Close to 1.5 percent of the Internet’s top websites track users without their knowledge or consent, even when visitors enable their browser’s Do Not Track options, according to a research team in Europe.

The team is among the first to expose the real-world practice of “device fingerprinting,” a process that collects the screen size, list of available fonts, software versions, and other properties of the visitor’s computer or smartphone to create a profile that is often unique to that machine, according to Ars Technica. The researchers scanned select pages of the top 10,000 websites as ranked by Alexa and found that 145 of them deployed code based on Adobe’s Flash Player that fingerprinted users surreptitiously. Out of the top million sites, 404 used JavaScript-based fingerprinting.

The researchers say these figures should be taken as the lower bounds of the spectrum.

Device fingerprinting serves many legitimate purposes, including mitigating the impact of denial-of-service attacks, preventing fraud, protecting against account hijacking, and curbing content scraping, bots, and other automated nuisances, the article says. However, few websites disclose the practice in their terms of service. Marketing companies advertise their ability to use fingerprinting to identify user behavior across websites and devices.  

According to the article, device fingerprinting may have given the National Security Agency and its counterparts around the world an avenue to identify people using the Tor privacy service. The Guardian reported that the agency is capable of injecting script redirections into the traffic of Tor users.