.png)
Ad networks don’t usually “know you” in a single, direct way. They assemble a stitched-together identity from many weak signals collected across different websites.
Think of it less like a passport and more like reconstructing the same person from repeated patterns of behaviour and device traits.
Here’s how that identity merging actually works.
1) The shared tracking script ecosystem (the backbone)
Most websites don’t run their own tracking from scratch. They embed third-party scripts from large ad platforms and analytics providers.
When you visit Site A and Site B, both might load the same tracking code from the same company. That means:
• The same tracking infrastructure sees both visits
• It can compare signals across millions of sites
• It builds a cross-site activity graph
So even if the websites are unrelated, the tracker is the common observer linking them.
2) Cookie syncing (classic cross-site identity linking)
Historically, ad networks used third-party cookies to recognise you. Modern browsers restrict these, so networks evolved:
Cookie syncing process:
You visit Website A → Ad Network X assigns you ID “123”
You visit Website B → Ad Network Y assigns you ID “ABC”
Both networks compare notes via redirects or shared scripts
They map:
“123 = ABC = same browser”
Over time, multiple ad companies merge their separate IDs into a shared identity graph.
Even with restrictions today, similar techniques still exist via first-party contexts.
3) First-party tracking as a workaround (the modern trick)
Because third-party cookies are restricted, companies shifted to:
• first-party cookies (set by the site itself)
• server-side tracking (data sent directly to backend systems)
Example:
You log into Site A
Site A sends behaviour data to its ad partners
Those partners link it to your existing profile
This bypasses browser restrictions because it looks like normal site activity.
4) Fingerprinting as a cross-site “glue”
Even without cookies, ad networks can recognise the same device using fingerprinting.
Across different sites, they compare:
• Canvas/WebGL rendering signature
• screen resolution
• system fonts
• time zone + language
• browser configuration
If enough traits match, they infer:
“This is probably the same device we saw earlier on another site.”
This is especially useful for linking visits that happen:
• without login
• in private browsing mode
• after cookie deletion
5) IP-based linking (weak alone, strong in combination)
IP addresses are not stable identifiers on their own, but they help clustering:
same household = same IP
mobile networks = shared IP ranges
VPN exit nodes = repeated shared IPs
Ad systems use IP as a supporting signal, not a primary identifier.
It becomes powerful when combined with:
• fingerprint match
• timing patterns
• browsing behaviour
6) Behavioural graph building (the real end goal)
Once signals are collected, ad networks build a graph model, not a simple ID list.
They connect:
• devices
• browsers
• logins
• interests
• locations (approximate)
• time patterns
So instead of:
“User = John Smith”
They build:
“Cluster of devices likely belonging to the same user or household”
This is called identity resolution.
7) Login-based identity bridges (the strongest link)
If you ever log into a major platform (Google, Meta, etc.), that becomes a hard identity anchor.
From there:
• browsing behaviour on partner sites can be linked (via embedded scripts or measurement tools)
• ad interactions are tied back to a known account
• cross-device linking becomes easier (phone + laptop + tablet)
This is the closest thing to a “real identity key” in the system.
8) Data brokers (the aggregation layer)
Separate from ad networks are data brokers, which:
• collect data from multiple sources (apps, loyalty cards, public records, ad data)
• merge and sell enriched profiles
They act as a middle layer that helps reconcile:
“this browser identity probably corresponds to this real-world demographic profile”
Putting it all together (how merging actually happens)
A simplified version looks like this:
You visit Site A → fingerprint + cookie ID assigned
You visit Site B → different cookie ID, same fingerprint
Ad network notices fingerprint similarity → links IDs
IP + timing patterns strengthen confidence
Later login on Site C confirms identity match
All data merged into one persistent profile
Result:
multiple “anonymous” interactions become one continuous behavioural identity
Key takeaway
Identity merging isn’t one technique—it’s many weak signals combined statistically:
• cookies (declining but still used)
• fingerprinting (increasing importance)
• login systems (strong anchors)
• IP + behaviour patterns (supporting evidence)
• shared tracking infrastructure (connective tissue)
Individually, each method is imperfect.
Together, they’re often enough to reliably recognise a device or household across the web.
Comments
Post a Comment