It was the second week of February when the first post went up, exposing the social media profiles of thousands of women interested in bondage.

It’d all started the previous day, when a Bitcoin baron by the name of Mircea Popescu found himself with a few minutes to burn on a simple bit of code to help him find female users on the kinky social network FetLife. Some 24 hours later, having mined around 100,000 profiles, he began publishing the results — a list of the usernames, ages, sexual orientations, kinky roles and locations of women 30 and under — in a series of blog posts that he dubbed “The Fetlife Meatlist.”

It would be weeks before users on FetLife would learn of the Meatlist’s existence — and when the news came, it would not be from the social network itself. By then, FetLife had already threatened to sue Popescu and failed to follow through, exposing both its inability to protect user information and its unwillingness to disclose this fact.

This is a story of false promises, dubious legal claims, two lists, and one social network.

The Network

FetLife is a social network for kinky people. Like Facebook, it enables users to share their writings and media, create events, make groups, and hold discussions. Like Facebook, it doesn’t let users do dating site-style searches for other users by age, gender and location.

While both networks see their users as their “product,” Facebook is completely free to use, as its revenue comes from advertisers who pay to show their products to potential buyers. FetLife, on the other hand, operates on a freemium model. Creating content is completely free on FetLife, but consuming it is not: users must pay for access to other user-generated content, including the ability to go back beyond a few days on their own home streams to see their friends’ content.

Because FetLife is overwhelmingly about sexuality and because sexuality is so stigmatized in society, the social network must jealously guard its reputation as a safe place for users to post their personal sexual photos, videos, events and anecdotes. The problem is that for anyone who isn’t out and proud about their sexual choices, this social network isn’t a safe place to post such media.

“We have a fetish for security,” FetLife tells users on their sign-up page and even in a recent announcement about changes to the site. It sounds nice. But one need only look a little closer to see that it doesn’t mean anything.

FetLife issues frequent assurances to users that any content they provide is protected, but the fine print explains this protection extends only as far as the standard practice of safeguarding user passwords by encrypting them and transmitting them over a secure connection, as well as preventing attacks through the site itself via cross-site scripting vulnerabilities. Stripped of the technobabble, this is akin to hearing your realtor assure you that the house they’re about to show you has glass in its windows. Likewise, these “privacy” measures aren’t something to brag about — they’re what every social network user deserves.

FetLife depends on users not having the technical knowledge to grasp that the words FetLife uses when discussing how they protect users — encryption, secure connections, vulnerabilities — don’t have anything to do with ensuring that users are not outed on parts of the web that are indexable by Google.

Among those who do understand how little protection the network actually offers, FetLife relies on their failing to grasp the most likely threat to their privacy. The likely scenario no longer looks like a single person getting mad at another, targeting that user explicitly, and sharing screengrab of that user’s kinky profile on Facebook or LinkedIn where their mom and colleagues may see it. The most likely threat is indiscriminate: FetLife is designed in such a way that mining information on the network is trivial. That means that a bit of code can easily — and legally — access and copy everything on the network. All 3,835,973 profiles, 19,953,160 pictures, 183,139 videos, 1,816,804 blog posts, 4,916,747 discussion threads, and 340,881 events.

Users should know this. But they don’t. FetLife has done everything in its power to silence concerns among the more technologically aware, while assuring its userbase that protecting kinksters from being outed is its top priority.

The Meat

“[FetLife] doesn’t have a search function implemented because ‘it doesn’t want to turn into a meat market,'” Mircea Popescu mocked in an introduction to his Meatlist series. “Which is silly, seeing how the first driver for people getting together in the first place, and therefore the foremost underlier of all society, is exactly trade. Not to mention that the prototype of all trade is the trade of women for that purpose. Whether done by the women themselves or whatever way it’s organized, that is still the most important function of the marketplace, which is the most important underpining [sic] of society. So… tough. Let’s turn FetLife into a meat market together.”

The rage from FetLife users that met Popescu’s Meatlist is curious considering that while FetLife bills itself as a place for kinksters of all stripes, it only serves its users one thing: female bodies.

The Kinky & Popular section on FetLife is a curated stream of the site’s most popular photo, video and text posts, which gives users access to about 50 items per day unless they pay five dollars per month. According to the site’s own call-to-action text, paid users get to “perv to over 5,000 items per day.”

perv on, they call it

I’ve been on FetLife longer than Kinky & Popular has existed and I’ve yet to see a single sexualized male body in that section.

Clearly there’s a difference between a person who shares a piece of media of their own free will with a site and a person who is exposed without their consent. But the difference begins to shrink as one enumerates the ways that FetLife has failed users: by creating a false sense of security, by using their media as a commercial incentive by default, and by failing to fully delete their media when users try to take it down.

We — the female-identified users, and especially those of us who are submission-oriented — are FetLife’s meat. We’ve always been FetLife’s meat.

The History

Hacking is like breaking and entering. What Popescu did wasn’t even trespassing. The truth is that users are so easy to enumerate on FetLife, it’s almost as though FetLife was designed for data mining.

And this isn’t the first time it’s happened, either.

In 2012, I covered a number of security and safety issues on FetLife, explicitly mentioning the ease with which the network could be mined. John Baku, the social network’s founder, responded to the piece, saying, “With respect to your technical concerns… I am not sure where you got your facts from but this is not the case. Though, if you can prove us wrong then we would for sure fix the problem.”

Baku had to deflect. Three weeks before my piece, a FetLife user and hacktivist by the name of maymay had, in fact, illustrated just how easily profile information could be mined and exposed outside the walls of FetLife with a simple bit of code that remains available.

FetLife refused to admit it had failed its users. Baku labeled that incident an “ill-intentioned attack” and spun it as a one-time situation — the work of a malicious hacker that FetLife bravely thwarted.

“Within an hour of being notified of this tool we blocked it,” Baku wrote in a post that announced the network’s response to the crisis.

It was a lie that it was an attack. It was a lie that the tool had been blocked — the single server that had been running the code was blocked, not the ability for this or any other bit of code to easily mine everything on FetLife. This has been illustrated twice since: last year, when a site called FetLifeSearcher made it possible for anyone to search through FetLife profiles, and again, with the release of the Meatlist.

It’s not lost on me that maymay’s illustration of this issue didn’t get the media attention that the Meatlist has generated: maymay’s code exposed the profile information of FetLife users in positions of power and overwhelmingly male, rather than focusing exclusively on potentially vulnerable women under the age of 30. If we, the female-identified users on Fetlife, are the meat, then we, the media, are actively contributing to the consumption of female-identified bodies, even as we set out to raise awareness about what this “blatant case of misogyny and predation,” as the Meatlist has been described, says about BDSM culture.

The Other List

By mid-April Popescu’s Meatlist had transcended discussions among users and begun to draw media attention. That’s around the time that an e-mail from maymay landed in my inbox: “[The data mined from FetLife] can be cross-referenced with the database [detailing reports of abuse among FetLife users] collected by Predator Alert Tool for FetLife, and can thus be used to answer questions like, ‘What is the most known dangerous city for submissive-identified women?’, ‘what is the average age of an accused male dom?’ and so on.”

The first thing maymay did with the mined data was release a collection of all dominant, male-identified users with paid accounts on FetLife under the name “The FetLife Creeplist.” The second thing maymay did was put the information to work.

Analyzing 15,495 premium FetLife accounts — that is, the network’s paying customers — maymay discovered that 73 percent are men. As has been pointed out, this stands in contrast to trends on social networks, where women tend to dominate, but is more in line with porn sites, where one third of users or less are women.

Of these male users, the majority (42 percent) identify with a dominant type of sexual role (daddy, dom, master, sadist, and top), compared to 11 percent who identify with submissive roles (babygirl, bottom, brat, kajira, pet, slave, sub). Only 18 percent of all paid users identify with a submissive type of sexual role.

Suddenly, it makes sense that Kinky & Popular would be dominated by imagery of sexualized, submissive women.

Next, maymay looked over data collected by the Predator Alert Tool for FetLife, an add-on independent of the social network that users can install to read and report consent violations while browsing FetLife. This add-on came into being following a 2012 campaign by FetLife to silence victims of sexual assault; it’s been available for almost three years and holds reports on 652 individual FetLife users.

Paid users make roughly over one percent of total users on FetLife, but they make up 13 percent of alleged abusers. Of these, over 60 percent were male-identified, with the most likely roles for abusers being “dom,” “sadist” and “switch” (someone who alternates roles between dominance and submission).

“If you ever wanted a clear idea of why [ … ] continues to insist on the protection of rapists time and time and time again ad nauseum, here’s a big clue,” maymay wrote, referring to FetLife’s policy of removing posts that accuse people — by username — of sexual assault or other types of consent violation.

The numbers are interesting and well-worth the analysis, though one would need to do a multivariate regression for both usage and paid status to understand if there is a statistically significant relationship between paid users and abuse.

The Nonsense

When it learned of the Meatlist, FetLife did the same thing it did when it became aware of FetLifeSearcher and maymay’s 2012 so-called “attack”: it issued a copyright takedown notice under the Digital Millennium Copyright Act (DMCA) to Popescu’s host and other online service providers.

At first glance, this maneuver seems odd — a DMCA takedown notice is an instrument that copyright holders can use to force online service providers to remove material that infringes on their copyright. Online service providers that host user-generated content are not liable for a user’s infringement of someone else’s copyright unless they know about it or fail to respond to notifications about it. Issuing a takedown notification is a surefire way to get them to jump into action.

The problem with FetLife issuing a takedown notice to address the Meatlist and other such instances where mined data is publicized is that details from users’ profiles are not subject to copyright. That a person is 25, lives in Los Angeles, identifies as a female submissive and uses the name Retour_à_Roissy online is not subject to copyright by FetLife or that person for the simple reason that facts cannot be copyrighted.

As Supreme Court Justice Sandra Day O’Connor put it in the 1991 case Feist Publications, Inc., v. Rural Telephone Service Co., “Census takers, for example, do not ‘create’ the population figures that emerge from their efforts; in a sense, they copy these figures from the world around them. [ … ] Census data therefore do not trigger copyright because these data are not ‘original’ in the constitutional sense.”

Whether something can be copyrighted depends on its originality: a user can claim copyright over any essay she writes on FetLife, or a photo she takes that she shares on the network, but the mere fact that FetLife has compiled profile information from its users does not make it the copyright holder of this information.

The copyright avenue would only work if the content that was mined from FetLife and shared outside of the network was creative in nature, such as a user’s writings, videos, or photos. Because it is the individual users who are the copyright holders, it is usually they who have to issue a DMCA takedown to a copyright infringer’s host and other online service providers. The reason BitLove feels so confident in abusing the DMCA process is that FetLife’s terms of use grant the company “the right and authority to enforce [a user’s] DMCA and any and all intellectual property rights against alleged infringers at [that user’s] request.”

Even if the takedown was for a legitimate copyright violation, there’s no guarantee that it would immediately remove the infringing content from the internet. Popescu and maymay might play by the rules, but not everyone does — if the proliferation of “revenge porn” sites has taught us anything, it’s that.

The Abuse

FetLife uses the DMCA process in lieu of real security mechanisms because it’s very easy to abuse it. To avoid liability, the host of the content that receives a DMCA takedown notice may disrupt access to the content, pending a response from the person alleged to be infringing copyright. For users who are unfamiliar with the DMCA process, the disruption of service often intimidates them into backing down — even in cases where takedowns are fraudulent or the work said to be infringing is protected by fair use.

This has been changing over the past decade, helped in no small part by the number of legal fights undertaken by the Electronic Frontier Foundation against known DMCA abusers and the press these cases have generated.

BitLove, Inc., FetLife’s parent company, would fall under the category of a DMCA abuser. The takedown request sent to Popescu’s webhost, for example, listed an incorrect U.S. copyright registration number and claimed that BitLove holds copyright over the “Entire FetLife database.”

The copyright I eventually found for the company appeared under a different number and, rather than cover its entire database, refers to FetLife’s software stack; the text that BitLove developed for the site; the manner that information provided by users is arranged and presented on the site; and any changes BitLove may subsequently make to these things.

It’s worth noting here that copyright law in Canada, where BitLove is headquartered, is different than it is in the U.S., and could be interpreted to offer more protection to the collection of information. Unfortunately for BitLove, Canada lacks a DMCA-like process by which alleged copyright-holders can rip content off the internet without having to prove they truly hold copyright.

But the fact that takedown requests in the United States are issued under penalty of perjury and that it’s possible to seek damages against companies that abuse the takedown process isn’t BitLove’s only problem. A FetLife agent’s claim — in a legal document — of copyright for the whole of FetLife could be construed to constitute a claim of responsibility for the “creation or development of information provided” within its database, as specified in Section 230 of the Communications Decency Act of 1996 (47 U.S.C. § 230).

Such a claim would weaken BitLove’s position on one of the most important protections for online service providers offered by American law: the above-mentioned Section 230, which states “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.”

Holding the copyright to everything means being responsible for everything on the site, including the pornographic content that is FetLife’s bread and butter. As anyone who distributes pornographic content and is subject to U.S. law knows, that means keeping records that verify the age of every person engaged in sexual activity in all media on its database (18 U.S.C. 2257).

Even though BitLove’s claim to copyright over the entire database is incorrect, even if the takedown request fails under Feist, their having made a public claim to being recognized as the rightful author of the information may, in itself, be enough to jeopardize their 230 standing.

(Jurisdiction is an open question when it comes to FetLife, as Alana Massey has written, given that the company is based out of Canada, its domain was registered in Arizona and its servers are in Texas.)

The Aftermath

After BitLove issued its DMCA notice, Popescu took down the Meatlist and sent a counternotice. BitLove’s next move would have been to file a lawsuit against Popescu to keep the content offline, but the legally-mandated 14-day window in which BitLove could have brought legal action came and went and Popescu made the Meatlist available once again.

The lack of legal action on BitLove’s part is telling, as are the FetLife content guidelines that illustrate that BitLove’s officers have at least a basic understanding of how the DMCA process works. Nevertheless, almost two months after failing to file a suit against Popescu, BitLove issued a takedown notice to maymay’s host, which took the post down pending maymay’s counter-notice and the expiration of the 14-day window for BitLove to file a lawsuit.

Two days after Popescu published the eleventh installment of the Meatlist last week, FetLife’s founder John Baku defended him in an podcast interview, saying “the people who have been scraping FetLife weren’t doing it because they were malicious. [ … ] What they wanted to do was more easily find people. And what I mean by ‘find people,’ is find people that they might be interested in having a relationship with. So in that perspective, I’m not going to say these people are bad people, they’re just people who are technologically savvy and see a problem that wants to be solved. Because FetLife is the anti-dating site, it’s also the site that has the highest ratio of female to male members, so it’s the best place to go for dating. So I think it needs to be said that they’re not trying to be malicious, they’re not trying to be mean, they’re not trying to be bad people, they’re just trying to scratch their own itch.”

Baku additionally claimed to have no knowledge of the Creeplist or the Predator Alert Tool for Fetlife.

Today, Mircea Popescu published the twelfth installment of his list of FetLife women under 30. The Creeplist will be legally clear to return to maymay’s blog this week as well — but then, the Creeplist never left the internet. In a clear illustration of how inadequate the DMCA takedown process is as a security mechanism, someone captured the contents of the Creeplist with a internet archiving tool before the post was taken down. This capture was almost immediately indexed by Google, meaning everything on the list has remained only a search away despite BitLove’s legal maneuvers, and very well could remain available, even if maymay decided not to republish the post.

If anything positive can be said to have come from this, it is that enough users have raised concerns about data mining that FetLife has been forced to address the issue. Recently, Baku announced that FetLife’s newly-expanded team of engineers was working to “combat automated traffic” and reduce the likelihood of data-mining. These changes will not make it impossible for things like the Meatlist and Creeplist to happen, but they will make scraping more time-consuming, which can be a deterrent.

It’s unclear why FetLife failed make such a change when it became aware of this problem in 2012. The social network has yet to accept responsibility for the role its own code played in both lists or acknowledge the risks that users of their network still face.

Image by Marius Boatca (Flickr, CC BY-SA 2.0). Correction: This piece initially failed to mention that FetLife’s terms of use grant BitLove the authority to issue DMCA takedown requests on behalf of FetLife users. That doesn’t change the crucial points of this piece, but we believe in transparency, so we wanted you to know.