Hiding Your IP Doesn't Affect Tracking

IP addresses alone are less identifiable than you think.

Hiding Your IP Doesn't Affect Tracking
Photo by Tobias Tullius / Unsplash

The IP address is one of the most marvel pieces of computer networking to exist. Without it, the internet as we know it wouldn't work. I wouldn't blame you for thinking that an IP address is something you need to keep sacred from all sorts of prying eyes, and it's how every single company in existence tracks you. That may have been true in the past, however, the concept of tracking has evolved beyond the IP address. You'll either be very surprised as to how little an IP address matters or you have known this all along.

WTF is an IP address?

An IP address, or in full terms an "Internet Protocol" address, is the minimal basis for identifying devices. Think of it as virtual street addresses, so your erotic narwhal fanfiction gets delivered to your screens only and not your neighbors down the road. That'd be very embarrassing. Every networked device in existence has an IP address, so it can communicate with devices to its heart's content. Right now you might be thinking "if every single device has an IP address, wouldn't that be identifiable?" and I wouldn't blame you. But, unless you're running some kind of server you likely have two IP addresses on any network you're on.

The Local Area Network and NAT

A local area network is a network that is cut off from the broader reaches of the internet. Like regular networks, they assign your device a specific IP address such as This is handy for several reasons, one being devices on your network can communicate seamlessly without needing internet, but these days IoT garbage still relies on the cloud when it doesn't need to be.

But this doesn't do much help when you want to access the latest spicy memes at your cheesy fingertips from Doritos. This is where NAT or Network Address Translation comes in, and it will send traffic from your device to your router. Your router will intelligently send and receive traffic on your behalf and send it back to your device, all while keeping your memes safe from anyone else in your house. These fundamentals founded the internet and the glorious communication era as we know it. What good would it have been if computers could just talk to themselves? They have feelings of loneliness too.

However, that means you also have a public-facing IP address that is assigned to your router. This is the IP address that you use to talk to websites and other assorted internet things. This IP address is usually given to you by your internet service provider (ISP).

So what does that have to do with anything?

This means that in almost all cases, servers cannot see your local IP address. They don't need it because they can't access it. Everything has to be talked out between the server and your router, which is acting as your very own exclusive bouncer making sure that only allowed traffic is getting in and out. Almost every router has a firewall that smartly allows traffic that you established and other things you may have configured, like port forwarding.

So at the most, servers would have your public IP address to work with. You can check your public IP address on many websites, or search it into Google/DuckDuckGo and it'll tell you. Your public IP address, at first glance, contains a variable amount of information. This can include:

  • Your Internet Service Provider
  • Your approximate geolocation, such as your region/city/country
  • At the ISP level, your account info (such as name/address, which websites cannot see)

Spooky stuff, I know. If I ran a server and you connected to it, I would see your public IP address. That could give me a guess as to where you are in the world, and combined with info I might know about you, it could theoretically be possible to narrow down a search. However, if you're a normal user browsing I can't identify you based on your IP alone. I need more information than that. There are also additional reasons why trying to say "haha I got your IP" is an empty threat.

Your IP changes ALL the time

Some things in life aren't meant to stay the same, and it sure applies to your IP address. Unless you're living comfortably up in the mountains, chances are you have a phone or laptop you carry around. When you leave your house to go to work or a friend's place, you are likely connecting to other networks around you. Sipping on your overpriced latte at Starbucks using their WiFi? You're on another network, and you've got a different public IP address.

Chances are, just simply unplugging your router for a few minutes and plugging it back in will give you a new one too. Sound like magic? It isn't really, your internet service provider just gave you something called a dynamic IP address. Your ISP likely does this to save on IP space since currently, we are running short. Likely also to avoid nonstop calls because you talked trash in a Call of Duty or GTA Online lobby and got DDoS'd because those games run on peer-to-peer technologies.

Your ISP could have even taken it a step further and integrated this technology called carrier-grade NAT. In layman's terms, this sits a router between well... your router. This can mean that your IP address can change at any time and without you even doing anything. Just simply visiting another website can change it. If that's the case, I feel happy and sad for you. Happy because you've got a nice IP shuffler on the fly, and sad because you can't do cool things like hosting stuff without VPN or other alternatives.

Users & Liability

You may not be aware, but because of this structure, every device on the network shares the same public IPs. This is why in typical institutions like businesses and schools, traffic auditing and network firewall policies are put into place. Without it, there would not be much of a way to know who accessed what, and to process data accordingly. These are the technical shortcomings of an IP address.

VPN providers have also used this claim. Because the VPN is not an ISP nor an IP provider, they cannot be held responsible for traffic that is passed through their network. The provider did not engage in this traffic, therefore it cannot be applied here.

Some United States courts have also ruled on the actual legal standing of IP addresses being enough to sue someone for DMCA violations. In 2018, a ruling was given in a BitTorrent-related case, Cobbler vs Gonzales. The judge ruled that the subscriber of the IP address was not liable for infringement and dismissed Cobbler's complaints for failure to state a claim.

Approximate means approximate

Locations for IP addresses can be wrong like you accidentally put the wrong address into Uber when you're drunk. ISP's don't usually provide this information to geolocation databases like MaxMind and instead they rely on external traffic to determine it. This could lead to your IP address appearing as if it's in another city, state, or even country. If you want to see for yourself, iplocation.net aggregates IP geolocation data with a majority of providers. You might see that your IP address appears in other cities, or it might all be in your relative region.

On one hand, this can give tracking companies some insight as to where users are. This is also useful for streaming and news companies to serve region-based content, such as local news and what's popular around your area.

But on the other, there isn't much to be done here. Companies are well aware that IP address geolocation data can be unreliable, and instead moving to other solutions which are arguably even more invasive. Web browsers and phones have become the largest goldmine in the world when it comes to your information, and they are taking advantage of this to the absolute most.

Tracking beyond the IP address

Within the last decade, major advancements in terms of user identification and cross-service tracking have been made. Almost all of them have been centric around ridding the IP address from their toolbox and only using it as a small point to maybe determine your general location.

Geofencing & Location Access

You might have seen that sites are starting to get too comfortable with the permissions that they request. One of them is permission to collect location or to collect a "geofenced" location. If you granted the service an exact location, they can see where you are at all times when you're using the site. This is 10 times better than an IP address, not because they can serve you relative data but they can sell this off to third-party marketers for higher markups. Money talks.

But, maybe you're a bit smarter than that and only granted them geofence or partial access. If that's the case they can only see the specific area you're in, which can be a mile or two. This is still a LOT better than an IP address though since an IP can be many miles away as reported.

Third-Party Cookies

If there's a time to check for the Cookie Monster, it's right now because there's an unholy amount of cookies he can eat. Many sites you visit embed JavaScript code that injects scripts from external resources. Among these resources include advertising, analytics/metrics, tracking, and well more tracking. These cookies are allowed to stay in your browser and track you across every single site you visit which has the same code. If you've noticed that you search for reviews on that industrial-grade hair dryer you're having second thoughts about and then getting bombarded with advertisements for hairdryers on every single site, third-party cookies might have something to do with it. Yuck.

The good news is that more modern browsers are beginning to restrict/block third-party cookies. This means that these little devils can't track you as easily across the web, but the Cookie Monster is sad because there are fewer cookies to eat. Sorry, it's for the better.

BUT, the bad news is that these scheming folks did not stop at third-party cookies.

Browser Fingerprinting

Browser fingerprinting is arguably one of the most accurate ways to track someone online. Rather than focusing on cookies till the end of time, scripts will instead gather information about your device. This is possible thanks to browsers' APIs spreading its legs, allowing you to determine installed fonts, enabled sensors, screen resolution, type of device (mobile/desktop), the operating system, version of OS, extensions you have installed, and so much more. All of this information gets combined to generate a unique fingerprint of your browser which escapes the conventional incognito mode which you totally don't use for porn.

If you don't believe me, head on over to fingerprintjs.com and let it get a fingerprint. Then, fire up your private mode and go back. You might notice that even with an IP change it is still able to fingerprint your browser unless you use one that blocks or mitigates it.

What's even worse is that it is now possible to fingerprint your browser without JavaScript, thanks to CSS magic. Wonderful.

Browser fingerprinting is the leading way to track someone online in 2021, and there's little that can be done to stop it. Before you say it, no, an IP change will not help you.

Device Identification

Following browser fingerprinting, applications and websites can determine specific things about your device without that. Every browser sends something called a user agent. A user agent looks like this:

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36

From this string of information, I can determine the following:

  • You are using Windows 10
  • You are using a 64-bit edition of the operating system
  • You are using Chrome 95, or a Chromium browser

Additionally, browsers send headers that can determine other things:

  • Encoding accepted
  • Referer (extremely important!)
  • Language

The browser referer can contain the site you last visited. Whenever you click on a hyperlink to go to another page, it will send the website where you came from. As I said with third-party cookies, however, browsers are starting to phase this out. However, it can tell the site where you were last which can almost certainly be used to track you.

Hiding your IP doesn't fix these problems

As you just saw, the issue at hand does not involve just your IP address alone. Browsers and apps are the nosiest pains in the ass you will ever meet in your life, and their name isn't Karen. Browsers have been taken advantage of for trackers to collect more data than they need, and the apps we use every day are snooping on your device's sensors and taking advantage of user permissions to build a unique identifier and track you everywhere. But, the money-making machine that is VPN advertising doesn't want to tell you that and would prefer you spend money on a service that doesn't stop these problems effectively enough.

Also, advertisers/trackers are fully aware of the limited amount of information an IP address can give, which is why they have shifted to other tools to track and collect data on users with more accuracy. Humans can be too trusting, and with some psychology, they can be easily tricked. However, there is the lowest of the low where all of this happens under your noses.

When hiding your IP is useful, and how to fix these problems

With all that said, however, there are still very legitimate reasons to hide your IP address. Maybe you're looking to access Netflix or region-locked content in another country, or you're torrenting Linux ISO's like the good moral people of society you are, or to not get DDoS'd because some companies refuse to use dedicated servers for games.

In addition, while as I've made a long article about how IP addresses are not that identifiable as you think, they are still just one dataset. If you're looking to make it just a fraction bit harder, then sure.

Whatever the case is, those reasons mentioned above can be good reasons to use a VPN or other IP masking tools.

But all of this means squat if you just change your IP with a VPN. You need to do more than this if you want to make tracking less and less effective. This starts with your browser. Stop using Chrome or Edge, seriously. Switch to an alternative such as Brave or Firefox with appropriate tweaks. Install a Pi-Hole or use DNS services that block ads or trackers at the network level. Install uBlock Origin in your browser to block a majority of the additional garbage (Avoid AdBlock/AdBlock Plus like the plague).  Install the Tor Browser to use on the side for research or temporary purposes, but do not install extensions or tweak the browser as it's the equivalent of wearing a bright neon pink shirt when lining up in the dorms of Squid Game.

There's much to be said about how much an IP address matters these days, however in tracking and other spooky internet stuff it's not much. We've gotten to a point where our trusty browsers and computers violate our privacy in the background and we have limited control over it. I hope this helps you to realize that just hiding your IP alone does little if anything to protect your privacy. Some would like to tell you this, but it isn't too true. In this day where misinformation is rampant, what else can be said. There's one statement that is true though, and that's...

Trust no one.