.png)
Google and Meta don’t “magically” know your phone and laptop are yours.
They build that link by stitching together multiple overlapping signals until the probability becomes very high.
Here we’ll break down how each company typically does it in practice.
1) The core idea: identity graphs
Both Google and Meta Platforms build what’s called an identity graph.
Instead of:
“This is user X”
They store:
• devices
• browsers
• app sessions
• login events
• IP history
• behavioural patterns
..and connect them with confidence scores like:
“These devices likely belong to the same person or household”
2) The strongest link: login accounts
If you’re signed into:
• Gmail
• YouTube
• Chrome
• Android
…you’ve essentially provided a hard identity anchor.
Once logged in:
• laptop browser ID
• phone app ID
• tablet session
..all get tied to the same Google Account automatically. Even if you switch devices, the login connects them instantly.
Meta
Same idea with:
• WhatsApp (partial linkage depending on settings)
If you log in on:
• phone app
• laptop browser
Meta immediately links those sessions under one identity.
3) Device IDs (especially on mobile)
Phones are much easier to link than browsers.
On mobile:
• Android Advertising ID (resettable but persistent in practice)
• iOS Identifier for Advertisers (IDFA, now heavily permissioned but still used when allowed)
• app installation IDs (per-app unique identifiers)
These allow Meta/Google apps to recognise:
“this is the same device as before”
4) Cross-device login stitching (the big bridge)
Once you log into the same account on multiple devices:
Example:
• Phone logs into Instagram at 8am
• Laptop logs into Instagram at 8:10am on same Wi-Fi
System infers:
• likely same person, different devices
Over time:
• repeated overlaps
• shared locations
• consistent timing
..build a strong device cluster.
5) IP + network correlation (supporting evidence)
Even though IPs change, they still help connect devices:
If your:
• phone and laptop frequently appear on the same Wi-Fi IP 》at similar times 》accessing same accounts
That becomes a strong signal that they belong together.
Even mobile data helps:
• same carrier ranges
• same region patterns
• repeated co-occurrence
6) Browser + app fingerprinting
On web (laptop)
They can use:
• canvas/WebGL fingerprint
• fonts
• screen resolution
• extensions
• time zone
In apps (phone)
They use:
• device model
• OS version
• battery / hardware signals (limited, privacy-restricted)
• app-level identifiers
Apps are often more stable identifiers than browsers.
7) Behavioural linking (surprisingly powerful)
They look for patterns like:
• same YouTube videos watched on phone and laptop
• same Instagram accounts engaged with similar search queries
• similar activity times (morning commute vs evening browsing)
Even without explicit login, behaviour can suggest linkage.
8) “Probabilistic matching” (how they actually decide)
They don’t need certainty. They use scoring systems like (Signal / Weight):
Same login account: Very high
Same device ID: Very high
Same Wi-Fi network: Medium-high
Similar fingerprint: Medium
Similar behaviour: Medium
Same IP occasionally: Low-medium
When enough signals stack up:
“Device A and Device B likely belong to same user”
9) Real-world example
Let’s say:
Morning:
• Phone opens Instagram on home Wi-Fi
• Watches reels
Afternoon:
• Laptop logs into Instagram at work/home VPN
System sees:
• same account login → strong link
• similar browsing patterns → behavioural reinforcement
• overlapping IP history → weak but supportive
Result:
• phone + laptop = same identity cluster
Even if they never directly “share a cookie.”
10) What breaks this linkage (and what doesn’t)
Hard to break:
• logging into Google/Meta accounts
• mobile app usage
• repeated cross-device behaviour
Easier to reduce:
• browsing without login
• separating browser profiles
• using privacy browsers (like Tor for web only)
• limiting app permissions
Still works despite privacy tools:
• account-based identity linking (strongest factor)
• app-level tracking (especially mobile)
Key takeaway
Google and Meta don’t rely on one method. They build confidence through overlap:
“We don’t need to know for sure—just that it’s highly likely.”
So your phone and laptop become linked not because of a single identifier, but because:
• they repeatedly show up together
• in similar contexts
• under the same accounts
How Google/Meta link people in the same household
Both Google and Meta Platforms don’t just track individuals—they build household-level identity graphs.
That means they often model:
“these 2–5 devices likely belong to the same real-world home”
A) Shared Wi-Fi (the strongest household signal)
If multiple devices regularly appear on the same:
• home broadband IP
• router fingerprint (yes, indirectly inferred)
• time window (evenings, weekends)
They get grouped as:
“co-located devices”
Example pattern:
phone + laptop + smart TV all appear on same IP every evening
→ very strong household cluster signal
B) Co-usage timing patterns
Households have repeatable rhythms:
• morning activity (phone-heavy)
• daytime laptop activity (work/school)
• evening shared Wi-Fi usage
If devices consistently overlap in:
• time of day
• location
• activity bursts
Systems infer shared physical environment.
C) Shared login or shared services
Household members often:
• log into the same streaming accounts
• use the same YouTube recommendations on shared devices
• cast to the same TV (Chromecast, etc.)
This creates explicit cross-device bridges:
“device A and B both used account X”
D) Smart devices as anchors (important one)
Things like:
• TVs
• smart speakers
• Chromecast / casting devices
..act as stable household identifiers because:
• they rarely move
• always stay on the same network
• are used by multiple people
These devices often become “hub nodes” in the identity graph.
E) Behavioural clustering
Even without login or shared accounts, systems look at:
• similar browsing interests
• overlapping app usage times
• shared location signals (home + school/work patterns)
Then they use statistical clustering:
“These devices behave like they belong to the same environment”
What this enables
Once a household cluster is built, platforms can:
• infer age ranges (e.g. parent vs child devices)
• target ads to “household decision makers”
• predict shared purchasing behaviour (cars, groceries, etc.)
• avoid showing the same ad too many times per household
They don’t need to know who is who immediately.
They just build:
“these devices are co-located often enough that they likely belong to one household”
Then refine from there.
How logged-out tracking works (the sneaky one)
This is the part most people underestimate.
Even if you:
• don’t log in
• clear cookies
• use private browsing
..you are still partially trackable through anonymous identifiers and pattern recognition.
First-party tracking scripts (silent backbone)
Many websites include analytics/ads scripts from Google/Meta.
So when you visit a site:
• the site itself sends data to Google/Meta
• not your browser directly
That data includes:
• page views
• clicks
• time spent
• device/browser characteristics
Even without login, your visit is still recorded as:
“anonymous browser session X”
Fingerprinting without identity
Even logged-out, your browser still exposes:
• screen size
• GPU behaviour
• fonts
• timezone/language
• browser version
So systems can say:
“this looks like a browser we’ve seen before”
Not a name—just a persistent anonymous profile.
Click & navigation graphs
Ad networks don’t just track sites—they track paths:
Example:
• you click Ad on Site A
• visit Site B
• spend time on Product Page C
Even without login, that sequence becomes part of a behavioural signature.
So your identity becomes:
“a pattern of navigation events”
IP + session stitching (weak alone, strong combined)
Even if IP changes:
• short-term consistency (same session, same ISP region)
• repeated return visits
• similar fingerprint
..lets systems probabilistically link sessions:
“this anonymous session is likely the same browser as yesterday”
“Conversion attribution” systems (big one in ads)
This is how ad platforms measure effectiveness.
If you:
• see an ad (logged-out)
• later visit a site
• perform an action (purchase, signup, etc.)
They try to connect:
• ad exposure event
• later behaviour event
This is done using:
• click IDs
• browser fingerprint matching
• server-side event matching
So even without identity, they can say:
“this anonymous user was influenced by ad X”
Why logged-out tracking still works well
Because modern tracking doesn’t require identity.
It only needs:
• stable device fingerprint
• repeatable behaviour patterns
• enough repeated observations
Over time:
anonymous session → semi-stable profile → inferred identity cluster
The combined system (household + logged-out tracking)
This is where it becomes powerful:
• Logged-out browser on laptop → anonymous profile A
• Phone on same Wi-Fi → anonymous profile B
• Smart TV → profile C
Over time:
A, B, C appear together repeatedly
→ grouped into one household cluster
→ later partially linked to logged-in identity if any device signs in
So identity emerges gradually:
anonymous → cluster → household → individual (if login occurs)
Key reality check
Even without cookies or login:
• you are usually not “named”
• but you are often recognisable as the same device or household cluster
Tracking today is less about knowing who you are and more about:
“can we reliably recognise this pattern again?”
Comments
Post a Comment