Technical Overview: Identity Resolution Graphs
Identity resolution is the process of combining IP addresses, browser fingerprints, login events, and device identifiers to determine which devices belong to the same person or household.
Data brokers maintain large identity resolution graphs used to link activity across devices and sessions to the same person. In these systems, IP addresses often serve as one of several major linking signals. By observing the shared IP address used by a household, data brokers can correlate behavior between a desktop, a smartphone, and a smart TV. This helps build a long-term profile of browsing and purchasing behavior even when users are not logged into a specific service. See the specific tracking signals and network metadata your browser is exposing right now.
Network IP Type and Tracking Accuracy
The type of IP address you use significantly impacts how easily a data broker can associate your activity with a specific household identity.
| IP Type | Stability | Tracking Accuracy | Household Link |
|---|---|---|---|
| Residential | High (Weeks/Months) | Very High | Strong Household Identifier |
| Mobile Carrier | Low (CGNAT) | Medium/Low | Individual/Group |
| VPN/Proxy | Very Low (Per Session) | Low | Shared Exit Node |
| Public Wi-Fi | Transient | Very Low | Shared temporary network |
Cookies vs Browser Fingerprinting vs MAIDs vs IP Tracking
| Mechanism | Persistence | User Control | Accuracy | Cross-Device Capability | Easy to Reset |
|---|---|---|---|---|---|
| Cookies | Temporary (Can be cleared) | High (Browser settings) | Medium | Limited | Easy |
| Browser Fingerprinting | High (Persistent hardware signals) | Low (Hard to block) | High | Strong | Difficult |
| MAIDs | Medium (Resettable via OS) | Medium (User can reset) | High | Strong | Moderate |
| IP Tracking | Variable (Depends on ISP) | Low (User cannot control) | Variable | Household Level | N/A |
Note: IP tracking alone is rarely sufficient today. Most modern identity graphs depend on combining IP data with login events, cookies, MAIDs, and browser fingerprints.
Deterministic vs. Probabilistic Matching
Tracking companies usually rely on two main matching methods to build a more accurate user profile:
- Deterministic: Links activity via verified login data, such as a phone number, a hashed email, or loyalty program identifiers. Single sign-on providers can also act as strong identity anchors because the same login is reused across multiple apps and websites. Hashed email addresses are typically normalized by trimming whitespace and converting to lowercase before being transformed into a SHA-256 hash for consistent cross-platform matching. Email newsletter signups, ecommerce checkouts, and phone number matching serve as additional deterministic signals.
- Probabilistic: Uses statistical weighting to correlate 'soft' signals like your IP address, browser type, ZIP code, and usage schedule. While less reliable than a direct login, combining many signals can still identify a user or household with relatively high confidence.
| Signal Type | Example | Confidence Level | Cross-Device Value | Easy to Reset |
|---|---|---|---|---|
| Deterministic | Hashed Email / Phone Number | Very High | High (Strong) | No |
| Probabilistic | IP + Browsing Patterns | Moderate | Moderate | Variable |
| Device Identity | MAIDs, Roku ID | High | Strong | Easy/Moderate |
Scan your outbound metadata for shared identifiers and hashing patterns here.
How Email Providers and Newsletter Signups Feed Identity Graphs
Newsletter signups, password resets, and single sign-on (SSO) providers handle massive amounts of authenticated user data. These services often share hashed email identifiers (such as SHA-256 hashes) that act as persistent cross-device anchors. By connecting browsing sessions to a verified email hash, data brokers can build larger identity graphs that tie seemingly anonymous web traffic back to a real individual across multiple devices.
How Loyalty Cards and Payment Processors Link Offline Purchases
Retail loyalty programs, payment cards, and receipt scanning apps are powerful deterministic signals. When you provide a phone number, use a registered credit card, or scan an app at an offline checkout, real-world purchase history is linked directly to your digital identity. Retail data aggregators combine POS (Point of Sale) data with browsing history, loyalty accounts, and online activity. If the loyalty app on your phone connects to your home Wi-Fi, the data broker can more easily associate offline purchases with your household profile and home network, adding that information to the identity resolution graph.
How Identity Graphs Bridge IP Changes
A residential IP address is a consistent identifier for a household, but it is not permanent. When a DHCP renewal or router power cycle changes your public IP, brokers use 'bridging' techniques to maintain your profile. By observing that the same unique browser fingerprint and hashed email session have moved from 'IP A' to 'IP B' at the same time, the identity graph reconnects the new address to your existing history.
The Multi-Signal Tracking Profile
Public IP: 198.51.100.25 Browser Fingerprint: [Canvas_Res, AudioContext_Hash, WebGL_Model, GPU, Device_Memory] Screen: 2560x1440 @ 144Hz Mobile Ad ID (MAID): 550e8400-e29b... Hashed_Email: a6c4b1... (Verified User Match) Home Wi-Fi SSID: HomeNetwork_5G Nearby Bluetooth Beacon IDs: Detected Likely Household Match: Yes
Advanced Browser Fingerprinting
Beyond traditional cookies, companies use Browser Fingerprinting to uniquely identify hardware. This includes analyzing your Canvas API rendering, WebGL rendering, GPU model, CPU core count, device memory, AudioContext latency, installed fonts, time zone, and even battery-related device telemetry where still available. These signals can create a signature that remains relatively stable even in incognito mode. Some browsers now reduce fingerprinting accuracy by randomizing canvas outputs, limiting font access, or masking hardware details. Fingerprinting scripts may also examine CPU architecture, browser plugins, preferred languages, and hardware concurrency values. Analyze your browser's hardware-level leakage markers in real-time here.
How Smart TVs and Streaming Devices Feed Identity Graphs
Your living room is one of the most consistent sources of IP-linked data. Smart TVs and streaming boxes (like Roku, Apple TV, or Amazon Fire) rarely change networks, acting as stable household identifiers. Through Automatic Content Recognition (ACR), platforms such as Samsung, LG, and Roku can identify what is playing on the screen regardless of whether the content comes from cable, streaming apps, or HDMI devices. These systems often rely on TV advertising identifiers—including the Roku Advertising ID, Samsung ACR, and LG ACR—to continually track what is being watched. This streaming telemetry is often added to household advertising profiles. Some connected TV platforms also collect app usage patterns, voice assistant activity, and viewing schedules. Some streaming devices also maintain household-level advertising IDs even when cookies are unavailable. Because the TV shares the same IP address as your personal devices, advertisers can associate viewing habits with browsing behavior across devices.
Why Incognito Mode Does Not Stop Identity Resolution
Incognito or private browsing only prevents local storage of cookies and history. It does not stop the browser from exposing hardware characteristics, nor does it hide the IP address or MAID that the device presents to remote servers. As a result, fingerprinting, IP-based linking, and MAID tracking can still continue in many cases, allowing tracking companies to continue linking activity across normal and private sessions.
Advertising IDs and Mobile Tracking
On mobile devices, tracking often focuses on Mobile Advertising IDs (MAIDs) like Apple's IDFA and Google's GAID. However, the landscape is shifting: Apple increasingly restricts IDFA access via App Tracking Transparency (ATT), and Google is gradually replacing the Android GAID with Privacy Sandbox APIs in some cases. Some streaming platforms and connected TV ecosystems also assign advertising IDs or household identifiers to smart TVs and media boxes. These matching methods can still work even when official mobile identifiers are restricted or unavailable. Despite these controls, many apps employ other matching signals—such as matching your IP address and Wi-Fi environment to nearby Bluetooth beacon or location signals—to continue linking users across devices when the official ID is restricted.
GPS Data vs IP Geolocation
While IP-based geolocation provides broad network-level location, precise mobile location data (GPS) is often more valuable than IP-based location data for identity resolution. Continuous GPS telemetry allows data brokers to track real-world movement patterns, correlating browsing behavior with real-world movement rather than just estimating ZIP codes via a shared IP address. Location history from mobile apps can often reveal where a person lives, works, shops, and spends time.
Privacy Mitigation Comparison
| Technique | Helps Against IP Tracking | Helps Against Fingerprinting | Helps Against Cross-Device Tracking |
|---|---|---|---|
| VPN | Yes | No | Partial |
| Separate Browser Profiles | Partial | Partial | Yes |
| Anti-Fingerprinting Browser | No | Yes | Partial |
| Tracker Blockers | Partial | Partial | Partial |
| Public Wi-Fi | Yes | No | Partial |
Browser Isolation and Profile Separation
Using separate browser profiles for work, shopping, social media, and anonymous browsing can reduce the amount of data that advertising networks can combine into a single identity graph.
Technical Limitations: NAT and IPv6
The transition to IPv6 introduces Privacy Extensions (RFC 4941), which rotate temporary device interface identifiers, making device-level tracking harder while still allowing household-level tracking through the shared IPv6 prefix. On mobile networks, Carrier-Grade NAT (CGNAT) assigns thousands of users to a single IP, making reliable individual identification difficult via IP alone unless combined with MAIDs or fingerprinting data.
Operational Mitigation and VPN Limitations
Using DNS over HTTPS (DoH) can reduce the amount of DNS-based metadata visible to internet providers, but it does not stop household-level tracking by advertising networks. While a VPN masks your home IP, it cannot prevent tracking based on browser fingerprints, active logins, or third-party scripts. Residential IP tracking also becomes less reliable when households use dual-WAN failover, ISP backup links, or regularly changing VPN endpoints. For better privacy protection, combine network masking with hardened browser settings, regular resets of your mobile advertising IDs, and, where possible, limit the exposure of Wi-Fi SSIDs and Bluetooth beacons. VPNs are most effective when combined with tracker blocking, browser isolation, and separate browser profiles. Separate browser profiles can help reduce the risk of identity graph linking between work, personal, and anonymous browsing sessions. Review our 2026 Privacy Hardening Checklist for enterprise and home networks.
Privacy Regulations and Opt-Out Rights
In some regions, privacy laws such as GDPR and CCPA allow users to request access to the data held about them or opt out of certain types of data sharing. Many data brokers also maintain separate opt-out pages, although the process is often manual and may need to be repeated regularly.