I had an inkling! They've been on a roll this past year or so.
>This data includes a PornHub Premium member's email address, activity type, location, video URL, video name, keywords associated with the video, and the time the event occurred.
Well, that's pretty fucking wild! Email address & time and location sent to a 3rd party, nice! Absolutely no reason for that, of course. Especially considering these are paying customers!
I guess somewhat notably is Mixpanel denying that it's coming from their November breach. They have less incentive to lie in this case, given that they've already admitted to being breached, and (presumably) their systems & logs have been gone over with a fine-toothed comb to identify all affected parties:
>"The data was last accessed by a legitimate employee account at Pornhub’s parent company in 2023. If this data is in the hands of an unauthorized party, we do not believe that is the result of a security incident at Mixpanel."
>This data includes a PornHub Premium member's email address, activity type, location, video URL, video name, keywords associated with the video, and the time the event occurred.
I had always known, albeit intuitively, that registering to porn websites was a dumb idea.
Private Internet Access has denied under oath that they have logs to turn over.
There is no reason to think that more reputable activist providers like Mullvad or AirVPN would if a party like PIA already doesn't.
I'd steer clear of NordVPN though. They have lots of controversy in their history and they are very financially motivated, considering the deluge of YouTube sponsorship and ads they pay for each year. Still don't think they would lie about no logs but why risk it.
Private Internet Access has denied under oath that they have logs to turn over.
Did they also testify under oath there is no lawful intercept API or anything similar? That does not require logs. In fact when the feds would set up phone call intercepts on telco switches we would intentionally disable logs and put the mainframes into "test mode". And that is even before people start playing legal word games like calling lawful intercept "debugging" or something else. Lavabit [1] found out what happens if lawful intercept is not available.
Just me personally, I would always assume a service I do not entirely control and operate is doing what it can to comply with lawful intercept requirements and they are likely playing word games to not drive away their members and I would not blame them. I am just the properly paranoid type in part due to a good upbringing by a properly paranoid person.
<I am just the properly paranoid type in part due to a good upbringing by a properly paranoid person.>
I say you've properly got your eyes open. Anyone who thinks anything you do online is completely private is naive. IF any government wants to know what you've been up to online, nothing can stop them. Privacy is a thing of the past, we should vote only for politicians who say they want the government out of our backyards, banks and bedroom. Oops, too late!
Considering it was a LEA that put them in court, yes, I don't think they were playing word games. Otherwise the LEA would have just forced them in court to intercept.
However, I also think threat model comes into play here. If you don't want advertisers to track you or to download some torrents, a VPN provider works great. If you want to hack into NORAD, probably do that from a secondhand laptop on Tor over a public wifi.
Websites that uses third-party analytics will at minimum send the IP address, time and the url when users access pages. It also very likely they will send API calls if the developers want to track those.
So if any calls looks like "https://example.invalid/api?confirmemail=user@example.invali..." would cause a leak of the email. I have seen multiple companies and websites do this (either with email or username) when signing up or after first login, and I would strongly guess that most of not all of them uses some kind of analytics for that request that leaked data.
Web developers are supposed to scrub their sites so that doesn't happen, but then the main arguments in favor of using third-party analytics is the convenience of enabling it globally with minimum effort and then getting pretty graphs for free. There are occasionally HN posts about self-hosting analytics and the common response is that its too hard and too much work.
3rd party user tracking can slurp up a lot of unexpected data, and no one ever wants to disclose problems when a vendor loses things like this. MixPanel has a long history of problems/
I don’t love location tracking but their statistics blog posts are usually pretty funny/interesting. And I’m guessing part of this is to work with specific laws. I read that in US states with draconian laws, they’re actively blocking users.
The thing is, you can do the same statistics without including the user's email address or otherwise directly linking a data point to a specific person.
They may need to retain certain information for laws, but they aren't obligated by law to also share that information with their analytics partners.
Why as an engineer, would you log the entirety of a user’s info on mixpanel? I mean come on, how hard is it to have an obfuscated unique id for your users that can’t be traced back to them when logging info in third party apps? What benefit can you possibly get from logging email ids in mixpanel?
I had an inkling! They've been on a roll this past year or so.
>This data includes a PornHub Premium member's email address, activity type, location, video URL, video name, keywords associated with the video, and the time the event occurred.
Well, that's pretty fucking wild! Email address & time and location sent to a 3rd party, nice! Absolutely no reason for that, of course. Especially considering these are paying customers!
I guess somewhat notably is Mixpanel denying that it's coming from their November breach. They have less incentive to lie in this case, given that they've already admitted to being breached, and (presumably) their systems & logs have been gone over with a fine-toothed comb to identify all affected parties:
>"The data was last accessed by a legitimate employee account at Pornhub’s parent company in 2023. If this data is in the hands of an unauthorized party, we do not believe that is the result of a security incident at Mixpanel."