<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Oarcom</title>
    <description>The latest articles on DEV Community by Oarcom (@o_aoarcom_c78fc0b85aa5).</description>
    <link>https://dev.to/o_aoarcom_c78fc0b85aa5</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3799581%2F72ffdbff-98fe-4c08-a0ad-894c7382223c.png</url>
      <title>DEV Community: Oarcom</title>
      <link>https://dev.to/o_aoarcom_c78fc0b85aa5</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/o_aoarcom_c78fc0b85aa5"/>
    <language>en</language>
    <item>
      <title>I Built a TAKE IT DOWN Act Compliance Checker for Adult Sites</title>
      <dc:creator>Oarcom</dc:creator>
      <pubDate>Tue, 31 Mar 2026 01:55:43 +0000</pubDate>
      <link>https://dev.to/o_aoarcom_c78fc0b85aa5/i-built-a-take-it-down-act-compliance-checker-for-adult-sites-1k21</link>
      <guid>https://dev.to/o_aoarcom_c78fc0b85aa5/i-built-a-take-it-down-act-compliance-checker-for-adult-sites-1k21</guid>
      <description>&lt;p&gt;The TAKE IT DOWN Act goes live May 19, 2026. Every platform hosting user-generated content has to implement a notice-and-takedown process that removes non-consensual intimate images within 48 hours of a valid request. FTC enforcement. Up to two years in prison for individuals. Penalties treated as unfair or deceptive practices under federal consumer protection law.&lt;/p&gt;

&lt;p&gt;I run privacy audits on adult sites — Blacklight scans measuring trackers, cookies, fingerprinting, session recording, keystroke capture. Over 1,000 sites in the database. When the TAKE IT DOWN Act passed last May, I started thinking about which platforms are actually positioned to comply and which ones are going to get crushed by the deadline.&lt;/p&gt;

&lt;p&gt;So I built a framework to evaluate them. Not a legal opinion. A technical readiness check based on observable infrastructure.&lt;/p&gt;

&lt;h2&gt;What the Act actually requires&lt;/h2&gt;

&lt;p&gt;The law targets "covered platforms" — websites or apps that either primarily host user-generated content or regularly host nonconsensual intimate visual depictions. That covers virtually every adult site with an upload button. Pornhub. OnlyFans. Reddit. Fansly. Every creator platform. Every tube that accepts user uploads. Every forum with image hosting.&lt;/p&gt;

&lt;p&gt;Each covered platform needs three things by May 19:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;A conspicuous, accessible reporting mechanism for victims to request removal&lt;/li&gt;
&lt;li&gt;Removal (or access disabling) within 48 hours of a valid request&lt;/li&gt;
&lt;li&gt;Reasonable steps to prevent the same content from being republished — including identical copies&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;That third requirement is the engineering problem. Taking down a single URL is trivial. Preventing a re-upload of the same content across a platform with millions of videos requires content hashing, perceptual matching, or both. PhotoDNA exists. But implementation at scale on adult content is a different beast than implementation on mainstream social media.&lt;/p&gt;

&lt;h2&gt;The five signals I check&lt;/h2&gt;

&lt;p&gt;Here's what I look at when evaluating whether a platform is likely to be ready. None of this is conclusive — but together they paint a picture.&lt;/p&gt;

&lt;h3&gt;1. Does the operator have a name?&lt;/h3&gt;

&lt;p&gt;Sounds basic. It isn't. In my database of 1,000+ adult sites, a surprising number are operated by anonymous entities behind privacy-shielded WHOIS registrations in Panama, Belize, or the Seychelles. No corporate name. No published address. No identifiable compliance team.&lt;/p&gt;

&lt;p&gt;NudeVista — a porn search engine with 9 million monthly visits — runs behind a Panamanian privacy shield. Anonymous operator. Keystroke capture active. If a victim submits a TAKE IT DOWN notice to NudeVista, who processes it? What jurisdiction applies? Where does the 48-hour clock start?&lt;/p&gt;

&lt;p&gt;Compare that to Aylo — whatever you think of their track record (and the FTC just fined them $5 million for content moderation failures), they're a named Canadian corporation with a Montreal headquarters and documented compliance processes. The infrastructure to receive and process takedown requests exists even if the execution has been publicly criticized.&lt;/p&gt;

&lt;p&gt;Signal: Named operator with a published legal entity = higher compliance likelihood.&lt;/p&gt;

&lt;h3&gt;2. What does the content moderation infrastructure look like?&lt;/h3&gt;

&lt;p&gt;This one requires reading between the lines. I don't have access to internal moderation tools. But some indicators are externally visible.&lt;/p&gt;

&lt;p&gt;Platforms with verified-upload-only policies — OnlyFans, Fansly, LoyalFans — already require creator identity verification before any content goes live. That's a KYC layer that doubles as a compliance foundation. If every uploader is verified, tracing the source of a non-consensual upload is straightforward.&lt;/p&gt;

&lt;p&gt;Platforms with open upload — Pornhub pre-2020, most imageboards, many forums — have a harder problem. The content goes up anonymously. Tracing it to a source requires metadata analysis or external reporting. Pornhub's 2020 purge (removing all unverified uploads) was partly a response to exactly this problem.&lt;/p&gt;

&lt;p&gt;The sites that still accept anonymous uploads with no verification are the ones facing the steepest compliance curve.&lt;/p&gt;

&lt;h3&gt;3. Has the platform already been caught?&lt;/h3&gt;

&lt;p&gt;The FTC settled with Aylo for $5 million in September 2025 over allegations that tens of thousands of reports about non-consensual and underage content went unaddressed on Pornhub. An internal compliance employee called it "a goldmine for illegal material." Aylo now operates under 10 years of mandatory audits.&lt;/p&gt;

&lt;p&gt;This tells me two things. First, the reporting infrastructure failed historically — bad sign. Second, the company is now under external monitoring that essentially forces compliance — better sign going forward. Aylo will be compliant by May 19 because the FTC is already watching. The consent decree is doing the work the Act was designed to do, just a year early.&lt;/p&gt;

&lt;p&gt;The platforms I worry about are the ones that haven't been caught yet. The mid-tier sites with enough traffic to host NCII but not enough visibility to attract regulatory attention. These are the sites most likely to miss the deadline and most likely to face enforcement actions when victims file reports and nothing happens within 48 hours.&lt;/p&gt;

&lt;h3&gt;4. What does the privacy scan tell me about technical sophistication?&lt;/h3&gt;

&lt;p&gt;This is where my Blacklight data becomes unexpectedly relevant.&lt;/p&gt;

&lt;p&gt;A platform running 0 trackers with clean infrastructure — Stripchat, Chaturbate, XNXX — has an engineering team that made deliberate technical decisions. That team can build a takedown pipeline. A platform running 12 trackers, session recording, and keystroke capture from three different third-party vendors has an ad-tech stack bolted on by someone optimizing revenue, not compliance.&lt;/p&gt;

&lt;p&gt;I'm not saying high trackers equals non-compliance. I'm saying the technical culture at a 0-tracker platform is more likely to produce a robust NCII detection system than the technical culture at a platform that can't even control its own third-party scripts.&lt;/p&gt;

&lt;p&gt;Correlation, not causation. But the pattern holds in practice.&lt;/p&gt;

&lt;h3&gt;5. What's the re-upload prevention plan?&lt;/h3&gt;

&lt;p&gt;The Act doesn't just require removal. It requires "reasonable steps" to prevent re-posting of identical copies. This means content hashing at minimum.&lt;/p&gt;

&lt;p&gt;Microsoft's PhotoDNA is the industry standard for CSAM detection. But deploying perceptual hashing on adult platforms is a different technical challenge — you need to hash millions of legitimate uploads and then detect matches against a blocklist without false-positiving on similar-but-consensual content. The error tolerance matters enormously when legitimate adult content can visually resemble non-consensual content in ways that mainstream social media content typically doesn't.&lt;/p&gt;

&lt;p&gt;The platforms most likely to have this ready are the ones already using hash-based deduplication for content management purposes. Pornhub, OnlyFans, and other high-volume platforms almost certainly have internal hashing for duplicate detection. Adapting that system for NCII blocking is an engineering project, not a moonshot.&lt;/p&gt;

&lt;p&gt;The platforms least likely to have this are the imageboards, forums, and smaller tubes running on commodity hosting with no content analysis pipeline.&lt;/p&gt;

&lt;h2&gt;What I found across 167 reviewed sites&lt;/h2&gt;

&lt;p&gt;I categorized the platforms I've reviewed into three buckets:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Likely compliant by May 19:&lt;/strong&gt; Named operators with verified-upload policies and existing content moderation teams. OnlyFans, Fansly, Pornhub (post-FTC), Stripchat, Chaturbate. These platforms have the infrastructure even if the track record is imperfect.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;At risk:&lt;/strong&gt; Mid-tier platforms with some moderation but no visible NCII-specific tooling. Many premium studios, smaller cam sites, niche platforms. They have legal teams and billing infrastructure but may lack the content analysis systems the Act requires for re-upload prevention.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Red flags:&lt;/strong&gt; Anonymous operators, no verification on uploads, privacy-shielded registrations, no published terms of service, no visible moderation process. These platforms are structurally unprepared for a law that requires a 48-hour response to an identified victim.&lt;/p&gt;

&lt;p&gt;The full compliance framework, along with a breakdown of which site categories face the steepest challenges, is on NSFWRanker's TAKE IT DOWN Act 2026 guide. The privacy scan data for every platform is in the privacy score tool.&lt;/p&gt;

&lt;h2&gt;Fifty days&lt;/h2&gt;

&lt;p&gt;That's how long platforms have as of this writing. The criminal provisions are already active — knowingly publishing NCII is already a federal offense. The platform obligations kick in May 19.&lt;/p&gt;

&lt;p&gt;If you're building tools for adult platforms, the compliance opportunity is real. Takedown request management systems, perceptual hashing implementations, automated re-upload detection. The platforms that need this most are the ones least likely to build it in-house.&lt;/p&gt;

&lt;p&gt;If you're a user, the Act gives you something that didn't exist federally before: a legal mechanism with teeth. A 48-hour clock. FTC enforcement. Prison time for violations. Whether it works depends on whether the platforms actually build the systems. Fifty days until we find out.&lt;/p&gt;




&lt;p&gt;I run Blacklight privacy scans on 1,000+ adult sites at nsfwranker.com. The TAKE IT DOWN Act guide is at nsfwranker.com/guides/take-it-down-act-2026. The privacy data for every platform is in the privacy score tool.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>The EU Just Caught 4 Major Porn Sites Breaking the Law — I Checked What They Track</title>
      <dc:creator>Oarcom</dc:creator>
      <pubDate>Sun, 29 Mar 2026 21:44:11 +0000</pubDate>
      <link>https://dev.to/o_aoarcom_c78fc0b85aa5/the-eu-just-caught-4-major-porn-sites-breaking-the-law-i-checked-what-they-track-512p</link>
      <guid>https://dev.to/o_aoarcom_c78fc0b85aa5/the-eu-just-caught-4-major-porn-sites-breaking-the-law-i-checked-what-they-track-512p</guid>
      <description>&lt;p&gt;Three days ago, the European Commission dropped a bomb: Pornhub, Stripchat, XNXX, and XVideos are in preliminary breach of the Digital Services Act. The charge? Failing to protect minors from accessing pornographic content. Potential fines up to 6% of global annual turnover.&lt;/p&gt;

&lt;p&gt;The investigation started in May 2025. Ten months later, the Commission's conclusion is blunt: all four platforms rely on self-declaration — a "click here to confirm you're 18" button — and the EU considers that worthless. Content warnings, page blurring, "Restricted to adults" labels — none of it counts as an effective measure under the DSA.&lt;/p&gt;

&lt;p&gt;But here's what caught my attention. The EU is focused on &lt;em&gt;who&lt;/em&gt; accesses these sites. Nobody's asking &lt;em&gt;what these sites collect from the people already using them&lt;/em&gt;.&lt;/p&gt;

&lt;p&gt;I have that data.&lt;/p&gt;

&lt;h2&gt;What Blacklight Found on All Four Sites&lt;/h2&gt;

&lt;p&gt;I run a project called &lt;a href="https://nsfwranker.com" rel="noopener noreferrer"&gt;NSFWRanker&lt;/a&gt; where I scan adult sites with The Markup's Blacklight tool — the same privacy inspector built by investigative journalists. It detects third-party trackers, cookies, canvas fingerprinting, session recording scripts, and keystroke capture.&lt;/p&gt;

&lt;p&gt;Here's what the scans show for the four EU-targeted platforms:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Pornhub&lt;/strong&gt; — 2 third-party trackers, 0 cookies. No fingerprinting. No session recording. No keystroke capture. Owned by Aylo (Cyprus). The scan looks reasonable on paper, but Aylo operates 13 properties as a first-party data network. Cross-site profiling that Blacklight can't measure.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Stripchat&lt;/strong&gt; — 0 trackers, 0 cookies. Nothing. Clean across the board. This is a live cam platform with millions of daily users and it runs a tighter ship than most news websites. Also Cyprus-based (Technius Ltd).&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;XNXX&lt;/strong&gt; — 0 trackers, 0 cookies. Zero everything. The largest free tube by video count, owned by WGCZ (Czech Republic), and one of the cleanest scans in my entire dataset of 1,000+ sites.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;XVideos&lt;/strong&gt; — 1 tracker, 0 cookies. Sister site to XNXX, same parent company. Nearly identical clean profile. One tracker is marginal noise.&lt;/p&gt;

&lt;h2&gt;The Irony Nobody's Talking About&lt;/h2&gt;

&lt;p&gt;The EU wants these four platforms to implement "privacy-preserving age verification." The Commission is even building an EU Age Verification app with pilot programs in six member states including Denmark and France.&lt;/p&gt;

&lt;p&gt;But look at the scan data. These four sites are already among the &lt;em&gt;cleanest&lt;/em&gt; major adult platforms on the internet. Stripchat and XNXX run zero trackers. Zero cookies. That's cleaner than CNN, cleaner than WebMD, cleaner than most EU government websites.&lt;/p&gt;

&lt;p&gt;Meanwhile, sites that aren't on the EU's radar are running 7, 15, even 56 third-party trackers. One adult search engine I scanned records every keystroke users type — including fetish searches. A network of 9 sites owned by the same UK company records full browsing sessions. Several platforms use canvas fingerprinting to track users across devices, even in incognito mode.&lt;/p&gt;

&lt;p&gt;The EU caught the big fish for the wrong thing while the small fish do the real damage unnoticed.&lt;/p&gt;

&lt;h2&gt;Age Verification Creates New Privacy Risks&lt;/h2&gt;

&lt;p&gt;XVideos responded to the Commission's findings by saying the EU was "asking us to commit suicide for nothing" — that age checks would push users to unregulated sites outside EU jurisdiction. It's a self-serving argument, but the underlying concern about age verification privacy is legitimate.&lt;/p&gt;

&lt;p&gt;We've already seen what happens when age verification vendors handle sensitive data. Persona — the vendor used by Discord, OpenAI, and Roblox — had 2,500 verification files found on a government server earlier this year. The system ran 269 surveillance checks including facial recognition, PEP screening, and terrorist watchlist queries. All of it stored. 419 cybersecurity professors from 30 countries signed an open letter against it.&lt;/p&gt;

&lt;p&gt;Requiring age verification on sites that already collect zero trackers could paradoxically make users &lt;em&gt;less&lt;/em&gt; private, not more.&lt;/p&gt;

&lt;h2&gt;What the Data Actually Shows&lt;/h2&gt;

&lt;p&gt;After scanning 1,000+ adult sites, the pattern is clear:&lt;/p&gt;

&lt;p&gt;The biggest platforms tend to be the cleanest. They have legal teams, compliance departments, and enough visibility that they can't afford to deploy aggressive tracking.&lt;/p&gt;

&lt;p&gt;The real surveillance happens on mid-tier and small sites that nobody regulates and nobody scans. Sites where the operator is a shell company in Panama or a network of entities registered across three jurisdictions. Sites where session recording captures every mouse movement and keystroke capture logs every search query.&lt;/p&gt;

&lt;p&gt;The EU is looking at the front door while the backdoor is wide open.&lt;/p&gt;

&lt;p&gt;Full privacy scans for all four EU-targeted sites — and 163 others — are at &lt;a href="https://nsfwranker.com" rel="noopener noreferrer"&gt;nsfwranker.com&lt;/a&gt;. The &lt;a href="https://nsfwranker.com/guides/porn-site-tracker-ranking-2026" rel="noopener noreferrer"&gt;tracker ranking&lt;/a&gt; breaks down the worst and cleanest sites by the numbers.&lt;/p&gt;




&lt;p&gt;&lt;em&gt;I scan adult sites for trackers, fingerprinting, and surveillance scripts using The Markup's Blacklight tool. The data is free, the methodology is public, and nobody pays for rankings. More at &lt;a href="https://nsfwranker.com" rel="noopener noreferrer"&gt;nsfwranker.com&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>privacy</category>
      <category>security</category>
      <category>webdev</category>
      <category>opensource</category>
    </item>
    <item>
      <title>I Found Corporate Networks Hidden Behind Porn Sites — Same Tracker Fingerprints, Different Brands</title>
      <dc:creator>Oarcom</dc:creator>
      <pubDate>Sun, 22 Mar 2026 23:25:24 +0000</pubDate>
      <link>https://dev.to/o_aoarcom_c78fc0b85aa5/i-found-corporate-networks-hidden-behind-porn-sites-same-tracker-fingerprints-different-brands-439e</link>
      <guid>https://dev.to/o_aoarcom_c78fc0b85aa5/i-found-corporate-networks-hidden-behind-porn-sites-same-tracker-fingerprints-different-brands-439e</guid>
      <description>&lt;p&gt;When you scan one adult site with Blacklight, you get a privacy report. When you scan 167 of them, you start seeing patterns that weren't supposed to be visible.&lt;/p&gt;

&lt;p&gt;I've been running Blacklight — The Markup's open-source privacy auditing tool — against adult sites for about a month. The original goal was straightforward: document trackers, cookies, fingerprinting, and session recording across the industry. Build a dataset. Publish the findings.&lt;/p&gt;

&lt;p&gt;But somewhere around scan 120, I stopped looking at individual results and started looking at clusters. And that's when the corporate networks appeared.&lt;/p&gt;

&lt;h2&gt;The Setup&lt;/h2&gt;

&lt;p&gt;Blacklight checks for seven things: third-party trackers, third-party cookies, canvas fingerprinting, session recording, keystroke capture, Facebook Pixel, and Google Analytics remarketing. Each scan produces a consistent fingerprint — a combination of flags that's unique enough to compare across sites.&lt;/p&gt;

&lt;p&gt;When two sites run by the same company use the same ad network, the same tracker stack, and the same surveillance tools, their scans look almost identical. Even when the sites themselves look completely different.&lt;/p&gt;

&lt;p&gt;That's the tell.&lt;/p&gt;

&lt;h2&gt;Network 1: AVS Group — Session Recording Across the Board&lt;/h2&gt;

&lt;p&gt;TXXX is a free tube site. Nothing remarkable about it at first glance — standard layout, standard content, moderate traffic. The scan came back 7 trackers, 9 cookies, and session recording active.&lt;/p&gt;

&lt;p&gt;Then I scanned hclips. Different domain, different design, different branding. The scan: 8 trackers, 26 cookies, session recording active. Same ad network — ClickAdilla. Same corporate fingerprint.&lt;/p&gt;

&lt;p&gt;So I kept going. upornia, voyeurhit, vjav, hdzog, pornzog, hotmovs, tubepornclassic. Every single one: session recording active. Every single one: ClickAdilla ads. The tracker and cookie counts vary, but the surveillance layer is consistent.&lt;/p&gt;

&lt;p&gt;They're all AVS Group. A network that, from the front end, looks like nine independent tube sites. From the scan data, it's one operation running session recording everywhere.&lt;/p&gt;

&lt;p&gt;In 2025, UK regulator Ofcom fined them £1.4 million. TXXX was the flagship in that case, but the infrastructure is shared. Interestingly, TXXX actually has the lightest tracking in the network — 7 trackers and 9 cookies versus hclips at 8 trackers and 26 cookies. The site that got named in the fine is the cleanest node.&lt;/p&gt;

&lt;p&gt;The pattern here: identical surveillance tools deployed across brands that present themselves as unrelated.&lt;/p&gt;

&lt;h2&gt;Network 2: PB Web Media — The Clean Ghost&lt;/h2&gt;

&lt;p&gt;This one is the opposite pattern. TubeGalore: 1 tracker, 0 cookies, zero ads on the actual site. iXXX: 1 tracker, 0 cookies, some banner ads. Both registered in the Netherlands through PB Web Media B.V.&lt;/p&gt;

&lt;p&gt;PornPics, a photo gallery site with a 30-year-old domain, scans at 0 trackers, 1 cookie. Different visual identity, but the same operational fingerprint: minimal tracking, Netherlands registration, zero controversies across domains that are 18 to 27 years old.&lt;/p&gt;

&lt;p&gt;Three sites. Same parent. Combined traffic well over 200 million visits per month. And a tracking footprint so small you'd almost miss the connection.&lt;/p&gt;

&lt;p&gt;This is what a quietly well-run network looks like in scan data: consistent minimalism across all nodes. No session recording, no fingerprinting, no keystroke capture. Just one tracker and a clean record spanning decades.&lt;/p&gt;

&lt;p&gt;The pattern: uniformly clean scans across brands with no public connection.&lt;/p&gt;

&lt;h2&gt;Network 3: IG Media — The Cyprus Shell&lt;/h2&gt;

&lt;p&gt;YouJizz scans at 1 tracker, 6 cookies. Beeg scans at 2 trackers, 8 cookies, plus session recording. Different sites, different user experience — Beeg is minimal and design-forward, YouJizz is a standard tube.&lt;/p&gt;

&lt;p&gt;Both are registered through EuroDNS. Both trace back to Cyprus through shell entities. Investigative reporting by The Next Web confirmed a shared administrator, though the corporate structure is deliberately opaque.&lt;/p&gt;

&lt;p&gt;What's interesting from a technical perspective: same holding company, same registrar, but different surveillance levels. Beeg has session recording. YouJizz doesn't. That means someone made a deliberate decision to deploy session recording on one brand and not the other within the same network.&lt;/p&gt;

&lt;p&gt;The pattern: same corporate infrastructure, intentionally different tracking configurations per brand.&lt;/p&gt;

&lt;h2&gt;Network 4: Aylo — The Free vs. Premium Split&lt;/h2&gt;

&lt;p&gt;This is the most documented network, but the scan data reveals something I haven't seen reported elsewhere.&lt;/p&gt;

&lt;p&gt;Aylo owns Pornhub, RedTube, YouPorn, Tube8 (free tubes) and Brazzers, RealityKings, Twistys, Babes (premium studios). That's public knowledge.&lt;/p&gt;

&lt;p&gt;The scan pattern: every free tube has exactly 2 trackers. Every premium studio has exactly 0.&lt;/p&gt;

&lt;p&gt;Not approximately. Not "fewer." Zero versus two, consistently, across every property I scanned.&lt;/p&gt;

&lt;p&gt;The business model determines the tracking stack, not the brand, not the tech team, not the domain age. Free sites that monetize through ads deploy trackers. Premium sites that monetize through subscriptions don't need to.&lt;/p&gt;

&lt;p&gt;This is the cleanest example of how corporate policy, not technical capability, drives surveillance decisions. Same parent company, same engineering team presumably, completely different tracking based on revenue model.&lt;/p&gt;

&lt;h2&gt;How to Spot These Patterns Yourself&lt;/h2&gt;

&lt;p&gt;If you want to replicate this:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Scan with Blacklight&lt;/strong&gt; at &lt;a href="https://themarkup.org/blacklight" rel="noopener noreferrer"&gt;themarkup.org/blacklight&lt;/a&gt;. It's free, takes about 45 seconds per site.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Record the full output&lt;/strong&gt;, not just the summary. The specific tracker domains, cookie names, and flag combinations matter more than the counts.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Look for shared ad networks.&lt;/strong&gt; ClickAdilla across multiple sites = likely same operator. Same tracker domain appearing on "unrelated" sites = shared infrastructure.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Check registrars.&lt;/strong&gt; Sites that share a registrar (especially niche ones like EuroDNS or Gransy s.r.o.) and have similar scan profiles are probably related.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Compare session recording deployment.&lt;/strong&gt; This is the most telling flag. Session recording costs money to implement and process. When it appears on multiple "independent" sites, someone is paying for it centrally.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Cross-reference with WHOIS history.&lt;/strong&gt; Privacy-protected WHOIS on its own means nothing. Privacy-protected WHOIS plus identical scan fingerprints plus shared registrar is a pattern.&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;What This Reveals&lt;/h2&gt;

&lt;p&gt;The adult web isn't thousands of independent sites. It's a handful of networks operating dozens of brands each, with corporate structures designed to obscure the relationships.&lt;/p&gt;

&lt;p&gt;From a user perspective, you think you're choosing between independent options. From the scan data, you're often choosing between different front ends for the same surveillance infrastructure.&lt;/p&gt;

&lt;p&gt;That doesn't mean every network is malicious. PB Web Media runs a clean operation across all its properties. Aylo's premium studios are tracker-free. The point isn't that networks are inherently bad — it's that you can't evaluate a site's privacy practices without understanding which network it belongs to.&lt;/p&gt;

&lt;p&gt;And the only way to figure that out, in most cases, is to scan them all and look for the fingerprints they didn't mean to leave.&lt;/p&gt;




&lt;p&gt;&lt;em&gt;The full dataset — 167 sites scanned, 1,007 sites in the privacy database — is available at &lt;a href="https://nsfwranker.com" rel="noopener noreferrer"&gt;nsfwranker.com&lt;/a&gt;. Every scan uses Blacklight by The Markup. The tool is free and open to anyone.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>privacy</category>
      <category>security</category>
      <category>webdev</category>
      <category>opensource</category>
    </item>
    <item>
      <title>Browser Fingerprinting on Adult Sites: What I Found After 130 Blacklight Scans</title>
      <dc:creator>Oarcom</dc:creator>
      <pubDate>Mon, 16 Mar 2026 04:09:47 +0000</pubDate>
      <link>https://dev.to/o_aoarcom_c78fc0b85aa5/browser-fingerprinting-on-adult-sites-what-i-found-after-130-blacklight-scans-3dfp</link>
      <guid>https://dev.to/o_aoarcom_c78fc0b85aa5/browser-fingerprinting-on-adult-sites-what-i-found-after-130-blacklight-scans-3dfp</guid>
      <description>&lt;p&gt;I'm a developer who's been running Blacklight privacy scans on adult websites. Not for moral reasons — for data. Over three months, I scanned 130 sites across 12 categories. Here's what I found about browser fingerprinting specifically, and why it matters more than tracker counts.&lt;/p&gt;

&lt;h2&gt;The Setup&lt;/h2&gt;

&lt;p&gt;Blacklight is The Markup's open-source inspection tool. It loads a URL in a headless browser and monitors for:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Ad trackers (third-party scripts loading from known advertising domains)&lt;/li&gt;
&lt;li&gt;Third-party cookies (cookies set by domains other than the one you're visiting)&lt;/li&gt;
&lt;li&gt;Canvas fingerprinting (JavaScript that reads canvas rendering output to identify your device)&lt;/li&gt;
&lt;li&gt;Session recording (scripts from services like Hotjar/FullStory that replay user sessions)&lt;/li&gt;
&lt;li&gt;Keystroke capture (scripts that log keyboard input)&lt;/li&gt;
&lt;li&gt;Evading cookie blockers (techniques to set tracking data despite browser protections)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;I ran this on 130 adult sites. Here's the fingerprinting data.&lt;/p&gt;

&lt;h2&gt;Fingerprinting Detection Results&lt;/h2&gt;

&lt;p&gt;Out of 130 sites scanned, &lt;strong&gt;7 had fingerprinting detected&lt;/strong&gt; (5.4%):&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Site&lt;/th&gt;
&lt;th&gt;Category&lt;/th&gt;
&lt;th&gt;Trackers&lt;/th&gt;
&lt;th&gt;Cookies&lt;/th&gt;
&lt;th&gt;Fingerprinting&lt;/th&gt;
&lt;th&gt;Other Flags&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Toonily&lt;/td&gt;
&lt;td&gt;Manga&lt;/td&gt;
&lt;td&gt;56&lt;/td&gt;
&lt;td&gt;186&lt;/td&gt;
&lt;td&gt;✅&lt;/td&gt;
&lt;td&gt;—&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Motherless&lt;/td&gt;
&lt;td&gt;Free Tubes&lt;/td&gt;
&lt;td&gt;1&lt;/td&gt;
&lt;td&gt;7&lt;/td&gt;
&lt;td&gt;✅&lt;/td&gt;
&lt;td&gt;—&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;CrushOn AI&lt;/td&gt;
&lt;td&gt;AI Porn&lt;/td&gt;
&lt;td&gt;—&lt;/td&gt;
&lt;td&gt;—&lt;/td&gt;
&lt;td&gt;✅&lt;/td&gt;
&lt;td&gt;Mozilla warning&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;FetLife&lt;/td&gt;
&lt;td&gt;Dating&lt;/td&gt;
&lt;td&gt;0&lt;/td&gt;
&lt;td&gt;0&lt;/td&gt;
&lt;td&gt;✅&lt;/td&gt;
&lt;td&gt;—&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;POVR&lt;/td&gt;
&lt;td&gt;VR Porn&lt;/td&gt;
&lt;td&gt;1&lt;/td&gt;
&lt;td&gt;0&lt;/td&gt;
&lt;td&gt;✅&lt;/td&gt;
&lt;td&gt;—&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;F95Zone&lt;/td&gt;
&lt;td&gt;Adult Games&lt;/td&gt;
&lt;td&gt;7&lt;/td&gt;
&lt;td&gt;18&lt;/td&gt;
&lt;td&gt;✅&lt;/td&gt;
&lt;td&gt;Session recording&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Hitomi&lt;/td&gt;
&lt;td&gt;Manga&lt;/td&gt;
&lt;td&gt;4&lt;/td&gt;
&lt;td&gt;8&lt;/td&gt;
&lt;td&gt;✅&lt;/td&gt;
&lt;td&gt;—&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;h2&gt;Why Fingerprinting Matters More Than Cookies&lt;/h2&gt;

&lt;p&gt;Cookies are the privacy concern everyone talks about. GDPR banners, cookie consent, "we use cookies" — it's the visible layer. But cookies have a fundamental limitation from the tracker's perspective: users can delete them. Incognito mode doesn't carry them. Browser extensions block them.&lt;/p&gt;

&lt;p&gt;Fingerprinting bypasses all of that.&lt;/p&gt;

&lt;p&gt;Canvas fingerprinting works by having JavaScript draw something to an invisible &lt;code&gt;&amp;lt;canvas&amp;gt;&lt;/code&gt; element and then reading back the rendered pixels. Different GPUs, different font renderers, different OS configurations produce slightly different output. Combined with other signals — screen resolution, timezone, language, installed plugins, WebGL renderer string, audio processing characteristics — the result is a unique identifier for your device that persists across sessions, across cookie clears, across incognito windows.&lt;/p&gt;

&lt;p&gt;On a regular website, fingerprinting is a privacy concern. On an adult website, it's an identity concern. Especially on these platforms:&lt;/p&gt;

&lt;h3&gt;
  
  
  FetLife — 0 trackers, 0 cookies, fingerprinting ✅
&lt;/h3&gt;

&lt;p&gt;FetLife is a social network for BDSM and kink. Users maintain pseudonymous profiles. They share sexual interests they may not want connected to their real identity. Many users explicitly compartmentalize — different browser, different email, different device.&lt;/p&gt;

&lt;p&gt;Fingerprinting undermines that compartmentalization at the hardware level. If you use the same laptop for FetLife under a pseudonym and for Gmail under your real name, a fingerprint can potentially correlate those sessions. Not through FetLife itself necessarily — but through whatever third-party service receives the fingerprint data.&lt;/p&gt;

&lt;p&gt;The 0/0 tracker/cookie scan looks clean. The fingerprinting makes it not clean. This is why looking at only tracker counts misses the story.&lt;/p&gt;

&lt;h3&gt;
  
  
  Motherless — 1 tracker, 7 cookies, fingerprinting ✅
&lt;/h3&gt;

&lt;p&gt;Motherless is the only free tube site where fingerprinting was detected. It's also the only free tube site named in federal court documents for CSAM uploads. The FBI has traced user activity through the platform multiple times.&lt;/p&gt;

&lt;p&gt;Fingerprinting on a site with this law enforcement history means your device is uniquely identifiable on a platform that has been subject to federal investigation. Even if you never create an account.&lt;/p&gt;

&lt;h3&gt;
  
  
  Toonily — 56 trackers, 186 cookies, fingerprinting ✅
&lt;/h3&gt;

&lt;p&gt;The worst scan in the project. Fingerprinting is almost academic when 56 tracking services are already profiling you, but it closes the last escape hatch. Even users who aggressively block cookies and trackers can be identified by fingerprint.&lt;/p&gt;

&lt;h2&gt;
  
  
  What Developers Can Learn
&lt;/h2&gt;

&lt;p&gt;If you're building a web application — any web application — here's what this data tells you:&lt;/p&gt;

&lt;h3&gt;
  
  
  1. Fingerprinting is a deployment choice, not an inevitability.
&lt;/h3&gt;

&lt;p&gt;123 out of 130 sites I scanned did NOT have fingerprinting. Including sites with billions of monthly pageviews (XNXX, Pornhub, XVideos). If the largest porn sites on the planet can operate without fingerprinting, your SaaS product can too.&lt;/p&gt;

&lt;h3&gt;
  
  
  2. Session recording + fingerprinting is the worst combination.
&lt;/h3&gt;

&lt;p&gt;F95Zone has both. The session replay captures what you do. The fingerprint identifies who you are. Together they create a behavioral record tied to a device identity. If you use Hotjar or FullStory, understand that you're creating this combination on your own site.&lt;/p&gt;

&lt;h3&gt;
  
  
  3. Zero tracking is achievable at any scale.
&lt;/h3&gt;

&lt;p&gt;XNXX: 0 trackers, 0 cookies. Billions of pageviews. Archive of Our Own: 0 trackers, 0 cookies. 548 million monthly visits. Tinder: 0 trackers, 0 cookies. 75 million monthly active users. The "we need tracking for analytics" argument doesn't hold. Self-hosted analytics (Umami, Plausible, Matomo) provide everything you need without third-party surveillance.&lt;/p&gt;

&lt;h3&gt;
  
  
  4. The Blacklight tool is free — use it on your own sites.
&lt;/h3&gt;

&lt;p&gt;&lt;code&gt;themarkup.org/blacklight&lt;/code&gt; — enter any URL and get a full privacy scan. If you're deploying third-party scripts on your production site, you should know what they're actually doing. You might be surprised.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Full Dataset
&lt;/h2&gt;

&lt;p&gt;I publish Blacklight scan data — trackers, cookies, fingerprinting, session recording, keystroke capture, VirusTotal results — for every site I review at &lt;a href="https://nsfwranker.com" rel="noopener noreferrer"&gt;nsfwranker.com&lt;/a&gt;. Currently 130 sites across 12 categories. The data is in every review's safety section.&lt;/p&gt;

&lt;p&gt;If you're working on anything privacy-related — browser extensions, privacy dashboards, ad-blocking tools — the dataset might be useful. The adult web is the internet's largest unexamined privacy surface.&lt;/p&gt;

</description>
      <category>privacy</category>
      <category>security</category>
      <category>webdev</category>
      <category>javascript</category>
    </item>
    <item>
      <title>I Used a Newsroom Privacy Tool to Audit 100+ Adult Sites. Here's How the Stack Works.</title>
      <dc:creator>Oarcom</dc:creator>
      <pubDate>Sat, 14 Mar 2026 16:12:55 +0000</pubDate>
      <link>https://dev.to/o_aoarcom_c78fc0b85aa5/i-used-a-newsroom-privacy-tool-to-audit-100-adult-sites-heres-how-the-stack-works-4c9p</link>
      <guid>https://dev.to/o_aoarcom_c78fc0b85aa5/i-used-a-newsroom-privacy-tool-to-audit-100-adult-sites-heres-how-the-stack-works-4c9p</guid>
      <description>&lt;p&gt;&lt;strong&gt;Blacklight, VirusTotal, Supabase, and a lot of uncomfortable browser tabs.&lt;/strong&gt;&lt;/p&gt;




&lt;p&gt;This started because I wanted to build an adult site review platform that wasn't just opinions. Every "best porn sites" list on the internet is the same thing — ten affiliate links, a paragraph about "great content," and zero verifiable data. I wanted scan results. Numbers. Something a reader could cross-check.&lt;/p&gt;

&lt;p&gt;The problem: there's no standardized privacy scanning pipeline for adult websites. Nobody's built one. The tools exist in pieces across different contexts — journalism, security research, browser extension development — but nobody's stitched them together for this specific use case.&lt;/p&gt;

&lt;p&gt;So I did. Here's the stack, the methodology, and the non-obvious problems I ran into along the way.&lt;/p&gt;




&lt;h2&gt;
  
  
  The scanning tool: Blacklight
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://themarkup.org/blacklight" rel="noopener noreferrer"&gt;Blacklight&lt;/a&gt; is an open-source real-time privacy inspector built by The Markup, a nonprofit investigative newsroom. It loads a URL in a headless browser and detects:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Third-party trackers&lt;/strong&gt; — scripts loaded from external domains that track user behavior&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Third-party cookies&lt;/strong&gt; — cookies set by domains other than the one you're visiting&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Canvas fingerprinting&lt;/strong&gt; — using the HTML5 Canvas API to generate a unique device identifier&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Session recording&lt;/strong&gt; — scripts that replay your mouse movements, clicks, and scrolls (think FullStory, Hotjar)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Keystroke capture&lt;/strong&gt; — logging form field input before submission&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Facebook/Google tracking pixels&lt;/strong&gt; — specific integrations with ad platforms&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;For this project, the relevant outputs are trackers, cookies, fingerprinting, session recording, and keystroke capture. Facebook/Google pixels aren't meaningful in the adult space — those platforms ban adult advertisers, so the pixels are rarely present.&lt;/p&gt;

&lt;h3&gt;
  
  
  What Blacklight doesn't catch
&lt;/h3&gt;

&lt;p&gt;This matters more than what it does catch.&lt;/p&gt;

&lt;p&gt;Blacklight measures &lt;strong&gt;third-party&lt;/strong&gt; tracking. It does not detect first-party analytics (server-side logging, Plausible, Matomo). Every website with a server collects access logs — IP addresses, timestamps, user agents, referrers. Blacklight can't see that because it's server-side. A site returning 0 trackers and 0 cookies in Blacklight is not collecting "no data." It's collecting no data &lt;em&gt;via third-party scripts in your browser.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;That distinction is important and I've had to explain it in approximately 40 reviews.&lt;/p&gt;




&lt;h2&gt;
  
  
  The malware layer: VirusTotal
&lt;/h2&gt;

&lt;p&gt;Blacklight tells you about tracking. It doesn't tell you about malware. For that I use VirusTotal's URL scanner — it submits the URL to 90+ antivirus engines and returns a consensus score.&lt;/p&gt;

&lt;p&gt;Every site I've scanned came back 0/94 or close to it. The malware threat on major adult platforms in 2026 is effectively zero. The actual malware risk in the adult ecosystem lives in the ad network — pop-ups, redirects, and interstitials that route through sketchy ad exchanges. The sites themselves are clean. The ads around them aren't always.&lt;/p&gt;

&lt;p&gt;This is why uBlock Origin is the single most impactful browser extension for adult site safety. It kills the ad layer entirely.&lt;/p&gt;




&lt;h2&gt;
  
  
  The data model
&lt;/h2&gt;

&lt;p&gt;I store everything in a TypeScript object (&lt;code&gt;siteData.ts&lt;/code&gt;) that looks like this for each site:&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight json"&gt;&lt;code&gt;{
  trackers: 2,
  cookies: 0,
  fingerprinting: false,
  sessionRecording: false,
  keystrokeCapture: false,
  billingDescriptor: 'Aylo/Probiller',
  paymentProcessor: 'Probiller',
  vtScore: '0/94',
  vtFlagged: false,
  monthlyVisits: null,
  topCountry: null,
  domainAge: '2000',
  paymentMethods: {
    creditCard: false,
    crypto: true,
    paypal: false,
    giftCard: false
  }
}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This feeds into everything — review pages, comparison tables, the privacy score tool, aggregate statistics on guide pages, and the sitemap. When a scan value changes, every page that references it updates at the next build. No manual propagation. No copy-paste errors.&lt;/p&gt;

&lt;p&gt;The site runs on Next.js (App Router, server components), deployed on Vercel, with Supabase for analytics (self-hosted Umami). The data layer is deliberately not in a database — it's a TypeScript file that gets bundled at build time. For 100 sites this is faster than any database query and the DX is simpler: edit the file, push, done.&lt;/p&gt;

&lt;p&gt;At 1,000+ sites I'll probably need to migrate to Supabase, but premature database architecture is how side projects die.&lt;/p&gt;




&lt;h2&gt;
  
  
  The non-obvious problems
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Adult sites break headless browsers differently
&lt;/h3&gt;

&lt;p&gt;Blacklight runs a headless Chromium instance. Some adult sites detect headless browsers and serve different content — fewer ads, different tracking scripts, or outright blocks. This means the scan may undercount trackers on sites that fingerprint the scanner itself.&lt;/p&gt;

&lt;p&gt;I've dealt with this by running scans on multiple occasions and comparing results. If a site returns 0/0 once and 3/2 the next time, something is being served conditionally. I report the higher number with a note.&lt;/p&gt;

&lt;h3&gt;
  
  
  Paywall gating changes the scan surface
&lt;/h3&gt;

&lt;p&gt;A site like Brazzers has a landing page (what Blacklight scans) and a members-only area (what it can't reach). The tracking infrastructure behind the login may be completely different. Blacklight scans the public-facing homepage. This is a limitation I document for every paid site.&lt;/p&gt;

&lt;p&gt;For free sites, the scan surface is the actual user experience. For paid sites, it's the marketing layer. Keep that in mind when comparing free tubes (full scan surface) to premium studios (partial scan surface).&lt;/p&gt;

&lt;h3&gt;
  
  
  Cookie counts are noisy
&lt;/h3&gt;

&lt;p&gt;A site with 7 cookies isn't necessarily worse than a site with 1 cookie. One session management cookie is benign. Seven analytics and marketing cookies are not. But Blacklight reports the count, not the function. I've started doing manual cookie audits on the worst offenders to break down what each cookie actually does, but for the aggregate data, the count is the reported metric.&lt;/p&gt;

&lt;h3&gt;
  
  
  Billing data requires a subscription
&lt;/h3&gt;

&lt;p&gt;I can't scan what a billing descriptor looks like without actually subscribing. For some sites I've subscribed, noted the descriptor, and canceled. For others I rely on user reports and processor documentation. The billing descriptor field in my data model has varying confidence levels — some confirmed firsthand, some sourced from forums and reviews.&lt;/p&gt;




&lt;h2&gt;
  
  
  What 100+ scans taught me about the adult industry's privacy landscape
&lt;/h2&gt;

&lt;p&gt;The data clusters into three tiers:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Tier 1 — Clean (0-1 trackers, 0-1 cookies, no invasive tech):&lt;/strong&gt; This includes platforms you wouldn't expect. XNXX — one of the top 50 most visited websites globally — returns 0/0. Chaturbate, the biggest cam site, returns 0 trackers and 1 cookie. OnlyFans returns 0/0. Literotica returns 0/0. The clean tier is bigger than most people assume.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Tier 2 — Standard (2-3 trackers, 0-3 cookies, no invasive tech):&lt;/strong&gt; Most major sites land here. Pornhub at 2/0. XHamster at 2/0. Erika Lust at 2/0. This is the baseline for sites running standard analytics and ad attribution without anything aggressive.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Tier 3 — Heavy (4+ trackers, 4+ cookies, or invasive tech present):&lt;/strong&gt; This is where it gets interesting. Ashley Madison at 5 trackers and 7 cookies. Fansly at 6/6. Promptchan AI at 3/12. LiveJasmin with session recording AND keystroke capture. Ersties at 3 trackers and 9 cookies. The sites in this tier have business models or organizational structures that demand more data from users.&lt;/p&gt;

&lt;p&gt;The pattern: the heaviest tracking doesn't correlate with the sketchiest sites. It correlates with the most complex business models. VC-backed startups, sites with affiliate programs, platforms running multiple payment processors — these are the ones that light up the scan. A simple tube site with ads runs cleaner than a "premium ethical" platform with investors, because the tube doesn't need cohort analytics for board presentations.&lt;/p&gt;




&lt;h2&gt;
  
  
  The tool I built from this data
&lt;/h2&gt;

&lt;p&gt;The scan data feeds a public tool at &lt;a href="https://nsfwranker.com/tools/privacy-score" rel="noopener noreferrer"&gt;nsfwranker.com/tools/privacy-score&lt;/a&gt;. Type a site name, get the Blacklight results. No signup. No paywall. The dataset covers 100+ sites now and scales to 1,000+ without code changes (it reads from &lt;code&gt;siteData.ts&lt;/code&gt; dynamically).&lt;/p&gt;

&lt;p&gt;The guide pages — &lt;a href="https://nsfwranker.com/guides/adult-site-privacy-rankings" rel="noopener noreferrer"&gt;adult site privacy rankings&lt;/a&gt;, &lt;a href="https://nsfwranker.com/guides/does-pornhub-track-you" rel="noopener noreferrer"&gt;does Pornhub track you&lt;/a&gt;, &lt;a href="https://nsfwranker.com/guides/cam-site-privacy-report" rel="noopener noreferrer"&gt;cam site privacy report&lt;/a&gt; — all pull from the same data source. One TypeScript file. Every page reflects the current scan state at build time.&lt;/p&gt;

&lt;p&gt;If you're building something similar in a different vertical (health sites, kids' apps, news outlets), the methodology is directly transferable. Blacklight is open-source. VirusTotal has a free API tier. The hard part isn't the tooling — it's scanning enough sites to make the patterns visible.&lt;/p&gt;




&lt;h2&gt;
  
  
  Replicate this yourself
&lt;/h2&gt;

&lt;ol&gt;
&lt;li&gt;Go to &lt;a href="https://themarkup.org/blacklight" rel="noopener noreferrer"&gt;themarkup.org/blacklight&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;Enter any URL&lt;/li&gt;
&lt;li&gt;Wait 30-60 seconds for the headless browser to load and scan&lt;/li&gt;
&lt;li&gt;Read the results — trackers, cookies, fingerprinting, session recording, keystroke capture&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;That's it. No account needed. No API key. The tool is free and public.&lt;/p&gt;

&lt;p&gt;For batch scanning, The Markup has published the &lt;a href="https://github.com/nickreid94/themarkup-blacklight-collector" rel="noopener noreferrer"&gt;Blacklight source code&lt;/a&gt; — you can run it locally against a list of URLs and collect results programmatically. I haven't done this yet (manual scans for 100 sites was tedious but manageable), but it's the obvious next step for scaling.&lt;/p&gt;

&lt;p&gt;VirusTotal: &lt;a href="https://www.virustotal.com" rel="noopener noreferrer"&gt;virustotal.com&lt;/a&gt;. Paste any URL. Free. 4 scans/minute on the free API tier if you want to automate.&lt;/p&gt;




&lt;p&gt;&lt;em&gt;The full dataset and all reviews: &lt;a href="https://nsfwranker.com" rel="noopener noreferrer"&gt;nsfwranker.com&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Source code for the scanning methodology and data model is not open-source (yet), but the tools it relies on are. If enough people want a standalone privacy-scanning pipeline for any vertical, I'll consider packaging it.&lt;/em&gt;&lt;/p&gt;





</description>
      <category>privacy</category>
      <category>security</category>
      <category>webdev</category>
      <category>opensource</category>
    </item>
    <item>
      <title>I Used The Markup's Blacklight to Audit 98 Adult Sites. One Records Your Keystrokes.</title>
      <dc:creator>Oarcom</dc:creator>
      <pubDate>Sun, 08 Mar 2026 01:58:19 +0000</pubDate>
      <link>https://dev.to/o_aoarcom_c78fc0b85aa5/-i-used-the-markups-blacklight-to-audit-98-adult-sites-one-records-your-keystrokes-3ph</link>
      <guid>https://dev.to/o_aoarcom_c78fc0b85aa5/-i-used-the-markups-blacklight-to-audit-98-adult-sites-one-records-your-keystrokes-3ph</guid>
      <description>&lt;p&gt;I scanned 98 adult websites with Blacklight and VirusTotal. Here's the methodology, the raw findings, and the three sites running active surveillance on their users.&lt;/p&gt;




&lt;h2&gt;
  
  
  The Tools
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Blacklight&lt;/strong&gt; (&lt;a href="https://themarkup.org/blacklight" rel="noopener noreferrer"&gt;themarkup.org/blacklight&lt;/a&gt;) is a real-time privacy inspector built by The Markup. You give it a URL, it loads the page in a headless browser, and reports back what's running: ad trackers, third-party cookies, canvas fingerprinting, session recording scripts, and keystroke loggers. It's the same tool journalists used to investigate Facebook's tracking infrastructure and &lt;a href="https://themarkup.org/blacklight" rel="noopener noreferrer"&gt;how popular websites surveil visitors&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;VirusTotal&lt;/strong&gt; aggregates scan results from 94 security engines. Submit a URL, get a consensus verdict on whether the domain is serving malware, phishing pages, or malicious scripts.&lt;/p&gt;

&lt;p&gt;Neither tool requires authentication. Neither notifies the site being scanned. The data is what the page serves to a regular browser visit.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Process
&lt;/h2&gt;

&lt;p&gt;For each of the 98 sites:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Submit the URL to Blacklight. Record: ad trackers (count), third-party cookies (count), canvas fingerprinting (boolean), session recording (boolean), keystroke capture (boolean).&lt;/li&gt;
&lt;li&gt;Submit the URL to VirusTotal. Record: detection ratio (e.g., 0/94, 1/94).&lt;/li&gt;
&lt;li&gt;Manually verify payment processor and billing descriptor from checkout flow.&lt;/li&gt;
&lt;li&gt;Record domain registration date from WHOIS.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Total time per site: roughly 5 minutes for the automated scans, another 5 for manual verification. The whole project took about two weeks of evening sessions.&lt;/p&gt;

&lt;p&gt;No site was informed. No scan was sponsored. I paid for premium access on platforms that required it to verify billing descriptors.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Findings Nobody Expected
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Malware is basically nonexistent
&lt;/h3&gt;

&lt;p&gt;91 out of 98 sites returned 0/94 on VirusTotal. The remaining 7 had a single vendor flag each — almost always a heuristic that flags adult domains by category, not by detected threat. Zero sites were flagged by more than 3 vendors.&lt;/p&gt;

&lt;p&gt;The "porn gives you viruses" narrative is a decade out of date. These are commercial operations running Cloudflare CDNs, React frontends, and enterprise payment processing. The risk isn't malware. It never was.&lt;/p&gt;

&lt;h3&gt;
  
  
  The average site loads 2.1 trackers
&lt;/h3&gt;

&lt;p&gt;Across all 98 sites, the mean tracker count is 2.1 with a median of 1. That's below the general web average. The distribution is heavily skewed — 20 sites run zero trackers, while the top offender (Seeking.com, a dating platform) loads 10.&lt;/p&gt;

&lt;p&gt;The top 10 by tracker count:&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Seeking.com          10 trackers
Fanvue                7 trackers
Fansly                6 trackers
Hitomi.la             6 trackers
Ashley Madison        5 trackers
Flirt4Free            4 trackers
Jerkmate              3 trackers
SexLikeReal           3 trackers
PromptChan            3 trackers
Kupid AI              3 trackers
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The pattern: dating and creator platforms track more than streaming sites. The sites where you create an account, enter payment details, and interact with other users are the ones running the most third-party tracking scripts. Free tubes that monetize through ads — the sites you'd expect to be worst — are frequently cleaner.&lt;/p&gt;

&lt;h3&gt;
  
  
  Three sites run active surveillance
&lt;/h3&gt;

&lt;p&gt;This is where Blacklight's value goes beyond counting trackers. It detects two specific techniques that cross the line from analytics into surveillance:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Session recording&lt;/strong&gt; captures your entire browsing session — every scroll, click, mouse movement, and page transition — and replays it server-side. It's like someone watching a screen recording of your visit. Companies like FullStory and Hotjar sell this as a UX research tool. On an adult site where users browse intimate content and have private conversations, the implication is different.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Keystroke capture&lt;/strong&gt; logs every character you type in any input field on the page. Search queries. Chat messages. Login credentials. On a cam site with live text chat, that means the platform records every message you send to a performer — not just as chat history, but as raw keystroke data including corrections, deletions, and typing cadence.&lt;/p&gt;

&lt;p&gt;I found both on &lt;strong&gt;LiveJasmin&lt;/strong&gt; — a major cam platform with millions of daily users. Session recording and keystroke capture running simultaneously. On a site where people enter credit card numbers, have private text chats with performers, and browse content they wouldn't want replayed in a boardroom.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Pure Taboo&lt;/strong&gt; and &lt;strong&gt;Transfixed&lt;/strong&gt; (both Gamma Entertainment / Adult Time network) returned keystroke capture without session recording. These are premium studio sites where the primary interaction is video streaming, not chat — the keystroke capture likely monitors search and login inputs rather than conversations, but the script doesn't discriminate. It captures everything typed on the page.&lt;/p&gt;

&lt;p&gt;Every other site in the dataset — 95 out of 98 — came back clean on both session recording and keystroke capture. Including Pornhub. Including OnlyFans. Including Chaturbate. The absence is the norm. The presence is the red flag.&lt;/p&gt;

&lt;h3&gt;
  
  
  20 sites returned a perfect 0/0
&lt;/h3&gt;

&lt;p&gt;Zero trackers. Zero third-party cookies. No fingerprinting. No session recording. No keystroke capture. On ad-supported sites with hundreds of millions of monthly visits. Here's the list:&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;XNXX              SpankBang         Stripchat
OnlyFans           Hanime            CandyAI
AdultFriendFinder  Twistys           FantasyAI
Nutaku             MyDirtyHobby      Virtual Porn
XNXX Gold          Literotica        SimpCity
PornTube           F95Zone           CherryTV
Rule34.xxx
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;XNXX serves billions of pageviews monthly with zero third-party tracking. Rule34.xxx handles 445 million visits a month at 0/0. Meanwhile Fansly — a creator platform handling payments and private messages — runs 6 trackers and 6 cookies.&lt;/p&gt;

&lt;p&gt;The gap between the cleanest and dirtiest sites in the same industry is wider than I expected going in.&lt;/p&gt;

&lt;h2&gt;
  
  
  What This Means for Users
&lt;/h2&gt;

&lt;p&gt;A VPN encrypts your connection and hides your IP address. An adblocker (uBlock Origin) strips tracker scripts and cookies from the page. Together they cover most of the threat surface.&lt;/p&gt;

&lt;p&gt;Neither stops session recording or keystroke capture. Those scripts run inside the page itself, after the content loads, regardless of VPN or adblocker configuration. The only defense against session recording is not using the site, or using a browser extension that blocks known session recording domains (FullStory, Hotjar, Mouseflow, etc.) at the network level.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Data
&lt;/h2&gt;

&lt;p&gt;All 98 scan results are published with full transparency at &lt;a href="https://nsfwranker.com" rel="noopener noreferrer"&gt;nsfwranker.com&lt;/a&gt;, where each reviewed site has an individual safety report with the raw Blacklight results.&lt;/p&gt;

&lt;p&gt;The privacy score tool at &lt;a href="https://nsfwranker.com/tools/privacy-score" rel="noopener noreferrer"&gt;nsfwranker.com/tools/privacy-score&lt;/a&gt; lets you search any site in the database and see the scan data.&lt;/p&gt;




&lt;p&gt;&lt;em&gt;Scans performed February 2026 using The Markup's Blacklight and VirusTotal. This is independent research, not sponsored content.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>privacy</category>
      <category>security</category>
      <category>webdev</category>
      <category>opensource</category>
    </item>
    <item>
      <title>I Used The Markup's Blacklight to Audit 96 Websites. Here's the Technical Breakdown.</title>
      <dc:creator>Oarcom</dc:creator>
      <pubDate>Wed, 04 Mar 2026 05:37:41 +0000</pubDate>
      <link>https://dev.to/o_aoarcom_c78fc0b85aa5/i-used-the-markups-blacklight-to-audit-96-websites-heres-the-technical-breakdown-19a2</link>
      <guid>https://dev.to/o_aoarcom_c78fc0b85aa5/i-used-the-markups-blacklight-to-audit-96-websites-heres-the-technical-breakdown-19a2</guid>
      <description>&lt;p&gt;The Markup built &lt;a href="https://themarkup.org/blacklight" rel="noopener noreferrer"&gt;Blacklight&lt;/a&gt; as an investigative tool for journalists. It visits a URL with a headless browser, inventories every third-party script that loads, and classifies what those scripts do — ad tracking, fingerprinting, session recording, keystroke capture.&lt;/p&gt;

&lt;p&gt;I used it to scan 96 websites and cross-referenced every URL with VirusTotal's 94-vendor malware detection. Here's what I learned about web surveillance at scale.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Stack Behind Blacklight
&lt;/h2&gt;

&lt;p&gt;Blacklight runs a headless Chromium instance and monitors:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Third-party requests&lt;/strong&gt; — any HTTP request to a domain different from the page's own domain&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Cookies&lt;/strong&gt; — both first-party and third-party, with classification of known tracking cookies&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Canvas fingerprinting&lt;/strong&gt; — detects when a site draws to a hidden canvas element and reads the pixel data back (a technique for generating a unique browser fingerprint without cookies)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Session recording&lt;/strong&gt; — detects scripts from known session replay services (FullStory, Hotjar, etc.) that capture mouse movements, clicks, scrolls, and DOM changes&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Keystroke logging&lt;/strong&gt; — detects scripts that attach event listeners to keypress/keydown events and transmit the captured data&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Facebook Pixel, Google Analytics remarketing, TikTok Pixel&lt;/strong&gt; — identified by their specific script signatures&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;It's not a vulnerability scanner. It's a surveillance auditor. The distinction matters: a site can be malware-free (VirusTotal 0/94) while running 10 tracking scripts that report your behavior to advertising networks.&lt;/p&gt;

&lt;h2&gt;What 96 Scans Taught Me About Tracking&lt;/h2&gt;

&lt;h3&gt;Distribution is bimodal&lt;/h3&gt;

&lt;p&gt;Sites cluster at either 0-2 trackers (clean) or 5-10+ trackers (heavy tracking). Very few sites sit at 3-4. The industry has roughly split into "we don't track" and "we track everything." The middle ground barely exists.&lt;/p&gt;

&lt;h3&gt;Cookies correlate weakly with trackers&lt;/h3&gt;

&lt;p&gt;You'd expect high tracker counts to mean high cookie counts. The correlation is weaker than I expected. Some sites load 6 trackers with 0 cookies (using fingerprinting instead). Others set 7 cookies with only 1 tracker (using first-party cookies for behavioral tracking without third-party scripts).&lt;/p&gt;

&lt;p&gt;The takeaway: tracker count and cookie count measure different vectors. You need both to understand a site's surveillance posture.&lt;/p&gt;

&lt;h3&gt;Session recording is rare but targeted&lt;/h3&gt;

&lt;p&gt;Out of 96 sites, only a handful had session recording scripts. But the sites that did have it were platforms where users input sensitive information — chat messages, payment details, personal preferences. Session recording on a static content site is invasive but limited in damage. Session recording on an interactive platform where users type private messages is a fundamentally different risk.&lt;/p&gt;

&lt;h3&gt;Canvas fingerprinting is more common than expected&lt;/h3&gt;

&lt;p&gt;Multiple sites used canvas fingerprinting — a technique that's harder to block than cookies and persists across browsing sessions. The technique works by rendering invisible text and graphics to a &lt;code&gt;&amp;lt;canvas&amp;gt;&lt;/code&gt; element, reading the pixel data back, and hashing it. The hash is unique to your combination of GPU, driver version, OS, browser, and font rendering — essentially a device fingerprint that doesn't require storage on your machine.&lt;/p&gt;

&lt;p&gt;uBlock Origin blocks most known fingerprinting scripts. The Brave browser blocks canvas readback by default. Standard Chrome and Firefox do not.&lt;/p&gt;

&lt;h2&gt;VirusTotal as a Complement&lt;/h2&gt;

&lt;p&gt;Blacklight tells you about surveillance. VirusTotal tells you about security. They answer different questions:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Blacklight&lt;/strong&gt;: "Is this site watching what I do?"&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;VirusTotal&lt;/strong&gt;: "Is this site trying to harm my device?"&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The overlap is smaller than you'd think. A site can have 0/94 VirusTotal flags (no malware, no phishing) while loading 10 trackers, running session recording, and fingerprinting your browser. Conversely, a site with 1/94 VirusTotal flags might have a perfect 0/0 Blacklight scan — the flag often comes from the ad network, not the site itself.&lt;/p&gt;

&lt;p&gt;For a complete assessment of any URL, you need both tools.&lt;/p&gt;

&lt;h2&gt;How to Run Your Own Scans&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Blacklight&lt;/strong&gt;: Visit &lt;a href="https://themarkup.org/blacklight" rel="noopener noreferrer"&gt;themarkup.org/blacklight&lt;/a&gt;, enter any URL, click Scan. Results in about 30 seconds. No account needed. Free.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;VirusTotal&lt;/strong&gt;: Visit &lt;a href="https://www.virustotal.com" rel="noopener noreferrer"&gt;virustotal.com&lt;/a&gt;, paste a URL in the search tab. Results from 94 security vendors plus community score. Free, with API access for bulk scanning.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Programmatic approach&lt;/strong&gt;: VirusTotal has a public API. For Blacklight-style analysis at scale, you'd need to build your own headless browser pipeline — Puppeteer or Playwright with request interception to log third-party domains. The classification (which scripts are trackers vs. analytics vs. functional) is the hard part. The Markup hasn't open-sourced Blacklight's classification engine, but the EasyList and EasyPrivacy filter lists (used by uBlock Origin) provide a solid starting point for script classification.&lt;/p&gt;

&lt;h2&gt;The Project&lt;/h2&gt;

&lt;p&gt;I published all 96 scan results at &lt;a href="https://nsfwranker.com" rel="noopener noreferrer"&gt;NSFWRanker&lt;/a&gt;. Each site has an individual safety report with raw Blacklight data, VirusTotal score, and a privacy rating based solely on the scan results.&lt;/p&gt;

&lt;p&gt;The scan data drives editorial rankings:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://nsfwranker.com/best-free-porn-sites" rel="noopener noreferrer"&gt;Best free sites by privacy&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://nsfwranker.com/best-cam-sites" rel="noopener noreferrer"&gt;Best cam sites by privacy&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://nsfwranker.com/tools/privacy-score" rel="noopener noreferrer"&gt;Privacy score tool&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If you're building something similar for a different vertical — health sites, fintech, news — the methodology transfers directly. Blacklight + VirusTotal + editorial context = a privacy audit framework that works on any category of website.&lt;/p&gt;




&lt;p&gt;&lt;em&gt;Questions about the scanning methodology? Drop them in the comments.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>privacy</category>
      <category>security</category>
      <category>webdev</category>
      <category>javascript</category>
    </item>
    <item>
      <title>I Audited 95 Adult Sites for Privacy Using The Markup's Blacklight — Here's the Data</title>
      <dc:creator>Oarcom</dc:creator>
      <pubDate>Sun, 01 Mar 2026 07:56:59 +0000</pubDate>
      <link>https://dev.to/o_aoarcom_c78fc0b85aa5/i-audited-95-adult-sites-for-privacy-using-the-markups-blacklight-heres-the-data-13ed</link>
      <guid>https://dev.to/o_aoarcom_c78fc0b85aa5/i-audited-95-adult-sites-for-privacy-using-the-markups-blacklight-heres-the-data-13ed</guid>
      <description>&lt;p&gt;I run an independent review site for adult platforms. Early on I realized that nobody was doing systematic privacy audits of these sites — the kind where you actually measure trackers, cookies, and invasive scripts across a large dataset rather than just saying "use incognito mode."&lt;/p&gt;

&lt;p&gt;So I built a workflow around The Markup's Blacklight tool and scanned 95 adult websites. This post covers the methodology, the tooling, the results, and what surprised me.&lt;/p&gt;

&lt;h2&gt;The stack&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Blacklight&lt;/strong&gt; (&lt;a href="https://themarkup.org/blacklight" rel="noopener noreferrer"&gt;themarkup.org/blacklight&lt;/a&gt;) — The Markup's real-time privacy inspector. It loads a URL in a headless browser and detects:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Third-party trackers (scripts loaded from external domains)&lt;/li&gt;
&lt;li&gt;Third-party cookies&lt;/li&gt;
&lt;li&gt;Canvas fingerprinting&lt;/li&gt;
&lt;li&gt;Session recording (mouse movements, clicks, scrolls replayed as video)&lt;/li&gt;
&lt;li&gt;Keystroke capture (logging what users type)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;VirusTotal&lt;/strong&gt; (&lt;a href="https://www.virustotal.com/" rel="noopener noreferrer"&gt;virustotal.com&lt;/a&gt;) — Scans URLs against 90+ antivirus engines. A score of 0/94 means no engine flagged the site. Anything above 0 is a warning.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The workflow:&lt;/strong&gt;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Load the site in Blacklight → record tracker count, cookie count, fingerprinting, session recording, keystroke capture&lt;/li&gt;
&lt;li&gt;Run the URL through VirusTotal → record detection count&lt;/li&gt;
&lt;li&gt;Cross-reference results with manual browsing (5 min per site on desktop + mobile)&lt;/li&gt;
&lt;li&gt;Store everything in a structured TypeScript data file&lt;/li&gt;
&lt;li&gt;Push to Git → Telegram bot notification → live on the site&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;No scraping. No API abuse. Each Blacklight scan is manual — I paste the URL, wait for the result, and record the numbers. At 95 sites, that's roughly 8 hours of scanning spread across multiple sessions.&lt;/p&gt;

&lt;h2&gt;The data structure&lt;/h2&gt;

&lt;p&gt;Each site's privacy data looks like this:&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight typescript"&gt;&lt;code&gt;&lt;span class="kr"&gt;interface&lt;/span&gt; &lt;span class="nx"&gt;SitePrivacyData&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
  &lt;span class="nl"&gt;trackers&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="kr"&gt;number&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;      &lt;span class="c1"&gt;// Third-party tracker scripts&lt;/span&gt;
  &lt;span class="nl"&gt;cookies&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="kr"&gt;number&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;       &lt;span class="c1"&gt;// Third-party cookies loaded&lt;/span&gt;
  &lt;span class="nl"&gt;fingerprinting&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="nx"&gt;boolean&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt; &lt;span class="c1"&gt;// Canvas fingerprinting detected&lt;/span&gt;
  &lt;span class="nl"&gt;sessionRecording&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="nx"&gt;boolean&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt; &lt;span class="c1"&gt;// Session replay scripts&lt;/span&gt;
  &lt;span class="nl"&gt;keystrokeCapture&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="nx"&gt;boolean&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt; &lt;span class="c1"&gt;// Keystroke logging detected&lt;/span&gt;
  &lt;span class="nl"&gt;virusTotal&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="kr"&gt;string&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;    &lt;span class="c1"&gt;// e.g. "0/94"&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Simple and flat. No nested objects, no computed fields at the data layer. The privacy score shown on the site is derived from this raw data at render time — the source of truth is always the scan result.&lt;/p&gt;

&lt;h2&gt;Aggregate results (n=95)&lt;/h2&gt;

&lt;p&gt;Here's what 95 scans produced:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Tracker distribution:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;0 trackers: 58 sites (61%)&lt;/li&gt;
&lt;li&gt;1 tracker: 22 sites (23%)&lt;/li&gt;
&lt;li&gt;2 trackers: 11 sites (12%)&lt;/li&gt;
&lt;li&gt;3+ trackers: 4 sites (4%)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Cookie distribution:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;0 cookies: 34 sites (36%)&lt;/li&gt;
&lt;li&gt;1 cookie: 42 sites (44%)&lt;/li&gt;
&lt;li&gt;2-3 cookies: 13 sites (14%)&lt;/li&gt;
&lt;li&gt;4+ cookies: 6 sites (6%)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Invasive techniques:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Canvas fingerprinting detected: 0 sites (0%)&lt;/li&gt;
&lt;li&gt;Session recording detected: 1 site (1%)&lt;/li&gt;
&lt;li&gt;Keystroke capture detected: 3 sites (3%)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The median adult site runs 0 trackers and 1 cookie. Compare that to news websites, which average 15+ trackers per page load.&lt;/p&gt;

&lt;h2&gt;What surprised me&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;The cleanest sites aren't the ones you'd expect.&lt;/strong&gt; Free tube sites — the ones running on ad revenue — often had cleaner scans than premium subscription sites. SpankBang, PornTube, and XNXX all registered 0/0 (zero trackers, zero cookies). Meanwhile, some paid platforms with no ads still loaded tracking scripts.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Keystroke capture is rare but real.&lt;/strong&gt; Out of 95 sites, only 3 triggered Blacklight's keystroke detection. One of them is a major cam platform with millions of daily users. That means everything typed into chat, search, or form fields on that site is potentially being logged. The other 12 cam sites I scanned? None of them did this.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;VirusTotal was boring (in a good way).&lt;/strong&gt; Almost every site came back 0/94. The adult industry — at least the established sites — runs clean infrastructure. The malware risk is in sketchy aggregators and popup chains, not the main platforms.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Dating sites track the hardest.&lt;/strong&gt; The worst privacy scan in the entire dataset came from a dating/hookup platform: 5 trackers, 7 cookies. Dating sites rely on behavioral targeting for their own matching algorithms and for ad monetization. The incentive structure pushes toward more tracking, not less.&lt;/p&gt;

&lt;h2&gt;The Blacklight limitations&lt;/h2&gt;

&lt;p&gt;Blacklight isn't perfect. Here's what it doesn't catch:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;First-party tracking.&lt;/strong&gt; If a site tracks you using its own domain (no third-party scripts), Blacklight won't flag it. Most major platforms do extensive first-party analytics.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Server-side tracking.&lt;/strong&gt; Anything happening on the backend is invisible to a client-side scanner.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Dynamic loading.&lt;/strong&gt; Some sites load trackers conditionally — only after login, only on certain pages, only for certain geolocations. A single homepage scan might miss these.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Ad injection.&lt;/strong&gt; Some trackers are loaded by the ads themselves, not the site. If the ad network changes, the tracker count changes. Scan results are a snapshot, not a constant.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;I re-scan quarterly to catch drift. But any single scan is a point-in-time measurement, not a guarantee.&lt;/p&gt;

&lt;h2&gt;Why this matters&lt;/h2&gt;

&lt;p&gt;The privacy conversation around adult content usually stops at "use incognito." That advice is incomplete. Incognito prevents local history storage. It doesn't prevent:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Third-party trackers from identifying your device&lt;/li&gt;
&lt;li&gt;Your ISP from logging the domain you visited&lt;/li&gt;
&lt;li&gt;Canvas fingerprinting from creating a persistent device ID&lt;/li&gt;
&lt;li&gt;Keystroke loggers from recording what you type&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The actual risk model for someone browsing adult content is: your ISP knows you visited the domain, the site knows what you did on it, and any third-party tracker knows both — and shares that data with ad networks.&lt;/p&gt;

&lt;p&gt;A VPN handles the ISP problem. An ad blocker handles most trackers. But the only way to know what a specific site is actually doing is to scan it.&lt;/p&gt;

&lt;h2&gt;The full dataset&lt;/h2&gt;

&lt;p&gt;All 95 scans — tracker counts, cookie counts, fingerprinting status, session recording, keystroke capture, VirusTotal results, and overall privacy scores — are published at &lt;a href="https://www.nsfwranker.com" rel="noopener noreferrer"&gt;nsfwranker.com&lt;/a&gt;. Each site has a dedicated review page with the raw Blacklight data.&lt;/p&gt;

&lt;p&gt;The scanning tool is public: &lt;a href="https://themarkup.org/blacklight" rel="noopener noreferrer"&gt;themarkup.org/blacklight&lt;/a&gt;. Anyone can verify any result I've published by pasting the same URL.&lt;/p&gt;

&lt;p&gt;If you're building privacy tooling, working in infosec, or just curious about how tracking works in practice — this dataset is a useful reference point. Adult sites are an interesting case study because they span every monetization model (free/ads, freemium, subscription, token-based) and every level of technical sophistication.&lt;/p&gt;




&lt;p&gt;&lt;em&gt;Scans performed February 2026. Data is updated quarterly. I'm not affiliated with The Markup — I just use their tool.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>privacy</category>
      <category>security</category>
      <category>webdev</category>
      <category>data</category>
    </item>
  </channel>
</rss>
