Collage of a man watching porn.
Photo: Pixabay | The Eye:Maxpixel.net;
 CCO 1.0 | Collage: VICE
Tech

Here's How Much Pornhub Knows About You

Advertisers can target your location, language, sexual preferences and the specific browser you're using.

This article originally appeared on VICE Germany.

People love porn. Websites like Pornhub and xHamster consistently feature among the most visited sites in the world, and in some countries get more daily hits than news sites, Twitter or Netflix.

During a time in which we're constantly investigating companies like Google and Facebook on what they're doing with our data, should we not give porn sites and the companies that own them the same level of scrutiny? Because behind every porn site is a giant tech firm to whom millions of users give away intimate insights into their most personal fantasies.

Advertisement

I looked at Pornhub and xHamster to better understand what these websites know about us – and, importantly, what they are actively doing with that information.

To do that, I signed up as clients of their advertising platforms and tested how far you could go in customising ads based on how much personal information I could collect from their users. What I discovered is that porn sites are selling the makeup of our sexual desires and automatically collecting data that could potentially be used to track individual users over time.

"We respect your privacy," Pornhub says in its data protection statement – but that doesn't quite seem to align with what the company is pitching to clients.

Though there are an infinite number of websites online that will show you a video of two people fucking, only a handful of tech companies control the most popular ones. MindGeek is arguably the largest of them all, with a network that owns, among other sites, Pornhub, YouPorn, RedTube and MyDirtyHobby. Meanwhile, xHamster is run by Hammy Media.

Hammy Media doesn't have its own website. Even though MindGeek does, you'd struggle at first glance to realise the company has any relationship whatsoever with pornography. It actually seems like they're trying very hard to avoid using the word "porn" at all. Instead, MindGeek just reels off a bunch of numbers: 115 million hits, 15 terabytes of content per day, more than 1,000 employees across six locations from Luxembourg to Montréal.

Advertisement

Still, we can ascertain what porn sites collect about us based on the ads that they sell.

Screenshot von TrafficJunky

When you define your target group more specifically, TrafficJunky gives you suggestions: why would you just pick the "MILF" category when you could also choose "My friends hot mum"? Screenshot from traffickjunky.com

TrafficJunky is MindGeek's advertising platform. On its page, it's more explicit about its links with Pornhub and other adult sites, as is the language it uses to attract potential clients. "Tailor each ad buy and select the specific placements that will put the right ad in front of the right customer for your product."

Reading this, it seems hard to believe that Pornhub can both respect your privacy and offer advertising tailored to individual specifications.

To dig into this, I signed up as a TrafficJunky client, logged into the online shop where you can purchase the type of ad you want to place and picked out the banner that would appear across the top of the screen. From there, I customised the ad according to different target groups.

For example, you can narrow it down to audiences who browse content related to specific categories like "Milf", "BDSM" or "anal". I could also choose whether the target group was gay, straight, trans or "female-friendly", and pick a place of residence: country, region and city.

Do you want the ad to be visible only at night? No problem, simply enter a time limit. You also have the option to select some more specific technical criteria, like targeting a specific operating system or people browsing in a particular language. What this all means is that you could create a hyper-specific ad that is only seen by people watching gay porn in Bristol who are browsing in Spanish between 6 and 7AM, looking for content with the keywords "threesome" and "outdoor".

Advertisement

xHamster works in a similar way, but they use TrafficStars instead of TrafficJunky. Here, too, you can customise ads based on a person's individual specs and sexual preferences. Differing from Facebook and other services, however, ads placed by TrafficStars are only based on the data collected during a single page view; previous online behaviour is not taken into consideration.

It is, however, possible to track the online habits of visitors over the course of a longer period of time, even when they delete their cookies and browse in incognito mode. Whenever a user views a page, a bunch of data is automatically transferred from the browser to the website, such as your IP address, how full your battery is, which browser version you are using, your time zone, system fonts, screen resolution, which plugins you have installed and much more.

If enough data points are gathered, a website can create a digital fingerprint of sorts that can more comprehensively distinguish one visitor from another, based on their very unique set of characteristics, as you're likely to be the only person using a specific browser on GMT, with exactly your set of plugins, screen resolution, language settings and graphics card. This fingerprint can then be used to track users over time and across websites, and even to create a personalised advertising profile just for you.

A 2010 study by the the Electronic Frontier Foundation (EFF), an NGO focused on civil liberties and privacy online, found that 83.6 percent of the browsers in the study had an instantaneously unique fingerprint. In an en email exchange with VICE, both Pornhub and xHamster denied tracking individual users using digital fingerprinting methods. A spokesperson for MindGeek wrote: "We don't analyse the viewing habits of individual users." The spokesperson for xHamster also replied that: "While we look at broader patterns, we avoid connecting data to individual users."

Advertisement

In addition, Pornhub assures users in its privacy statement that the website anonymises the IP addresses of its users. As explained above, however, not knowing a user's IP address is not necessary to track them: other elements can make up that unique digital identity as well. Still, singling out users based on their habits is only possible if the information gathered is comprehensive or is combined with other datasets.

So what is actually collected by Pornhub and xHamster when you visit their pages? I used the browser extension "Don't Fingerprint Me" to check which tracking methods are applied by the websites, and found that both gather data that could be compiled into a digital fingerprint, but nothing more than usual. Most websites collect the same, if not more, information.

According to Dominik Hermann, professor for Privacy and Security in Information Systems at University of Bamberg in south-central Germany, the data might be enough to create a digital fingerprint, but that can only be determined on an individual case. What we do know is that there is a gap between fingerprinting someone's behaviour and associating it with an actual name. But people can accidentally reveal their names through common surfing habits, such as providing credit card information to a site or an email with your name in it. From a technical perspective, it is possible to associate the two when different datasets are merged, but we have no evidence to prove that this is already happening.

Advertisement

How your information is being used also depends on where you're accessing the sites. Much of Europe is currently protected under the EU's General Data Protection Regulation (GDPR), which determines how the personal data of EU citizens is processed, used, stored and exchanged. Personal data refers to all information that can be linked to an identifiable subject, so includes things like your name, address and income, but also health information, political opinion, race and sexual orientation.

According to these regulations, EU citizens are entitled to the right to know how, where and for what purpose their personal data is being processed, as well as the "right to be forgotten" – having all your data deleted. The point of digital fingerprinting is to track single users across the internet and match them with personalised ads, so the practice must comply with GDPR rules.

The GDPR requires all companies that process personal data of EU citizens to prove that they have a legitimate reason to do so. Because consent is supposed to be informed and be given freely, companies should, in theory, disclose their fingerprinting methods, wait for users to consent and then apply them. However, companies can also claim that collecting such data falls within their "legitimate interests".

Unfortunately for our collective love of porn, "legitimate interests" is a legal concept that remains extremely vague.