10.25.10

The Porn Spies in Your Laptop

It’s the most popular genre on the Internet, but those who think it's their secret may be in for a shock. Tom Weber reveals the 8 groups of people with access to your surfing habits.

Digital privacy is back in the spotlight, thanks partly to a flurry of reports revealing how marketers have stepped up efforts to track you online. Yet there's one question that never quite seems to get answered—even though for some, it may be the most pressing privacy issue of all: Who knows when you're looking at porn online?

Don't care? We believe you. (Sure we do.) But whether or not it's of concern to you personally, there's little question that it matters to a sizeable audience. Numbers on the online adult-entertainment industry are notoriously unreliable, but it's usually considered at least a $1 billion industry. One group of researchers analyzed search-engine queries—and found porn accounted for 7 percent of all searches.

With that in mind, we consulted security researchers for a look at everyone who could conceivably get a glimpse into your—er, a hypothetical user's—private Web surfing. Our list follows the chain beginning with your own PC, out onto the Internet and all the way to the Web site at the other end. Now, to be sure, many of those with the ability to spy on your online activities have strict policies against it (or simply don't care). So keep in mind this list is based on technical capabilities, not confirmed instances of snooping.

1. YOUR SPOUSE (OR ROOMMATE): You might be married to the suspicious type, who routinely checks the list of recently visited sites that your browser automatically logs. They might even look more closely at the tracking cookies on the PC or the files in the cache (a temporary storage area that often includes copies of images you've viewed).

Or your spouse might just innocently trip across your surfing habits—in Firefox, for instance, a feature nicknamed "The Awesome Bar" attempts to guess which site you're headed to as soon as you start typing an address, based on that most-recent info. A few innocent letters typed by your spouse could cause a decidedly un-innocent site address to pop up in the options list.

2. YOUR I.T. GUY: Even if your significant other isn't too snoopy, or you think you're pretty clever about covering your tracks (you use your browser's privacy options to clear out your recent history and your cache constantly), technical problems invariably arise. Then you have to turn to your company support guy, or your computer-savvy brother-in-law.

And they can pretty easily see what you've been up to. Information about your activities gets stored on your computer in a variety of ways, not all of them obvious. One simple example: the "index.dat" file used by Internet Explorer contains information about Web addresses that have been visited. Your IT guy may not even be snooping; it could be that your computer problem is a virus infection from one of those adult sites and he winds up needing to track down the problem.

3. YOUR NEIGHBOR: Using a Wi-Fi wireless connection on your laptop? If you're using WPA encryption, you're probably safe from civilian-grade snoopers. (If that sentence is meaningless to you, find the manual for your Wi-Fi router, pronto.) But if you are using the older WEP system, or don't have the encryption turned on, your neighbor could be tuning into your surfing. Worse, if you use your computer on an unsecured network (think coffee shop or the free Wi-Fi at a conference you're attending), you could be vulnerable to spyware that will later broadcast your activities.

4. YOUR ISP: Everything you do online goes through your Internet service provider, so the ISP is ideally positioned to know about every site you visit. "The point I like to make about ISPs is that they can access everything if they really want," says Paul Ohm, an online privacy researcher and associate professor of law at the University of Colorado Law School. "They're a bottleneck. They're your first hop to the rest of the Internet."

Privacy policies and fears of consumer backlash generally keep the ISPs' noses out of your surfing. But technically, there's nothing stopping your ISP—or a renegade employee with the right knowledge and access—from keeping track of those adult sites you visit. And ISPs have a variety of business reasons for peeking at your traffic, from enforcing copyright provisions to understanding the traffic flow in order to improve speeds.

5. AD NETWORKS: Advertising networks routinely track users across different sites, using the information to decide which ads are most "relevant" to you. The basic method for this tracking is the "cookie," a small file placed on your computer which allows the network to identify you as the same user during your travels across different sites.

Unlike your ISP, ad networks don't typically have a billing relationship with you, so they mainly see you as "User 498838XB," not by name. And they usually have a policy against linking personally identifiable information to those surfing profiles. Also, ad networks that serve ads on adult sites are usually different from those showing ads on mainstream sites. But there are some crossovers. And again, policies can be broken.

6. CONTENT NETWORKS: Content networks—that is, companies that operate multiple Web sites—are also in a position to use cookies to track users across different sites. And though there's usually a big divide between non-adult and adult sites, it's not always so. Gawker, for instance, operates the Gizmodo gadget site but also has Fleshbot, an adult-oriented property. Tumblr serves as the platform for myriad blogs, including those of individuals and some big names, too—but also serves up a significant amount of adult fare on Tumblrs devoted to X-rated photos. Here, too, policies generally protect your privacy. But tracking across content networks is still worrisome, because you're more likely to have turned over personal information—signing up for a free membership, for instance—to a content site than an ad network.

7. GOOGLE: Most need some way to find the adult content they want, which means Google is in the pathway as well. Not to mention that Google operates its own gigantic ad network. Not to mention that, thanks to a Gmail account, you've probably identified yourself to Google. The search giant recently provided an object lesson in the fallacy of counting on privacy policies for protection when Gawker reported a Google engineer was fired after accessing personal accounts.

A few innocent letters typed by your spouse could cause a decidedly un-innocent site address to pop up in the options list.

8. THE ADULT SITE ITSELF: When you visit an adult site, your computer is talking to the server computer at the other end of the connection. In the case of pay sites, the lack of privacy is obvious—if you need to fork over a credit card, you're not going to stay anonymous. But even if you think you aren't supplying any personal information, it's not impossible to be identified, given Web technologies and databases. For instance, Web browsers routinely supply servers with a lot of information about your computer, including such trivial-sounding facts as the fonts installed on your PC.

Enough data points can serve as a fingerprint for your machine—and if a database somewhere is able to connect you with that fingerprint, it's conceivable that the operator of the server can know who you are. If you're curious, the Electronic Frontier Foundation offers Panopticlick, a free tool to show how unique—and therefore, potentially identifiable—your configuration is. Just another reminder that the myth of Internet anonymity is largely just that.

Thomas E. Weber covers technology for The Daily Beast. He is a former bureau chief and columnist at The Wall Street Journal and was editor of the award-winning SmartMoney.com. Follow him on Twitter.