Your Search, YouTube, Gmail, Maps, and Chrome data don't live in separate silos anymore — they're now merged into a single account-level profile that persists on every device you use.
Permanent, account-level trackers: Google's promised replacement for tracking cookies never materialized. Instead the permanent replacements are permanent and you can't delete them. They are anchored to your account.
The AI boundary (for now): Google maintains that private Gemini and Assistant conversations aren't used to target ads. But ads are already appearing inside AI Overviews in Search — where the line between answering a question and serving an ad is blurring fast.
This does not account for Android, which is a separate and deeper layer of device-level data collection that operates outside the browser entirely.
You didn't log in. You didn't click “Accept.” You just opened a link a friend sent you.
But in the milliseconds it took for this text to appear, your location, your device ID, and your browsing history were already in transit to data brokers.
Here’s what they know.
They know where you are, and your ISP helped.
Two signals are cross-referenced constantly to pinpoint you: your IP address and your timezone.
While you browse, an IP lookupThe digital return addressYour device can't request a website or app without revealing its IP address. An IP lookup is a background check that websites run to identify you, your physical city, region, and zip code. runs silently on 76% of the world's top websites — typically before the page finishes loading. Your ISP assigned that IP and keeps a record of who holds it. Because they also have your billing details, your “anonymous” session is one legal request away from your real name.
They know your specific browser configuration, and it's trackable.
Web browsers silently volunteer an inventory of signals before a single tracking script has loaded. This page collected yours in milliseconds, without asking.
Individually these stats are mundane and useless. But combine them and they can uniquely identify your device among millions.
Trackers can monitor your viewport to identify unique window-snapping behaviors and multitasking patterns, using the specific pixel dimensions of your browser window to distinguish your device from a crowd. When you resize your viewport, the change is visible to trackers in real-time.
They know how exposed you are.
Trackers don't just read your hardware. They audit your defenses, before you click a single button.
They check if your “Do Not Track” sign is hanging, if you’ve blocked cookies, if they can fingerprint your browser, or if you’re using a privacy extension. To a tracker, your security posture is just another part of your unique profile.
They know your battery level and charging state.
Your browser exposes your exact battery percentage and charging status in real-time, no permissions required.
While it seems mundane, these numbers are granular enough to act as a short-term ID. If you clear your cookies and jump to a new site, your specific battery level (e.g., 87% and discharging) can "stitch" your identity back together across different pages.
They know your fonts make you uniquely identifiable.
Between system defaults, office suites, and design tools, no two people have the exact same font library.
Trackers exploit this by "probing" your browser to see which fonts respond. This silent inventory narrows you down from a crowd of millions to a group of one. No permissions required, no way to opt-out—just a unique signature you carry to every site you visit.
They know your graphics card makes you permanently trackable.
When you load a website on their network, trackers secretly force your browser to draw a Canvas image, that you'll never see, using a specific sentence in a specific font with specific colors. It's a process called Canvas Fingerprinting.
Every GPU and driver combination renders slightly differently — one might smooth the edge of a letter by a fraction of a pixel; another might render a color shade just a little differently.
By measuring those microscopic differences, trackers can identify your device(s) from millions, and it's permanent until you swap your hardware.
The image above is identical every time (on the same device). It is then hashed to produce the fingerprint above.
Incognito doesn't change it. Clearing cookies doesn't change it.
They know they can track you by blanketing their network with permanent IDs.
Advertising networks use JavaScript to generate a unique identifier and write it into your browser's storage the moment a page loads. Every site running the same ads reads that ID back and adds your visit to a cross-site profile. This is how a shoe ad follows you from a news site to a recipe blog to your weather app.
They know where you came from before you arrived.
Your browser automatically tells every new website the address of the previous page you were on. This is the HTTP referrer, it's been part of the web since 1996 and is transmitted without asking. If you came from a Google search, a social post, an email, or a news article, the destination knows. You made no choice to share it.
Build your defense. They can’t track what they can't identify.
You can't disappear on the grid, but you can make yourself very expensive to track. Do not give information they don't need to know, stop their tracking scripts, make your hardware look like everyone else's, and opt out where you can.
- DuckDuckGo Browser automatically blocks hidden cookies and trackers, clearing all tab and browsing data is a single click.
- Mozilla Firefox is best when you enable
privacy.resistFingerprintinginabout:configto spoof hardware signals. - Tor Project makes every user’s fingerprint identical, by design.
- uBlock Origin — Not just an ad-blocker. It stops tracking scripts from ever loading, preventing most fingerprinting before it starts.
- Privacy Badger — Learns to block invisible trackers based on their behavior as you browse.
- NAI opt-out — 100+ ad networks, one form
- See other links below
The Meta Pixel is on roughly 30% of popular websites, reporting your behavior back to Meta whether or not you have an account. Meta builds "shadow profiles" on people who have never signed up — assembled from data purchased from brokers and reports from any site running its tracker.
Financial data: On tax-filing and banking sites, the Pixel has been found "siphoning" sensitive form fields, including labels and values for income, debt, and filing status, which are then used to refine advertising algorithms.
AI training: All public posts and images uploaded to Meta platforms since 2007 are eligible to be used for AI training.
Amazon has what every other tracker craves: your receipts.
Your purchase history doesn't stay on Amazon. Through Amazon DSP, it follows you across the internet. Tagging you on news sites, blogs, and apps that have nothing to do with shopping.
Then there's your home, the ultimate data collection environment. Americans added their microphones into our homes and their cameras to our front doors. In 2022, Amazon confirmed it will hand footage from your Ring doorbell camera to law enforcement, without warrants or your permission.
It doesn't matter how you use your Roku TV, their Automatic Content Recognition technology is constantly taking fingerprints of your screen and matches it against a database of known content to identify exactly what you’re watching.
This runs across every input: streaming apps, cable boxes, HDMI-connected laptops, and gaming consoles. Roku sees what Netflix sees. What your cable provider sees. What your PlayStation sees. All of it, independently logged and sold.
This surveillance requires no camera, no microphone, no app. It runs in the firmware, on by default.
Microsoft doesn’t need to guess who you are — they own the environment where you work, search, and play. By moving from a software company to a services company, Microsoft has integrated identity tracking into the bedrock of the operating system. Your Windows login, Bing searches, and Outlook communications are no longer isolated events. They’re streams of data feeding a central profile of your behavior, intent, and professional life.
The surveillance is baked into the plumbing. Windows Telemetry is a persistent heartbeat sending diagnostic and usage data back to Redmond. They say it's “essential for security”, but they also use it to refine ad targeting and product nudges. Your computer is now a witness to everything you do, and that witness reports to Microsoft.
Through LinkedIn, Microsoft also holds the world’s largest database of verified professional identity. The LinkedIn Insight Tag is embedded on over one million third-party websites, including fertility clinics and mental health platforms. In October 2025, a federal judge allowed class-action lawsuits to proceed, ruling that LinkedIn may have “highly offensively” matched anonymous patients to their verified professional profiles without their knowledge.
By cutting off the data flow to rivals like Meta and Google, Apple successfully "walled the garden", becoming the sole owner of the data and the measurement tools for iOS.
What they don't tell you
The "Ask App Not to Track" prompt applies to everyone except Apple. While rivals were blinded, Apple’s first-party data collection across the App Store, News, and TV+ remained wide open. Apple didn't just stop the tracking; they centralized it.
Gatekeeper and Keymaster
By controlling the only way to install software on iOS, Apple acts as a private tax authority. They take a 15–30% cut of the digital economy and force every advertiser to use SKAdNetwork—Apple’s own measurement system. They didn't just build a better browser; they built the stadium and the scoreboard.
According to CEO Jeff Green, The Trade Desk has such a large surveillance reach by maintaining real-time bidding connections to over 14 million advertising opportunities. Every second.
Retail Surveillance: Major retailers like Walmart, Target, and Kroger have agreements that allowing them to close the loop between an ad you saw and a purchase you made in a physical store — proving, for example, that a TV commercial led you to buy a specific brand of medication.
From partner to landlord: In 2026, The Trade Desk launched their own smart TV operating system to move from being a tenant inside streaming services like Disney+, Netflix, and Hulu to owning the software that runs the television itself, giving them visibility into what you watch across every app, independent of what any individual streaming service shares.
Acxiom takes your offline life (voting records, property deeds, bank loans, and grocery receipts), and stitch it to your online behavior. Ensuring you can never truly be anonymous.
Real-time API: When you interact with a company, they can instantly query Acxiom's Real-time API to pull your full history and profile you as an individual, with the goal being able to do that in under two-seconds.
Audience Propensities: Acxiom uses machine learning to calculate scores predicting your likelihood to buy a car, switch banks, have a child, or respond to specific offers. These aren't guesses — they're off-the-shelf products marketed to any company willing to pay.
LiveRamp's mission is that you never truly disappear from the advertising ecosystem. They combine online and offline fragments of your identity into a single permanent identifier called a RampID, which you can not delete.
Bypassing Privacy Laws: LiveRamp allows companies to "match" their records on you. For example, your bank and a streaming service can cross-reference your identity in a "blind" environment. They claim this protects privacy, but it effectively allows them to share your habits without ever technically "exchanging" your raw name.
No Humans: In March 2026, LiveRamp allowed autonomous AI agents to enter their Data Clean Rooms and build audience profiles, license your behavioral data, and optimize targeting. Decisions about how your data is used are now being made by systems that answer to no one.
They know before your doctor does. LiveRamp's 2026 healthcare marketplace sells "Pre-Rx Stage" targeting — predicting when you are about to be prescribed a specific medication before the prescription is written. "Script Lift" measures whether a pharmaceutical ad influenced that prescription. These are products. Pharma companies are the customers.
Oracle’s BlueKai was the largest third-party data marketplace ever built. They called it an “Identity Spine” of six billion profiles, updated two trillion times a month. In 2020, a misconfigured cloud server left billions of those records (home addresses, political views, and purchase histories) sitting in a public bucket. Oracle shut down the entire advertising division in 2024 under legal and regulatory pressure.
The marketplace is gone. The leaked data isn’t. Once a broker exposes your life story, they can’t un-expose it when things go wrong.