The five tracking mechanisms
Online tracking isn't one technology — it's a stack. Most ad networks combine several mechanisms because each has weaknesses individually. Here are the major five:
1. IP address tracking
The simplest. Sites log your IP address with every visit. Combined with a reverse-lookup, this gives them your ISP and approximate city. If your IP doesn't change much (typical for residential users), they can correlate your visits across weeks.
Effectiveness: medium. IPs change occasionally (your ISP might rotate them, you might travel), and big NAT setups (mobile carriers, college campuses) share IPs across many users. Not a unique identifier, but useful as a signal.
A VPN defeats this — sites see the VPN server's IP, not yours. Note that the VPN server IP is also shared with thousands of other users, which actually improves your anonymity at the IP layer.
2. Cookies
The classic web tracking mechanism. A site sets a cookie in your browser with a unique ID. On future visits, your browser sends the cookie back, and the site recognizes you. Third-party cookies extend this across sites: an ad network loaded on Site A and Site B can correlate that you visited both, because the same third-party cookie is sent to them in both contexts.
Modern browsers (Safari, Firefox) block third-party cookies by default. Chrome is in the middle of phasing them out (the "Privacy Sandbox" transition). First-party cookies are still ubiquitous and still effective.
A VPN doesn't affect cookies. Cookies are set and sent by the browser inside your encrypted traffic; the VPN just transports the traffic.
3. Browser fingerprinting
The most insidious modern tracking method. Sites collect attributes about your browser environment — installed fonts, screen size, timezone, language, WebGL renderer, audio processing quirks, etc. — and combine them into a "fingerprint" that's often unique to your device.
EFF's Cover Your Tracks tool will tell you if you have a unique fingerprint. Most desktop browsers do; mobile is somewhat less identifiable due to less variation.
Fingerprinting works across sessions, across cookie clears, across IP changes. It's also harder to opt out of — there's no "fingerprint" setting in your browser. Real defenses: Firefox with privacy.resistFingerprinting set, Tor Browser, or Brave with full shields.
A VPN doesn't affect fingerprinting. Your browser sends the same identifying information regardless of where the traffic is coming from.
4. Account correlation
The most powerful tracking method: knowing your identity because you logged into something. When you sign into Google, Google knows it's you. When Google's ad network (Google Ads) is loaded on a third-party site, that site can query Google's ID to recognize you as the same person.
The Big Three of cross-site account correlation: Google, Facebook, and (less now) X/Twitter. Their identity-resolution systems work across the entire web through their embedded scripts and APIs.
A VPN doesn't affect this at all. If you're logged in, you're logged in. Different IP, same account identity.
5. Mobile advertising IDs
On mobile, every device has a Mobile Advertising ID (MAID): IDFA (Apple), GAID/AAID (Google). Ad SDKs use this to recognize you across different apps on the same device.
Since Apple's 2021 App Tracking Transparency (ATT) policy, iOS apps must ask permission to access IDFA. Most users say no. Android has weaker opt-out by default but Android 13+ improved this. Effectiveness has declined sharply but mobile ad tracking is still significant.
A VPN doesn't affect MAID. The advertising ID is set at the OS level and accessed by ad SDKs running inside apps. The VPN just transports the traffic those SDKs generate.
What a VPN actually helps with
Summarizing from the above:
| Tracking method | Defeated by VPN? | What helps |
|---|---|---|
| IP-based | Yes | VPN replaces your IP |
| Cookies (first-party) | No | Private browsing, cookie blockers |
| Cookies (third-party) | No | Modern browsers (Safari, Firefox, Brave) block by default |
| Browser fingerprinting | No | Firefox resistFingerprinting, Tor, Brave |
| Account correlation | No | Log out, use separate browsers for separate accounts |
| Mobile advertising ID | No | OS settings → disable / reset advertising ID |
One in six. A VPN moves the needle on the most basic tracking method but leaves four others untouched. The implication: if your goal is "reduce online tracking," a VPN is one tool of several.
The actual anti-tracking stack
For meaningful tracking reduction (without going full Tor):
- Content blocker. uBlock Origin on desktop, AdGuard on mobile, or use Brave Browser which has it built in. Blocks ad networks and trackers at the request level.
- Privacy-focused browser. Firefox with Enhanced Tracking Protection, Brave, or DuckDuckGo Browser on mobile.
- VPN. Covers IP-level tracking, plus the network-layer privacy from your ISP.
- Account hygiene. Stay logged out of cross-site identity providers (Google, Facebook) when browsing sites that don't require them. Use Firefox Multi-Account Containers or browser profiles to isolate identity contexts.
- Mobile MAID controls. iOS: Settings → Privacy & Security → Apple Advertising → Personalized Ads off. Android: Settings → Privacy → Ads → Opt out of personalization + Reset advertising ID periodically.
- Browser fingerprint resistance. Firefox privacy.resistFingerprinting in about:config, or use Tor Browser when fingerprint resistance matters most.
Layered defense. No single tool blocks everything; the combination substantially reduces what trackers can build.
Our position
We solve the IP-level layer of this stack. We're honest that we don't solve cookies, fingerprinting, account correlation, or MAID — those need other tools. We don't ship a content blocker (different product), don't ship a browser (different product), don't ship MAID-management (it's an OS feature).
For the IP layer, we're a good free option. For the rest, the tools above are the answer.