Here’s how the de-anonymization system works: The researchers figured that a person is more likely to click a link that was shared on social media by a friend—or a friend of a friend—than any other random link on the internet. (Their model controls for the baseline popularity of each website.) With that in mind, and the details of an anonymous person’s browser history in hand, the researchers can compute the probability that any one Twitter user created that browsing history. People’s basic tendency to follow links they come across on Twitter unmasks them—and it usually takes less than a minute.

For testing, the researchers recruited volunteers to download a Google Chrome extension that extracted their browsing history. Since Twitter uses a proprietary URL shortener—t.co—it was easy to tell which sites were arrived at via the social network. The study pulled as many as 100 recently visited t.co links from each user and ran them through the de-anonymization system; within seconds, the program returned the top 15 results from all possible Twitter users, in order of confidence. Volunteers were asked which profile was theirs, if it appeared at all, and had the option to sign into Twitter to prove their identity. The algorithm picked the right profile 72 percent of the time; 81 percent of the time, the right profile was in the top 15.
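The scoring idea described above can be sketched in a few lines. This is an added example, not the researchers' code: it assumes a simplified model in which a link in a user's feed is `boost` times more likely to be clicked than its baseline popularity predicts, and every URL, user name, and number is constructed.

```python
import math

# Constructed sample data (not from the study): baseline share of all clicks
# that each link receives, summing to 1.0 with an "everything else" bucket.
POPULARITY = {
    "http://news.example/a": 0.40, "http://video.example/b": 0.30,
    "http://blog.example/c": 0.05, "http://niche.example/d": 0.02,
    "http://hobby.example/e": 0.03, "<other>": 0.20,
}
A, B, C, D, E = list(POPULARITY)[:5]

# Constructed candidate feeds: links that appeared in each user's timeline.
FEEDS = {"alice": {C, D, E}, "bob": {A, B}, "carol": {A, B, C, D, E}, "dave": {A, D}}
HISTORY = [C, D, E, A]  # constructed anonymous history of four visits


def score(history, feed, popularity, boost=20.0):
    """Log-likelihood that the owner of `feed` produced `history`, up to a
    constant shared by all candidates. `boost` is an assumed parameter."""
    hits = sum(1 for url in history if url in feed)
    # Probability mass the feed covers at baseline; a feed full of popular
    # links explains any history, so it is penalised by the normaliser.
    feed_mass = sum(popularity.get(url, 0.0) for url in feed)
    return hits * math.log(boost) - len(history) * math.log(1 + (boost - 1) * feed_mass)


def rank(history, feeds, popularity, top=15):
    """Candidates ordered by descending score (ties broken by name)."""
    ordered = sorted(feeds, key=lambda u: (-score(history, feeds[u], popularity), u))
    return ordered[:top]


if __name__ == "__main__":
    print(rank(HISTORY, FEEDS, POPULARITY))  # full history
    print(rank([A], FEEDS, POPULARITY))      # only the popular link observed
```

Carol's feed contains all four visited links, yet alice ranks first because her feed is small and unpopular, which is the popularity control at work. When the observer sees only the single popular link, alice falls to last place, which is why hiding the distinctive visits matters more than hiding the common ones.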

For this technique to work in the real world, where people don’t readily volunteer their browsing history for science, a snooper would need to access their target’s digital trail another way. From advertisers to internet service providers to spy agencies, many groups have access to at least a part of your browsing history.

An advertiser with trackers deployed across the web might have a good-enough snapshot of individuals’ activity to be able to de-anonymize their profiles. But there are a few ways that users can stymie trackers: Ad-blockers like Ghostery and Privacy Badger, for example, can keep them from gathering the data they need.

Internet service providers like Comcast and Verizon can access many details about where their customers go on the internet—except when customers visit websites that use HTTPS, a protocol that encrypts traffic sent to and from the website. Service providers—or someone snooping on an open coffee-shop wi-fi network—can’t see details about visits to URLs that begin with https://. Even so, people can still be identified by the unencrypted HTTP sites they visit: The researchers were able to unmask nearly a third of the volunteers in the experiment using just their HTTP traffic.

And a powerful nation-state actor would have an even easier time accessing people’s browsing histories. The National Security Agency’s “upstream” collection programs, which scoop up enormous amounts of data as it passes through critical pieces of the internet’s infrastructure, could piece together someone’s history without any trouble at all. (Of course, there are probably other ways that the NSA could figure out who you are without resorting to these researchers’ de-anonymizing methods.)