I'd like to continue my quasi-useful unhinged ramblings by killing something that many of you love.

P411, aka Preferred411. TL;DR; don't use it, if you do use it, stop using it and tell them to delete your data. Do it now, tell your friends. Here's why:

 

 Now now, I can hear you already "No sauce, P411 is cool, they're legit, no way they'd cause us any harm", to which I'll reply, surely you realize that, someone not meaning to harm you can indeed end up harming you... right?

 I have no doubt that, the folks behind P411 have the best of intentions. I mean that in earnest, if there were going to be issues with them, there would have already been issues with them. My objection, and, what your objection should be, is the storage of PII, so let's have a look shall we? https://preferred411.com/privacy

 P411 requires that you send them, digitally, your full name, e-mail address, telephone number, website url, etc, use your imagination in terms of what "etc" means. Basically they have, initially, the full monty, all of your PII, But they delete that, or say they delete it, and, well, they seem trustworthy so, what don't they destroy? What do they gather after the fact? Well they define that as well.

 They keep, "P411 Id, email address, user name, security questions, and partial phone number", additionally, as you use their website, they keep "All communications made through Preferred411", "all communications with Preferred411", " All activity within accounts", your IP address, geolocation, browser type, HTTP referrer information, and track you via their login cookie via uniqueID, and in addition to that, for the ladies, they store photos of your government-issued ID.  

 Additionally, they disclose "This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply", which means that, your communications with P411 directly are likely directed to a google apps account, so google has access to them. Additionally, any time they serve you a reCAPTCHA, google has access to your information as well. Google, of course, packages and sells that information to advertisers, who then package and sell it to other advertisers, etc etc. That's because reCAPTCHA as a service, is Google's code, running on their website. That code knows what website it's running on, and that you're interacting with it.  

 
 Now, if you've been paying attention, you can see the problem here.  
For those that don't, it's simple. They say they delete your information, but, they then store and continue to collect enough information that, you could easily be identified by them or anyone else with access to their databases, and, they're sharing enough information with google that it would cost somewhere around $25 to reveal your real name via access to any number of marketing data services. A VPN will not protect you from this, if you've been using the site, you're already exposed, and will remain exposed for awhile even if you cancel your P411 membership and request they delete your data (which they require you to do so via email).

 
 That's not really even the worst part. See, a website isn't infallible. P411 even admits this "we are unable to make any guarantees that our measures (security measures) will prevent an illegal hacking, which could result in the data on our servers being compromised.", and boy howdy do I have a treat especial for you, their site currently has a rank of "C" on the Mozilla Observatory (MZO). That's, pretty good, however, and this is a big however, their site on April 11, 2016 had an "F", a hard "F", a **zero**, on MZO, on November 23, 2020, another "F", with a score of 10, and it wasn't until recently, within the last year, that they got things secure enough to earn a "C". I now consider it safe enough to report this to you, as in their current state, they're likely as secure as most websites you use, and revealing this to you, and the world, presents no additional risk to anyone as this data is already public elsewhere.

 But it gets worse, see, MZO isn't a well known tool outside of security researchers and hackers. It also doesn't just go scanning websites willy-nilly, one has to request that they scan a site. That means, some interested party, in 2016, scanned P411, and found it wildly insecure, it was scanned again four years later, maybe by the same person, maybe not, and again found wildly insecure, and it remained as-such until recently, all the while, those scan results were available to the public, searchable, findable, and there's no guarantee that any of those interested parties were at all affiliated with P411, nor is there any guarantee that those results were used in a benevolent manner. I've linked those results below so you can see for yourself.  

 

 I'll wrap this up with, if you have used P411, they've betrayed your trust, they've sold themselves as one thing, and delivered you another by remaining massively insecure for years, and allowing Google, a 3rd party, to run code on their website that deanonymizes their users. They likely have no idea if they were compromised between 2016 and now, and neither do you, nor do they have to disclose a breach to you (as per their TOS). The best move was to never use them, the second best thing is to stop using them today.

 
disclosure: I've never used P411, I have no interest, personal or otherwise, in P411, or any competing ventures. I simply like you and want to try and help keep you safe.

So let me ask...what do guys do when asked for RW info or p411? I mean p411 got them around the issue of just giving it to one entity instead of giving it out to every women for every date request. So which is the bigger risk? I guess p411 is a bigger target certainly but it's only one target. I am trying to determine the risk assessment and not knocking your main point at all.  
For the ladies that demand more than references, aren't you taking away a valuable tool for the guys if they heed your advice? I know the simple answer is only see girls who screen with references but that is a pool that grows smaller by the day. Interested in your thoughts.

I have been saying this for years . . . . You draw a line through their name and move on to the next lady on your TDL, tell the next lady you have recent provider references and if that's not good enough, you will draw a line through their name, too.  There is no reason for a provider to need more than a few good references in order to book an appointment.  This RW stuff is all recent, and all it does it give providers something to hold over your head if they don't like ANYTHING you say or do.  If the girls who screen for references become the only ones getting business, the others will fall into line or starve.  That would be an easy choice for most people.  There are one or two ladies who post here who look like they don't miss many meals, probably paid for with deposits.  Lol

 
For the record, I have never been on P411 for the very reasons the OP describes.  There have been plenty of threads here about guys getting hacked and threatened with blackmail.  Why make it any easier for them by having your information in a database that you do not control?

-- Modified on 2/21/2024 5:03:31 PM

Some guys live in smaller cities and have much less choice. In other larger cities, it is now par for the course to be asked for RW info by most women charging $500-600 and up. Everyone has to balance their own risk vs the perceived reward. Its not like it used to be, thats for sure.

If you're asked for RW info, you have a simple choice. You either tell them you will not give it out, you lie, or you pass. Personally, I try not to lie whenever possible, but I especially do not lie when it's going to harm someone, or potentially harm someone. I think that's a 'good enough' policy for this industry.

 
 In terms of what the bigger target is, it's P411, by far. There's way more potential value in gaining access to P411's databases for a threat actor than there is even a popular provider. That exactly that value is depends on the threat actor in question, but it'd be a juicy score for any of them to be sure.

 
 Make no mistake, it really pains me that I'm taking a tool off the table without being able to offer any sort of alternative. I know, roughly, how a 3rd party verification system should work, you can certainly make it safe for everyone to use with a zero trust model that doesn't require an all-knowing trusted 3rd party.  
 Think of something akin to humaniplex, but end-to-end encrypted like keybase. The servers it runs on have zero-knowledge of the content they serve, the decryption happens in-browser with public/private key pairs. Then, you take HX's ranking feature, and apply a ranking algorithm to determine who vouches for whom, and who's vouch is worth what. Nothing ever gets tied to a real identity, the users exist as a username and a public key. Discovery is where it gets tricky, because you have to, in some ways, prevent discovery, and then create easy, secure ways for that to happen out of band, so, in person, on other networks, etc. I haven't quite figured that part out, so the idea's not in parity with P411, I think it's possible, I just immediately know how.

 From there you need devs, which, no shortage of mongers who are developers, I'm sure, and you need a way for people to pay for it, and you need a place to host it, and some runway to get it off the ground, and, a way to continually fund it. You might be able to get it skinny enough to run on IPFS/ENS which can be hosted via a number of decentralized ETH domains, and likely should be on all of them at once, and you have a proper web3 app, open source, auditable, etc.

 Then you have to win over the hearts and minds of every hooker and whoremonger in the world, which is the hard part. Design=Easy, Dev=Easy, Deployment=Easy, Marketing=Hard and, again, aside from an idea, I don't have any desire to actually do this myself, my day job keeps me busy, and very mentally stimulated, I've just thought about what would actually work as a replacement here.

It's just a big ask to tell guys they cant use something they have relied on for what, 15 years or so, to see hot women. You know what has happened to the business in the last 3-4 years. Even tough dudes like you and CDL know what clients are going through. lol.
Seriously though, in an environment where the guys feel like they have been beaten down to a pulp with pricing, deposits, RW info, selfies, LinkedIn, etc etc etc you are asking them to take yet another hit.  
That doesn't mean your warning isn't valid or what you are saying isn't true, it's just that I think most guys will sit tight as they know no other way at this point and to a degree, stopped caring, or are caring much less, about risk in general then they used to.
I think you are looking out for the community and I appreciate that, it's just that the community, on the demand side, is so bloodied, battered and beaten, it may not care anymore.
Thought provoking post. Thanks.

It's not just the mongers here, it's the providers as well. If anything, the providers have more potential liability given that their RWinfo is stored directly on P411's servers.

 
Realistically, that's where the change is likely to happen first, given how skeeved out most of the ladies are about their private information getting/being out there.

 
Which, if that does indeed end up being the case, which would take some significant work, I don't see things getting worse really. Remember Bob, my friend, anything that gets in the way of money changing hands is bad for business. Even if a lady doesn't know that verbatim, if she's been in the game for any kind of time, she knows it intuitively.

Many of us have used it for years . If something better pops up and proves itself over time we will all flock to it in droves. However we live in today . Over the years verification sights have come and gone many ,many times. Some resulted in large busts and exposed people.  I would suggest rather than bitching about what is working. What is your ready made available today solution ???????    

Does not have any of my PII/RWI. I'm sure I'm not the only one in this position.

Nor do they have mine. I was fortunate enough years ago to be verified by 2 wonderful providers that allowed me to join p411 without having to divulge any RW info.

" P411 requires that you send them, digitally, your full name, e-mail address, telephone number, website url, etc, "
This is false.  
I don't know about the rest of it, but when the part of a screed that I can check for truth fails that check, the rest of it becomes far less persuasive.

100% of that was taken from P411's privacy policy, which I included a link to.

 
I'm not coming up with anything new here, I'm connecting the dots so the folks that use this service can understand how incredibly vulnerable it makes them.

I joined in 2017 and only needed a vouch from one provider and my first 6 months were free.

Remember that, even if you did manage to get in without directly submitting any RW info, P411 using google's services, and operating for the better part of a decade with abysmal security practices, means that you've defacto given them your RW info.

 
The only reason you haven't seen any direct consequence of that is due to a lack of interested, capable parties, and that situation is 100% P411's fault. Or put another way, having a bad idea and getting away with it doesn't mean it's not a bad idea, it's still a bad idea and you've just got lucky. It really is fairly trivial to connect an advertisingID to a real life person nowadays.

The basic chain of events is, P411 leak via google, google sells that data to brokers, brokers connect data to RW information heuristically, and those heuristic models are terrifyingly good, they then sell that packaged, deanonymized data to other brokers, and marketing endpoints. All of this is public facing, and takes little more than a credit card to gain access to. And that's completely discounting the very real potentiality that they've been hacked and not known it or not disclosed it to you.  
 
Personally, I only roll the dice after a pretty girl blows on them.

END OF MESSAGE

It potentially has my credit card number and name on the CC.  Although they claim to not keep that info, and therefore don't do recurring billing.   I was "invited" to p411 by one provider I saw, and then got a second to verify me.  At that time I didn't need to give any real world ID.  But did do the CC after the first six months free.  This was around 2017 or so.

I guess this one will just have to take a number behind the 16 other corporate data breaches that I have to deal with already 🤪

a provider needs anyone's RW info.
All a provider needs is to know  your a respectable hobbyist who plays by the rules of what this hobby is suppose to be about.

That's all.

HaveIBeenPwned.com is a cruel, cruel mistress, and not in the fun way.

 
 
As they say though, knowing is half the battle.

If a hacker with talent and resources wants data badly enough, they'll get it. Pretty much every website is one determined hacker or a subpoena away from their data becoming public.  

That said, P411 appears to be offshore which helps with subpoenas. And I think we can assume it's not running on custom software (that's good!), but is on some sort of content management platform that has a business interest in security and tries to keep up with new threats. That will deter all but the most serious attempts.

Given that the site hasn't yet been compromised or destroyed -- although that's possibly what led to the F security rating in 2016 -- it's a fair assumption that the people who could crack it don't see the value in doing so. Hacking is almost always about money and P411 doesn't offer any. Providers wouldn't be worth blackmailing nor would the vast majority of mongers. Too much risk not enough reward.

You're right in assuming that *most* hacking is done for profit. Don't count out the hacktivist though, they're the ones who dumped Ashley Maddison's databases onto the internet for all to peruse. They also were selling curated lists to those in the scene prior to them announcing it, that's not public information, but it certainly happened, so motivations aren't as black and white as the news makes them seem.

 
There's also zero guarantee that they'd notify their users of a breach. Sure they're in Spain and under GDPR, but their TOS/Privacy policy doesn't follow GDPR guidelines, so, no reason to assume they'd follow them either. They seem to shift all the blame of any sort of negligence on their end onto their users with "You are responsible for any loss of data or damage that may arise from your use of Preferred411" in their TOS, though, like I said, their privacy policy and TOS aren't legally enforceable anyway, so, it's likely that a more realistic take is "we're going to do whatever we want".  

 In terms of technologies used, I have no idea what they were using in 2016, I never checked, and checking now, looks like a fairly standard react/goober/next website, full of all the standard google ad/tracking spyware that a normal website would have. I haven't poked at it, aside from viewing the source code, no real need to. I would assume that they didn't ever fix their 2016 site, they likely rebuilt it and launched a new page somewhat recently, no telling if they swapped out their CMS backend at the same time, but, safe to assume they did. And nowadays they have a C-rating, some issues, nothing particularly egregious, about average. The kinda thing you'd see on a typical webpage that hasn't been updated in a couple years.
 
And again, I really want to be clear here, I'm not a pentester, nor would I pentest their site for free or without consent, there could be vulnerabilities I'm not privvy to, and that doesn't matter. Google tracks everything you do on P411 and sells that data, that's enough to not use it for anyone who knows how modern adtech works.

Flame me  .. these days literally 99.% of people do not browse securely. This is because 100% of the internet requires unsafe browser capabilities. Why because the data it captures is valuable.

Unless you are over the top careful.. its easy to triangulate your access even un autehticated requests across the internet.. Yes even with TOR and with VPN..  Machine Learning and Ai have become common place.. all you need is a decent but of compete power and some Basic skill and you can identify most people.  

The effort you would have to put into anonymity is mountain sized. Just be a good person, don't do anything abhorrent to anyone and stay away form people who would look to harm or exploit you.. thats the best you can do.

If the legal system is looking for you, state or federal  they will find you if you are online.. period.. ... you'd have to go AIR gap ..

It's important to realize that very little in life is boolean, privacy is no different, opec/exposure/etc is no different.

 
Governments, the powers that be if you will, don't tend to target specific people doing something, they use dragnet surveillance to identify potential targets, then further dragnets to identify easily targetable people within that group. The resulting dataset is then hand filtered by people down to those that they can make an easy case against.
 

 
So what you're trying to do is avoid the dragnet, because you're correct in assuming that most cannot often avoid the actual humans involved. You want to be under the radar, being invisible is too hard for most, and, not really necessary for this sort of thing. We're trying to get our beaks wet, not break into fort knox here.  
 
P411 though, that's an easy dragnet. I'm not pulling any punches by calling it a honeypot, it is, and many people in this hobby are willfully stuck in it. They're 1 breach away from being caught in it, and they have no way of knowing if that's already happened or not.

Burner phone number, old expired id from way back , email is for hobbying purposes  only  etc.  
Eight years running and no issues with them so far. No under age thing going on there,they rebranded themselves as a verification site,the operator are former  high end sex workers , so,.... so far so good.

After my hiatus, I wanted to get back on there. They required me to send them a FULL, 100% un-blurred photo of me holding my ID. I could not even cover part of my name. (I suggested, say my name was Kimberly Kardashian, I would blur all but the first 3 letters, i.e. Kim***** Kar*******)

They said no. It has to be 100% ub-blurred.  

An absolute NO.  

So, you will not catch me on there - and I know I have made the right choice by reading the above.

It's a verification site about the safety of providers and clients. So if you have something to hide and murder a providers  you met on their site, and they can't  identify you, then the site is not serving  it's purposes .

YOU complaining about another website's screening when a potential customer cannot even access your own website without a login?  I would think this experience with P411 would make you a little more circumspect about expecting too much merely to have a look at your website.  Got duplicity?   Lol

And saw everything one might expect: an about me section, ~two dozen very sexy photos, etiquette and cancellation info, touring schedule, rates, and one of those booking forms. I definitely didn’t log in. Maybe it’s just you she’s blocked lol. I’m guessing she has two sites?

 
Simply requiring a login wouldn’t necessarily be duplicitous, depending on what’s required to obtain the password. When you were asked for a login on her site, did you try to apply for one and see what you’d need to hand over? “Prove to me you’re a human being and not a bot for a scraper” is not even in the same library with “send me an unedited photo of your government issued ID”, let alone on the same page. Without knowing what’s needed to login, you’re comparing apples to question marks.

in her TER profile. And no login is required.

 
But I think you’re onto something with the suggestion that certain people could be blocked. lol

END OF MESSAGE

BEFORE I posted about the password protection.  I could not get past the homepage without a login and password.  She obviously took it off after she read my post.  Go ahead and ask her if you want.  If she says "no", perhaps I can come up with a screenshot showing the password requirement.  I often keep screenshots to show a rules violations.  Provider links must be accessible to the public.  Other providers and agencies have been dropped from TER for having password protection on their websites.  I always PM the provider first to tell them about the rules violation before reporting it to TER. This gives them a chance to remove it discretely to come into compliance with TER review rules.  In fact, YOUR post alleging full access is what told me she had taken care of it on her own.  I had not PM'd her yet.  

 
Nevertheless, kudos to Callie for responding so quickly by removing the password requirement.  She did the right thing.  

 
No, Frank, I didn't apply.  I object to handing over my email address in order to get access to a provider's photos.  I have been consistent on this point from the first time I started posting here.  Requiring a login may not "necessarily be duplicitous", but it's a rules violation just the same.  Please pass this on to your "me, too" squad.  Lol

I'd guess she was on a break, and had just forgotten to remove the password requirement.  
 
That keeps the domain 'hot' as far as SEO is concerned, so, better than taking things down entirely.  

 
 
Also, in terms of the rules, when I'm on a board janitor kick, I usually only report sites that are paywalled or outright 404's, I'm not quite sure what the real guidelines are, but, I'm with you in terms of absolutely not giving anything close to a real email address to someone's wordpress contact form plugin. No thanks, hard pass.

I have come across sites that, you can feed it a fake address and it just lets you in. I've also come across sites where sharklasers.com works to get an access code and satiate your curiosity. Which in Cali's case, now I'm just more curious because I do wonder if 5 large gets you actual breakfast in bed, or if it's just a blowie.

I have a squad? Why was I not informed of this earlier? And who the hell is on it? I never even met Harvey.

Then it would have to be a blowie + snowball.  
I guess?
Personally, I would just wait till lunch.

Ew, I knew there was a good reason I never eat breakfast