How the Internet Knows Who You Are — Digital Identity and Cross-Platform Tracking

The TLDR

You carry multiple persistent identifiers online: your IP address, cookies, advertising ID, browser fingerprint, device identifiers, and your logged-in accounts. Clearing cookies removes one. The rest remain. The advertising and surveillance ecosystem specializes in linking these identifiers together — across devices, across browsers, across sessions — to maintain a continuous identity profile that survives every privacy measure short of a complete digital lifestyle change.

The Reality

Here’s a complete inventory of your digital identifiers and which ones survive common mitigations:

The advertising ecosystem doesn’t need all of these. Any two or three, correlated across time, are enough to maintain a persistent identity.

How It Works

The Identifier Stack

IP Address: Your public IP identifies your network connection. It’s visible to every server you connect to. It typically maps to your ISP and a city-level location. It changes if you switch networks (WiFi to cellular, home to work) and may change periodically with dynamic addressing. A VPN replaces your visible IP with the VPN server’s IP — but the VPN provider knows your real IP.

Carrier-Grade NAT (CGNAT) means multiple subscribers share a single public IP, reducing IP’s value as a unique identifier. But combined with other signals (user agent, timing), it’s still useful.

First-Party Cookies: Set by the site you’re visiting. They remember your login session, preferences, and shopping cart. They’re specific to that site and can’t directly track you across other sites.

Third-Party Cookies: Set by advertising and tracking domains embedded in the site you’re visiting. A single ad network (Google’s DoubleClick, for example) is present on millions of sites. Its cookie follows you across all of them. This is the foundation of cross-site tracking — and it’s being phased out, which is why the industry is pivoting to fingerprinting and first-party data collection.

Evercookies: Tracking identifiers stored in multiple browser storage mechanisms simultaneously — cookies, localStorage, sessionStorage, IndexedDB, canvas, and even browser cache. If you clear one storage mechanism, the identifier is recreated from the others. Difficult to clear completely.

Advertising ID (IDFA on iOS, GAID on Android): A device-level identifier designed for ad tracking. Every app on your phone can read it and share it with their advertising SDKs. This is how advertisers link your behavior across multiple apps. You can reset it (or delete it on Android 12+), but apps often also collect hardware identifiers that survive a reset.

Browser Fingerprint: Your browser’s unique combination of screen resolution, fonts, GPU, timezone, language, plugins, and hardware capabilities. No cookies needed. Unique enough to identify you among hundreds of thousands of browsers. See the rh-browser-fingerprinting deep dive.

Device Identifiers (IMEI, MAC Address): Hardware-level identifiers that are permanent (IMEI) or semi-permanent (MAC can be randomized, and iOS/Android now do this by default for WiFi). Apps with sufficient permissions can read these, providing an identifier that survives factory resets.

Logged-In Identity: When you’re signed into Google and browse the web, Google tracks you by account — not by IP, cookie, or fingerprint. Your Google account is the most powerful tracking identifier because it’s persistent, cross-device, and tied to a verified identity.

How Identifiers Get Linked

Cross-device graphs are databases that link your phone, laptop, tablet, and work computer into a single identity. Companies like Oracle, LiveRamp, and Tapad specialize in building these graphs.

The linking methods:

Deterministic matching: You logged into the same Google account on your phone and laptop. Google now links both devices to your identity with 100% certainty.

Probabilistic matching: Your phone and laptop share the same IP address (home WiFi), have similar browsing patterns (same news sites at the same times), and the browser fingerprints are from the same city. An identity resolution algorithm assigns a high probability that these are the same person.

Login correlation: You visit a news site on your phone (not logged in) and later visit the same site on your laptop (logged in). The ad network that was present on both visits links the anonymous phone visit to your authenticated laptop identity via timing and content overlap.

Social Login as a Tracking Layer

“Sign in with Google” and “Sign in with Facebook” are authentication services — and tracking mechanisms. When you use social login:

1. The site gets your identity from Google/Facebook
2. Google/Facebook learns that you use that site
3. Your activity on that site can be correlated with your Google/Facebook profile
4. The site gets a persistent, cross-device identifier (your Google/Facebook account) for free

Every “Sign in with…” button is an identity correlation point.

How It Gets Exploited

The Surveillance Advertising Pipeline

Your digital identity profile feeds real-time bidding auctions (see rh-ad-tracking). Advertisers bid on access to your attention based on your identity profile — which includes your browsing history, location patterns, purchase behavior, app usage, and demographic attributes.

This isn’t hypothetical. It’s the business model of the $600 billion digital advertising industry.

Government Purchase of Identity Data

Government agencies purchase commercial identity data — including cross-device graphs — from data brokers. The EFF has documented how this allows surveillance without warrants: the data was collected commercially, so the Fourth Amendment’s warrant requirement doesn’t apply (a legal position that’s being challenged but hasn’t been definitively resolved).

Stalking and Harassment

Identity resolution tools that marketers use to link online behavior to real-world identities are available to anyone willing to pay. Data broker reports that match online accounts to physical addresses enable stalking, doxxing, and harassment.

What You Can Do

The Hierarchy of Mitigations

From least to most effective:

1. Clear cookies regularly — removes one tracking vector. The others persist.
2. Use private/incognito mode — prevents cookies from persisting between sessions, but doesn’t change your IP, fingerprint, or device identifiers.
3. Use a different browser for different activities — work in one, personal in another. This segments your fingerprint and cookies.
4. Use a VPN — changes your visible IP. Doesn’t affect cookies, fingerprint, or logged-in tracking.
5. Use Tor — changes your IP, randomizes your fingerprint, and prevents most cross-site tracking. Slow and attracts scrutiny.
6. Don’t log in — the single most effective tracking mitigation. A logged-in account is the most powerful identifier.

Practical Steps

• Delete your advertising ID (Android 12+) or limit ad tracking (iOS)
• Use separate browsers for logged-in services and anonymous browsing
• Minimize social login — create separate accounts instead of “Sign in with Google”
• Use a VPN on networks you don’t trust
• Review connected accounts — disconnect services you don’t actively use

The Hard Truth

Complete digital anonymity requires using Tor, never logging in, never using the same device for anonymous and identified activities, and never making a mistake. For most people, the practical goal isn’t anonymity — it’s reducing the resolution of the identity profile built around you. Every mitigation you implement removes a data point from that profile.

Sources & Further Reading

• Mozilla: How Tracking Works — clear explanation of web tracking mechanisms
• EFF: Why Your Private Browsing Isn’t Private — limitations of private browsing modes
• Google Cross-Device Attribution — Google’s own documentation on cross-device tracking
• EFF: Cover Your Tracks — browser fingerprint testing tool
• EFF: Data Brokers and Government Surveillance — government purchase of commercial identity data