Valtik Studios
Ad Tech | high | 2026-04-16 | 16 min

How 200 Companies Learn Everything About You in 100 Milliseconds

Real-Time Bidding broadcasts your browsing data to hundreds of companies in under 100ms per page load. A deep dive into browser fingerprinting, cross-device tracking, and online profiling with data privacy implications.

What your profile actually contains

Every major ad platform keeps a detailed profile of you that's more complete than anything in your own files. It is built without asking. It is updated every time you open a page, a tab, or an app. It is traded in real time to hundreds of companies you have never heard of, multiple times per second, for every URL you visit.

This isn't an exaggeration. It's the architecture of the modern ad-supported web.

If you have never checked, open [myadcenter.google.com](https://myadcenter.google.com). The page shows Google's inferred demographics: age range, gender, parental status, relationship status, household income bracket, employer industry, homeownership, estimated education level, and an inferred-interests list that often runs 300+ categories deep. You never told Google any of this directly. It was inferred from your search history, YouTube views, Gmail, Chrome browsing, Android usage, and the physical locations you visit.

Facebook / Meta maintains an equivalent profile. So does TikTok. So do Amazon, Microsoft, Apple (to a lesser degree), and dozens of data brokers you do not know by name.

Real-Time Bidding: the worst leak on the internet

Every ad slot on every page you visit that uses programmatic advertising runs through Real-Time Bidding (RTB). The workflow:

  1. You load a page with an ad slot.
  2. The publisher's ad server constructs a bid request describing the slot *and describing you*.
  3. That bid request is broadcast to hundreds of demand-side platforms (DSPs) and ad networks simultaneously.
  4. Each recipient has roughly 100 milliseconds to evaluate the request and return a bid.
  5. The highest bidder wins, serves the ad, and pays.

The bid request is where the damage happens. A typical RTB bidstream payload includes:

  • Precise device identifier (IDFA on iOS before App Tracking Transparency, GAID on Android)
  • User-agent, screen resolution, OS version, browser
  • Coarse geolocation (often lat/lon to ~100m precision)
  • IP address
  • URL of the page being loaded (including query strings — which often contain PII)
  • Segments the user has been tagged with ("in-market for cars," "recently pregnant," "LGBTQ," "diabetic")
  • Cookie IDs and hashed emails enabling cross-site linking
  • First-party context from the publisher (user account ID, session data)

Every one of the hundreds of recipients gets a copy of that payload, whether they actually bid or not. The Irish Data Protection Commission estimated that a typical browsing session leaks this data to 2,000+ companies per day. Dr. Johnny Ryan's research documented U.S. military personnel bidstream data being sold to Russian and Chinese buyers via intermediaries.
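To make the payload concrete, here is an added example (not from the original article or any ad platform's code): a constructed bid request using OpenRTB 2.x field names, and a publisher-side filter that strips or coarsens the fields listed above before the request is broadcast. The function names `minimizeBidRequest` and `truncateIPv4` are hypothetical, and every value in the sample is made up.

```javascript
// Constructed sample using OpenRTB 2.x field names; every value is made up.
const sampleBidRequest = {
  id: "req-0001",
  site: {
    domain: "health.example",
    page: "https://health.example/drugs?q=lisinopril&email=a%40b.example",
  },
  device: {
    ua: "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0",
    ip: "203.0.113.77",
    ifa: "00000000-aaaa-bbbb-cccc-000000000001",
    geo: { lat: 53.34981, lon: -6.26031 },
  },
  user: {
    id: "pub-account-8841",
    buyeruid: "dsp-cookie-77f2",
    eids: [{ source: "idbroker.example", uids: [{ id: "hashed-email-abc" }] }],
    data: [{ name: "segments", segment: [{ id: "health-hypertension" }] }],
  },
};

// Zero the last octet of a dotted-quad IPv4 address; return null for anything else.
function truncateIPv4(ip) {
  const parts = String(ip).split(".");
  return parts.length === 4 ? [...parts.slice(0, 3), "0"].join(".") : null;
}

// Hypothetical publisher-side filter: returns a copy with identifying fields
// removed or coarsened. The input object is not modified.
function minimizeBidRequest(req) {
  const out = JSON.parse(JSON.stringify(req));
  if (out.site && out.site.page) {
    const u = new URL(out.site.page);
    out.site.page = u.origin + u.pathname; // drop query string and fragment
  }
  if (out.device) {
    delete out.device.ifa; // advertising ID (IDFA/GAID)
    const ip = out.device.ip && truncateIPv4(out.device.ip);
    if (ip) out.device.ip = ip; else delete out.device.ip;
    if (out.device.geo) {
      // One decimal place is about 11 km of latitude, not ~100 m.
      out.device.geo.lat = Math.round(out.device.geo.lat * 10) / 10;
      out.device.geo.lon = Math.round(out.device.geo.lon * 10) / 10;
    }
  }
  delete out.user; // account ID, cookie ID, hashed email and segments
  return out;
}
```

What remains after filtering is the slot, the page path, the user-agent, a /24 network and a city-scale location, which is the difference between contextual and behavioural targeting.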

January 2026 Google settlement. The $23M RTB class action settlement forced Google to create an "RTB Control" surface that lets users see and limit bidstream participation for their own Google Account. It is the first practical consumer-facing remedy. Most users do not know it exists.

Canvas, WebGL, AudioContext: the fingerprint triangle

Cookies are cleanable. Browser fingerprinting isn't.

Canvas fingerprinting: a site instructs your browser to draw a specific image (usually text with emoji, non-Latin characters, and curved paths) on an HTML5 canvas, then reads back the pixel values. Tiny differences in GPU, GPU drivers, OS-level font rendering, and anti-aliasing implementation produce a consistent image for your device that differs from nearly every other device. Uniqueness rate: ~60-70%.

WebGL fingerprinting: queries the WebGL renderer for detailed GPU info, supported extensions, maximum texture size, and rendering artifacts. Uniqueness rate: ~40-60%.

AudioContext fingerprinting: generates an oscillator tone, passes it through the browser's audio processing graph, and reads back the waveform. Minute differences in audio-stack implementation produce a stable per-device signature.

Combined with user-agent, screen resolution, installed fonts (via CSS font-face probing), installed browser extensions (via DOM-injection detection), and HTTP Accept headers, the combined fingerprint identifies 80-90% of browsers uniquely and remains stable across cookie deletions, incognito mode, and VPN switching.
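The canvas technique described above leaves a recognisable call pattern, which is how an auditor or a privacy extension can flag it. The following is an added example, not code from the original article: a simplified heuristic applied to a log of canvas API calls. The log format (including the `setSize` event), the function name `looksLikeCanvasFingerprinting` and the thresholds are assumptions, and the sample log is constructed.

```javascript
// Constructed log of canvas API calls, one entry per call, as an instrumented
// browser or extension might record them. "setSize" stands for a width/height
// assignment; the whole format is an assumption of this example.
const sampleLog = [
  { script: "https://cdn.tracker.example/fp.js", canvas: 1, call: "setSize", width: 240, height: 60 },
  { script: "https://cdn.tracker.example/fp.js", canvas: 1, call: "fillStyle", value: "#f60" },
  { script: "https://cdn.tracker.example/fp.js", canvas: 1, call: "fillText", text: "Cwm fjordbank glyphs vext quiz \u{1F603}" },
  { script: "https://cdn.tracker.example/fp.js", canvas: 1, call: "fillStyle", value: "#069" },
  { script: "https://cdn.tracker.example/fp.js", canvas: 1, call: "fillText", text: "Cwm fjordbank glyphs vext quiz" },
  { script: "https://cdn.tracker.example/fp.js", canvas: 1, call: "toDataURL" },
  { script: "https://game.example/engine.js", canvas: 2, call: "setSize", width: 800, height: 600 },
  { script: "https://game.example/engine.js", canvas: 2, call: "fillText", text: "Score" },
  { script: "https://game.example/engine.js", canvas: 2, call: "save" },
  { script: "https://shop.example/thumb.js", canvas: 3, call: "setSize", width: 8, height: 8 },
  { script: "https://shop.example/thumb.js", canvas: 3, call: "toDataURL" },
];

// Flag a canvas when text was drawn (>= 10 distinct characters, or any text in
// >= 2 colours), the canvas is at least 16x16, and the pixels were read back.
// Returns the URLs of the scripts that own the flagged canvases.
function looksLikeCanvasFingerprinting(log) {
  const byCanvas = new Map();
  for (const e of log) {
    const key = `${e.script}#${e.canvas}`;
    if (!byCanvas.has(key)) {
      byCanvas.set(key, { script: e.script, w: 0, h: 0, chars: new Set(), colours: new Set(), readback: false });
    }
    const c = byCanvas.get(key);
    if (e.call === "setSize") { c.w = e.width; c.h = e.height; }
    else if (e.call === "fillStyle") c.colours.add(e.value);
    else if (e.call === "fillText") for (const ch of e.text) c.chars.add(ch);
    else if (e.call === "toDataURL" || e.call === "getImageData") c.readback = true;
  }
  const flagged = [];
  for (const c of byCanvas.values()) {
    const richText = c.chars.size >= 10 || (c.chars.size > 0 && c.colours.size >= 2);
    if (c.readback && c.w >= 16 && c.h >= 16 && richText) flagged.push(c.script);
  }
  return flagged;
}
```

Only the first script is flagged: the game draws text but never reads pixels back, and the thumbnail script reads back an 8x8 canvas with no text, which carries too little rendering detail to serve as a fingerprint.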

Chrome as of April 2026. Chrome still lacks meaningful fingerprinting defenses. Google has publicly prioritized its own Privacy Sandbox (which it cancelled in October 2025 for Chrome) over blocking fingerprinting. The only browsers with genuine fingerprinting resistance: Tor Browser, Brave (with aggressive shields), LibreWolf, and Mullvad Browser.

Cross-device graphs

Advertisers don't want to track your phone, your laptop, and your tablet as three separate users. They want to unify them into one identity. Three techniques do the heavy lifting.

Deterministic linking: you log into Google, Facebook, or any major platform on all three devices. Same account ID, same user. This is the highest-confidence signal and it's available any time you use a platform that runs on multiple devices.

Probabilistic linking: devices are matched via IP address (devices on the same network), Wi-Fi SSIDs, behavioral patterns (all three devices browse the same niche sites at similar times), location co-presence, and timing patterns. Probabilistic linking is roughly 80-90% accurate at scale.

Ultrasonic cross-device tracking: some apps and web pages play ultrasonic audio (~18-20 kHz, inaudible to humans) that nearby devices with microphones can detect. The receiving device reports the tone, linking the two devices as co-located. This was documented in 234 Android apps as far back as 2017 (Braun et al., TU Braunschweig). The practice has declined but not disappeared.

Bluetooth Low Energy beacons: the offline tracking layer

The BLE beacon industry is projected to grow from $22.7 billion in 2025 to $718.6 billion by 2033. Most of that growth is retail and logistics. A meaningful chunk is consumer tracking.

How it works: retail locations, transit systems, stadiums, and many municipal areas deploy small BLE beacons that broadcast a UUID every few seconds. Apps on your phone (including some you probably do not realize) listen for those UUIDs and report to a cloud service every time they see one, along with a timestamp and GPS location. The cloud correlates: "device X was near beacon B at time T."

Aggregated across millions of beacons and tens of thousands of apps, this produces a physical-world movement graph. Advertisers use it for attribution ("did the user who saw the ad walk into the store?"). Data brokers use it to enrich profiles ("user X visits methadone clinics, gun ranges, fertility clinics").

The app that's actually doing the tracking usually has a plausible excuse for needing Bluetooth or location permission: a weather app, a coupon app, a retailer loyalty app. The tracking rides along as a side-channel.

The identifiers that were supposed to die

Apple IDFA (Identifier for Advertisers). Opt-in required since iOS 14.5 (April 2021) via App Tracking Transparency. Current opt-in rate: 25-30%. For the 70-75% of users who deny, advertisers fall back to probabilistic fingerprinting and Apple's own SKAdNetwork attribution. Less granular, but still plenty for profile construction.

Google Advertising ID (GAID). Android's equivalent of IDFA. Still alive and kicking. Google announced the Privacy Sandbox as GAID's replacement, then killed the Privacy Sandbox for Chrome in October 2025 and quietly shelved any firm GAID deprecation date. As of April 2026, GAID remains fully functional and the default on nearly every Android device.

Third-party cookies in Chrome. Google reversed course in July 2024. Chrome still supports them. Safari and Firefox block them by default. This is the single biggest reason Chrome profiles are more detailed than Safari profiles.

What an actual enrichment chain looks like

This isn't theoretical. Here's how a single page load builds out a profile entry:

  1. You search for "blood pressure medication side effects" on Google.
  2. Google logs the query against your Google account.
  3. You click a WebMD link. WebMD loads. WebMD's page has 40+ third-party trackers (Google Ads, Facebook Pixel, Taboola, Outbrain, Criteo, LiveRamp, The Trade Desk, etc.).
  4. Each tracker fires a bid request to RTB. The bid request includes your IDFA, your IP, coarse geolocation, and the URL — which contains the medication name in the query string.
  5. The bid request gets broadcast to ~300 DSPs. All 300 store a copy tagging you as "interested in hypertension medication."
  6. One DSP wins the auction and serves you an ad for a hypertension drug.
  7. Separately, Facebook Pixel fires on the page load. Even if you're logged out of Facebook, the pixel still sees your IP, your fingerprint, and the URL. Facebook correlates to your logged-out profile via its shadow-profile system.
  8. 30 seconds later, you open Facebook in another tab. Facebook serves you a hypertension drug ad. You never mentioned hypertension on Facebook. You didn't click anything. The data traveled.
  9. LiveRamp (an identity-resolution broker) picks up a version of the bid request. It correlates your IDFA to your email address via previous first-party data shares, then sells the "hypertension" tag to insurance quote aggregators.
  10. Your auto and health insurance quotes, when you eventually request them, reflect the underwriting company's purchased segment data. You never consented to any of that. You searched WebMD for a medication.

What actually stops it

Most effective, ranked:

  1. Tor Browser for anonymous browsing. Strongest fingerprinting resistance, no persistent identity. Slow, and breaks many sites.
  2. Brave with aggressive shields as a daily driver. Blocks most trackers, randomizes fingerprint surfaces, has reasonable site compatibility.
  3. uBlock Origin + Firefox with the privacy.resistFingerprinting = true setting. Free, works on an existing install.
  4. DNS-level blocking with NextDNS or Pi-hole + tracker/ad/analytics blocklists. Blocks tracking even in apps where browser extensions cannot reach.
  5. iOS App Tracking Transparency, set to deny all. Cuts IDFA-based tracking substantially.
  6. Disable Google Advertising ID in Android Settings → Privacy → Ads. Resets the ID and opts out of personalized ads. Does not fully stop probabilistic tracking.
  7. VPN. Useful for IP-layer concealment. Doesn't stop fingerprinting, cookies, or logged-in tracking.
  8. Ad blockers in-browser. Blocks ad loading, which blocks many (but not all) trackers. Doesn't stop first-party analytics.

What doesn't meaningfully help:

  • Incognito mode. Does not block fingerprinting. Does not block trackers.
  • Deleting cookies. Fingerprints persist.
  • Private browsing in most browsers. Same problem as above.
  • "Do Not Track" header. Voluntary. Almost universally ignored.
  • Opting out on individual ad network sites. You would need to visit every ad network's opt-out page. Each opts you out via a cookie. The cookies expire or get deleted. The opt-out is gone.

The regulatory reality

GDPR (EU) and CCPA/CPRA (California) have forced opt-in cookie banners but haven't meaningfully reduced profiling. The banners are often dark-patterned to push users toward consent. Publishers argue economic necessity. Enforcement has been inconsistent.

The Irish DPC's 2025 ruling against IAB Europe's Transparency and Consent Framework forced structural changes to the European bidstream but didn't stop the practice. U.S. state privacy laws (CCPA, Colorado, Virginia, Connecticut, Utah) provide opt-out rights that most consumers do not exercise.

The honest summary. The regulatory regime slows profile enrichment at the margins. It doesn't eliminate the profile.

What actually matters

The profile exists. It's more detailed than you realize. It's shared more widely than you realize. The legal and technical systems built to moderate the practice have had limited effect. The practical question isn't "should I care." It's "which of my activities do I want in the profile, and which do I want out."

For activities I want out of the profile: Tor Browser, paid VPN, phone in Faraday bag, separate email, separate devices. For activities I'm fine being tracked on: any browser.

That is the decision framework. Everything else is noise.

Sources

  1. [Real-Time Bidding Systems — Irish Council for Civil Liberties (ICCL)](https://www.iccl.ie/digital-data/rtb-report/)
  2. [Johnny Ryan — The Biggest Data Breach Ever Recorded](https://www.iccl.ie/digital-data/biggest-data-breach/)
  3. [Google RTB Settlement 2026 — Reuters Coverage](https://www.reuters.com/legal/google-rtb-settlement/)
  4. [How Unique Is Your Web Browser? — Panopticlick / EFF](https://coveryourtracks.eff.org/)
  5. [Canvas Fingerprinting in the Wild — Acar et al. (CCS 2014)](https://dl.acm.org/doi/10.1145/2660267.2660347)
  6. [Ultrasonic Cross-Device Tracking — Arp et al. (TU Braunschweig, 2017)](https://christian.wressnegger.info/content/projects/sidechannels/2017-eurosp.pdf)
  7. [App Tracking Transparency Opt-in Rates — Flurry Analytics (2023)](https://www.flurry.com/blog/ios-14-5-opt-in-rate-att-restricted-app-tracking-transparency/)
  8. [BLE Beacon Market Projection — Business Research Insights 2025](https://www.businessresearchinsights.com/market-reports/ble-beacon-market-100540)
  9. [Chrome Privacy Sandbox Cancellation — The Register, Oct 2025](https://www.theregister.com/2024/07/22/google_privacy_sandbox/)