Will Hackers Disclose the Porn Viewing Habits of Millions of Americans?
Now is the moment that IP address-based copyright attorneys joke to themselves, “now is probably a good time to brush up on divorce law.” In short, there have been bloggers and members of the news media who [once again] have written fear-based articles that there is about to be a “hack of all hacks” which will disclose the porn viewing habits of millions of Americans. The threat of such a hack was originally circulated in 2013, then in February 2014, then in April, then again in June, in October 2015, and now again. It has become a popular story to circulate because of the fear such a story invokes, and since it has reared its ugly head yet again, here are my thoughts on the proposed hack:
All YouTube-like Porn Website Activities Threatened To Be Exposed
In the most recent version of the story, anyone who this past year has visited websites such as “XVIDEOS.COM,” or other YouTube-like websites which stream pornographic (and likely copyrighted) content (even using the browser’s “incognito” mode [which does nothing except NOT SAVE what you visit on your computer, but all other records are kept regarding that website visit by both your ISP, the website itself, and all trackers and cookies hooked in to your connection]) has been threatened that there will be a major hack which will correlate the IP addresses of those who have visited the website with the real names of the internet users.
Why I think this would be a difficult hack.
Now without attracting the ire of hackers, this would have to be a pretty complicated hack in order for it to succeed.
Hackers would have to hack the porn tube websites to gain access to the visitor logs.
Hackers would first have to hack the logs of the porn tube websites (not so hard to do, as website analytics logs are not that well guarded). However, in order to link the IP addresses retrieved from the porn websites’ logs to actual people, they would still need to obtain the identity of each internet user. They would accomplish this by hacking the IP address records of the ISPs (identifying which subscriber was assigned which IP address on which date and time).
Then, Hackers would need to hack the Internet Service Provider Account Records Database
In order to do this, the hackers would have to hack one or more ISPs (Comcast, Verizon, Time Warner, Charter, Centurylink, etc.) to obtain account information and/or IP address histories (a list of IP addresses that have been leased to the account holder over the past year in accordance with that ISP’s “IP retention policy”).
Alternatively, the hacker would have to hack some popular website (e.g., Facebook, Instagram, etc.) which houses the real identities of the suspected internet users AND employs sufficient tracking methods (internet trackers or cookies) to follow those users when they are browsing “away” from the website (e.g., such trackers would note that a particular internet user visiting Amazon.com is the same user who just viewed their buddy’s updates on Facebook).
Then the hacker would need to correlate the IP address logs of the Tube sites to the IP address account holder.
In short, the hackers would need to obtain the identities of the internet users through either their ISPs or some popular website, and then they would need to correlate those identities with the stolen internet logs (of IP addresses of the internet users who have visited the pornography website).
Once again:
Now if that was a mouthful for you and you are confused, let me simplify the matter by going over this again in detail:
From the porn website side of the hack, every time you visit a web site, the website sees the IP address you have come from. The website can see which pages you viewed through the trackers associated with the site (e.g., Google Analytics helps website owners track what website each visitor came from, what search term(s) you used to arrive at the website, what you clicked on when you accessed the website, how much time you spent on each page, and where you clicked to when you left the site, etc.) What it cannot tell you is WHO YOU ARE. This, they would need to get from another source.
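The correlation described above, as an added example (not code from the original post): it joins a constructed site log to constructed ISP lease records to show that a match needs both the exact IP address and the time of the visit, and that a site which stores only a truncated address leaves several candidate subscribers. The subscriber names, the addresses (documentation range 198.51.100.0/24) and the `truncate_ip` log-minimisation step are assumptions for illustration.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed site access log: (ISO timestamp, client IP as stored, page).
# Addresses come from the 198.51.100.0/24 documentation range.
SITE_LOG = [
    ("2015-10-01T21:14:00", "198.51.100.23", "/video/1001"),
    ("2015-10-03T08:02:00", "198.51.100.23", "/video/1002"),
    ("2015-10-03T22:40:00", "198.51.100.77", "/video/1003"),
]

# Constructed ISP lease history: (subscriber, IP, lease start, lease end).
# Note that .23 is reassigned from subscriber-A to subscriber-B on 2 October.
LEASES = [
    ("subscriber-A", "198.51.100.23", "2015-09-30T00:00:00", "2015-10-02T12:00:00"),
    ("subscriber-B", "198.51.100.23", "2015-10-02T12:00:00", "2015-10-05T00:00:00"),
    ("subscriber-C", "198.51.100.77", "2015-10-01T00:00:00", "2015-10-07T00:00:00"),
    ("subscriber-D", "198.51.100.140", "2015-09-28T00:00:00", "2015-10-10T00:00:00"),
]


def candidates(logged_ip, when, leases=LEASES):
    """Return the subscribers consistent with one stored log entry.

    logged_ip is what the site kept: a full address or a truncated prefix
    such as "198.51.100.0/24". when is an ISO timestamp, or None if no
    time was stored with the entry.
    """
    net = ip_network(logged_ip, strict=False)  # a bare address becomes a /32
    seen_at = datetime.fromisoformat(when) if when else None
    hits = set()
    for subscriber, ip, start, end in leases:
        if ip_address(ip) not in net:
            continue
        if seen_at is not None:
            lease_start = datetime.fromisoformat(start)
            lease_end = datetime.fromisoformat(end)
            if not (lease_start <= seen_at < lease_end):
                continue
        hits.add(subscriber)
    return hits


def truncate_ip(ip, prefix=24):
    """Hypothetical log-minimisation step: keep only the network part."""
    return str(ip_network(f"{ip}/{prefix}", strict=False))


def report(log=SITE_LOG):
    """For each log entry, compare candidates for the full vs. truncated IP."""
    rows = []
    for when, ip, page in log:
        full = sorted(candidates(ip, when))
        minimised = sorted(candidates(truncate_ip(ip), when))
        rows.append((page, full, minimised))
    return rows


if __name__ == "__main__":
    for page, full, minimised in report():
        print(f"{page}: full IP -> {full}; truncated IP -> {minimised}")
    # The same address without a timestamp points at two different subscribers.
    print("no timestamp:", sorted(candidates("198.51.100.23", None)))
```

With the full address and timestamp each entry resolves to one subscriber; with only the /24 prefix stored, every entry is consistent with three.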
Other Tools Explaining How You Expose Your Identity
There is a website put out by the Electronic Frontier Foundation called “Panopticlick” (https://coveryourtracks.eff.org/) which in my opinion freaks out everyone who clicks on it (especially security-minded users such as myself who have freakishly identifiable browsers based on the privacy plug-ins and custom privacy settings built into our browsers). The purpose of the website is to teach you that your browser itself can “expose” who you are based on the fingerprints your browser leaves every time you visit a website.
Also, pay attention to IPLeak.net (https://ipleak.net/) which tries to see past your known IP address to discover if you are leaking your true IP address (which can lead a hacker to your identity through your ISP).
Lastly, pay close attention to the “IP Check” test on the JonDoNym website (https://www.ipleak.net) because each of these items checked can compromise your identity.
The missing link is who had the IP address at the time of the infringement.
The missing link to make such a hack happen is that the hacker would need to access the data mining logs that are stored on each user (e.g., in browser cookies) or through tracking websites such as DoubleClick, etc. (essentially, the hacker would also have to access the advertising-based websites which, unknown to you, latch on to the website you visit so that when you shop on one website for a particular product, and then you switch to another website, the product you are shopping for appears as a creepy recommendation from the other site).
Back on point as to trackers, you do not see the trackers*.
Trackers latch on to you when you visit popular websites (e.g., Facebook, LinkedIn, Netflix, Hulu, Amazon.com, Walmart, etc.). To protect yourself from trackers, you should know that there are ad blockers and tracker blocker browser plug-ins, most notoriously Ghostery (https://www.ghostery.com/) or Disconnect (https://disconnect.me/) which do a good job blocking these trackers.
*NOTE: You can actually see the trackers when using one of these tracker blockers. Alternatively, for a visual representation of which trackers you are connecting to, get the Lightbeam extension for Firefox (https://www.mozilla.org/en-US/lightbeam/), and get ready to be surprised.
In sum, the hacker would not only need to obtain the IP address logs from the streaming pornography website (which would indicate which IP addresses visited which pages at what times), the hacker would also need to hack into a website or company (e.g., Facebook) that has access to your real name. Further, just in case your IP address history is not available for the hacker to correlate with the porn websites’ IP address logs, the claim is that the hacker might be able to use your browser’s fingerprint (e.g., as described in EFF’s Cover Your Tracks (formerly, Panopticlick) website), or they might hack into a data mining company’s website which tracks you as you browse from one website to another to properly identify you as the individual who viewed that web page at that date and time.
In my opinion, I cannot imagine that the technology is this advanced to allow a hacker to track users using their browser fingerprints nor do I think they would be able to breach and access a data mining company’s records. For these reasons, I don’t think this browser-based fingerprint hack or the data-mining based hack are valid threats, at least not yet. (NOTE: If there ever comes a universal internet ID, then yes, this would easily identify users across websites, and such a database would probably be easily hackable too if you take the current record of IRS and federal employee data hacks and you project that lack of security forward into a universal internet ID system.)
My opinion: Technology is not advanced enough for this hack to happen.
Unless I am missing something, I can’t imagine that technology is that advanced to allow a hacker to hack the YouTube-based streaming porn site, identify the users who accessed that website through their IP addresses and perhaps the browser fingerprints (I don’t think browser fingerprint data is even available through generic website analytics likely employed by the pornography websites, even the paid websites), cross-link those browser fingerprints with other websites you have visited (even with the hacking of data mining services) to identify the real identity of the person using that browser, and then post a list of the real user names and associated identities (to “expose” those users) of those who have visited the targeted pornography websites just as they did in the Ashley Madison hack. It is just too complex of a hack to do!
Here is why you do not need to worry about an Ashley Madison-like hack revealing your online viewing habits.
To the relief of those users who have visited these pornography websites and are concerned about being exposed, there are a few things to note.
Most users do not log in with their real name and address and pay to view online content.
Firstly, the Ashley Madison hack exposed the USER ACCOUNT INFORMATION AND REAL NAMES (OFTEN OF THOSE WHO PAID MEMBERSHIP FEES TO THE WEBSITE for access). Here, a viewer of online content likely has no account, and if there is an account, you probably didn’t give your real information because the sites merely require that you register in order to comment. There is usually no paid content (premium content, yes, and perhaps these are the people at risk if there were such an imminent threat).
The companies that house the trackers have pretty good security.
Secondly, remember that websites that house real contact information and track their users using trackers and advanced cookies probably have really really good security. I can’t imagine that a website such as Google, Facebook or LinkedIn would allow a hacker to break into their system and steal their user lists and data mining / tracking data.
[Yes, I know just a few days ago Experian was hacked (which is funny because they provide credit monitoring services just in case another website is hacked and identities are stolen), but] My best guess is that any website that houses user information and employs such deep trackers and data mining technology would be like Fort Knox as far as security is concerned. So it’s likely a no go for such a hack to happen.
IF THE HACK ALREADY HAPPENED AND IS LYING DORMANT (E.G. AS AN UNDISCOVERED VULNERABILITY), I WOULD BE CONCERNED.
However, here is where I would be concerned. If I am wrong and such a large company WAS hacked (and perhaps they haven’t figured it out yet, just as the IRS took months before realizing that they were hacked), or if a zero-day security vulnerability was discovered (allowing a hacker to gain access to mining data and/or real identity records) and the employees at the company’s IT department haven’t caught it yet, then such a hack MAY be possible.
Perhaps the hackers have already infiltrated Google, Microsoft, Yahoo, or some giant free mail provider [which tracks their users in return for the free e-mail services] and the hackers already have obtained the real name contact information and, if they’re lucky, the IP address history (web history) from those mail providers. Then, the web history and account data would allow the hacker to go back in time and match the history of IP addresses obtained from the ISP or mail provider that it has hacked, and they would be able to correlate those past IP address logs to those IP address logs of the visitors to a particular website gleaned from an imminent or past hack of that website’s analytics logs. [If this wasn’t an old story, I would say that with the honor code of hackers, no hacker would say they CAN do something unless the hack had already happened and they are waiting to publish the results of that hack, or they have already identified the security vulnerability and are timing the imminent attack to gain access to the information they seek.]
How to check if your e-mail address has been involved in a hack.
If you are concerned that your e-mail address has been compromised or stolen in a past hack (such as the one I am proposing could maybe take place here), there is a website called “Have I Been Pwned” (https://haveibeenpwned.com/) where you can look up your e-mail address to see if your account and/or password has been compromised.
Final Thoughts
Realistically, though, I would be most concerned for users who have registered with accounts on the targeted websites (e.g., to post comments, join discussions, etc.). Anyone else — as soon as you can, lock down your browser, start learning about how to browse privately (I suggest learning how to use the Firefox plugins on the JonDoFox overlay and why each one is so important), and get and lock down the visibility of your internet connection if you are worried about inadvertently disclosing your IP address. Other than wiping your web and location history (e.g., with your Google or Yahoo account settings) [just in case the hack has not yet happened], this could hopefully protect you should such a hack take place in the future.
Now, for those of you who want to see what the hackers actually have in store, buckle down, grab your popcorn, and wait to be impressed. If this is a real story with an imminent threat AND IT ACTUALLY HAPPENS, then this could be an Edward Snowden kind of hack which could forever change the way we think of internet security. If it is a false alarm (my suspicion), or if the hacker cannot produce what he claimed he can or has been able to do, then that hacker who has been leaking this story over and over again might consider leaving town for his own safety — or else he might find himself at the bottom of a river for diluting the reputation of hackers who would no doubt be angry at him for promising something none of them can deliver.
—
FURTHER OBSERVATIONS ON WHETHER LAWSUITS FOR ACCESSING STREAMING CONTENT WILL EVER HAPPEN: Where this article is relevant to copyright infringement / file sharing / copyright troll lawsuits and DMCA requests for settlement amounts: There are two nuggets that someone accused of downloading copyrighted pornography should take away from this article (and as usual, none of this is to be considered legal advice):
[2017 UPDATE: Carl Crowell has created a new entity called RIGHTS ENFORCEMENT which has reverse-engineered CEG-TEK’s proprietary DMCA copyright infringement notice system. Many of you have visited CEG-TEK links thinking that RIGHTS ENFORCEMENT was CEG-TEK, but really they are an ‘evil twin’ competitor. Since their methodologies are nearly identical, this article is still very useful in order to understand the risks outlined below.]
1) Just as a hacker would be able to obtain the IP address records from a pornography website’s analytics through theft, a copyright enforcement company such as CEG-TEK or RightsCorp can use software to track the IP addresses of all of the downloaders participating in the online swarm (no theft; this information would be freely available to them). No lawsuit is needed, and no subpoena is required from a judge to obtain the IP addresses of the accused downloaders. The use of such software provides this information to them.
Also, neither CEG-TEK, RightsCorp, nor the copyright holders need to sue an accused downloader in federal court to obtain their identity. Rather, under the DMCA laws, the copyright holder (or their agent) can send a DMCA violation notice to the accused infringer’s ISP, and the ISP forwards that violation notice (often containing a hyperlink forwarding that suspected infringer to their http://www.copyrightsettlements.com website (run by CEG-TEK), where the link they click on would pre-fill the case number and password of the accused downloader’s “case”). It is in accessing this website that the accused downloader is faced with a demand for payment to settle all known claims of copyright infringement against them. How all known claims? Before CEG-TEK sends the DMCA violation notice, their computer system already pre-fills all other accused downloads or past infringing activity based either on the accused downloader’s past IP addresses, or based on the geolocation data provided to CEG-TEK.
2) Just as it would be difficult for a hacker to pull off such a hack as described here, also take away that all of the copyright infringement lawsuits filed in the U.S. District Courts (the federal courts) across the U.S. have been for ONLINE FILE SHARING ACTIVITY. As far as I know, with very few exceptions where the copyright holder identified and sued the uploader based on a watermark (or secret code) embedded into the copyrighted video that identified the accused infringer as being the one who disseminated the copyrighted materials, there has never been a “John Doe” IP address-based lawsuit against a downloader who got caught by viewing content streamed on a YouTube-like website. This is not to say that there will not be one in the future.
In order for a copyright holder to sue an accused downloader for viewing content that is streamed to that user via a website (this is how they would need to do it), that copyright holder would need to first obtain from the pornography website’s owner the list of IP addresses of the individual or individuals who visited a particular web page of the pornography website (noting that each video would have its own unique website address), and this endeavor would require cooperation or compliance of the pornography website’s webmaster (which will almost certainly NOT happen, as most websites are now hosted OUTSIDE of the United States).
Second, after the copyright holders obtain the IP address(es) of the accused downloaders, they would need to follow the same procedure as Copyright Enforcement Group (CEG-TEK) by sending DMCA letters to the ISPs instructing them to forward those notices of copyright infringement to the account holder who was assigned that IP address. Or, the copyright holder or their agent would need to file a lawsuit in the appropriate federal district court on behalf of the copyright holder, and the copyright holder would then need to persuade a judge to issue a subpoena to force the ISP to hand over the identities of the accused downloaders based on the list of IP addresses obtained from the website owner.
In the likely scenario that the website owner did not provide the list of IP addresses of the accused downloaders, the lawsuit could still proceed against the John Doe Defendants. However, the copyright holder would first need to sue the website owner (who might reside outside the U.S., and outside the jurisdiction of the U.S. federal courts) to turn over the list of IP address logs of those users who visited a particular web page hosting or embedding the copyrighted video owned by the copyright holder.
Thus, the second takeaway from this article is that copyright holders have not yet and likely will never go through the initial step of 1) suing the porn website webmaster to obtain the list of IP addresses, and for this reason, I have not seen and do not foresee seeing lawsuits filed against defendants who viewed copyrighted content using a YouTube-like streaming service. This is not to suggest or encourage that someone use this medium of viewing copyrighted films as technology can change, laws can change, and as the courts loosen their long-arm jurisdiction against foreign corporations and entities (weakening the Asahi case), the United States might start asserting its jurisdiction over foreign countries or foreign entities or corporations. (As an attorney, I think it is also important to note that regardless of the means of obtaining access to view a copyrighted video, downloading copyrighted content, even a temporary copy to your computer, could still be held to be copyright infringement.) That being said, it is a lot harder to sue someone for viewing streamed content rather than suing someone for downloading content via some file sharing client.
—
I have always wondered about that http…haveibeenpwned.
I mean, if I put my email address in there am I not thereby potentially exposed whether or not I have ever been to a nefarious site?
As far as I have heard, the site is reputable. If it is worth anything, the site was mentioned on Steve Gibson’s (@SGGRC) “Security Now” podcast show on TWiT.
hi, houstonlawy3r,
I’m in Canada and recently got an email from CEG TEK and was wondering should I settle ($300)? I read your other recommended articles and I’m kind of confused as to what risk of not settling is? I did accidentally click the link, but I didn’t give them any info.
Any advice or help would be gratefully appreciated. Thank you.
hi houstonlawy3r,
(sorry if this is a repost, I don’t get how WordPress works and the last two times I wrote this comment it didn’t show)
I’m in Canada and I recently got an email from CEG TEK International asking for settlement ($300). I wish I had found your blog before clicking the link, but I did click it (didn’t give them info though). The settlement date is Nov 20 and I’m not sure if I should settle. From what I’ve read in your blog, CEG TEK won’t sue (for now), but the copyright holder might, right?
You seem to be the only person talking about this, so I thought if you had any advice for me it would be greatly appreciated. Thank you.
Hi houstonlawy3r,
I’m in Canada and recently got a notice from my ISP (Comwave) with an attachment from CEG TEK International. They want me to settle for $300 and after reading all the relevant articles on this blog, I’m still not sure what to do. I did make the mistake of logging on to see the settlement. Also for some reason rfcexpress isn’t working for me. If you could offer me any advice I would be very grateful. Thank you in advance.