public health crisis” of porn, Stabile says, there is reason to worry.

Even prior to Trump, the government has been known to pressure ISPs into assisting with surveillance of internet traffic. “The government can, as they always do, leverage the internet service provider,” said Wesolowski.

Of course, ISPs having access to that information is an issue even short of government strong-arming. It’s important to understand that your traffic isn’t just exposed to your personal ISP, like, say, Verizon. “When you go to a website, your connection to the website will go through networks operated by three or four different organizations on average,” explained Richard Barnes, a security lead at Mozilla. “Each of those different organizations can see what you’re doing.” In the case that you’re visiting a tube site based in Malta, your traffic might be routed through companies in three different countries, he says.

That information can not only be handed over to governmental authorities across the globe, but can also be used for what he calls “commercial surveillance and tracking,” for example in serving a user targeted ads. “Everything you do on these sites is completely transparent to any of these intermediate networks in the middle and in some cases the other people who are using the network over public Wi-Fi,” he said.

The other great threat comes from hackers. If someone is using public Wi-Fi and browsing without HTTPS, it requires very little for someone to intercept their interactions online—all someone has to do is download the Firefox extension Firesheep.

Earlier this month, the adult industry trade publication XBIZ hosted a panel on the importance of HTTPS, which was sponsored by CDT and FSC. “We didn’t know if people were going to show up. It’s kind of an obscure issue,” said Stabile. “But the house was packed.” As Wesolowski tells it, there was already a fair amount of industry awareness. “Everyone in the room knew what HTTPS was, some of them just needed a bit of a nudge to get there,” he said.

The push seems to be having an impact. A spokesperson for Pornhub told Vocativ that the site has already transitioned to HTTPS for its premium section, and in the coming months the whole site will default to HTTPS. Redtube, which is owned by the same company as Pornhub, will also be going to HTTPS. “We have well established brands that customers can trust, and the push to get more adult sites to use HTTPS is definitely a step in the right direction toward a safe and secure online experience,” said Corey Price, Pornhub’s vice president.

Despite the growing interest in encrypted traffic, there are still holdouts in the adult industry. A big concern is getting third-party ads to work with HTTPS, as embedded ad networks often need to be reconfigured. Another is the negative impact a switch to HTTPS can have — even if only temporarily — on search engine optimization, meaning sites can lose precious ranking spots when potential customers search for key terms. “Many adult companies don’t want to protect their data, because it’s difficult and it can cause short term issues with search results,” said Hawkins.

But for a growing number, the challenges are worthwhile, given the risks. As Stabile puts it, “It’s really sensitive information, much more than pretty much anything else that you’re sharing on the internet. What you search for sexually is stuff that you want to keep private.”