The Tracking Stack: Seven Layers of Identity
Modern web tracking is a layered system where each method backs up the others. If one tracking vector is blocked or cleared, advertisers fall back to the next. Understanding all seven layers explains why cookie-blocking alone doesn't stop tracking and what it actually takes to be untrackable.
- IP address: Present in every HTTP request. Used for geolocation, household targeting, and fraud detection. Persists through cookie clears and incognito sessions.
- First-party cookies: Set by the site you're visiting. Used for login sessions, preferences, and analytics. Cleared by browser cookie deletion. Blocked by private browsing per-session.
- Third-party cookies: Set by embedded trackers (ad networks, social widgets). Major browsers are phasing these out — Chrome completed third-party cookie deprecation, Firefox and Safari blocked them earlier.
- Browser fingerprint: A passive identifier assembled from browser configuration, hardware signals, and rendering characteristics. Can't be cleared like cookies. Changes slowly. See below for detail.
- Local storage / IndexedDB: Persistent storage that survives cookie clears unless explicitly deleted. Used by some trackers as a cookie alternative.
- CNAME cloaking: First-party subdomains that secretly point to third-party trackers via DNS CNAME records. Bypasses third-party cookie blocking because the cookie looks first-party to the browser.
- Cross-device linking: Correlating identity across your phone, laptop, and TV using shared IP address (same home network), household targeting, and login sessions.
Cookie Tracking: Still the Foundation
Despite the decline of third-party cookies, first-party cookies remain the dominant tracking mechanism for any site you visit more than once. A first-party tracking cookie contains a unique identifier (UUID) set on your first visit. On every subsequent visit, the site reads that UUID and links your new session to your historical data — pages viewed, time on site, purchases, and behavioral events.
The transition away from third-party cookies has pushed the ecosystem toward first-party data strategies. Publishers now embed tracking code that sets first-party cookies in their own domain, while the data is actually sent to shared analytics and advertising platforms. CNAME cloaking is the technical mechanism enabling this: a publisher's DNS includes a CNAME record like analytics.publisher.com → analytics.provider.com, and the tracking cookie set by analytics.publisher.com appears first-party to the browser.
Effective cookie tracking mitigations: ITP (Intelligent Tracking Prevention) in Safari limits first-party cookie lifetimes to 7 days. Firefox's Total Cookie Protection (enabled in Enhanced Tracking Protection Strict mode) partitions cookies per site, preventing cross-site tracking with first-party cookies. uBlock Origin in medium/hard mode blocks tracking scripts before they can set any cookies. Check your HTTP headers to see what your browser reveals to sites.
See What Your Browser and IP Are Exposing
Check your IP address, HTTP headers, and run a DNS leak test to understand your tracking exposure.
Hide My IP NowBrowser Fingerprinting: The Cookie-Free Tracker
Browser fingerprinting collects dozens of technical attributes from your browser without storing anything on your device. The fingerprint is computed from: Canvas API rendering (GPU-specific pixel output), WebGL renderer information, Web Audio API processing, installed fonts (detected via CSS or Canvas), screen resolution, color depth, pixel ratio, timezone, language, platform, User-Agent, battery level (on supported devices), connection type, and touch support.
Research by the EFF's Cover Your Tracks project found that over 83% of browsers tested had a unique fingerprint. When combined with IP data, cross-site fingerprint matching accuracy approaches 95%+ for most users.
The AdTech industry has invested heavily in fingerprinting as a cookie alternative. The IAB's proposed PARAKEET and FLEDGE frameworks, Google's Privacy Sandbox Topics API, and Meta's Conversion API all seek to maintain ad targeting utility as cookies decline. Fingerprinting — being passive and technically difficult to block — is a key element of the post-cookie tracking landscape.
Strongest countermeasures: Tor Browser standardizes fingerprinting API outputs to be identical across all Tor Browser users. Brave randomizes Canvas and WebGL fingerprints per session. Firefox with privacy.resistFingerprinting = true spoofs many fingerprinting APIs. These approaches trade some functionality for meaningfully reduced trackability.
IP-Based Tracking and Household Targeting
IP-based tracking is the method most impervious to browser-level privacy settings. Your IP address is transmitted with every HTTP request — browsers have no API to hide it, and no privacy setting prevents it. This makes IP tracking the backstop layer when all other methods are blocked.
Household targeting, in particular, is a growing area of IP-based tracking. All devices in a home share the same public IP address (through NAT). Advertisers use this to:
- Link your phone, laptop, and smart TV as a household group
- Serve coordinated ad sequences across devices (see an ad on TV, get a follow-up on your phone)
- Attribute purchases across devices (view on phone, buy on laptop — still counts as one conversion)
- Build household-level income and demographic estimates from device count, brand mix, and browsing patterns
IP data enrichment from data brokers takes this further. Matching your IP to third-party consumer databases can link your internet connection to public records data — voter registration, property ownership, vehicle records — providing a household-level identity profile without any cookies or logins.
Check your current IP address and run an IP lookup to see what profile your connection currently generates.
Defending Against Modern Tracking
A layered defense approach addressing each tracking vector:
- VPN: Masks your IP from all sites. Eliminates IP-based tracking, household targeting, and ISP-level surveillance. Verify with DNS leak test.
- uBlock Origin (hard mode): Blocks first-party tracking scripts via filter lists. Prevents CNAME-cloaked trackers. Reduces cookie and fingerprint collection surface significantly.
- Firefox with Total Cookie Protection: Partitions cookies per site, breaking cross-site cookie tracking even with first-party cookies allowed.
- Brave Browser: Randomizes fingerprinting APIs, blocks ads/trackers natively, partitions network state. Strong baseline protection out of the box.
- Separate browser profiles: Maintain separate Chrome/Firefox profiles for shopping, social media, and casual browsing. Prevents cross-context fingerprint correlation.
- DNS blocking at network level: Pi-hole or NextDNS block tracker domains at the DNS level before connections are made. Effective against CNAME cloaking.
- Regular session clearing: Clear cookies and local storage regularly to disrupt persistent tracking identifiers, even if fingerprint persists.
Frequently Asked Questions
Does deleting cookies stop tracking?
It disrupts cookie-based tracking but leaves IP, fingerprint, and local storage tracking intact. After clearing cookies, your fingerprint immediately relinks your browsing history if you visit the same sites. IP-based tracking is entirely unaffected by cookie deletion.
What is CNAME cloaking and why is it a privacy problem?
CNAME cloaking uses DNS CNAME records to make third-party trackers appear as first-party subdomains. When your browser sees <code>analytics.site.com</code> setting a cookie, it treats it as first-party — bypassing third-party cookie blocking. ITP in Safari and Firefox Total Cookie Protection have implemented CNAME cloaking detection to partially address this.
Can websites track me even if I use a VPN?
Yes. A VPN hides your real IP but doesn't prevent cookie-based tracking (cookies persist through VPN use), fingerprint-based tracking (your browser fingerprint is unchanged), or login-session tracking (being logged into Google or Facebook de-anonymizes you regardless of VPN). A VPN is one tool in a multi-layer defense, not a complete tracking solution.
What is the most privacy-respecting mainstream browser?
Brave offers the strongest privacy defaults out of the box for a Chromium-based browser: built-in ad/tracker blocking, fingerprint randomization, and global privacy network (Brave's opt-in VPN/proxy layer). Firefox with uBlock Origin and privacy extensions is comparable or superior in some areas and benefits from not being based on Google's Chromium engine. Tor Browser is the most private but impractical for daily use.
