The big picture: A new study out this week shows that tech companies, including Facebook and Google, have tracking software embedded in most adult websites. What’s worse is that usually the site policies do not even disclose the tracking to the user.

Researchers from Carnegie Mellon, the University of Pennsylvania, and Microsoft analyzed 22,484 porn sites and found that 93 percent of them leaked browsing data to third parties. Using incognito or private mode does not affect the outgoing information. Furthermore, nearly 45 percent of the domains studied revealed potential sexual preferences within the URL.

The authors suggest that those visiting adult websites, especially while in private browsing mode, have “a fundamentally misleading sense of privacy.” In fact, incognito and similar privacy-protecting features only ensure nothing is stored on the computer during a browsing session. It does nothing to stop online trackers from recording a user's porn-viewing behavior.

"Our analysis of 22,484 pornography websites indicated that 93% leak user data to a third party."

The researchers argue that such tracking is a risk for “everyone.”

“We have argued everyone is at risk when such data is accessible without users’ consent, and thus can potentially be leveraged against them by malicious agents acting on moralistic claims of normative gender or sexuality. Porn sites currently operate with an unethical definition of sexual consent considering the sensitive sexual data they hold. We contend the overwhelming leakiness and sexual exposure revealed in our results mean porn sites ought to better account for user security as well as adopt policies based on affirmative consent.”

The New York Times notes that even though Google trackers appear on 74 percent of the websites studied, the company claims that the tracking software is not used for advertising purposes.

“We don’t allow Google Ads on websites with adult content, and we prohibit personalized advertising and advertising profiles based on a user’s sexual interests or related activities online,” said a Google spokesperson. “Additionally, tags for our ad services are never allowed to transmit personally identifiable information.”

Facebook, which had trackers on 10 percent of the sites, also denied that it tracked users, but it should be noted that the company has released tracking software that can be used by third parties (porn sites) to “like” content.

The NYT reached out to Oracle about its software appearing on 24 percent of the websites studied but did not receive a response.

It is worth mentioning that not all the tracking going on uses personally identifiable information. Some sites, like Pornhub for instance, collect anonymous data to track traffic, which it publishes on its Stats page. However, some data, like IP addresses or the mobile identification number on a user’s phone, have also been found. Additionally, seemingly anonymous data like browser type, screen resolution, operating system, and similar information can be combined into a unique “fingerprint” to track a user.

"While the findings of this study are far from encouraging, we do believe regulatory intervention may have positive outcomes."

“The fact that the mechanism for adult site tracking is so similar to, say, online retail should be a huge red flag,” Microsoft researcher and lead author of the study Elena Maris told the NYT. “This isn’t picking out a sweater and seeing it follow you across the web. This is so much more specific and deeply personal.”

Furthermore, the study found that in addition to being almost impossible to detect without specialized software, the trackers were disclosed to the user through the site’s privacy policies only 17 percent of the time. Even then, the terms were often obfuscated with complicated legalese.

The authors conclude calling for regulatory intervention to stem the leaky data.

“While the findings of this study are far from encouraging, we do believe regulatory intervention may have positive outcomes,” say the authors. “The form of consent currently found in U.S. self-regulatory ‘opt-out’ systems fails to meet sexual consent norms and reinforces the ‘blame the victim’ mentality that often emerges in slut-shaming and other forms of sexual violence.”