When you clear cookies on your laptop, the advertiser's identity graph still has your mobile advertising ID, your IP address history, and the hashed email you used to log into a retailer's website three years ago. The profile doesn't disappear — it just loses one data point from a web of corroboration. This is the architecture that makes modern ad targeting resilient to most individual privacy measures: it's redundant by design.
Understanding cross-device tracking starts with the two fundamentally different ways device identities get linked: deterministic linking and probabilistic linking. They have different accuracy profiles, different data requirements, and different resistance to privacy measures.
Deterministic Linking: The High-Confidence Method
Deterministic linking happens when you provide your identity directly — by logging into the same account on multiple devices. When you log into Gmail on your phone and on your laptop, Google knows those are the same person. When you create an account with your email address at a retailer and shop on both your phone and your desktop, that retailer (and any data partners they share with) can link those sessions.
The mechanism that operationalizes this at scale is called a people-based ID or universal ID. Companies like LiveRamp (whose product is called RampID, formerly IdentityLink) and The Trade Desk (whose product is Unified ID 2.0, or UID2) take email addresses and phone numbers, hash them, and create persistent identifiers that can be passed between publishers and advertisers without exposing the raw email.
The hashing provides only cosmetic privacy. A hashed email is a deterministic transform of the underlying address — the same email always produces the same hash. If you know the email address (or have a lookup table of common email/hash pairs), the hash provides no protection. Email address hashes are routinely used for audience matching between advertising platforms precisely because they are consistent and linkable.
A publisher asks you to log in with your email. They hash it and pass it to their ad server. The ad server maps the hash to your UID2 — a standardized identifier recognized by hundreds of demand-side platforms. Advertisers can now target you with precision across any UID2-participating publisher, on any device where you've logged in with that email.
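The linkability of hashed emails, and the effect of using a different address per service, can be seen in a few lines. This is an added example, not code from any ID vendor: the normalization step (trim and lowercase), the service names and the addresses are all assumptions constructed for illustration.

```python
import hashlib
from collections import defaultdict

def email_hash(email: str) -> str:
    # Assumption: trim + lowercase, then SHA-256. Real ID products define
    # their own normalization rules, which this does not reproduce.
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()

def link_by_hash(logins):
    """Group (service, device, email) records by hashed email.

    Only the hash is used as the key, as if each service shared nothing
    but the hash. Returns {hash: set of (service, device)}.
    """
    graph = defaultdict(set)
    for service, device, email in logins:
        graph[email_hash(email)].add((service, device))
    return dict(graph)

def cross_service_profiles(logins):
    """Profiles whose hash was seen at more than one service."""
    return [nodes for nodes in link_by_hash(logins).values()
            if len({service for service, _ in nodes}) > 1]

# Constructed sample data: one person reusing one address everywhere.
SAME_EMAIL = [
    ("retailer", "phone", "Alice@Example.com "),
    ("news-site", "laptop", "alice@example.com"),
    ("streaming", "tv", "alice@example.com"),
]
# Constructed sample data: the same person with one alias per service.
PER_SERVICE_ALIAS = [
    ("retailer", "phone", "retailer.7f3a@alias.example"),
    ("news-site", "laptop", "news.c21b@alias.example"),
    ("streaming", "tv", "stream.9d40@alias.example"),
]

if __name__ == "__main__":
    for name, logins in (("same email", SAME_EMAIL),
                         ("per-service alias", PER_SERVICE_ALIAS)):
        profiles = cross_service_profiles(logins)
        print(f"{name}: {len(profiles)} cross-service profile(s)")
        for nodes in profiles:
            print("  linked:", sorted(nodes))
```

With the reused address, three services that never exchanged the raw email still end up with one joined profile across phone, laptop and TV; with per-service aliases the hashes share nothing and no join key exists.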
Probabilistic Linking: The Scale Method
Deterministic linking requires that you log in somewhere — it only works when you've provided an email or phone number across platforms. Probabilistic linking works even when you haven't. It uses statistical inference to assign a likelihood that two devices belong to the same person.
The primary signals are:
- IP address: Devices sharing the same household IP, at similar times, are likely the same household. This is the most widely used probabilistic signal. It's cheap to observe and relatively stable (home IPs don't change daily).
- Wi-Fi network: The SSID of your home network may be visible to apps with location permissions. Two devices consistently appearing on the same named network are likely in the same household.
- Behavioral patterns: Active hours, browsing rhythms, app usage patterns, and geographic movement patterns can be compared across devices to infer shared ownership.
- Device fingerprinting characteristics: Screen resolution, font rendering, graphics card, battery behavior, and other hardware signals can be compared. Two devices with similar fingerprint clusters appearing at the same IP addresses strengthen the probabilistic match.
Companies like Tapad (now owned by Telenor) and Oracle Data Cloud built significant businesses around probabilistic cross-device identity. The output is a "device graph" — a list of (device, device) pairs with associated confidence scores that get sold to advertisers.
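A toy model of such a device graph helps show why masking one signal lowers a match score without removing it. This is an added example, not any vendor's method: the two signals used (same IP in the same hour, overlapping active hours), the weights, the device names and the observations are assumptions constructed for illustration.

```python
from itertools import combinations

# Assumed weights for this toy model; not any vendor's scoring formula.
W_IP, W_HOURS = 0.7, 0.3

def jaccard(a: set, b: set) -> float:
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def device_graph(observations):
    """Score every device pair from (device, ip, hour) observations.

    Uses two of the signals listed above: same IP in the same hour, and
    overlapping active hours. Returns {(dev_a, dev_b): confidence}.
    """
    ip_hours, hours = {}, {}
    for device, ip, hour in observations:
        ip_hours.setdefault(device, set()).add((ip, hour))
        hours.setdefault(device, set()).add(hour)
    return {
        (a, b): W_IP * jaccard(ip_hours[a], ip_hours[b])
                + W_HOURS * jaccard(hours[a], hours[b])
        for a, b in combinations(sorted(ip_hours), 2)
    }

def with_vpn(observations, device, exit_ip):
    """Same observations, but `device` is always seen at the VPN exit IP."""
    return [(d, exit_ip if d == device else ip, h) for d, ip, h in observations]

# Constructed observations; all IPs are from documentation ranges.
HOME, CELL, OTHER = "203.0.113.7", "198.51.100.9", "198.51.100.20"
OBSERVATIONS = (
    [("phone", HOME, h) for h in (19, 20, 21)] + [("phone", CELL, 12)]
    + [("laptop", HOME, h) for h in (19, 20, 21)]
    + [("neighbor-tablet", OTHER, h) for h in (19, 20)]
)

if __name__ == "__main__":
    vpn_obs = with_vpn(OBSERVATIONS, "laptop", "192.0.2.50")
    for label, obs in (("no VPN", OBSERVATIONS), ("laptop on VPN", vpn_obs)):
        print(label)
        for pair, score in sorted(device_graph(obs).items()):
            print(f"  {pair}: {score:.3f}")
```

In this model the laptop/phone pair scores 0.75 on the shared home IP; putting the laptop behind a VPN drops it to 0.225, which is above zero because the active-hours signal is untouched.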
Television: The Third Screen Problem
Smart TVs and streaming devices have introduced a particularly opaque layer of cross-device tracking: Automatic Content Recognition (ACR). ACR is a technology built into most modern smart TVs from Samsung, LG, Vizio, and others that captures frames of whatever is playing on the screen — HDMI input, streaming apps, broadcast TV — and matches them against a content fingerprint database to determine exactly what you're watching, with second-level precision.
This data is sold to advertisers and data brokers. The link from TV viewing to mobile advertising is then made through the IP address: if the same IP address appears in ACR data as watching a specific show and in mobile ad exchange data as belonging to a specific device, those can be probabilistically matched.
ACR data allows advertisers to close the "living room gap" — understanding what audiences actually watch rather than relying on self-reported demographics. From a privacy standpoint, it means your TV is reporting your viewing habits to third parties, regardless of whether you're watching a streaming app or a Blu-ray disc through HDMI.
ACR is almost always opt-in by default (active consent required in the EU; opt-out consent in most US states). Look for it under settings labels like "Viewing Information Services" (Samsung), "LivePlus" (LG), or "Smart Interactivity" (Vizio). Disabling it stops the TV from reporting viewing data but does not remove existing data already collected.
Apple's ATT and the Probabilistic Shift
Apple's App Tracking Transparency (ATT), introduced with iOS 14.5 in 2021, requires apps to obtain explicit permission before accessing the IDFA — the unique Identifier for Advertisers that had been the primary deterministic linking mechanism in the iOS ecosystem. Most users, when prompted, declined. IDFA opt-in rates dropped to roughly 20-25% across most app categories.
This did not end cross-device tracking in iOS apps. It shifted the industry toward probabilistic methods that don't require the IDFA. SKAdNetwork (Apple's privacy-preserving attribution framework) provides aggregate campaign-level data without user-level identifiers. But the data broker ecosystem, which operates largely outside the ATT framework, adapted by leaning harder on IP-based linking, email hashes, and first-party login data.
The practical effect of ATT has been significant for mobile app attribution (advertisers lost precision in understanding which app installs came from which ads) but more modest for the broader tracking ecosystem, which has enough redundant signals to maintain cross-device profiles even without IDFA.
Where Each Defense Actually Works
| Privacy measure | Blocks deterministic | Blocks probabilistic | Notes |
|---|---|---|---|
| Ad blocker | Partial | Partial | Blocks many tracking pixels; doesn't help with server-side tracking or login-based linking |
| Browser fingerprint protection | No | Partial | Reduces one probabilistic signal; IP and behavioral signals remain |
| VPN | No | Partial | Masks your IP; VPN IP still visible; deterministic (login-based) linking unaffected |
| Unique email per service | Strong | No | Breaks email-hash matching; email aliases or SimpleLogin-style forwarding needed |
| Declining ATT / IDFA opt-out | Partial | No | Removes one deterministic signal; probabilistic alternatives remain |
| Disabling ACR on TV | Yes | Partial | Stops TV-based identity linkage; other signals still available to advertisers |
What the Identity Graph Means in Practice
The cross-device profile enables a category of advertising called "sequential messaging" — showing you the same brand message first on your laptop, then on your phone, then on your TV, in a coordinated sequence. It also enables "suppression" — if you've already bought something, exclude you from seeing ads for it. These are the use cases advertisers pitch. The data infrastructure required to enable them is a comprehensive behavioral record.
That data doesn't stay in the advertising system. Identity graph data is sold to insurers, employers, and in some documented cases to government agencies. The data broker ecosystem and the advertising identity graph overlap significantly — data collected for targeting ads often ends up in broker databases sold for entirely different purposes.
The realistic defense against cross-device tracking isn't any single measure — it's reducing the number of unique, corroborating identifiers associated with your devices. Unique email addresses per service (which is also good hygiene for breach exposure reduction), consistent VPN use, IDFA opt-out, and ACR disabling together make probabilistic linking materially harder. Complete elimination isn't realistic for anyone actively using the web, but reducing the density of the identity graph is achievable.