When I was researching the privacy policies of sex worker directories, I sent an email to the contact email for each directory asking them a series of questions.
Here are the questions I asked:
- Do you require personally identifying information from sex workers for verification?
- Identity documents?
- Selfies?
- Can these be partially obscured or redacted?
- Do you sell our identities and/or personal details to third party advertisers?
- Do you take any steps to secure our identities from hackers or in case your servers were seized?
- Are our identity documents and selfies deleted after verification?
- Stored offline?
- Encrypted?
- If you were told you could protect yourself from prosecution by freely handing over the identities of sex workers to authorities, would you do so?
- Or would you put up a fight and demand that they get a subpoena?
- Do you honour deletion requests?
- In entirety?
- How long does this take?
At the time, I didn't get a reply from Megapersonals but more recently I was corresponding with /u/MegaPersonals_REAL on reddit via modmail for the /r/sexworkers subreddit of which I'm a moderator.
I mentioned my privacy policies blog posts and this time I was able to get answers.
We at Megapersonals use a third party verification service provider AgeSmart.eu who do the acquisition and storage of ID documents for the purposes of age verification on our behalf. This is AgeSmart.eu's response to these questions as it related to the terms of service with Megapersonals.
Accepts partially obscured or redacted identity documents YES. Age verification is what we're after. Obscuring private identity data is accepted. There is a feature to do this directly in the web app.
Refrains from selling personal details to third parties YES. Personal data is never sold to anyone, period.
Encryption used to secure our identities YES.
Identity documents and selfies are deleted after verification NO. For legal reasons we are prohibited from deleting proofs of age verification.
Withholds identities from authorities unless subpoena provided YES. We require subpoenas.
Honours deletion requests partially YES. Users can delete their entire posting history and media.
Deletion requests honoured entirely. NOT entirely. User can delete their entire posting history and media, however, age verification records are maintained - with allowance for partially obscuring private identity data.
Processing time for deletion requests: Immediate.
You are in control. The DELETE MY ACCOUNT button available to the users.
That's good! I suggested to Mega that all of the above would make excellent selling points for attracting new members to Megapersonals, and reassuring existing members, if it were spelled out loud and clear on the site.
My suggestion seemed well received so hopefully, it will be made more clear in their terms that they are committed to preventing our identities and personal details from falling into the wrong hands.
A lot of sex workers on reddit seem to be losing access to their Megapersonals accounts recently. It seems they have an overzealous algorithm detecting account access from new IP addresses that's in the habit of locking users out and then requiring that they wait for manual re-verification.
If this happens to you, I recommend using their contact page or sending an email. If you don't get a reply within their SLA of 24 hours, try making a post on /r/sexworkers and tagging /u/MegaPersonals_REAL. They'll get a notification from reddit for the username mention and they usually do respond on reddit within 24 hours.
I made a suggestion
"for sex workers, losing access to our Megapersonals account means we lose some, or all of our income. That's a big problem. Especially for survival workers. It's great that you're here to answer people's concerns and it will be even better if whatever is causing so many genuine providers to get locked out of mega accounts could get fixed."
Mega has assured me that they're rolling out changes over the next month that should prevent genuine sex workers getting locked out of their accounts.
I recently had the opportunity to interview Cory Doctorow, (craphound.com), a renowned science fiction author, activist, and journalist.
Cory is a passionate advocate for digital rights, privacy, and freedom of expression. He fights against corporate overreach, surveillance capitalism, and monopolistic practices in technology, emphasizing the need for open, interoperable systems that empower users rather than exploit them. A strong supporter of copyright reform, Doctorow champions creators' rights while opposing draconian laws that stifle innovation and access to knowledge. He also highlights the intersections of technology with labour rights, social justice, and economic equity, calling for systemic change to create a fairer, more democratic digital future.
Cory's latest novels are THE BEZZLE (a follow-up to RED TEAM BLUES) and THE LOST CAUSE, a solarpunk science fiction novel of hope amidst the climate emergency.
The most recent nonfiction book by Doctorow is THE INTERNET CON: HOW TO SEIZE THE MEANS OF COMPUTATION, a Big Tech disassembly manual.
He is the author of the international young adult LITTLE BROTHER series. He is also the author of CHOKEPOINT CAPITALISM (with Rebecca Giblin), about creative labor markets and monopoly; HOW TO DESTROY SURVEILLANCE CAPITALISM, nonfiction about conspiracies and monopolies; and of RADICALIZED and WALKAWAY, science fiction for adults, a YA graphic novel called IN REAL LIFE; and other young adult novels like PIRATE CINEMA.
Upcoming books include Picks and Shovels: a sequel to "Red Team Blues," about the heroic era of the PC, Tor Books, February 2025 and Unauthorized Bread: a middle-grades graphic novel adapted from his novella about refugees, toasters and DRM, FirstSecond, 2025.
Doctorow maintains a daily blog at Pluralistic.net. I highly recommend following Pluralistic via RSS.
He works for the Electronic Frontier Foundation, is an MIT Media Lab Research Affiliate, is a Visiting Professor of Computer Science at Open University, a Visiting Professor of Practice at the University of North Carolina’s School of Library and Information Science and co-founded the UK Open Rights Group.
Born in Toronto, Canada, Doctorow now resides in Los Angeles. In 2020, he was inducted into the Canadian Science Fiction and Fantasy Hall of Fame.
In 2022, Cory earned the Sir Arthur Clarke Imagination in Service to Society Awardee for lifetime achievement.
In 2024, the Media Ecology Association awarded him the Neil Postman Award for Career Achievement in Public Intellectual Activity.
York University (Canada) made him an Honourary Doctor of Laws; and the Open University (UK) made him an Honourary Doctor of Computer Science.
I've been reading Cory's books and watching video clips of his presentations and interviews and am greatly impressed by his opposition to, and proposed strategies for dealing with, the likes of Facebook Google, Twitter et al in terms of their disregard for the rights of their users, prioritising monetization over functionality, evading accountability to laws and regulations, abusing our rights to privacy and data security and generally behaving like cartoon supervillains.
Sex workers, and other disfavoured minority groups, are all too familiar with mistreatment at the hands of big tech. Social media likes to ban or shadowban us with no warning or explanation and the platforms we use to advertise (escort directories) blatantly abuse our rights to privacy, data security, deletion requests and ownership of our intellectual property.
Cory is an absolute wealth of information on how we can fight for our rights online and a goldmine of knowledge that I hope we can apply at the point where his ideas intersect with some of the difficulties sex workers face using both platforms intended for us (eg escort directories), and platforms where we are almost, not quite, kind of, sometimes, barely tolerated eg Twitter, Google, Reddit, the various messenger apps like Whatsapp and pretty much any site or app we use for advertising our services, networking with other providers and seeking support and information.
Here is our conversation =
Cory: Hi Oz, how are you?
Oz: Good, thank you Cory. How are you?
Cory: I'm honestly not great, but happy to talk. I've had some recent health complications.
Oz: Sorry to hear that. Thank you so much for taking this time to talk to me. I really appreciate it. I'm a fan of your work and I think what you say about technology and digital rights is really interesting. So, I'd love to hear your thoughts on those topics in the context of sex work.
Cory: Sure. I'm not an expert on sex work. I'm happy to tell you what I know but I'm also humble enough to know when I'm not an expert and not qualified. To the extent that I'm qualified to speak about this from the internet and human rights angle, I'm happy to chat with you.
Oz: Yes please, from that angle it should be very interesting. First of all, my commiserations regarding the election result, I know you're not a fan of the orange terror there.
Cory: No. That's pretty terrible indeed. I'm just trying to post through it and wait for other people to have better ideas than I have right now for what to do next. I figure being stressed out about it doesn't hurt Donald Trump and it does hurt me, so I'm trying not to dwell on it.
Oz: That's a good philosophy, I think. Best not to stress. I think sex workers all over the world are following what's going on there with interest, though, because a lot of the platforms that we use are based in America, operated by Americans. We're worried about things like this Project 2025, and whether that might progress now that the Republicans are in. What do you think about that? Is there much we can do to mitigate the effects of something like Project 2025 if it happens?
Cory: You know, the characteristic of the first Trump regime was a lack of administrative competence. There are a lot of people who are saying Trump is going to address the main stumbling block to administrative success that he had in the first term by packing his agencies with personal loyalists who are really firmly committed to his cult of personality and not making concessions to the party grandees by putting in older line conservatives that might not jump when he says frog. But I don't know that those people are actually administratively competent, right? They, themselves are also, chiefly weird and not necessarily good at getting stuff done.
Rick Perlstein who is a very, very, very good historian of right-wing movements has written I think the best take on Project 2025 which is that the most interesting thing about it is not how extreme their proposals are but how irreconcilable they are. So, in every key area from migration to abortion to labour rights to trade policy, there are multiple conflicting proposals for how to undertake them.
Oz: A lot of Project 2025's proposals just don't make sense from what I've seen.
Cory: It's not that it doesn't make sense, it's that what you see is that within the coalition that has given us Trump, there are irreconcilable differences and, you know, maybe relevant to what we do about Trump. Every change that we see in society almost without exception is the result of a new coalition.
You know if there's a bunch of people who want some stuff and they try really hard to get it, maybe they just have the wrong tactics and eventually, they'll hit on a better tactic and figure out how to make this stuff happen. But usually what you're seeing if someone's trying to make something happen and failing is that they don't have enough clout to accomplish their goals and so when things change it's because a coalition is formed. You fuse together two or more groups who inevitably don't agree on everything and so the coalition is how things get done.
After the Thatcher years you had new Labour which is a coalition of business interests and trade unions. With the trade unions taking the role of junior partner. That coalition was very powerful. We see lots of years of Blair with a strong parliamentary majority able to enact policies that punish the junior partners, the working people, to the benefit of mostly the finance sector people who joined the Blair coalition, and eventually that crumbles. Eventually, the Labour coalition crumbles and Labour ends up in the dark again for 14 years because that line of power is also a line of weakness or a line of brittleness.
There's a vulnerability as well as the strength. When we look to Project 2025, if we're taking a critical eye to it and saying, ‘What can we do to avert the worst outcomes?, What we can treat Project 2025 as is a roadmap to the fractures within the coalition.’
If these predatory, irreconcilable proposals actually aided in to Project 2025, what we can say about that with some degree of certainty is that the people who disagree about this are each of them sufficiently important and powerful enough in the movement that no one can dominate the other.
Which means that what you have is unstoppable forces and immovable objects in conflict, and that's an area where things could really shatter, right? So if we can figure out how to heighten the contradictions around those areas of fracture that they've so helpfully diagrammed for us, that's a good tactical place to start, to start pulling that coalition apart.
Oz: The part of Project 2025 that I worry about is that they're going to criminalize pornography. That consenting adults selling images and video online could become illegal, but as you say, that could be a fracture line in that people that are profiting from porn are not going to want it to be illegal.
Cory: Oh, not just that, right? Remember that a huge part of this coalition are libertarians of various types. Some of them are libertarians because they want to live in polycules and hire sex workers and consume all the pornography they want, and some of them are libertarians because they don't want to hire black people. Most of them are libertarians because they don't want to pay any taxes.
All of those groups, broadly speaking, are going to be really upset about porn bans, both on ideological and sort of personal grounds.
They represent a really significant bloc, and moreover, they represent a really significant fraction of the financial backing to the movement. And so, that fracture line is going to be a really important one.
Oz: Definitely. Well, a lot of people watch porn for sure, so it's something that affects everyone.
Cory: Yeah, you know, you can see this in the inverse, right? So if you recall, second-wave feminists who were anti-pornography, like Andrea Dworkin, found themselves in coalition with evangelicals like Jerry Falwell, even though they disagreed on other things.
You could imagine a coalition of libertarians who absolutely oppose rights for sex workers of any description, still forming a coalition with sex workers to defend the right to have pornography and do sex work. So that would be a very weird coalition. It's going to be really uncomfortable. You're going to be in the room with people who are marching side by side along with them or signing letters with them, with people who you really dislike and who have no interest in your well-being, but who might be tactically useful.
Deciding whether or not you want to make that compromise or form that coalition is going to be a really hard call. There's no right answer. And as far as I know, there's no heuristic to actually say, ‘Okay, well, this is the compromise that you should make’ and these are the compromises that are beyond the pale.
Oz: Yes, that's very interesting and I guess now we'll see how it plays out. Now when I was researching that blog post that I sent you about the privacy policies of the sex worker directories, I got a lot of mixed messages about how those platforms handle our identities and why. Some of them say it's because of the GDPR or the FTC or the requirements of their payment platform or Visa or MasterCard. But then they're claiming to be in Cyprus or Malta to avoid these things or they end up charging using Bitcoin anyway. So, it's all a bit of a mess, but I was wondering what do you think about what needs to change before they'll actually show any respect for our privacy and change the way they do things?
Cory: Well, I think that what you're seeing is different kinds of regulatory arbitrage. So, firms that pretend to be Maltese are not pretending to be Maltese to avoid the GDPR or the FTC, they're pretending to be Maltese to avoid tax and also to avoid disclosure of beneficial ownership, right?
When you see these problems within the EU, they're actually, I think downstream of intrinsic contradictions within Federalism. So, if you have a bunch of independent or quasi-independent states and you say, okay, we're all going to form a single bloc, there's always going to be some tension there that's completely legitimate.
You know I'm Canadian and it wasn't until after World War II that Newfoundland, which is population-wise, a very small territory, joined the Canadian Confederation. People from Newfoundland were legitimately concerned that everyone else in the country might gang up on them and say, okay, well, we have these new policies for our eastern coastal waters that are quite broadly beneficial to the whole country, but fuck over everyone in Newfoundland.
So whenever you have Federalism, you have these humanitarian rights for otherwise small things during federations. The problem is that that creates opportunities for small states to sell out the bloc.
So in Europe, you have Ireland, Malta, Cyprus, to a lesser extent, the Netherlands, and Liechtenstein, selling out the EU on tax and to a lesser extent, but still in a related matter, selling out the EU on regulation and enforcement.
Broadly, if you're a tax haven, you are relying on companies that, by definition, can change their flag of convenience, because that's how they got to your country. So the way that they decided to pretend to be Irish is they figured out how to do the paperwork.
If they can do the paperwork to pretend to be Irish this week, they could do the paperwork to pretend to be Luxembourgian next week. So you have to have something besides low taxes to keep them there.
What that ends up being is things like, oh, we just don't enforce the GDPR, which is Irelands big thing, their "data commissioner".
So, in terms of these contradictions you're seeing, you're seeing the intersection of a whole ton of different problems. One is this problem of European Federalism, where you have these different territories with different privacy regimes and different degrees of enforcement, and they're doing this tax haven shit that is luring companies there, even though they're not really there.
So obviously, Luxembourg is where Mindgeek mostly pretends it's based, even though they're a Canadian company and everyone knows it, right? I mean, that's like one source of the problem. And then within European Federalism, you have this other problem of enforcement, where it all starts in Ireland and the Irish Data Commissioner sucks.
Then you have a lack of antitrust enforcement, and that all of our payment processes have these incredible arbitrary and ever-changing lines. And so counsel for these firms, as well as their business strategists, just say, okay, well, we don't want to colour up to the edge of the line, because if the line moves even a bit and we find ourselves on the wrong side of the line, we lose everything.
So, we are going to colour really well inside the line. So, now you're trying to reconcile GDPR stuff with the tax haven stuff, with the monopoly payment processor stuff, and then there's the foundational thing that they just don't give a shit about your privacy, right? They don't give a shit about anyone's privacy broadly, and they really don't give a shit about the privacy of disfavoured minorities like sex workers.
So, in terms of what has to change before any of that can move, well, one way to think about this is that any change that we make to any part of the puzzle will result in some material improvements to the policy that flow out of it.
So the FTC has brought a case against Visa for domination of payment processing and monopolisation of payment processing. If that results in more competition in the payment processing world, broadly those companies will be less beholden to Visa and less conservative about pissing Visa off. So that's one thing that might help.
The EU, with the Digital Market Act, has said, okay, well, we're going to move frontline GDPR enforcement to the federal court and out of the national courts.
And so perhaps sex workers will have the ability to use this multi-use flag of convenience against sex worker platforms and say, you know, the European Court of Justice is going to order you to knock this shit off.
Now, again, this was not going to be an easy win because there are lots of good fundamental justice reasons not to want the federalization of European policy enforcement. But like your federalization of European public policy enforcement is how we got Greek Austerity that collapsed the Greek economy and the rise of fascist groups, right, like national sovereignty isn't always bad you know and so there's going to be a lot of countries that are going to be legitimately pissed off for really good reasons that you and I will probably support about the federalizing of European policy enforcement.
But you know, I don't want to say it swings around abouts because that's cheap but I want to say that like there are just as with coalitions there are tactical levers that we can pull on and none of those tactical levers operate just the one issue that we're trying to move.
They change the orientation of many issues that we want to move on and that impacts our ability to form and maintain coalitions so there'll be coalition partners who will be with you right up to the moment you say ‘and by the way we support European federalism and federal enforcement of European policy’ at which point it will become your bitter enemies and you're going to have to figure out right which side of those fights you're going to be on and which kind of coalition is going to get the most done and there there is a point where if you just prioritize coalition happiness above all other things and you say okay well today I'm going to side with these guys who I hate on 99 things but like on this hundredth thing and you are going to I'm going to be in partnership with these other guys who I hate on almost everything but like on this completely different thing, eventually you kind of look yourself in the mirror you go like it kind of seems like I don't stand for anything but I seem to be like marching alongside Maoists and like neo-Nazis, depending on whether it's a Tuesday or a Wednesday.
Oz: We have to draw the line somewhere.
So I'll give you an example from my own career.
You know, in most democracies, you have these expert agencies, right? Like the FTC or, you know, the European Commission or the various ministries within the UK. When they propose a regulation, they have some kind of notice and comment. So they say like, “Hey, we're thinking about banning lead in petrol.
What do you guys think?” Everyone submits comments, and then those comments are published, and then everyone submits reply comments, and then they propose a rule, and everyone submits comments, and everyone submits reply comments, and then the rule is ratified or modified or struck down.
That's broadly speaking how administrative agencies work everywhere.
There was a proposal to revamp the portal by which administrative agencies received comments, right, so all administrative agencies irrespective of what policy they were making.
The proposal was that they would develop a system to identify and discard, quote, substantively duplicative comments.
So comments that seem to be the same, so like spam. The problem with that is that once you say that an agency has leeway to decide whether a comment is duplicative, then what we're saying is that if 10 million people all say, “fuck no, this is a terrible idea”, the agency can say, “well, you're pretty duplicative, we're just going to count that as one now”
Everyone was likely very worried about this, so we created a sign-on letter for different kinds of things.
Oz: That's kind of the opposite of democratic.
Cory: Indeed. I mean, there is such a thing as spam. But it's badly conceived. So we put together a coalition letter to oppose this, and people poured in There were pro-abortion activists, anti-abortion activists, pro-gun activists, anti-gun activists, you know, everybody on every side just understood that this was the wrong discretion to put in the hands of the administration, that they should have to recognize and attend to every comment, or if they were going to discard comments. It would have to be on the basis of something more than this kind of automated opaque system. We got to this point where the guy I was working on this with called me up and said, ‘We don't want to accept comments like a sign-on from the KKK, right?’, and I was like, ‘No, we really don't’, right?
But this is how it might be. Somewhere along the line, you're going to have to draw that line about who you agree with and who you don't. You know, everyone, I think, around the world who follows American politics has heard of that Koch brothers, which is now just the one Koch brother, because the other one died. And the Koch brothers are terrible monsters. They're also prison abolitionists. They want shorter sentences.
They want more emphasis on rehabilitation. They are a libertarian in the best sense of the word partly because they understand that prisons are very expensive and they don't want that public expense, but also I think, because there is some genuine feeling that imprisoning people is an insult to their liberty.
The question is, ‘How do you feel about joining up with the Koch brothers to demand a better justice system?’ when they're also on the wrong side of every other issue? So, this is going to be like, this is the challenge that sex workers and other people from disfavoured minorities face.
Another way of saying a group that's not big enough to make the change that they want is disfavoured minorities. If you're a disfavoured minority, getting the change that you want is going to require forming coalitions.
Those coalitions, if you're very lucky, will just consist of, you know, lovely chaps who don't see your issue as their issue, but probably you all agree.
So I think of the environmental movement. You care about owls, I care about the ozone layer, foundationally, we don't really care about the same thing, but we're both environmentalists, so we can form a coalition.
But sometimes it's going to be like, you care about owls, and I'm a raving, swivel-eyed eco-fascist who thinks that the climate crisis is going to bring millions of migrants into the country, and I want to keep our borders strong. So we're both environmentalists. And do we end up in coalition together? It's not a question with one answer.
Oz: No, it's really not. I'm getting the impression from your answers that a lot of the troubles that we're facing are due to borders and conflicting interests of different nations. I was thinking of a science fiction scenario, I read a lot of Ian M Banks, if we were to ever have The Culture where we really were one civilization, one culture, that would kind of eliminate the borders and countries kind of problem in making decisions.
Cory: I don't know that that's true, because then you just have the problem of regions, right? You know, I loved Ian's work, and I knew him slightly, and thought the world of him. But, you know, I think that, like, if you look at the United States, which started off as 13 independent colonies unified and then absorbed several other independent territories over the ensuing century, the elimination of borders within the United States did not create a more robust democracy, it created a series of regionalisms that each of them represents a fracture line that can be exploited by bad actors.
When I lived in London, I lived in Hackney, which was the largest borough in the UK, it's larger than most cities in the UK, and I was having a classic local government problem where there was a legal hotel going into the building next to mine and they were doing all their renovation works, they were legally removing their asbestos without any remediation and they were doing it from midnight till 6 in the morning by jackhammering the wall of my bedroom every night. This is just a classic local government issue, right?
The noise abatement team was useless, they only had two people, they took eight hours to respond to a call and if there was no noise when they arrived, then they didn't do anything. So we never got any action out of them. So I went to see my counsellor, so I attended his surgery multiple times, he never showed up, I sent him emails, I sent him calls, never heard back from him, and eventually I called him out on Twitter.
And I was down at my local coffee shop and someone recognized me and said, ‘Oh I saw your tweet about your counsellor, you need to understand that because this is an absolutely safe Labour stronghold, that whoever wins the selection, the in-party selection, through Labour just has the seat, right?’
The election doesn't matter. Once you're selected you win because Labour always takes the counsel. I was at the selection meeting where your counsellor was selected, there were 12 of us there, he was elected by seven people. So, the reason your counsellor is not answering your phone calls or turning up for your surgery is because he doesn't give a shit and he doesn't have to give a shit.
Having a system where there's no competition, where there's no ability to move from one territory to another and seek a better system, and so on, it doesn't necessarily make for a system of more responsive better governance. It can actually create a system of extremely stagnant one-party rule where you don't see much responsiveness and you know, a lot of the, I think if you look at Liz Truss-Toryism, a lot of that is driven by the fact that the electoral map in the UK has been carved up in a way that makes many of the seats uncontested.
So when a seat is not contested, the actual contestation for the seat is in-party and what you get are the civilized loons, who are the only people who are really into how their party is governed, who turn up at the selection meeting and say, ‘I want the maniac who believes in a greater place’ in theory. Because that in-party selection process is so weakly democratic, it doesn't have the safeguards of a general election. It's like, you can take people out for lunch and offer the money to change.
Like, it's not election fraud to bribe someone on in-party selection stuff. All of the stuff that is illegal in a general election is permissible in an in-party selection. So you have these in-party selections that end up with these very weak candidates.
You know, the US election last night had the lowest turnout ever, right? The lowest vote for federal candidates ever. The federal top of the ticket. People just didn't vote for anyone for president yesterday.
Even the people who voted for president, voted in yesterday's election, in record numbers did not vote for the president because they just didn't like the candidates. The candidates are selected by party grandees who are completely disconnected from the will of the people. So without any kind of credible threat of loss of personal power, right, these party grandees can be insulated from the consequences of making poor decisions in the same way that the councillors or the other officials that they install into power are then subsequently insulated from any consequences for failing to serve their constituencies and you get bad governance downstream of that.
Oz: It's a pretty strange system where if you're not in a swing state a lot of people feel that their vote's not going to count and they might as well not bother voting so you do get these very low turnouts.
Cory: But even against that, we still have record low numbers because that's not new. We still have record low numbers of people saying I don't want either of these people for president.
So even people who turned up and voted, even in the swing state, in record numbers they left the top of the ticket blank. This is the party grandees going like we will feed the public a rasher of shit and they will eat it and the public saying ‘no thank you’.
Oz: Yes, as they should. What if we abolished the career politicians altogether and instead drafted in random members of the public to serve short-terms of compulsory political service, just reward them if they do a good job, punish them if they don't, and then kick them out at the end of their one year? Perhaps we could get sex work decriminalized that way.
Cory: So certainly sortition, which is more or less what you're describing there, has been a very effective way at breaking through issues where there's broad public support but the political consequences of siding with one issue over another are so intense that you get political gridlock.
The most famous example is abortion rights in Ireland, where broadly the Irish public supported the rights of women to have abortions but the political situation in Ireland with such that a party that supported it would get completely pasted in any kind of upcoming election.
Sortition created that basis for legalization without the political consequences. But sortition is not as punitive as you just described. Sortition does not need to include that we punish them if they make bad decisions. The advantage of sortition is that you've got sort of neutral experts who advise people, and then if they turn out not to be very good, they're balanced out by other people in the sortition jury. And sortition, I don't think anyone, even the biggest fans of sortition say that sortition should be exclusive of elected politicians as well.
Sortition is a badly needed tool in the governance toolbox, but it's not the only tool we should have. There's a place for elected legislatures, there's a place for expert drafting, there's even a place for continuity. So one of the things is that if you don't have continuity within political elected leadership, all your continuity comes from your bureaucracy, from the permanent bureaucracy. I think that civil servants can be very good and career civil servants can have this kind of longitudinal view of how things work. But, civil servants do not have the democratic legitimacy of elected leaders. You need at least some kind of long-term governance among at least some of those leaders to understand how things work, and why things are there.
There's the Fence Principle, where it's like if you find a fence, you shouldn't remove it until you find out why it's there. Because you remove it and it's like, oh shit, this fence is here because like twice a year the bulls come through here, and the fence stops the bulls from running through the schoolyard. It's not obvious when you see the fence, you think, ‘Oh, this is a stupid fence, I'm tearing it down.’ So, you know, you do want continuity because there are policies that are in place that are facially weird, but actually, have some long-term purpose.
An example of that would be that after the Great Depression, Western democracies around the world instituted separation between retail banks and investment banks. Your high street bank was not an investment bank, they didn't gamble with depositors’ cash. In the GoGo- Blair- Clinton era, we removed those restrictions, and then we had the great financial crisis. That was directly because you had a retail banks that erased the wall between themselves and the investment banks.
Well Ruth Bader Ginsburg said this when they struck down the Voting Rights Act, she said, ‘if we observe that we are not getting wet because we go outside with our umbrellas, it doesn't follow that we should discard our umbrellas because we don't have a problem getting wet anymore.’
The policies that work are the ones that are going to be the hardest ones to understand the reason for them because the problem has been so far in our rear-view mirror that we don't even know it's a problem anymore.
Oz: The political side of things is clearly a bit of a tangled web, the online side of things, the “enshittification” as you put it in your book, The Internet Con, which I really liked. I did say in the email I sent you that if I could wave a magic wand, I'd decriminalize sex work and give everyone their own personal website, their own blog page, and a payment portal so that people can just pay us directly. And then clients could use a privacy-oriented search engine like sex worker search or DuckDuckGo so that people can find us that way, pay us directly our deposits and for our content, and stay up to date with our blogs via RSS instead of scrolling social media. Basically, I'd like to cut out the directories and the big social media companies because that's where all the enshittification happens in sex work in my opinion. But how can we get there?
Cory: I think that there are a couple of different things to note about that lovely dream. The first one is that technically none of it is particularly challenging except maybe the payments piece. I'm sceptical of cryptocurrency for payments and decentralized payments more broadly. But I think that all of that stuff is stuff that exists, some of it like RSS is stuff that has existed since I was a young man and I'm decidedly not a young man anymore.
There's not a real technical impediment. I think that people who use those technologies in their ascendancy and people who can make them work for themselves today greatly prefer them to the platforms.
The problem isn't, broadly speaking, that people don't like it, and people just like the wrong things.
If we can say that these things are technically possible and broadly people like them and would prefer them, then you have to ask why aren't they using them.
Now, the right-wing economists will tell you that what we're seeing is something that they call a ‘revealed preference’. So in other words, if you sign away your privacy, every time you use a service, you must not value your privacy very much. No matter what you say, your actions speak louder than your words. I think this is nonsense.
That's like saying poor people like living in flats with cockroaches because if they didn't, they wouldn't, you know, like you gotta have a roof over your head, okay? I don't know, you know, people sleeping rough do not have a revealed preference for getting frostbite, right?
You have to factor in power relationships to understand what's going on. So really what's happening with these big platforms is that on the one hand, they did solve a problem, right?
It was hard to establish yourself online when Web 2.0 came along. So Web 2.0 solved a bunch of legitimate technical problems that people faced when they were trying to, you know, establish an online presence. They also created barriers to switching that are now what has cemented their dominance.
The normal life cycle of platforms up until the kind of monopolization of the internet was a bit like a leaky bucket. So people came in, but people also left. They churned out. The way that they churned out was that they had the ability to use third-party tools that made it easy for them to migrate accounts from one place to another and the best example of this was that Facebook lured away MySpace users by offering them a bot that you could feed your login and password to. Then would go to MySpace several times a day, grab all your waiting messages and put them in your Facebook inbox, and then you could reply to them and it would post them back out to your MySpace friends. So you didn't have to choose. Between the people you were already connected to on MySpace and the superior service on Facebook as Facebook was, in many ways superior to MySpace, including the fact that they had a really robust privacy policy where they promised not to spy on you, which is a thing I think a lot of us forget about Facebook's origins.
What Facebook did was they took advantage of a policy environment where it was permissible for a new market entrance, a new firm, to create these interoperable layers, what I call adversarial interoperability, right? When you modify a service without the permission of its owners or operators.
They took advantage of that and then they took great measures to end that policy. So you can't do that to Facebook again. So I think that Facebook will tell you that the reason people stay on Facebook, even though they don't like it, is because they have a revealed preference for Facebook.
Oz: No. It’s just difficult to leave.
Cory: Right, and I think that when you look at what Facebook does whenever someone makes it easier to leave, right, the litigation threats, the technical countermeasures, sabre rattling, that what you find is that Facebook has a strongly revealed preference for not making it easy for people to leave.
So Facebook does not act as though people just prefer Facebook. Facebook acts as though people would leave Facebook at the drop of a hat if they could. So I think that we can actually use these revealed preferences here a little. And we can say, actually, when we look at Facebook's actions, these are not the actions of a company that thinks that it has a bunch of secretly satisfied customers. These are the actions of a company that thinks that their customers are champing at the bit to leave.
So one thing that we can do is take Facebook at their word here, at least at their revealed word, and we can make it easier to leave Facebook in the other big platforms. That's something that we see in the Digital Markets Act where there are these interoperability mandates that require the largest gatekeeper platforms to have what are called APIs, which are just like programmable interfaces, where instead of having bots that go and write stuff, you can just say, “hi, I'm Oz's registered agent for this new service. Please give me everything waiting for him on Facebook and put it in his inbox over here. I hear all the things that he's sending back to the Facebook users who haven't left. Please put them in there in boxes, right?” This is something that's in the DMA.
The devil is in the details about how it gets implemented. The digital markets unit in the UK has just received authority to do similar stuff in the UK. And indeed, if a big bloc like the EU does this, it's probably going to come to the rest of the world anyway. So that's pretty exciting. It's a slow-moving process. There are lots of ways that it can go wrong, but it's pretty cool.
The other thing that we can do here is we can re-establish the rights of individuals and the people who serve them to not have to wait for official channels like this and simply reverse engineer, scrape, modify, and do that adversarial interoperability. There's not as much of that coming into law, but it makes for a very good adjunct to these mandates.
One of the problems with a mandate like this, as you say to Facebook, you've got to create an API that allows people to compete with you. Then Facebook says, ‘Okay, we'll comply. Here's our API, and it's just shit, and it won't work.’ So then you have a long argument about whether it works or not. You can be tied up for years.
Facebook can then like, even if you come up with something that does work, you would want Facebook to be able to shut down that gateway if they thought that it had a defect and someone was exploiting it to steal people's private information.
So all of a sudden, the successful competitors start showing up and saying, Facebook is turning off the gateway six times a day, and our users are just going back to Facebook because they're fed up with us. They need a reliable service. And Facebook says, ‘Oh, we're sorry, those were legitimate mistakes, you know, we do not want to expose our users, we have 4 billion users, we don't expose them to risk.’ So now you have these very complicated evidentiary questions that you have to resolve, you know, whenever this happens. It's very easy for Facebook to sabotage a rule like this.
Oz: It would be very difficult to prove that they're breaking the rules.
Cory: But what if we have this rule and we complement it with another rule that says, broadly, people are allowed to reverse engineer Facebook and wage guerrilla warfare with it? They're allowed to scrape it, they're allowed to break the DRM on the apps, they're allowed to do all kinds of things.
Now, Facebook can probably, like, tap engineers to, like, fight them and figure out what they're doing and block it, but that's a lot of unquantifiable risk for Facebook. And it can create, like, really big problems for them and make their shareholders really angry. If Facebook shows up at the start of the next quarter and says we did have this big feature we're going to roll out, but instead, we spent the last three months just fighting with people who are scraping us because the law no longer allows us to shut those people down.
All we can do is throw engineering at it. Facebook is going to be in trouble. We then create a kind of carrot and stick for Facebook where either they play nice and offer an API that is fit for purpose, or they task a completely unquantifiable amount of resources to fight reverse engineering.
One of the ways that we can figure out whether the API is good is whether or not people prefer to use the API or that they're just scraping and doing reverse engineering which is always going to be harder than using an API that's fit for purpose. So it gives regulators a kind of diagnostic tool.
We can do both, and I think we should. There's not much of this kind of adversarial interoperability in law. Where we are seeing it come up a little bit now is in right-to-repair rules where we are seeing prohibitions by state-level governments in the United States on invoking IP law to block legitimate kinds of reverse engineering.
So that's in the Oregon laws and the New York law. It's basically saying you're just like, if someone is reverse engineering for the purpose of fixing the thing, you just can't use IP law against them.
You’re just carving out that kind of litigation threat. So now you've got these companies that either can fight this guerrilla warfare with the independent repair sector or they can play nice and give everyone the diagnostic tools they need so that anyone can fix anything and the kind of the cheapest and most commercially advantageous route for them broadly is to play nice and not cheap.
We're setting up an environment where not cheating at the rational thing to do. If you're irrational and they cheat anyway, we still have an escape valve. We still have things that we can use to go around the firms and their intransigence while we wait for the justice system to make a determination that they are cheating, which might take many years.
So I think that's like, I know it's a very wonky answer, right? But that is the policy stuff that we need to try and make it easier to realize the promise of a world in which people who don't like platforms don't feel that they can't leave them.
Oz: If that kind of policy goes through, that's a big deal for everyone, I think. And for sex workers specifically, platforms like Twitter that make it difficult for us to leave are kind of a big problem. Like recently, Elon cancelled their function to block people so that somebody that you've blocked, can still read your tweets. As a sex worker, if you block somebody, often it means that that person is dangerous, they're stalkers, so that's been a bit of a tipping point. People have actually started to leave Twitter and go to things like Bluesky or Mastodon, things like that, which will be great if that happens. If more people start leaving, then maybe they'll stop treating us the way they do, like a second-class user of their platform.
Cory: Yes, indeed. You know, people who fear your departure, broadly speaking, treat you better.
Oz: That would be really nice to see. Also, regarding intellectual property, I’m all for your proposals about free sharing of digital media and the copyright only existing to stop people from selling somebody else's content that they own, like for your own profit. But from a sex worker perspective, I think a lot of us value the right to have our images removed from the internet, if they're stolen or they're misused or we're retiring or have a stalker. People want to be able to take their pictures down, which I've recently written a guide for people on how to send takedown requests. What are your thoughts on intellectual property rights specific to sex workers in those kind of scenarios?
Cory: Well, I think that these are totally understandable priorities and they're not unreasonable. I use takedowns when my books are sold on Amazon's Audible platform. People record pirate editions and sell them there, which I get quite affronted by and have them taken down. That's fine. I recognize that the takedown process is somewhat tedious. It can be complicated and daunting. What I would urge sex workers to understand as they navigate that process is that the barriers to removal are themselves of enormous benefit to sex workers.
Anything that we do to make it easier to remove things without adequate proof that the person requesting removal is entitled to do so without some kind of review and so on makes it possible for people to just remove sex workers' voluntary and consensual work from the internet, makes it possible for harassers to remove their stuff as a way of attacking them economically, makes it possible for bad clients to have factual and true information about their abuses of other sex workers removed.
I'm not saying that we should never be able to take an intermediary and require them to honour a takedown request, but I am saying that it's very easy as someone who's only interaction with intermediaries, and by an intermediary, I just think you're not hosting your own server in your own data centre with your own website that you wrote yourself on an ISP that you own. You're relying on an intermediary somewhere to connect you with the rest of the world. Anyone who thinks that the intermediary should be less careful because, quote unquote, obviously this is bad, it was someone who has not thought through how their own enemies would have used that facility. I think that sex workers have a lot more to fear from spurious takedowns than they do from bureaucratic requirements around takedown.
That again is like not to say that all bureaucratic requirements are good, they could be nonsensical and so on, but the idea that we should have precautions, that we should have guardrails around takedown notices is in fact hugely beneficial to sex workers and any other disfavoured group because it's what protects our ability to communicate with each other.
Oz: In building the search engine, I'd like to try and encourage more sex workers to build their own personal websites because I see the benefit in it myself that as my own website has improved in search ranking, I'm relying a lot less on directories and a lot less on social media. It feels like something that I personally own and I'm a lot more motivated to work on it. I think the main stepping stone that discourages people from doing that themselves as they feel that it's too complicated to work on SEO. They think they're going to be permanently on page 100 and nobody will ever see their site. I know you've had a lot of success with your own blogging with Plausible. I was wondering if you have any hints about how to promote a blog and get better ranking.
Cory: I think this is a huge problem. I think that we have seen a sharp decline in Google search quality and Google having 90% of all search means that we're seeing a huge decline in search more broadly. There have been a lot of people who've been writing about the failures of Google in respect of SEO.
Giselle Navarro runs this website that's really good, that reviews air purifiers, called ‘This House Fresh’ and consistently her extremely careful reviews where they have a lab and they do a lot of you know very serious technical analysis get weighted below like Forbes spam reviews where they just take the top 10 items off Amazon, summarize the consumer reviews and add ad affiliate links and those are the ones that Google sends people to and not to these very careful reviews.
This is happening all over the place there was just a thing this week where a bunch of smaller publishers were invited to Google for kind of workshop and they all came away from it saying you know like this was terrible. Google basically admitted that their only priority now is making you know, large brands happy that our content will never gain priority again, it doesn't matter how good it is.
I think if this is one of those things where you do not have an individual fix, what we have is the Department of Justice convicting Google of being a monopolist over its search engine and demanding, among other things, that Google be broken up.
I think that's the kind of thing that we need to be engaging with here, that you don't solve SEO by getting better at SEO. You solve SEO by making SEO less important. There is a lot of movement on this, both in the EU and in the US. So I know these are obscure wonky issues, but there are issues that we really need people to engage on.
Oz: Absolutely. I wish it was as simple as just writing quality content that people want to read from start to finish, which is what I advise people to do when they ask what to do with their blog. But as you say, the algorithm is gameable, and there are people out there that are very smart and very good at that, that figure out how to pass off something that they've built with a bot or containing basically spam, which will end up higher up in search results than quality content.
Cory: Yeah. No, I agree. I mean, you know, Google has been saying, oh, just make quality content since the year dot. I've been I've been hearing them say this forever and ever. And, you know, I think it was a cop-out when it started. I think it's a much bigger cop-out now. You know, I think when it started, it was legitimately that there was a small group of technical people who were kind of connected through social bonds to Googlers who wanted to know why their content wasn't rated more highly. It was literally just a way for Google to get out of awkward party conversations where someone said I made the ultimate cat website so why isn't it the top cat website on Google, they could just say make your content better.
These days, it's just a fig leaf right around the fact that they are under-investing in blocking SEO, that they themselves are selling two-thirds of the front page to the highest bidder instead of preferring the best content.
If you go back to the PageRank paper, which was the paper that Larry Page and Sergey Brin wrote in 1998 about the search engine that they just built, there's an appendix where they say advertising-based search engines are serving two masters, quality and sell the results, and the advertising is always going to win at the expense of search quality, and website search engines should not be advertising supported.
They understood it in 1998, more than a quarter of a century since they made this prediction, and it's come true.
Oz: That's when they were saying, do no evil. That seems to have gone by the wayside a bit.
Cory: Well, “don't be evil”, and it's an interesting distinction because the difference between do no evil and don't be evil is the recognition that you might slip up and do something wrong, but you will do it out of good faith.
You know, anyone capable of making a mistake, but everyone should strive to operate in good faith to make a better world, which is where their other motto, ‘which is organize the world's information and make it useful’, comes in.
So maybe, in that process, they'll inadvertently doxx someone or something or, you know, promote some spam or something, but they should always be striving to do it.
If you look at the memos from the DOJ case, the antitrust search case against Google, you see that there's this fight in 2019 where Google's advertising revenue was dropping off, and the reason it was dropping off, their growth was slowing was because they had 90% search market share. You can't grow once you've got 90% search market share, right? You don't get more. It's not like the remaining 10%, those people just haven't heard of Google, and once you reach them, you'll grow to 100%. Like, at 90%, that's as high as you're going to go.
Those people understand what Google has to offer, and they haven't chosen.
So that's it. You reach maximum growth, and so the only way to grow from there is not by growing market share, but by growing revenue per customer in the Google memos in the DOJ case, you see that the head of advertising revenue is butting heads with the head of search, and the head of advertising revenue is saying, if we were to make the search quality lower so that it took more than one search to find what you were looking for, we would generate more ads. Because instead of finding it in one search and then leaving, and we only show you four ads, you would do three searches and we'd show you 12 ads. The head of search is like, no, we can't do that. I've been with the company since it was a search server under a desk at Stanford, I've grown it to here, I refuse, and he gets fired. And the head of revenue becomes the head of search.
If you look back to 2019, that's about when Google search quality started to drop off. This is a big piece of the DOJ case against Google, not just that they were raising prices, but they were low on quality.
I think that this just make good web pages stuff was never great, but it's been significantly less true ever since this regime change, where we saw an emphasis on increasing the number of times you had to search for something rather than increasing the quality of the results that you got from your search.
Oz: I'll keep trying to make quality content anyway, just because it's something that I like to do. And I hope that people are reading it and finding some value in my work. And you never know maybe Google's algorithm will reward me for it.
Cory: Yeah, or maybe we'll just get rid of Google and there'll be more than one way to find information on the internet and other people will have a better theory as to how to do that. I prefer that.
I really like Kagi. I think it's a really good search tool. It's not free. It's $10 a month, but I love it. I've been using it since last spring and I've accidentally switched back to Google once or twice in my search bar on Firefox and I noticed it immediately because the search quality was so poor. Even before I noticed that the logo at the top was different, I was like, oh, the search results suck. And then I look over at the top of the page and I'm like, oh, I'm on Google.
Oz: I'll look them up for sure, Kagi. Nice one.
Thank you very much Cory for your time and sharing loads of really interesting information. All the best too with your new book and with your kids' college applications.
Cory: Well, thank you very much.
Oz: And thanks again for talking to me.
Cory: I appreciate that. Have a great day.
Oz: You too. Have a great day.
Cory: Thank you. Bye.
Oz: Bye.
My Thoughts
It was a real pleasure and privilege to speak with Cory. He's so knowledgeable and eloquent and I'm very pleased that we were able to find so much common ground in terms of the Venn diagram of his expertise as a campaigner for digital rights, privacy, and freedom of expression and my own understanding and interests related to sex workers facing discrimination on mainstream social media platforms, the political landscape as pertaining to policies and regulations likely to impact sex workers ability to do our jobs safely and lawfully, and our access to, and use of, online spaces, banking and our rights to privacy.
Every hyperlink in the text above is a link to more information on the topics we discussed. Many of the links lead back to Pluralistic, Cory's blog, which I highly recommend following via RSS or email newsletter.
Cory's ideas around coalitions have given me a lot to think about.
I really hope he's right about the lack of quality coalitions and conflicts of interest within the Trump regime meaning that Project 2025 is unlikely to ever happen.
If you're reading this and you're a sex worker or a client or a sex worker ally, please vote in elections. Please find out which politicians have policies that are pro sex work and vote for them. Or at least figure out which candidate has the policies that are the worst for sex workers and vote for someone else.
If you ever want to know how an election or referendum is going to turn out, ask me. Whatever I tell you, assume that's wrong and the exact opposite will happen.
Also, don't let me anywhere near your fence (principle). I really would kick down the fence without knowing why it's there. I genuinely wish "democracy is the worst form of Government except for all those other forms" wasn't true. There has to be something better than career politicians making promises they have no intention of keeping, getting into office and achieving nothing because other career politicians block every proposal based not on merit but purely based on perceived threat to their own political aspirations. I still think my sortition idea is worth a shot and I'd tear down every border on earth and put an AI in charge of the entire planet if I thought we'd end up with something more like Ian M Banks, The Culture and less like Donald Trump. But I'm an uninformed weirdo so I'll do my best to read more about how democracy actually works from actual experts like Cory and hopefully, for all our sakes, nobody will listen to my ideas about politics.
Regarding coalitions between sex workers and other disfavoured minorities (I very much dislike this term. Not that it's inaccurate but because it's so unjust that consenting adults trying to do business like any other sole trader should be "disfavoured"), I think following Cory's advice here could really reap rewards for us in terms of finding a path to decriminalisation of sex work and a future where we are legally protected from financial discrimination, have equal access to online platforms and the ability to insist that escort directories provide proper data security and adhere to privacy policies where our identities are not going to be sold to spammers or handed over to the feds without any kind of subpoena.
But who can we form coalitions with? Which groups face similar problems to sex workers while sharing similar enough values that we could work together to achieve our goals? Industries me might consider forming coalitions with could include Cannabis and marijuana product suppliers, Online dating and social networking, Online gaming, SEO and online marketing services, Crypto, Gambling and online casinos, Web design companies, E sports and sites and applications using AI/neural networks/large language models/machine learning.
All of the above are considered high risk merchant categories by credit card companies. Mentioning any of the above on social media is likely to lead to a shadowban. Legislation around these products and services is complicated, ever changing and inconsistent. I think we could easily find some common ground with any, or all, of the above and stand united in pursuing some common goals.
Following on from speaking with Cory about flags of convenience, I spoke to Adult Biz Law, regarding how to go about registering Sex Worker Search as an offshore company. I also got them to confirm that the requirements sent to me by a certain payment portal provider seem to be legit and that business is known and trusted in the industry so I seem to now have a path to monetising SWS which I'm very happy about. My main motivation with SWS is to encourage more sex workers to promote via their own personal websites and rely less, or not at all, on escort directories with terrible customer service and dodgy privacy policies or on hypocrite social media that makes billions from our content while treating us like criminals. If I can start charging for premium listings to appear above other search results, that will take SWS to the next level and I hope enable me to use SWS as a force to do a lot of good in the online sex work advertising space.
The DOJ case suing Visa for anti trust is potentially a really big deal for sex workers. If we end up with more competition between payment providers, we could end up being able to easily receive credit and debit card payments directly from clients via our own personal websites. No more handing over 30% of every payment to giant corporate digital pimps like Onlyfans.
Cases like this need our support. If you're in the UK, I recommend joining the Sex Workers Union (SWU) and getting involved in lobbying for issues that affect us eg the recent move by the UK finance regulator to warn banks against discriminating against sex workers wanting to open business accounts was thanks in part to lobbying from SWU. In USA the Free Speech Coalition does a lot of incredible work protecting the rights and freedoms of the adult industry and they could really use your support.
I find the concept of adversarial interoperability absolutely fascinating.
When reddit announced their plans to charge for access to their API, I spoke with the other moderators on /r/sexworkers and /r/sexworkersonly and we made the subreddits private in protest along with over 7000 other subreddits in the hope that our 500,00 users along with millions more users of other subreddits no longer generating any ad revenue might give reddit the hint that we like using third party services that depend on the API and did not want to see these apps driven out of business.
We failed.
But the blackout did give me motive to leave sexworkersonly as private and now only verified sexworkers have access so it has become a valuable resource enabling us to speak about topics like screening and blacklists in a space which non sexworkers including dangerous clients who might use the information there to figure out how to circumvent our security cannot access.
The blackout plus other sex work related subreddits getting banned leading up to the IPO, also inspired me to create a backup of /r/sexworkers so that if the entire subreddit ever gets banned, sex workers will still have access to all the posts and comments there. Doing so is technically against the rules on reddit but there's 14 years worth of knowledge on there. Losing it would be like watching the library of Alexandria burn down.
These are examples of adversarial interoperability for sex workers.
I think creating products, services, or systems that are designed to interoperate with an existing platform, system, or technology without the permission or cooperation of the original creator, eg reverse-engineering, creative workarounds, or using open standards to make different technologies compatible, are all worthy pursuits that I would love to see more of when it comes to online platforms used by sex workers.
The mass exodus of sex workers leaving twitter for Bluesky continues. Cory's thoughts on platforms making it as difficult as possible for their users to leave will ring true for all the sex workers leaving twitter. Many of us have put in immense amount of time and effort into building up our twitter accounts only to be rewarded with shadowbans. Having now reached the point where we have almost zero engagement, no new followers apart from bots, no visibility in search or on feeds, twitter has rendered itself completely useless to us. So there does come a time when we have to cut our losses and just leave no matter how hard big tech tries to make the move.
I've emailed Bluesky to ask whether sex workers are welcome on their app, or whether they will start shadowbanning us like Twitter. Here is our conversation. They replied and said adult content creators are welcome. I have emailed back and asked what about in person providers and gave them my best pep talk about why I hope they won't become another twitter. I hope to receive a positive response. Let's see. This conversation was inspired by Cory's ideas about social media and could lead to us having a social media space where we're welcome.
I've been putting a lot of work into SEO lately using AHREFS and Yoast to try to make all my websites as compliant as possible with Google algorithms tastes. It really does not sit well with me that those tastes are largely concerned with training googles bot to respond to people's search queries and discourage them from clicking on links to sites like mine so they'll stay on google and generate more ad revenue at the expense of myself and other sex workers and anyone with a website not getting any visitors to our websites. The algorithm is effectively bullying us into rendering ourselves obsolete. Cory's words on the subject of SEO for google really opened my eyes to how badly I wish not to help google get bigger and richer. The case going on at the moment with DOJ trying to make google sell Chrome and become less of a monopolist supervillain, could be a real gift to sex workers. If other, less anti sex work search engines get bigger pieces of the web search pie, we might get some hard earned rewards for those of us who have built our own personal websites.
I switched from using Google for search, to using Kagi, on Cory's recommendation and the difference is night and day. The top results on google are almost always some kind of spam, scam, fake news, or just disappointing content that's very high on SEO optimisation but very low on actually conveying any useful information.
All the links in the text above were found via Kagi.
Kagi results tend to take you directly to real content, written by real humans who have made an effort to convey actual information intended for other humans to read and understand. Try the free 100 searches and see if you think it's worth $10 per month for unlimited access.
After the interview, I went out and bought a copy of Little Brother. I'm currently in Dubai and it was nice to spend time relaxing by the swimming pool getting some vitamin D and reading about teenage hackers going up against draconian measures taken by the authorities to spy on, and take away the civil liberties of, the general public. It's a brilliant book. Great fun to read and highly recommended. Somewhat disconcertingly, for a book published in 2008, everything described within as a worst case scenarios for how things could go if we don't defend our rights to privacy are all completely normal parts of our day to day lives now in 2024. With the exception of facial recognition which Little Brother said was deemed too invasive so gait recognition was used instead. Now facial recognition anywhere and everywhere is normal too.
If you take anything away from this interview, I hope it's a sense of optimism that if sex workers do work together, form some quality coalitions, vote, support organisations fighting for our rights and make a habit of asking questions and standing up for ourselves when platforms we use online show no respect for our privacy or our rights to safely advertise and effectively conduct our business, and maybe hack a little when needs be, we can win. Even vs the biggest of big tech. We can even win in our pursuit of decriminalisation of sex work everywhere and win the fight for changes to policy and legislation that would grant us the access to payment providers as other businesses and the right to use websites and apps in the same way as any other legal business. These goals are not unreachable and ideas like those proposed here by Cory could really help us to achieve our goals.
The platforms sex workers use for advertising all have terms and conditions pages listing their privacy policies. I have taken a close interest in reading these policies since it seems that many directories give themselves permission to sell our personal details, and even our identity documents, to advertisers and to hand over our identities to the authorities without requiring a subpoena.
Escort directories have been hacked and raided before and will get hacked or raided again. Unfortunately, many directories take copies of our identity documents and selfies and just leave them lying around unencrypted.
Our identities have value in that they can be sold to spammers and used for leverage to make a deal with authorities. I don't see why escort directories need a full non redacted copy of our identity documents and an un-blurred selfie.
My recommendations
- If they need to know your year of birth, fine, send them a copy of your ID with everything except the year of birth hidden.
- If you're "face in" on your ads, why shouldn't you also be "face in" on your verification? Blur your face on your ID that you send in.
- If they get hacked, do you want your identity stolen? Put a cross Through your ID saying "for X Directory verification purposes only." (replacing the "X" with the name of whichever directory you're verifying for.)
Example
I sent emails asking about privacy policies to Tryst.link, Eros, Megapersonals, Slixa, Listcrawler, P411, Eroticmonkey, Ourhome2, Humaniplex, Adultsearch, Theeroticreview, Leolist, Terb, Adultwork, Vivastreet, Eurogirlsescort, Scarletblue, Ivysociete, Escortsandbabes, Massagerepublic, Rentmen, Hunqz and Sleepyboy.
These are my findings.
Discovery
Here are the questions I asked:
- Do you require personally identifying information from sex workers for verification?
- Identity documents?
- Selfies?
- Can these be partially obscured or redacted?
- Do you sell our identities and/or personal details to third party advertisers?
- Do you take any steps to secure our identities from hackers or in case your servers were seized?
- Are our identity documents and selfies deleted after verification?
- Stored offline?
- Encrypted?
- If you were told you could protect yourself from prosecution by freely handing over the identities of sex workers to authorities, would you do so?
- Or would you put up a fight and demand that they get a subpoena?
- Do you honour deletion requests?
- In entirety?
- How long does this take?
I sent the emails on September 2nd 2024. Only P411, Hunqz and Rentmen have replied. Tryst said they will respond to my questions in a few weeks time. (They have responded and it is included below.)
Table of platforms and known privacy standards
Note: The data displayed here is based on either responses (if received from my request) or determined by the Terms & Conditions and Privacy Policies found on those sites.
Scroll down to the "Details and Responses" section to see responses along with links to their site policies and questions or concerns I have about them.
| Platform | Accepts partially obscured or redacted identity documents | Refrains from selling personal details to third parties | Encryption used to secure our identities | Identity documents and selfies are deleted after verification | Withholds identities from authorities unless subpoena provided | Honours deletion requests partially | Deletion requests honoured entirely | Processing time for deletion requests |
|---|---|---|---|---|---|---|---|---|
| Tryst | No | Yes | Yes | Yes | Yes | Yes | Yes | Instant |
| Eros | No | No | No | No | No | No | No | 18 months? |
| Megapersonals | No | No | No | No | No | No | No | No |
| Slixa | No | No | Yes | No | No | No | No | No |
| Listcrawler | No | No | No | No | No | No | No | No |
| P411 | No | Yes | Yes | No | Yes | Yes | No | No |
| Eroticmonkey | No | Yes | Yes | No | No | No | No | No |
| Ourhome2 | No | No | No | No | No | No | No | No |
| Humaniplex | No | Yes | No | No | No | No | No | No |
| Adultsearch | No | No | No | No | No | No | No | No |
| Theeroticreview | No | Yes | Yes | No | No | No | No | No |
| Leolist | No | No | No | No | No | Yes | No | No |
| Terb | No | No | Yes | No | No | Yes | No | No |
| Adultwork | No | No | No | No | No | No | No | No |
| Vivastreet | No | No | No | No | No | No | No | No |
| Eurogirlsescort | No | Yes | Yes | No | Yes | No | No | No |
| Scarletblue | No | No | Yes | No | No | No | No | No |
| Ivysociete | Yes | No | No | No | No | Yes | Yes | 30 days |
| Escortsandbabes | No | No | No | No | No | No | No | No |
| Massagerepublic | No | No | No | No | No | No | No | No |
| Rentmen | Yes | Yes | Yes | No | Yes | Yes | No | 7 days |
| Hunqz | No | Yes | Yes | Yes | Yes | Yes | Yes | 1 day |
| Sleepyboy | No | No | No | No | No | No | No | No |
Operating Locations
Where a platform is located can impact the laws and policies of a company.
Eroticmonkey, Ourhome2, Humaniplex only operate in USA.
The USA approach to privacy laws is more fragmented and industry specific than the GDPR in Europe but they do have the Federal Trade Commission (FTC) Act.
The FTC enforces rules related to consumer protection, including privacy and data security practices. Under the FTC Act, the agency can take action against companies engaging in unfair or deceptive practices concerning the handling of personal data.
Several other states besides California, like Virginia, Colorado, and Connecticut, have introduced comprehensive privacy laws similar to the GDPR. These laws grant consumers certain rights over their data and place obligations on businesses handling personal data.
Leolist and Terb are exclusive to Canada.
Privacy laws in Canada come under the Personal Information Protection and Electronic Documents Act (PIPEDA).
PIPEDA is the federal law that governs how private-sector organizations collect, use, and disclose personal information in the course of commercial activities across Canada. Key provisions include:
- Consent: Organizations must obtain meaningful consent to collect, use, or disclose personal information.
- Data Access and Correction: Individuals have the right to access their personal data and request corrections if necessary.
- Reasonable Use: Organizations can only collect information necessary for the purpose they have outlined, and they must handle that data responsibly.
- Safeguards: Organizations must protect personal information through appropriate security measures.
Scarletblue, Ivysociete, Escortsandbabes list sex workers based in Australia.
Australia's primary federal privacy law is The Privacy Act 1988. It regulates how personal information is handled by government agencies, organizations with an annual turnover of more than AUD 3 million, and some smaller organizations. Key elements include:
Australian Privacy Principles (APPs): The act is based on 13 Australian Privacy Principles, which outline the standards, rights, and obligations related to the collection, use, disclosure, and storage of personal information. The APPs cover areas such as:
- Open and transparent management of personal information
- Anonymity and pseudonymity
- Collection of solicited personal information
- Use and disclosure of personal information
- Data security and access rights to personal information
- Consent: Organizations must generally obtain consent to collect, use, or disclose personal information, unless exceptions apply (e.g., for law enforcement purposes).
The remaining directories all operate in Europe.
Tryst.link, Eros, Megapersonals, Slixa, Listcrawler, P411, Adultsearch, Theeroticreview, Adultwork, Vivastreet, Eurogirlsescort, Massagerepublic, Rentmen, Hunqz and Sleepyboy all list advertiser profiles based in Europe so they are all required by law to comply with GDPR.
The General Data Protection Regulation (GDPR) is a European Union law that sets guidelines for the collection, processing, and storage of personal data of individuals within the EU. It aims to enhance individuals' control over their personal information and imposes strict penalties on organizations that fail to comply.
Details and Responses
Tryst.link
Tryst's Privacy Policy and Tryst's Terms.
Tryst.link has replied to my email:
Do you require personally identifying information from sex workers for verification?
Identity documents?
Yes, a form of government issued ID is required to advertise on Tryst. This became a requirement as a result of changes made by Payment Processors in 2021.
Selfies?
To sign-up for Tryst, we require two different selfies which is processed internally by our verification team:
- A selfie where you’re holding up your identification. This helps us to make a match your face to your ID. These photos (and any additional photos of ID) are automatically deleted as soon as possible, for example within 24 hours after approval.
- A selfie where you’re holding a handwritten sign. This photo is stored until your account is deleted.
Both selfies are processed at the same time, ensuring that the person in the first selfie is the same as in the second. The selfie with the sign is kept for the life of the account to help match future photo uploads and assist in verifying your identity if you lose access to your account.
Can these be partially obscured or redacted?
We can’t accept redacted identification documents as a result of the requirements set out by Payment Processors terms of service for adult sites.
You can read more about these changes and the impact financial discrimination has had on the sex working community via the #AcceptanceMatters campaign and the Free Speech Coalition’s: financial discrimination report. You can also find out more about our verification process in our Age verification on Tryst.link knowledge base article.
Do you sell our identities to third party advertisers?
No, we do not and will not ever sell any data to third-parties.
Do you take any steps to secure our identities from hackers or in case your servers were seized?
- Tryst is a collective of current and former sex workers and technologists, we know how damaging a data breach is to the community and to our reputation. We take the security of our platform seriously, and commit to notifying our users if there was ever a data breach.
- We tightly control who has access to your information. We think it's important that your sensitive information is only viewed when it needs to be, and only by the person who needs to see it.
- We use multiple layers of encryption when accessing and storing your information, where each layer adds additional protection to the one inside it. These layers include encryption of your data, held on encrypted servers, accessible only via encrypted connections and authenticating with multiple factors. We also log all access and have auditing processes that monitor access to this information.
- We specifically chose to host your sensitive data only on servers in the EU due to the higher level of protections provided through the privacy and international human rights laws that apply there.
- While technological protections are important, they're not a complete solution. We also have strong internal policies and processes that minimise how much of your personal information our team members see. This includes deleting your data as soon as we can, once we are in compliance with the requirements we needed it for. We audit the access logs regularly and make sure that there are no unapproved actions.
Are our identity documents and selfies deleted after verification?
As soon as we can, answered in more detail in the answer to the ‘selfies’ question.
If you were told you could protect yourself from prosecution by freely handing over the identities of sex workers to authorities, would you do so?
From our reading, we take this question as “Would we hand over all of our users data if it meant we’d walk away from prosecution” the answer is no, we have not, do not, and would not.
Or would you put up a fight and demand that they get a subpoena?
As a standard, all websites should require a valid and verifiable subpoena for data requests to ensure its upholding basic legal standards, and most importantly the human rights and privacy of its users.
All data requests must be accompanied by a valid and verifiable subpoena. The subpoena must be issued by a recognised authority and comply with all the relevant legal standards. We will thoroughly verify all legal requests for its authenticity and scope before considering the release of any data, and will only disclose information when legally obligated to do so.
Do you honour deletion requests?
Yes. We try to minimise the data we store on active users, as well as deleting inactive accounts, which you can read more about here. https://help.tryst.link/en-gb/23-profile/174-what-happens-if-i-stop-using-my-account
In entirety?
For all profile information, including photos, yes. With the caveat that we are required by law (as disclosed in our Terms) to maintain financial records.
How long does this take?
This depends on how the deletion request is initiated, you can delete your account at will (https://help.tryst.link/en-gb/14-faq/142-how-do-i-delete-my-tryst-account) or you can raise a support request (https://app.tryst.link/support/new) with our team who can assist if you’ve lost access to your account, but this will take some additional time as our team will need to verify you to complete your request.
For inactive accounts, see this article on our knowledge base that outlines when we consider your account to be inactive, how long you have to reactivate it, and when each step in the process to deletion happens (https://help.tryst.link/en-gb/23-profile/174-what-happens-if-i-stop-using-my-account).
I also asked Tryst.link some follow up questions.
Tryst.link Privacy Terms state =
"We may disclose personal information to: third party service providers for the purpose of enabling them to provide their services, including (…) marketing or advertising providers, (…) (and to) courts, tribunals, regulatory authorities and law enforcement officers, as required by law, in connection with any actual or prospective legal proceedings, or in order to establish, exercise or defend our legal rights; "
Why does it say you disclose personal information to advertising providers? and to defend our (tryst's) legal rights without mention of requiring a subpoena?
“Why does it say you disclose personal information to advertising providers?”
This is considered a standard clause because of how the internet works, but when we say “We may disclose personal information to third party services for the purpose of enabling them to provide their services” this means we may share some of your information with other services who are acting on our behalf to run the platform - it doesn’t mean we are selling your data.
For example, let’s consider analytics, we pay a third-party company to license their software to process that we host to process this data internally. In the event we require support from this company, we would be obliged to give them access to our system in order for them to provide us that support, which in turn, may result in the disclosure of information but access to our system and data is covered by confidentiality and licensing agreements.
“and to defend our (tryst's) legal rights without mention of requiring a subpoena?”
There are two parts to this question, both are fairly standard clauses:
- We have used broad language in this clause such as “as required by law, legal proceedings, regulatory and law enforcement authorities” to ensure that we cover the different type of legal obligations, including subpoenas and their local variants.
To reiterate, we will thoroughly verify all legal requests for its authenticity and scope before considering the release of any data, and will only disclose information when legally obligated to do so.
- When a policy states “In order to establish, exercise or defend our legal rights” it means that if a user of the platform makes a legal claim or accusation of wrong doing against the platform, the platform may be required to use or share information about the user to legal representation or the courts to defend against the claim.
Also Tryst.link terms says "Upon termination of your account, in accordance with our Privacy Policy, the platform will remove your profile and photos but we will keep data required for business operations such as but not limited to; verification information, payment information, support conversations, and audit history."
Does that apply if someone deletes their own account? The verification information you keep according to that quote doesn't include the selfies and pics of identity documents since you said those are deleted within 24 hours of approval?
"Upon termination of your account, in accordance with our Privacy Policy, the platform will remove your profile and photos but we will keep data required for business operations such as but not limited to; verification information, payment information, support conversations, and audit history."
There are two parts to this question, the audit history and the verification information:
Audit history is referring to the actions taken by a team member (such as the outcome of a photo review) but when an account is deleted, the associated user data (any identifying information and the actual photo) is removed, but the audit record is kept to state that this team member performed an action on our platform.
This clause is worded this way to cover instances that fall outside of the platform, specifically our support system. This system falls into its own data retention schedule which is separate from the platform, and depending on the classification of the ticket it will determine how long it’s stored for, such as if it’s business critical that has regulatory requirements, or non-business critical tickets such as account deletion where a user has lost account access and must be verified to action.
To add to that, support tickets that are deleted will include a record that it was deleted, the time it was deleted, the ticket number, and an anonymised user for record integrity.
Eros
I didn't get a reply from Eros. Their data processor, based in Switzerland, with this email address: [email protected] ignored my email.
Of all the escort directories, Eros has by far the worst track record regarding privacy and data security.
They've been raided before by Homeland Security , had servers full of unencrypted sex worker identities seized and it's rumoured they continue to operate due to some kind of deal involving continuing to hand over the identities of sex workers.
Their privacy policy makes no mention of allowing people to obscure any part of their identity documents or selfies used for verification.
They do sell our personal data to advertisers. Their terms say:
"We may use your personal information or share your personal information with third parties to: (...) Serve marketing or advertising materials to you; and Provide any other good or service to you with your consent."
They also give themselves permission to hand over our identities to the authorities.
"We may disclose your personal information to third parties, without notice if, in our sole discretion, we believe that it is reasonable to do so to: (...) Protect ourselves."
Their terms are clear about retaining personal information.
"We reserve the right to retain publicly available information and de-identified information for any legitimate business purpose without further notice to you or your consent."
Their terms say they will delete personal data on request.
"Right of erasure/deletion/omission ("right to be forgotten"): You have the right to request that personal data relating to you be deleted immediately and the personal data must be deleted immediately if one of the reasons listed in the Swiss or European legislation applies, for example that the data are no longer necessary for the purpose for which they were collected."
But I have screenshots of emails to prove that when this is requested, they refuse and tell people to just log out and leave their accounts inactive for 18 months and then their data will be deleted automatically. I have screenshots of follow up emails from after the 18 months to show that even this did not happen.
Megapersonals
Megapersonals' Privacy Policy says:
"authorized agents may require you to provide additional information as necessary to verify the accuracy of your identity and your information."
Doesn't say whether identity documents and/or selfies are required in all cases or whether these can be partially anonymised.
They do sell personal details to advertisers.
"To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you."
They make no mention of any measures taken to secure our identities or personal details. They do say regarding if they get hacked...
"...we shall not be liable for any recording or release of private information, personal data, or your Posts, and you hereby release us from all liability and claims associated therewith."
The paragraph "We will fully cooperate with law enforcement authorities or orders from courts of competent jurisdiction which request or direct us to disclose the identity or location of any user in breach of these Terms of Use, in accordance with our privacy policies, law enforcement policies, and applicable law or regulation." implies they don't care about subpoenas or court orders and will identify us to any and all authorities who ask.
Regarding deletions:
"Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully, or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request."
So they might delete your personal data. Partially. Maybe.
Slixa
Slixa Advertiser Agreement "requires that all advertiser accounts are subject to age verification. Advertisers must supply a true and accurate color copy of a current, valid, government issued ID via the website’s secure verification page."
Doesn't say if the ID can be partially redacted or if it's deleted after verification.
Slixa's Privacy Policy says Slixa does use our personal details to "tailor marketing". Does this mean they sell our identities to advertisers?
A big win for Slixa with their data security statement:
"We use all reasonable measures to protect Your personally identifying information that is stored within our database (including data encryption, SSL, strong password requirements and firewalls), and we restrict access to member information to those employees who need access to perform their job functions, such as our customer service personnel and technical staff."
That's what we like to hear.
Slixa will share our identities with third parties
"6.1.1 To comply with any laws including, but not limited to, the Electronic Communications Privacy Act or any other legal or governmental requests for information;
6.1.2 If disclosure is necessary to identify, contact, or to bring legal action against a person who may be in violation of Slixa Terms and Conditions;
6.1.3 As is reasonably necessary to operate the Website;
6.1.4 To protect Slixa, its Users, its Advertisers, and the general public. Slixa will only disclose a User’s information when it is compelled and /or required to do so by law (for example, in response to a court order or subpoena). Where permitted by law, Slixa will not disclose any information pertaining to any User without first presenting the User with an opportunity to object to said disclosure."
If it was just 6.1.4, that would be perfect.
Doesn't seem to say anything about deletion requests.
Listcrawler
Listcvrawler's Privacy Policy says they'll give our identities to anyone who asks for pretty much any reason:
"We may disclose IP addresses, and/or associated email address, telephone numbers, or other information about, if (i) required to do so by law, court order or subpoena, or as requested by other government, law enforcement, or investigative authority, (ii) we in good faith believe that such disclosure is necessary or advisable, including without limitation to protect the rights or properties of the Site, (iii) we have reason to believe that disclosing your personal information is necessary to identify, contact or bring legal action against someone who may be causing interference with our rights or properties, or has breached an agreement, or if anyone else could be harmed by such activities or interference, (iv) if we determine an ad posted violates our Terms of Use or the rights of a third party, or (v) there is an emergency involving personal danger. We may also share information if we believe it is necessary to investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, or as otherwise required or permitted by law."
Doesn't say anything about data security, selling personal details to advertisers or deletion requests.
P411
P411 replied to my email.
"Thanks for taking the time to write.
The only time we would release that information is if a Spanish court (we are in Spain and abide by Spanish law only) issued a subpoena specifically asking for that information. Of course, we would have our legal counsel review the subpoena first before doing anything. To this date, we have never been subpoenaed for any information.
We retain age documentation images to match account holders to other accounts. This is particularly important when it comes to accounts that have suspended or revoked for negative behavior. However, it's much less important when an account has never shown us any indication there are any issues, and those identification images would be deleted by request."
P411's Privacy Policy says:
"COMPANIONS: When you sign up for a companion account, Preferred411 collects some personal information for verification purposes, including and not limited to: full name, e-mail address, telephone number, website url, etc. Preferred411 also requires images of you and your government identification to prove that you are over the age of 21. These images are kept as encrypted data to ensure that companion accounts are not shared with anyone other than the account holder. We also require a username, email address and security questions."
Regarding Deletion of Information
"Other than your P411 Id, all information found on your profile is wholly within your control and can be updated at your convenience. You can view what other members see about you, by clicking Companion View (admirers) or clicking on your thumbnail (companions). If you would like your information to be completely deleted from our servers, provide us with a detailed written request. This will result in your account and information being permanently removed from Preferred411 and the complete loss of use of member areas of the site. In limited cases, where we suspect unfavorable, fraudulent or criminal activity is taking place, as well as any activity that violates our Terms & Conditions, your information will not be deleted for the protection of Preferred411 and/or its members."
Their data security policy:
"The entire Preferred411 site is secured by using 128 bit SSL technology. Every effort is made to ensure the security of our servers and the data we retain. However, we are unable to make any guarantees that our measures will prevent an illegal hacking, which could result in the data on our servers being compromised. You assume this risk by voluntarily providing your information to Preferred411, with the understanding that such hacking incidents can occur despite reasonable security measures being in place."
Eroticmonkey
Eroticmonkey's Privacy Policy doesn't say whether they require ID or selfies or what they do with these.
They talk about personally identifying information (PII) in their terms and say
"We will never sell, rent, or loan your PII without your express written consent. We sometimes use third parties to help with some of the services available through the Site, such as third party software and service vendors, partners and consultants. When we supply PII to these third parties, we require them to use it only for the function they are helping us with. (...) We will disclose PII as required by law, or if in our judgment it is necessary to protect our company or our users from loss or liability."
So they won't sell PII to advertisers but will give PII freely to authorities without requiring a subpoena to protect themselves.
No mention of deletions.
Re data security
"We keep PII you provide on servers that are protected by industry-standard firewalls and other technological means against intrusion or unauthorized access. They are located in a physically secure facility, and only our employees and agents with a need to know the information are given access. While no amount of security can give a perfect guarantee, you can have a high degree of confidence that the personally identifiable information you give us is protected from unauthorized access and use."
Ourhome2
Doesn't have a Privacy Policy.
All they say on the subject is:
"Only anonymized registrations are allowed; as far as GDPR/CCPA goes, OH2 follows the protocol outlined below: Anonymous information, as information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable'. The GDPR/CCPA do not apply to anonymized information."
This is not very helpful eg if you're a sex worker who wants their personal details deleted from their site.
Humaniplex
Humaniplex's Privacy Policy doesn't say whether they require sex workers to send identity documents and/or selfies for verification.
They do say loud and clear:
"Your Information Is NEVER Used for Marketing, Promotion, or Advertising by Third Parties! - We do not sell or lease personal information. Many websites, specifically socials networks such as this one, choose to sell their users' personal information to third parties so that those third parties can advertise to you. Worse yet, many sites profile your browsing habits to try to generate a picture on the things you might buy and then sell that information to third parties. That is not the case here, and never will be."
This is the best statement I've seen on the topic on any of the escort directories. All the directories should have words to this effect in their privacy policies.
Sadly their statement regarding legal requests is a failure.
"If we have a good faith belief that the response is required by law, we may disclose information pursuant to subpoenas, court orders, or other requests (including criminal and civil matters). This may include honoring requests from jurisdictions outside of the United States where we have a good faith belief that the response is required by law under the local laws in that jurisdiction, apply to users from that jurisdiction, and are consistent with generally accepted international standards. We may also share information when we have a good faith belief it is necessary to prevent fraud or other illegal activity, to prevent imminent bodily harm, or to protect ourselves and you from people violating our Terms of Service. This may include sharing information with lawyers, courts or other government entities."
There's no need for this. Just say "We won't give your personal details to any law enforcement, legal or government entity unless we receive a subpoena from a court of law."
They don't say anything about deletions.
Adultsearch
Adultsearch's Privacy Policy uses almost the exact same phrase as Eros re:
"We may disclose your personal information to third parties, without notice if, in our sole discretion, we believe that it is reasonable to do so to: (...) Protect ourselves."
The full quote on Adultsearch says:
"we may disclose passively-collected information about Users, (...) for any reason without notice if, in our sole discretion, we believe that it is reasonable to do so, including, but not limited to: To satisfy any laws, such as the Electronic Communications Privacy Act, regulations, or governmental, or legal requests for such information; To disclose information that is necessary to identify, contact, or bring legal action against someone who may be violating our Terms of Use and other policies and procedures; To operate our Services properly; To protect ourselves, our Users, and the general public. We specifically reserve the right to disclose any and all information to law enforcement in the event that a crime including, but not limited to, fraud-related offenses is committed, is suspected, or if we are compelled to do so by lawful criminal, civil, or administrative process, discovery requests, subpoenas, court orders, writs, or reasonable request of authorities or persons with the reasonable power to obtain such process;"
I don't like that bit about "reasonable request". It's far too ill-defined and open to interpretation. If you require a subpoena, just say you require a subpoena.
In the next paragraph they say:
"We do not intend to cooperate with private-party litigants and others seeking information unless compelled to do so through lawful court or administrative process, such as subpoenas, court orders, or writs."
So why do they need to they need to give themselves permission to give our identities to whomever, to protect their own interests, without requiring a subpoena via that "reasonable requests"?
Theeroticreview
TER is primarily a review site aimed at getting clients to register and write reviews about sex workers.
It is possible to register as a provider but I couldn't find anything in their terms saying whether ID or selfies are required, whether they can be partially redacted or whether they're deleted after verification.
TER's Privacy Policy says:
"we will keep your Personal Information private and will not share it with third parties, unless such disclosure is necessary to: (a) comply with a court order or other legal process; (b) satisfy our legal obligations to cooperate with law enforcement or other investigating agencies; (c) satisfy any laws or regulations, or, governmental or legal requests for such information; (d) protect our rights or property, or the rights or property of others; or (d) enforce our Terms of Use Agreement."
Their data security policy says:
"We take measures, including data encryption, to protect the transmission of all sensitive user information. We make every reasonable effort to help ensure the integrity and security of our network and systems, and use commercially reasonable safeguards to preserve the integrity and security of your Personal Information. Nevertheless, we cannot guarantee that our security measures will prevent third-parties from illegally “hacking” into our computers and obtaining this information. You assume the risk of such breaches to the extent that they occur despite our reasonable security measures."
They don't say anything about deletions.
Leolist
Leolist's Privacy Policy says they will sell your personal information to advertisers.
"We may use your Data to show you LeoList adverts and other content on other websites. If you do not want us to use your Data to show you LeoList adverts and other content on other websites, please turn off the relevant cookies (please refer to the section headed “Cookies” below). (...) any of our group companies or affiliates - for the purpose of marketing where relevant;"
They say they will hand our data to:
" relevant authorities, such as law enforcement - to facilitate the detection, prevention, or investigation of a crime or offence, or in connection with other lawful requests for your Data;"
They do not say what they consider to constitute a lawful request.
They won't fully delete personal details on request.
"we will only hold your Data on our systems for the period necessary to fulfil the purposes outlined in this privacy policy or until you request that the Data be deleted. 19. Even if we delete your Data, it may persist on backup or archival media for legal, tax or regulatory purposes."
No mention of encryption or any other steps taken for data security.
Terb
Doesn't have a contact email on their site. I filled out the contact form but they haven't replied.
Privacy Policy is very brief and basic.
It does say they'll honour deletion requests. (you) "have the right to request the erasure of your personal data. Please contact us if you would like us to remove your personal data."
Re data security "We are committed to ensuring that any information you provide to us is secure. In order to prevent unauthorized access or disclosure, we have put in place suitable measures and procedures to safeguard and secure the information that we collect."
That doesn't really tell us anything about their data security.
Doesn't say anything about not selling info to spammers or giving identities to authorities.
Adultwork
Does require identity documents and does not accept anything partially redacted.
They also have quite invasive and weirdly old fashioned verification requirements eg making sex workers get their picture taken next to a phonebox while holding up a copy of that days newspaper.
Their Privacy Policy says they will sell your identity to advertisers "To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you".
Regarding data security they say "We have put in place appropriate security measures to prevent your Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your Personal Data to those employees, agents, contractors and other third parties who have a business 'need to know'. They will only process your Personal Data on our instructions and they are subject to a duty of confidentiality. We have put in place procedures to deal with any suspected Personal Data breach and will notify you and any applicable regulator of a breach where we are legally required to do so."
They do say you have the "Right to Erasure. Every individual has the right to be forgotten upon request. The Data Controller must remove your Personal Data from its systems and request the same of any third-party systems of that controller." under GDPR.
But "In the event of a law enforcement request involving your account or the data we hold about you on file. We are obliged by law to comply with the request and retain the data until the case has been closed by Law enforcement. Data may be held beyond the deletion request for the basis of complying with law enforcement."
I've heard from multiple UK based sex workers that they are entirely face in and have only ever shown their face in one place = Adultwork verification selfies and identity documents sent to AW, and yet they have been denied entry to USA due to facial recognition detecting a connection to sex work. ie Adultwork has given at least some, possibly all, of the selfies and ID they hold to USA border control.
Vivastreet
I sent them a message on twitter where I've spoken to Viva before. They read the message. It's marked as "seen". They haven't replied.
Does require "ID Verification for the purpose of registering as a Registered Escort on the Site".
No mention of partially redacted ID.
Vivastreet's Privacy Policy says they will hand over our identities "Where we need to comply with a legal or regulatory obligation. Where we consider it to be in the interests of our Users (Registered Escorts or otherwise) or in the public interest, we may provide Personal Data to law enforcement to assist them with an investigation. If we believe that you are a victim, we may provide your Personal Data without obtaining your prior consent for your protection."
They say "To undertake an Identity Verification Check, you will be asked to upload a ‘selfie’ photograph of yourself and a supporting identity document. These will then be verified by third-party technology"
Doesn't say who the third party is, which country they're in or which data protection laws they are subject to.
"We may also disclose your Personal and Biometric Data if required to do so by law, or if we believe that disclosure is necessary to comply with any applicable law, or to defend our own rights or property, or to safeguard you or others. This may involve discussing the information we hold with law enforcement agencies if we believe or suspect that you are using the Site to engage in criminal and/or illegal activity. Law Enforcement may also choose to disclose this information further to other security services to comply with any applicable law or if they believe doing so will safeguard others."
The "defend our own rights" line could mean they'll give our identities to anyone who asks if they think it is good leverage to protect themselves from prosecution.
Doesn't mention encryption.
You can request data erasure but they might not honour that request.
"Request erasure of your Personal Data. This enables you to ask us to delete or remove Personal Data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your Personal Data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your Personal Data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request. "
They will sell your identity to advertisers, possibly even if you specifically ask them not to.
"You also have the right to object where we are processing your Personal Data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms."
Eurogirlsescort
Eurogirlescort's Privacy Policy says verification using ID and selfies is optional.
"We as the administrator do verify profiles. These profiles have VERIFIED status (in blue). Each girl who advertise on our site has "verification" option in the account. We require verification pictures or face + ID picture as proof that profile is real. If the girl sends required verification pictures we give "verified" status."
Unless you look underage.
"Our company will manually review each post and pictures before it goes LIVE online. If we determine that age of the model/escort is in question, we may ask for ID and age verification and we reserve the right to refuse to post"
This is good to see "We do not collect personal information to trade, sell or give away in any way. (...) Any and all the information collected on this website will be kept strictly confidential and will not be sold, reused, rented, disclosed, or loaned! We respect the right of users to remain anonymous and will endeavour not to knowingly disclose user identities unless directed by a court of law."
Also good = " several layers of encryption and several layers of security to prevent unauthorised access protect all of the sensitive customer data we collect."
No mention of deletion requests.
Scarletblue
says they do collect "results of any identity checks or verifications".
Nothing about partially redacted ID or selfies.
"We do not ask for or collect your identity documents, such as your drivers licence, passport, or any other identity documents, or verify your identity. A third-party service provider may complete identity checks on our behalf from time to time when you provide your identity documents to the service provider through their function on our website. This function is not linked with us, and we do not have access to any information that is entered into the function. The third-party service provider will handle your personal information in accordance with its privacy policy."
Doesn't say who the third party is, where, or what legal requirements they are subject to. When this policy was announced, the announcement went over like a lead balloon on sex work twitter and reddit.
They sell our personal information to advertisers and will give our identities to authorities.
"We may disclose your personal information to the following third parties: (a) our business or commercial partners; (b) our professional advisers, dealers and agents; (c) third parties and contractors who provide services to us, including customer enquiries and support services, IT service providers, data storage, webhosting and server providers, marketing and advertising organisations, payment processing service providers; (d) payment system operators and debt-recovery functions; (e) third parties to collect and process data, such as Google Analytics, Google Display Network, DoubleClick, Yahoo, Adobe, Campaign Manager, and Microsoft; and (f) any third parties authorised by you to receive information held by us. If you are a contractor, we may disclose your information to payment system operators and debt-recovery functions. We may also disclose your personal information if we are required, authorised or permitted by law. We may send information to third parties that are located outside of Australia for the purposes of providing our services. These third parties are located in Cyprus, although this list may change from time to time. Disclosure is made to the extent that it is necessary to perform our functions or activities."
Again with the unnamed third parties =
"We take all reasonable steps to protect personal information under our control from misuse, interference and loss and from unauthorised access, modification or disclosure. We hold your personal information electronically in secure databases operated by our third-party service providers. We protect the personal information we hold through using secure ‘bcrypt’ hashing when storing user passwords, not storing any credit card information in the Scarlet Blue databases, using secure hosting providers, storing data in secured internal databases, firewalls and login password protocols and secure and access-controlled premises."
No mention of right to erasure.
Ivysociete
Ivysociete posted on reddit asking for feedback about their site. Here is our conversation =
Oz>
I'd like to ask about your commitment to privacy if I may.
Your terms and conditions page says you require identity documents and face pictures for verification and then your privacy policy says =
We may disclose personal information to:
- a parent, subsidiary, or affiliate of our company
- third party service providers for the purpose of enabling them to provide their services, for example, IT service providers, data storage, hosting and server providers, advertisers, or analytics platforms
- our employees, contractors, and/or related entities
- our existing or potential agents or business partners
- sponsors or promoters of any competition, sweepstakes, or promotion we run
- courts, tribunals, regulatory authorities, and law enforcement officers, as required by law, in connection with any actual or prospective legal proceedings, or in order to establish, exercise, or defend our legal rights
- third parties, including agents or sub-contractors, who assist us in providing information, products, services, or direct marketing to you third parties to collect and process data
My one regret as a sex worker is that I signed up for various directories and gave them my selfies and identity documents. Directories have been hacked and raided before and it will happen again. I wish I'd just built my own personal website on day one and promoted it via writing on my blog regularly for SEO, getting backlinks, co-promoting with other providers, social media etc.
I wish I'd never registered on any directories and I would love to see a future where more sex workers keep their identities safe and secure by not using directories and clients find our personal websites on search engines instead of using directories.
If a genie would grant me 3 wishes, I'd decriminalise all sex work everywhere on the planet such that it would be illegal to treat a sex worker differently to any other sole trader business, wipe all the selfies and identity documents every sex worker has ever sent to a directory off the internet, and give every sex worker their own personal website.
My question is, is all that disclosing of our personal information really necessary? Could you not just do your verification and then delete the identity documents and selfies without a trace? If you must keep them eg to protect yourself in case you get accused of advertising minors, could you not put them on a secure, encrypted hard drive, offline, somewhere secure and write into your terms that you'll never share the contents of that drive with anyone unless a court of law forces you to?
IS>
Thank you for your feedback. Please note that all advertisers on ivysociete.com are required to submit a verification image to ensure the legitimacy of profiles. However, advertisers have the option to blur their face in the image. The only requirements for this verification are to wear the same outfit, take a full-body photo, hold a sign, and raise three fingers on the other hand. As a "face-in" escort myself, who prefers not to show my face in photos, I completely understand the importance of maintaining privacy.
Regarding ID verification, it's optional for clients and not mandatory. It's simply another way to verify themselves if they feel more comfortable with it.
As for the terms and conditions, we don't share private images with a third party. Including a clause about sharing information with third parties is a common practice in terms and conditions.
Oz>
Thank you for replying.
So ID verification is optional for clients but is it mandatory for sex workers?
I would have thought mandatory otherwise there's nothing preventing minors from being pimped out on your site?
If you're not going to share private images or identity documents with third parties, why not say that in your terms and conditions?
Sorry to be difficult about this but I think this is a big problem in our industry. Our identities have value to advertisers and to the authorities. I just don't believe many, if any, of the platforms we use are trustworthy, or competent, enough to be entrusted with our identities.
The way your terms are worded sounds like you reserve the right to hand over our identities to anyone and everyone who offers to pay you or threatens to indict you, or offers you some kind of legal deal or immunity in exchange.
IS didn't reply. I tried messaging them as a reply to their tweet about the redesign but they deleted my tweet reply.
Escortsandbabes
Escortsandbabes's Privacy Policy doesn't say whether they require identity documents or selfies or if so, how these are handled.
"Unless you object, your personal information may be used to: (...) assist us with our marketing"
Sounds like they do sell personal info to advertisers.
"we may disclose personal information in special situations where we have reason to believe that doing so is necessary to identify, contact or bring legal action against anyone damaging, injuring or interfering (intentionally or unintentionally) with our rights or property, users or anyone else who could be harmed by such activities."
and they'll disclose to authorities. No mention of requiring a subpoena.
No mention of encryption.
Doesn't say they honour deletion requests.
Massagerepublic
Massagerepublic's Privacy Policy
"Advertiser registration form – the object and the basis of the data processing Your personal data provided through this form are processed in order to register your account on our server. Providing us with your personal information is necessary, and abstaining results in our inability to register your account."
So they do require identity documents. Doesn't say about selfies.
"your personal data might be disclosed to third parties, including (...) the marketing agencies, the e-commerce agencies"
Translates as they do sell your personal information to advertisers.
No mention of encryption.
Their GDPR page mentions "the right to delete personal data (the right to be forgotten)" but doesn't say how this happens or how long it takes.
Rentmen
I got a reply from Rentmen responding to my questions as follows:
Do you require personally identifying information from sex workers for verification?
We require personal identifying information from all of our advertisers, aiming to confirm the users’ identity and age.
Identity documents?
The users are requested to present a state-issued document, confirming their date of birth. Any document with a photo of the user and date of birth is sufficient.
Selfies?
In some cases, when the administration needs more information to confirm the user, the so-called photo verification is required. The user needs to take a selfie holding a sign with the website name and the date the selfie is taken.
Can these be partially obscured or redacted?
Yes, the user can partially cover the ID - compulsory information that must
be visible is:
- Face - we need to be sure the person from the ID is the same as the
person in the profile gallery.- Data of birth - to confirm the user is over 18.
- Expiration date - we need to be sure the document is valid, not expired.
- Name - KYC (Know Your Customer) requirements by the card operators.
Do you sell our identities and/or personal details to third-party advertisers?
We do not sell or share personal data of our users to third-party advertisers under any circumstances. We believe that apart from the moral and ethical norms that the company follows in this direction, any proposals would be rejected due to the fact that we believe that such an act would have an extremely negative impact on the image of the company and the products that we manage.
Do you take any steps to secure our identities from hackers or in case your servers were seized?
Yes, as I mentioned, we follow the rules and regulations of the GDPR and the highest standards for storing the personal data of our users. We have implemented state-of-the-art security measures to prevent any data breaches. Furthermore, your data is encrypted, meaning that in case of a data breach, it will not be readable for the hackers.
Are our identity documents and selfies deleted after verification?
In order to comply with our legal obligations, photo and ID verifications are stored and are needed regarding ongoing monitoring of profile accuracy. For example, if a user changes entirely the photos of their profile gallery and replaces them with others, we need to be sure the newly uploaded photos match the users' photo verification previously provided.
Stored offline?
For security reasons, such information cannot be provided.
Encrypted?
As I previously mentioned, the personal data of our users is protected and encrypted and only limited and licensed staff members have access.
If you were told you could protect yourself from prosecution by freely handing over the identities of sex workers to authorities, would you do so?
We would share data with authorities only if the request is legally valid and in compliance with GDPR and other applicable privacy regulations.
Or would you put up a fight and demand that they get a subpoena?
As I have already specified, we follow the principles of the GDPR, where the reasons and methods for requesting personal data of a user are regulated. Here I should specify that mass provision of personal data to users is absolutely prohibited and would not be respected for any reason. A request for the provision of personal data may be made to investigative authorities in connection with an active criminal investigation. In such a situation, the investigating authority should identify itself by providing documents containing the reason for the request for personal data, as well as what specific personal data are needed for the relevant investigation. For example, if an investigative body were to contact us and request all available data of our user, their request would be considered unlawful and would not be honored.
Do you honour deletion requests?
Yes, of course. Again, following the GDPR, we accept requests for deletion of personal data. Also, any user can request from us what personal data we collect about them.
In entirety?
In some specific cases, we may retain personal information for a longer period. For example, accounting information such as invoices contain personal information. Under the law, we must retain this information for 10 years.
How long does this take?
The period for consideration of requests for the provision of personal data is processed for a period not longer than 7 days.
Hunqz
Hunqz replied to my email and responded to each of my questions:
Do you require personally identifying information from sex workers for verification?
No
Identity documents?
No
Selfies?
Only needed if profile gets reported multiple times for being fake
Can these be partially obscured or redacted?
Not, if we need to check a user's identity
Do you sell our identities and/or personal details to third-party advertisers?
Of course not
Do you take any steps to secure our identities from hackers or in case your servers were seized?
Of course
Are our identity documents and selfies deleted after verification?
Users upload their verification picture if needed to a private folder for us to review the user's identity. Afterwards the user can delete the picture.
Stored offline?
N.A
Encrypted?
N.A
If you were told you could protect yourself from prosecution by freely handing over the identities of sex workers to authorities, would you do so?
Or would you put up a fight and demand that they get a subpoena?
It wouldn't be legal in the Netherlands to hand over our user's identities to authorities.
Do you honour deletion requests?
Of course. This is also covered under the GDPR
In entirety?
Yes, see our privacy statement for more information (https://www.romeo.com/en/privacy/)
How long does this take?
These requests are normally processed within one working day.
I replied with a few additional questions, querying the term "legitimate interest" and "if the police demand this" and they kindly replied again:
"By legal terms (GDPR) it wouldn't be a legitimate interest to share user data with advertisers.
In our privacy statement (https://www.romeo.com/en/privacy/) we also list what kind of third party we are sharing data with. In this particular case we share some data with an external Fraud Prevention System to keep "the bad guys" (e.g. commercial profiles created through bots) from our platform. This for instance is a legitimate interest, because Fraud harms both our platform and also potentially our users.
If any local police contacts us, they are sent the following text which clearly defines what's needed to receive any data:
Dear Sir or Madam,
There are two ways in which information can be sought from the Netherlands, either using IP (Interpol/Europol or Liaisons) channels for police to police non evidential requests
- or –
if requiring information evidentially then you will need to engage your prosecutor office for them to send an International Letter of Request to the Netherlands to ask for the information on a formal basis.
It is a requirement in the Netherlands for information that is sought as evidence from a foreign jurisdiction to be requested via an European Investigation Order (EIO), which then provides the Netherlands a legal basis to gather the evidence from the business, institution etc. on your behalf. Your prosecutor will be in a position to provide the necessary EIO and sent by post to the Dutch authorities. (...)
This means that we also never hand out any data directly to local police offices but always go through our contacts at the Dutch police."
Sleepyboy
Sleepyboy's Privacy Policy says "Sleepypro SL may disclose your Personal Data in the good faith belief that such action is necessary to comply with a legal obligation, to protect and defend the rights or property of Sleepypro SL, to prevent or investigate possible wrongdoing in connection with the Service, to protect the personal safety of users of the Service or the public, and to protect against legal liability."
So they can identify you to law enforcement and here's no mention of requiring a subpoena.
"Advertising Cookies. Advertising Cookies are used to serve you with advertisements that may be relevant to you and your interests."
"To provide you with news, special offers and general information about other goods, services and events which we offer that are similar to those that you have already purchased or enquired about unless you have opted not to receive such information"
So they do sell our personal data to advertisers.
No mention of encryption. Only the disclaimer "The security of your data is important to us, but remember that no method of transmission over the Internet, or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security."
They recognise right to deletion "Sleepypro SL aims to take reasonable steps to allow you to correct, amend, delete, or limit the use of your Personal Data." but it doesn't say whether this will be entirety or commit to a timeframe.