Larger text size Very large text size Garth Bruen long has investigated the seamier corners of the internet, but even he was shocked to discover Rapetube. Bruen gradually discovered dozens of similar sites offering disturbing variations - attacks on drunken women, on lesbians, on schoolgirls - to anyone with a credit card.
Some made clear that the clips were fictional, but other sites had the word "real" in their titles.
At least a few touted videos that he feared might show actual crimes. Sickened, the private investigator tried to determine who operated the sites, a first step towards possibly having them shut down.
But he quickly hit a wall: The contact information listed for websites increasingly is fictitious or intentionally masked by "privacy protection services" that offer ways around the transparency requirements built into the internet for decades. That is especially true for sites offering illicit or controversial content, studies have found.
As a result, although governments have increasingly powerful tools for tracking individual behaviour on the internet, it's harder than ever for private citizens to learn who is responsible for online content, no matter how objectionable. To Bruen, this is the dark side of internet privacy. Advertisement "That's not privacy. That's secrecy," said Bruen, 42, a security fellow at the Digital Citizens Alliance, a Washington-based advocacy group that combats online crime.
Bruen seeks a finer line that, while shielding personal conversations and other private behaviour, would demand those selling content to accept a measure of accountability by making their identities known.
That long has been required by the Internet Corporation for Assigned Names and Numbers, a California-based nonprofit group that, under contract with the US Commerce Department, has broad authority over the issuing of web addresses worldwide. The group, typically called by its acronym, ICANN, requires that site operators provide "accurate and reliable contact details" but has struggled to enforce compliance amid the transnational lawlessness of cyberspace.
Among "adult" websites, nearly half used services to mask the identities of site operators or listed no contact number at all. When investigators attempted to reach site operators whose numbers were listed, the effort was successful for less than 6 per cent of the "adult" sites surveyed.
Yet he acknowledged that it often is not, with the "dark corners" of the internet most resistant to efforts at accountability. When Bruen sent emails, they bounced back as "undeliverable". When he called the phone number, nobody answered.
Still, whoever operated the site remained active, promising in text posted amid pictures of bound, sometimes bloodied women that there would be "regular updates" to what it claimed was "the biggest rape porn site for violent sex videos".
Transparency was built into the internet from its earliest days, when site operators needed to reach one another to resolve technical problems. That led to the creation of the "Whois" database, a consolidated source of contact information that became a popular tool for police, journalists, political activists and companies looking to combat abuse of their brand names and registered trademarks.
When activists against domestic violence in discovered a site called wifebeatersunion. But such tactics have little chance of success when protesters can't figure out whom to target in their protests. The declining reliability of the Whois database is quietly embraced by many privacy advocates, who see the forced provision of contact information as contrary to free speech protections.
US courts recognise a right to speak anonymously as central to the First Amendment, on the grounds that voicing controversial ideas can be dangerous. Most nude images of people younger than 18 are illegal to record, share or view. Some activists for women's rights in recent years have been pushing for legal sanctions against non-consensual pornography - often called "revenge porn" - in which pictures or videos of sexual acts are uploaded to websites after a relationship ends, typically to embarrass a former romantic partner.
Some of these depict consensual acts, but others are from assaults, as was the case with video last year of a year-old girl in Steubenville, Ohio, who was raped while intoxicated.
But if websites show videos of attacks that are not real, there are few practical legal restrictions. When asked about sites that feature "rape porn", the FBI said in a statement: We use a variety of operational strategies to combat this problem and remain committed to identifying those people who would exploit children.
In terms of other types of pornography other than child pornography that would draw FBI scrutiny - we make that determination on a case by case basis. Sites offering what they describe as "fantasy" videos of sexual assaults receive little attention from law enforcement or the kinds of activist groups that track child pornography.
Determining the amount of money involved - or even who receives the profits - is made difficult by the sketchy information available in the Whois database.
Archived versions of Rapetube. He runs a small security-research firm called KnujOn. KnujOn, which grew out of work Bruen did in a previous job as an IT manager for a state agency, investigates sources of spam, those solicitations that jam email inboxes worldwide with offers of easy money or discounts on drugs such as Viagra. During one investigation, Bruen came across hundreds of sites - featuring pirated software, unlicensed pharmaceuticals and get-rich schemes - registered to a single man, Henry Nguyen Gong, with an address and phone number supposedly based in France.
Both the web address and the privacy protection service came from a domain registrar, Bizcn. As Bruen searched for other sites registered to the same person, he was startled to find Rapetube. The images and descriptions Bruen found there only deepened his concern, prompting him to complain to ICANN and raise questions about the site in an email to the organisation's chief executive, Fadi Chehade.
Bruen eventually would file more than complaints against Bizcn. They were among more than complaints Bruen filed to ICANN about faulty contact information in one four-month period last year.
When Bruen requested a review of the cases from ICANN's in-house ombudsman, the ombudsman wrote in a report, "There is no substance to the complaints" and ruled the contractual requirement that sites provide "accurate and reliable contact details" did not mean that the information had to be "verifiable". Bruen was more angry than surprised at the outcome. ICANN has repeatedly voiced support for transparency and required domain registrars - the companies that sell web addresses - to collect contact information on site operators.
Their contracts give ICANN authority to suspend registrars that failed to do so, but enforcement has been lax for years, according to experts and studies. After 30 days, the errors remained for 33 of the sites, nearly three-quarters of those checked.
Enforcing these rules is hard It would be a lot easier to ignore the problem," said Benjamin Edelman, a Harvard Business School professor and former ICANN employee, who once testified to Congress that the Whois database was "substantially fiction".
Those seeking to falsify contact information once favoured fanciful names, such as Mickey Mouse and Donald Duck. Now they increasingly rely on "privacy protection services" that typically are offered, for a small fee, by the same domain registrars that sell web addresses. These services are supposed to furnish contact information upon request, but in practice, they rarely do, according to Bruen and other critics.
The ICANN report in September found that the use of such services was "very high" or "extremely high" for sites featuring pornography, financial scams and unlicensed pharmaceuticals. For legal pharmacies, law firms and executive search consultants, the use of "privacy protection services" was much less common. Even the domain registrar's industry group, the Domain Name Association, has endorsed the idea of a more accurate database, at least in concept.
The association also has argued that more rigorous record keeping would add to the costs for registrars if they have to verify identities through passports or other official documents.
You've got to make sure it's policed. Efforts by The Washington Post to reach the operator of Rapetube. Calls were not answered. Emails were returned as undeliverable. Efforts to mail a letter failed because the listed address in Nimes, a city in southern France, is on a street that does not appear to exist.
The domain operator, Bizcn. But after Bruen expressed his frustration publicly, in a post on his personal blog in September, Rapetube. Instead of images of naked women with gags in their mouths or shackles on their bodies, error messages appeared.
He wasn't sure why, although he guessed that some internet providers had quietly blacklisted the site, making it impossible for users to access it. A few days later, with Rapetube. He quickly found more than Nearly a year after discovering this extreme pornographic niche, Bruen was little closer to learning who operated the sites.