Visitors to porn sites have a “fundamentally misleading sense of privacy,” warn the authors of a new study that examines how tracking software made by tech companies like Google and Facebook is deployed on adult websites.

The authors of the study analyzed 22,484 porn sites and found that 93 percent of them leak data to third parties, including when accessed via a browser’s “incognito” mode. This data presents a “unique and elevated risk,” warn the authors, as 45 percent of porn site URLs indicate the nature of the content, potentially revealing someone’s sexual preferences.

researchers say “everyone is at risk” from tracking porn habits

“[E]veryone is at risk when such data is accessible without users’ consent, and thus can potentially be leveraged against them,” write the authors. “These risks are heightened for vulnerable populations whose porn usage might be classified as non-normative or contrary to their public life.” This might include countries where homosexuality is illegal, for example, or instances when a public figure’s sexuality is not public knowledge.

But while it’s clear that people are being tracked when visiting porn sites, it’s less certain what happens to this data, and in what cases it can be linked to someone’s identity.

Trackers made by Google and its subsidiaries, for example, appeared on 74 percent of the porn sites the researchers examined. But the company denies its software is collecting information that is used to build advertising profiles.

“We don’t allow Google Ads on websites with adult content and we prohibit personalized advertising and advertising profiles based on a user’s sexual interests or related activities online,” a Google spokeswoman told The New York Times, which was first to cover the findings of the study. “Additionally, tags for our ad services are never allowed to transmit personally identifiable information.”

Google and Facebook deny using trackers on porn site for advertising

Facebook, whose trackers appeared on 10 percent of the sites the researchers looked at, made a similar denial to the NYT, though the code it release to track users can be embedded in any site without Facebook’s permission. Another US tech giant Oracle, whose trackers appeared on 24 percent of sites studied, has not commented on the study.

Putting these findings in context is difficult, as trackers are endemic across the web, and many have banal applications. Some cookies are used to remember your login details when you visit a site, for example, while others feed data about web traffic back to companies. A huge number are dedicated to coordinating online advertising, helping firms serve ads across multiple sites.

The type of data collected by trackers varies, too. Sometimes this information seems anonymous, like the type of web browser you’re using, or your operating system, or screen resolution. But this data can be correlated to create a unique profile for an individual, a process known as “fingerprinting.” Other times the information being collected is more obviously revealing, like a user’s IP address or their phone’s mobile identification number.

“This isn’t picking out a sweater and seeing it follow you across the web.”

“The fact that the mechanism for adult site tracking is so similar to, say, online retail should be a huge red flag,” Elena Maris, the study’s lead author and a researchers at Microsoft, told The New York Times. “This isn’t picking out a sweater and seeing it follow you across the web. This is so much more specific and deeply personal.”

The study, which is due to be published in the journal New Media & Society, also found that without using specialized software it’s practically impossible for users to know when a porn site is tracking them. Privacy policies that might disclose such information were only available for 17 percent of the 22,484 sites scanned, and the authors note that when such policies are offered, they’re usually so specialized as to be unreadable to most users.

Even if tracking companies themselves are not connecting users’ porn habits to personalized advertising, there’s a clear risk that such data could be hacked by outsiders. In recent years, a number of adult sites like Digital Playground have been attacked, with hackers retrieving emails, passwords, usernames, and credit card details.

The study’s authors conclude that the “overwhelming leakiness” of porn sites’ data needs urgent attention. They suggest that government regulation could help enforce new privacy norms, and that users must be made aware of the information they are potentially revealing.

Correction, Friday July 19th 2:30PM ET: An earlier version of this article stated incorrectly that YouPorn had been hacked, in fact, YouPorn’s discussion forums, YouPorn Chat, which are administered separately to YouPorn, were hacked. We regret the error.