1327 words
7 minutes
You Are Never Browsing Alone
2026-05-17
Research
adtech
/
cybersecurity
/
infosec
/
privacy
/
data-privacy

Cross-Device Tracking in Action#

Major advertising platforms routinely connect user activity across phones, laptops, tablets, and apps — even when people use different accounts or networks.

Industry documentation states that more than 65% of conversions start on one device and finish on another. This is achieved through deterministic signals (logged-in accounts, email hashes) and probabilistic signals (IP, device fingerprints, behavior).

The mechanisms below are based on publicly documented features from Meta, Google, and data broker practices.

Cross-device identity resolution

The Full Threat Model: How They Know It’s You#

Before defending yourself, you need to understand what you’re actually fighting. The industry calls it ** cross-device identity resolution** . The goal is simple: confirm that your phone, your PC, your tablet, and your smart TV all belong to the same human — even if you use different accounts on each.

Here’s what they collect to make that link:

├── Shared identifiers (email, phone number, cookies)
├── Network-level signals (same IP address)
├── Behavioral fingerprint (how you type, scroll, tap)
├── Hardware fingerprint (screen resolution, GPU, fonts)
└── Temporal correlation (you use both devices at the same time)

Defeat any two of these consistently, and the confidence of the match drops dramatically. Defeat all five, and you are effectively a different person on each device. Now let’s go layer by layer.

Layer 1 — Hashed Email Matching (PII Graphs)#

A primary real-world mechanism is hashed email matching through systems like Meta’s Custom Audiences and “Offline Conversion Matching”.

When a user is logged into a Google service (YouTube, Gmail), interest signals are associated with the email. Meta maintains identity graphs that link hashed versions of the same email across its platforms. Because both sides hash the email the same way, they can match without exchanging raw addresses.

This technique is officially documented by advertising platforms and is widely used for Custom Audiences and conversion measurement. The same email logged in on multiple devices creates a reliable bridge between them.

Layer 2 — Device Graphs and Probabilistic Matching#

According to industry research on cross-device tracking, platforms build identity graphs using device hardware IDs (AAID, IDFA), logged-in Google/Facebook accounts, overlapping home IPs, behavioral patterns (typing rhythm, scroll speed), and co-location signals (Bluetooth/WiFi beacons when devices are near each other).

These are combined into probabilistic profiles. Academic and industry papers on “cross-device tracking” describe how even without perfect identifiers, statistical confidence can link multiple devices to one person.

Layer 3 — SDKs and App Telemetry#

The majority of popular mobile apps include analytics and advertising SDKs from Meta, Google, and others. These libraries report device identifiers, IP addresses, location (when permitted), and usage patterns in the background.

Research into mobile advertising SDKs has shown that these signals, combined with home Wi-Fi IPs, allow companies to link app activity on a phone with web activity on a computer in the same household.

Layer 4 — Household IP and Network Signals#

Home broadband IP addresses are used as household-level signals. When the same IP is observed from a web browser and from mobile apps (via SDKs), it provides a strong correlation that the activities belong to the same household.

This is a well-documented technique in adtech literature and is one reason why using mobile data instead of home Wi-Fi for certain activities reduces linkage.

Layer 5 — Lookalike Audiences and Seed Data#

Advertisers can upload lists of known contacts (emails, phone numbers, or customer IDs) to platforms as Custom Audiences. The platforms then create “Lookalike Audiences” — large groups of users whose profiles are statistically similar.

Official Meta documentation describes how Lookalike Audiences are built from seed lists. When combined with interest signals (e.g. “watched cybersecurity career content”) and location/demographic data, this enables highly specific targeting even for users who never directly interacted with the advertiser.

The Data Broker and Identity Graph Industry#

Large-scale data brokers and identity resolution companies (Acxiom/LiveRamp, Experian, Oracle Data Cloud, and others) aggregate data from many sources: apps, loyalty programs, ISPs, and device telemetry.

Reports from privacy researchers and consumer organizations have documented that these firms maintain profiles on hundreds of millions to billions of people and sell connectivity/identity services to advertisers. LiveRamp (which acquired parts of Acxiom) is frequently cited in industry analyses for its identity graph capabilities that link offline and online data.

This data powers the Real-Time Bidding (RTB) systems used by ad platforms, where ad slots are auctioned in milliseconds based on the rich profile assembled for the current user.

Raising the Cost of Being Tracked#

Complete anonymity is extremely difficult on the modern internet. However, users can significantly increase the effort and cost required to build accurate cross-device profiles. The goal is to make your advertising value lower than the cost of maintaining a high-confidence link.

Tier 1 — Do This Today (30 Minutes, High Impact)#

** Reset your Android Advertising ID monthly.** Settings → Privacy → Ads → Reset Advertising ID. This breaks the continuity of your device-level tracking profile.

** Clear your Off-Facebook Activity.** Go to facebook.com/off_facebook_activity and disconnect future activity. This cuts the data pipeline from third-party websites back to Meta.

** Delete your Google Activity and turn off saving.** Visit myaccount.google.com/data-and-privacy → Web & App Activity → Delete all and pause saving.

** Install Firefox with uBlock Origin on your PC.** Run uBlock in medium mode. It blocks third-party scripts, which kills the majority of tracking pixels at the source — before the data ever leaves your browser.

** Use mobile data for social media, not home WiFi.** This single change breaks IP-level household correlation. Your phone becomes a different “location” than your PC.

Tier 2 — This Week (2–3 Hours, Very High Impact)#

** Install Shelter on Android.** Shelter creates an isolated Work Profile — a sandboxed container on your phone. Move Instagram, Facebook, and other high-surveillance apps into it. A separate Google account (or no account) lives in the Work Profile. Meta’s SDK inside Instagram cannot see your main profile’s contacts, files, or other apps.

** Get a SimpleLogin account.** SimpleLogin generates infinite unique email aliases. Every service you sign up for gets a different alias. When data brokers buy leaked email lists, they get an alias that can’t be matched to your real identity — and you can kill the alias with one click.

** Switch research browsing to Mullvad Browser or Firefox with arkenfox.** Both are designed to make your browser fingerprint identical to thousands of other users. You blend into the crowd rather than standing out.

** Set up ProtonVPN on your PC for research sessions.** The free tier is sufficient. Your research browsing appears to originate from a different IP entirely.

Tier 3 — Long Term (Full Compartmentalization)#

Create three distinct email identities on ProtonMail: one for personal/social, one for research/professional, one for random signups. Never cross-link them. Never log into one while using another on the same device or network.

Set up NextDNS at the router level. It blocks tracking and ad domains for every device on your home network, including smart TVs and IoT devices you can’t install apps on. Free tier, five-minute setup.

If you ever get a Google Pixel phone, consider GrapheneOS. It’s the operating system used by journalists, security researchers, and activists who need genuine privacy. It offers per-app network permissions, sensor blocking, and the ability to feed apps fake location data — all at the OS level.

The Honest Reality#

Even with strong protections, platforms and data brokers can still correlate activity through a combination of behavioral signals, account logins, and data purchased from third parties. There is no perfect defense for most users.

The advertising industry operates on economic optimization: they will invest tracking effort only up to the point where it remains profitable. Adding consistent friction (different networks for different activities, strong browser isolation, regular ID resets, and alias emails) raises that cost.

Key real-world references and further reading:

  • Meta’s own documentation on Custom Audiences, Lookalike Audiences, and Conversions API.
  • Industry reports on data brokers (e.g. Consumer Watchdog “Data Stalkers”, analyses of Acxiom/LiveRamp).
  • Research papers on cross-device tracking and identity resolution in digital advertising.
  • Official platform features such as Offline Conversion Matching and Enhanced Conversions.

The defenses listed below are practical steps that target the most common linkage vectors used today.

This post was originally published on Medium. Generalised with real-world research references.

You Are Never Browsing Alone
https://blogs.hacck3y.me/posts/you-are-never-browsing-alone/
Author
hacck3y
Published at
2026-05-17
License
CC BY-NC-SA 4.0
IDOR in Haryana Higher Education Admissions Portal: Unauthenticated Access to Student Documents
ExpressionEngine Preview Flaw: How Anyone Could Read Private Drafts and Hidden Content
© 2026 hacck3y. All Rights Reserved. / RSS / Sitemap
Powered by Astro & Fuwari