The porn site privacy rating scale ranges from A (fully trustworthy) to F (multiple risky leaks and/or highly vulnerable). An overview is available here.
For the site ratings we consider privacy risk and vulnerability risk. Privacy risk depends mostly on the number of domains/companies called in 3rd-party requests. Multiple requests to the same domain are counted only once, and requests to sub-domains are mostly folded into the respective parent domain as well. Not
Other 3rd-party domains that are requested during a page visit are checked against blacklists. If a domain is considered dangerous (e.g. tracking, data brokers), it is weighted accordingly. Domains which we couldn't classify via blacklists, but which receive requests from many different websites, are considered hidden trackers. Ad domains and other unclassified domains are considered medium risk. We also try to assign domains to companies; different domains belonging to the same corporation are counted in the scoring with a reduced weight of 10%.
If a website ends up with an overall good or trustworthy rating, we validate the results manually, e.g. by reviewing the privacy policy of the website, reviewing the request results, and performing additional checks.
Risk Rating Points
Currently, 3rd-party requests (after applying the rules above) are rated as follows:
- Data Brokers: 8 Points
- Tracking: 6 Points
- Not classified but suspicious: 6 points
- Ads: 4 points
- other not classified sites: 4 points
- low-risk companies: 2 points
"Low-risk companies" are the large corporates Ap*l. (never involved in practice), Am*z, G. and M.s.; names are abbreviated for the sake of our ranking. Those companies are frequently present, and we don't see them as unproblematic. However, almost every page relies on their services, all of them already know a lot about us, and we don't expect them to leak data intentionally. Whitelisting was not an option, but we decided to draw a bottom line by assigning a score of 2 points + 0.2 points for each additional request.
In parallel to the privacy score, a vulnerability score is calculated. Each request which is not SSL-encrypted gets a score of 8. Websites that do not enforce SSL get a score of 25. Finally, the worse of the two scores (privacy score and vulnerability score) applies for the overall security rating. The scale is then built on the sum of the above 3rd-party involvements, with a reduced weight for additional domains of the same company.
Ratings and thresholds are as follows:
- A: 0 Points, no 3rd party requests
- B: up to 2.4 points, which in practice means one low-risk company with up to 3 domains
- C: less than 6 points, so no tracking and no data broker
- D: up to 14 points and no data broker
- E: up to 24 points and no data broker
- F: more than 24 points
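The scoring rules and thresholds above, carried through as a worked example. This is an added illustration, not the rating project's own code. The `Request` structure, the category names, the folding of sub-domains into the last two labels of the host name, and the reading of "reduced weight of 10%" (the first domain of a corporation counts in full, further domains of that corporation at 10%) are assumptions made here; all sample requests and domain names are constructed.

```python
"""Worked example of the privacy/vulnerability rating rules (added example,
not the project's own code).  Assumptions: Request fields, category names,
sub-domain folding, and the 10%-weight interpretation for same-company domains."""
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse

# Points per third-party domain category, as listed on the page.
POINTS = {
    "data_broker": 8,
    "tracking": 6,
    "suspicious": 6,     # unclassified, but requested by many different websites
    "ads": 4,
    "unclassified": 4,
    "low_risk": 2,       # large corporates: 2 + 0.2 per additional request
}
LOW_RISK_EXTRA = 0.2
SAME_COMPANY_WEIGHT = 0.10   # assumption: further domains of one corporation
NON_SSL_REQUEST = 8
NO_SSL_ENFORCEMENT = 25


@dataclass(frozen=True)
class Request:            # assumed structure of one observed 3rd-party request
    url: str
    category: str         # a key of POINTS
    company: str          # owning corporation if known, "" otherwise


def parent_domain(url):
    """Fold 'sub.host.example' into 'host.example' (simplified: last two labels)."""
    host = urlparse(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def privacy_score(requests):
    """Privacy points plus the flags the grade thresholds depend on."""
    by_domain = {}                       # multiple requests to one domain count once
    for r in requests:
        by_domain.setdefault(parent_domain(r.url), r)

    groups = defaultdict(list)           # distinct domains grouped by corporation
    for dom, r in by_domain.items():
        groups[r.company or ("?" + dom)].append(r)   # unknown owners stand alone

    score = 0.0
    for members in groups.values():
        if members[0].category == "low_risk":
            score += POINTS["low_risk"] + LOW_RISK_EXTRA * (len(members) - 1)
        else:
            pts = sorted((POINTS[m.category] for m in members), reverse=True)
            score += pts[0] + SAME_COMPANY_WEIGHT * sum(pts[1:])

    seen = {r.category for r in by_domain.values()}
    return {"score": round(score, 2), "third_party_domains": len(by_domain),
            "tracking": "tracking" in seen, "data_broker": "data_broker" in seen}


def vulnerability_score(requests, site_enforces_ssl):
    """8 points per request that is not SSL-encrypted, 25 if the site itself does not enforce SSL."""
    score = sum(NON_SSL_REQUEST for r in requests if urlparse(r.url).scheme != "https")
    return score + (0 if site_enforces_ssl else NO_SSL_ENFORCEMENT)


def grade(score, n_domains, tracking, data_broker):
    """Map the overall score onto the A..F scale using the page's thresholds."""
    if n_domains == 0 and score == 0:
        return "A"
    if score <= 2.4:
        return "B"
    if score < 6 and not tracking and not data_broker:
        return "C"
    if score <= 14 and not data_broker:
        return "D"
    if score <= 24 and not data_broker:
        return "E"
    return "F"


def rate_site(requests, site_enforces_ssl=True):
    """The worse of privacy and vulnerability score decides the overall rating."""
    p = privacy_score(requests)
    v = vulnerability_score(requests, site_enforces_ssl)
    overall = max(p["score"], v)
    return {"privacy": p["score"], "vulnerability": v, "overall": overall,
            "grade": grade(overall, p["third_party_domains"], p["tracking"], p["data_broker"])}


# Constructed sample 1: one low-risk corporation reached via three domains
# (the second request repeats a domain and is therefore counted only once).
SAMPLE_LOW_RISK = [
    Request("https://cdn.lowrisk-one.example/lib.js", "low_risk", "LowRiskOne"),
    Request("https://cdn.lowrisk-one.example/style.css", "low_risk", "LowRiskOne"),
    Request("https://a.lowrisk-fonts.example/f.woff", "low_risk", "LowRiskOne"),
    Request("https://b.lowrisk-api.example/v1", "low_risk", "LowRiskOne"),
]

# Constructed sample 2: a tracker with two domains, an ad domain over plain http,
# and an unclassified host with unknown owner.
SAMPLE_TRACKED = [
    Request("https://pixel.trackerco.example/p.gif", "tracking", "TrackerCo"),
    Request("https://sync.trackerco-cdn.example/s.js", "tracking", "TrackerCo"),
    Request("http://ads.adnet.example/banner.js", "ads", "AdNet"),
    Request("https://stats.unknown-host.example/x.js", "unclassified", ""),
]

if __name__ == "__main__":
    print(rate_site([]))                 # grade A: no 3rd-party requests at all
    print(rate_site(SAMPLE_LOW_RISK))    # 2 + 0.2*2 = 2.4 privacy points -> B
    print(rate_site(SAMPLE_TRACKED))     # 6 + 0.6 + 4 + 4 = 14.6, tracking present -> E
    print(rate_site(SAMPLE_TRACKED, site_enforces_ssl=False))  # vulnerability 33 -> F
```

Running it shows how quickly a page slips down the scale: one tracker with a second domain plus a single ad network already pushes a site past the D threshold, and a missing SSL enforcement alone (25 points) outweighs any privacy score below F.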
As you can see, it is quite easy to get a bad rating. But the rating also depends on the progress of our manual analysis work, and this work is easier if the involved 3rd-party domains can be assigned to a purpose and/or a company. In other words: transparency helps.
We did validation checks and saw that the volatility of the scoring is very high. So far, we were not able to identify any pattern/relationship between privacy behavior and other features of websites. However, some analysis using average ratings showed a right-skewed (~Poisson) distribution in relation to the popularity of the websites. On average, websites with an Alexa rank below 500 and above 5 Million had the lowest number of 3rd-party requests. Websites ranked between 1.000 and 10.000 have the worst total score, and starting from an Alexa rank of ~10.000 the average score slowly improves. However, the good rating for the top sites may be related to the fact that many of them belong to Mindgeek, which has its own ad network.