Thirty million Americans regularly watch porn online , according to the Wall Street Journal. That's a lot more than fess up to it, even in anonymous surveys: In 2013, just 12 percent of people asked copped to watching internet porn at all. But thanks to pervasive online tracking and browser fingerprinting, the brazen liars of America may not have a say in whether their porn habits stay secret. Porn watchers everywhere are being tracked, and if software engineer Brett Thomas is right, it would be easy to out them, along with an extensive list of every clip they've viewed.

Thomas argued that "almost every traditional website that you visit saves enough data to link your user account to your browser fingerprint, either directly or via third parties." He's definitely right that most web pages you visit (certainly not just porn sites) have installed tracking elements that send your data to third-party corporations, probably without your knowledge. Many, for instance, run Google Analytics, which companies use to monitor traffic to the website. Others have social media "share" buttons and third-party ad networks built in.

Thomas's case went something like this: Your browser (Chrome, Safari, whatever) has a very unique configuration , and it broadcasts all sorts of information that can be used to identify you as you click around the web. You're basically leaving "footprints," as Thomas calls them (others prefer "fingerprints"), all over the webpages you visit. Thus, it's a matter of linking one footprint to another—an expert could spot the same prints on Facebook and NYTimes.com as on Pornhub and XVideos.

"If you are watching porn online in 2015, even in incognito mode, you should expect that at some point your porn viewing history will be publicly released and attached to your name," Thomas proclaimed in a blog post titled "Online Porn Could Be the Next Big Privacy Scandal," shortly after.

Thomas, who lives in San Francisco, recently found himself at a bar, chatting with a member of the online adult-entertainment industry. They got to talking about economics, naturally. While the porn professional insisted that collecting and selling the personal data of users who visited erotic websites wasn't part of the industry's business model, Thomas wasn't convinced.

Pornhub was the only porn site that returned a request for comment. They issued me a statement calling Thomas's conclusions "not only completely false, but also dangerously misleading." In their lengthy, compelling rebuttal, Pornhub pointed out the vast amount of server space they would need to store users' viewing histories—they get 300 million requests a day, and they estimate that storing all of that would require 3,600 terabytes of space. Not to mention that sifting through all of it would be nearly impossible and maddeningly time-consuming. "Pornhub's raw server logs contain only the IP and the user agent for a very limited time, never a browser footprint," a Pornhub spokesperson wrote me in an email.

This, of course, has any number of damaging implications, even beyond the potential humiliation for an outed porn watcher—if you think erasing your internet history wipes out the record of those food-fetish vids or CGI beast porn, think again. Worse, there are still plenty of places around the world where individuals are persecuted for their sexual orientation. A revelation that someone in an oppressive country watched a series of gay porn videos could put that person at serious risk.

All that, paired with the continued rise of casual hacking, Thomas says, means that a complete catalog of your personal porn habits is perennially on the verge of being leaked to the public. Thomas believes that it's not only possible but likely that a hacker will whip up a database that can share your porn-viewing history with the entire internet.

So, for example, when you click on "Leather Fetish #3" on XNXX, you're not just sending a request to the porn site—a so-called first-party request. You're sending third-party requests to Google, to the web-tracking company AddThis, and to a company called Pornvertising, too, even if you're browsing in private mode. You're also sending other data that can be used to identify your computer, like your IP address.

Regardless, it is true that each of the internet-security researchers and experts I interviewed for this piece all agreed that porn viewers' browsing habits aren't nearly as private as they think, even if not agreed with the extent of Thomas's pornpocalyptic pronouncements.

"I think it's absolutely a legitimate concern," Justin Brookman, a privacy expert at the Center for Democracy & Technology, told me. "Private browsing modes don't prohibit all cross-service tracking mechanisms." In other words, switching to private when you browse and clearing your history won't stop porn companies from being able to track you.

To get a better idea of what, exactly, is watching porn-site visitors, I used the privacy app Ghostery, which identifies and blocks tracking elements installed on web pages, to investigate the top five most visited porn sites—XVideos, XHamster, Pornhub, XXNX, and Redtube. (It's worth noting here just how big these porn sites are: According to Alexa, the analytic service, XVideos is the 43rd most visited website in the world. By way of comparison, Gmail is 66th. Netflix is 53rd.)

Ghostery revealed that each site has tracking elements installed, and thus is transmitting data to a number of third-party corporations, including Google, Tumblr, and industry-specific ad services like Pornvertising and DoublePimp.

Furthermore, most of the top porn sites made explicit the exact nature of the film being viewed right in the URL—XVideos, XHamster, and XXNX are all sending URL strings like http://www.pornsite.com/view/embarrassing-form-of-... to the companies listed above. Only Pornhub and Redtube masked the nature of the video viewed with numerical strings, such as www.pornsite.com/watch_viewkey=19212.

88 percent of the top 500 porn sites have tracking elements installed

"The URL is one of the basic pieces of information in all HTTP requests," privacy researcher Tim Libert told me, "so whoever sneaks in their code [e.g., Google, Tumblr] on the page gets that by default. Purely numerical strings [e.g., '?id=123'] may not tell you what somebody's particular sexual preferences are, but you know they are looking at a porn site. In contrast, really descriptive URLs can tell you exactly what somebody is into, so if it says something naughty, well, that's not a secret anymore."