The premise of this post is simple: If you are watching/viewing porn online in 2015, even in Incognito mode, you should expect that at some point your porn viewing history will be publicly released and attached to your name.

How is this possible?

This is an uncomfortable topic to talk/write about, which perhaps contributes to how we've arrived at the current state. So, to understand the threat, start with some technical considerations:

  • Browser footprints: Web browsers leave an essentially unique footprint every time you visit a web page, even in Incognito mode (and even without supercookies). This is well established; many web tools such as Panopticlick will confirm that you give a website lots of information about your computer every time you visit.

  • Global identifiers: Linking your browser footprint on one website to your footprint on another website - or to a previous footprint on the same website - is straightforward. You should think of your browser footprint as a persistent global identifier, and this is particularly true if you don't take any measures to hide your IP address (eg. a VPN). The EFF has an excellent technical overview of how this works.

  • User tracking: Tracking web users is super valuable, so almost every traditional website that you visit saves enough data to link your user account to your browser fingerprint, either directly or via third parties. The Economist ran an overview of user tracking in September. (Though, interestingly, there is no mention of adult websites.)

  • Hacking is ubiquitous: We hear about data breaches that involve tangible harm - Target, Anthem, TurboTax - but not the (likely great majority) of cases when hackers don’t want additional exposure. Or, paraphrasing the FBI director: There are two types of companies...those that know they've been hacked...and those that don't know they've been hacked.

How might this happen?

If a malicious party obtained identifiable access logs for just one of the websites that know your name, and view logs for just one of the adult websites you’ve visited, it could infer with very high probability - beyond plausible deniability - a list of porn you've viewed. At any time, somebody could post a website that allows you to search anybody by email or facebook username and view their porn browsing history. All that's needed are two nominal data breaches and an enterprising teenager that wants to create havoc.

In 2014 a set of celebrities had naked photos released to the public, a deeply disturbing event that was fantastically labeled “the fappening”. Many people brushed off the episode - oh well, I'm not a celebrity. But I think the next big internet privacy crisis could expose the private and potentially embarrassing personal data of regular people to their neighbors - perhaps as described here, perhaps in a different form. I worry about the policy measures that could be hastily enacted in response to such an event - yet another reason that the tech community should take a more proactive approach ensuring data privacy.