DEV Community

Oarcom
Oarcom

Posted on

I Audited 95 Adult Sites for Privacy Using The Markup's Blacklight — Here's the Data

#privacy #security #webdev #data

I run an independent review site for adult platforms. Early on I realized that nobody was doing systematic privacy audits of these sites — the kind where you actually measure trackers, cookies, and invasive scripts across a large dataset rather than just saying "use incognito mode."

So I built a workflow around The Markup's Blacklight tool and scanned 95 adult websites. This post covers the methodology, the tooling, the results, and what surprised me.

The stack

Blacklight (themarkup.org/blacklight) — The Markup's real-time privacy inspector. It loads a URL in a headless browser and detects:

  • Third-party trackers (scripts loaded from external domains)
  • Third-party cookies
  • Canvas fingerprinting
  • Session recording (mouse movements, clicks, scrolls replayed as video)
  • Keystroke capture (logging what users type)

VirusTotal (virustotal.com) — Scans URLs against 90+ antivirus engines. A score of 0/94 means no engine flagged the site. Anything above 0 is a warning.

The workflow:

  1. Load the site in Blacklight → record tracker count, cookie count, fingerprinting, session recording, keystroke capture
  2. Run the URL through VirusTotal → record detection count
  3. Cross-reference results with manual browsing (5 min per site on desktop + mobile)
  4. Store everything in a structured TypeScript data file
  5. Push to Git → Telegram bot notification → live on the site

No scraping. No API abuse. Each Blacklight scan is manual — I paste the URL, wait for the result, and record the numbers. At 95 sites, that's roughly 8 hours of scanning spread across multiple sessions.

The data structure

Each site's privacy data looks like this:

interface SitePrivacyData {
  trackers: number;      // Third-party tracker scripts
  cookies: number;       // Third-party cookies loaded
  fingerprinting: boolean; // Canvas fingerprinting detected
  sessionRecording: boolean; // Session replay scripts
  keystrokeCapture: boolean; // Keystroke logging detected
  virusTotal: string;    // e.g. "0/94"
}
Enter fullscreen mode Exit fullscreen mode

Simple and flat. No nested objects, no computed fields at the data layer. The privacy score shown on the site is derived from this raw data at render time — the source of truth is always the scan result.

Aggregate results (n=95)

Here's what 95 scans produced:

Tracker distribution:

  • 0 trackers: 58 sites (61%)
  • 1 tracker: 22 sites (23%)
  • 2 trackers: 11 sites (12%)
  • 3+ trackers: 4 sites (4%)

Cookie distribution:

  • 0 cookies: 34 sites (36%)
  • 1 cookie: 42 sites (44%)
  • 2-3 cookies: 13 sites (14%)
  • 4+ cookies: 6 sites (6%)

Invasive techniques:

  • Canvas fingerprinting detected: 0 sites (0%)
  • Session recording detected: 1 site (1%)
  • Keystroke capture detected: 3 sites (3%)

The median adult site runs 0 trackers and 1 cookie. Compare that to news websites, which average 15+ trackers per page load.

What surprised me

The cleanest sites aren't the ones you'd expect. Free tube sites — the ones running on ad revenue — often had cleaner scans than premium subscription sites. SpankBang, PornTube, and XNXX all registered 0/0 (zero trackers, zero cookies). Meanwhile, some paid platforms with no ads still loaded tracking scripts.

Keystroke capture is rare but real. Out of 95 sites, only 3 triggered Blacklight's keystroke detection. One of them is a major cam platform with millions of daily users. That means everything typed into chat, search, or form fields on that site is potentially being logged. The other 12 cam sites I scanned? None of them did this.

VirusTotal was boring (in a good way). Almost every site came back 0/94. The adult industry — at least the established sites — runs clean infrastructure. The malware risk is in sketchy aggregators and popup chains, not the main platforms.

Dating sites track the hardest. The worst privacy scan in the entire dataset came from a dating/hookup platform: 5 trackers, 7 cookies. Dating sites rely on behavioral targeting for their own matching algorithms and for ad monetization. The incentive structure pushes toward more tracking, not less.

The Blacklight limitations

Blacklight isn't perfect. Here's what it doesn't catch:

  • First-party tracking. If a site tracks you using its own domain (no third-party scripts), Blacklight won't flag it. Most major platforms do extensive first-party analytics.
  • Server-side tracking. Anything happening on the backend is invisible to a client-side scanner.
  • Dynamic loading. Some sites load trackers conditionally — only after login, only on certain pages, only for certain geolocations. A single homepage scan might miss these.
  • Ad injection. Some trackers are loaded by the ads themselves, not the site. If the ad network changes, the tracker count changes. Scan results are a snapshot, not a constant.

I re-scan quarterly to catch drift. But any single scan is a point-in-time measurement, not a guarantee.

Why this matters

The privacy conversation around adult content usually stops at "use incognito." That advice is incomplete. Incognito prevents local history storage. It doesn't prevent:

  • Third-party trackers from identifying your device
  • Your ISP from logging the domain you visited
  • Canvas fingerprinting from creating a persistent device ID
  • Keystroke loggers from recording what you type

The actual risk model for someone browsing adult content is: your ISP knows you visited the domain, the site knows what you did on it, and any third-party tracker knows both — and shares that data with ad networks.

A VPN handles the ISP problem. An ad blocker handles most trackers. But the only way to know what a specific site is actually doing is to scan it.

The full dataset

All 95 scans — tracker counts, cookie counts, fingerprinting status, session recording, keystroke capture, VirusTotal results, and overall privacy scores — are published at nsfwranker.com. Each site has a dedicated review page with the raw Blacklight data.

The scanning tool is public: themarkup.org/blacklight. Anyone can verify any result I've published by pasting the same URL.

If you're building privacy tooling, working in infosec, or just curious about how tracking works in practice — this dataset is a useful reference point. Adult sites are an interesting case study because they span every monetization model (free/ads, freemium, subscription, token-based) and every level of technical sophistication.

Scans performed February 2026. Data is updated quarterly. I'm not affiliated with The Markup — I just use their tool.

Top comments (0)