Post cover image
Privacy tools are not all-or-nothing. Each one closes some windows. The question is how many windows you need closed and for what purpose.

June 16, 2026

The Death of Anonymity

What incognito mode, VPNs, and fake names actually protect you from, and what they don’t.

Bhumika Verma

12 min read

You have done it. We all have.

Opened incognito mode for something you did not want in your history. Switched on a VPN before searching something sensitive. Used a fake name on a forum. Deleted an app and assumed that was that. Maybe you even felt a small sense of satisfaction, like you had actually done something, like you were, briefly, a little bit invisible.

Here's the thing: that feeling of invisibility is one of the most carefully maintained illusions on the internet. Not because anyone sat down and decided to deceive you specifically, but because the systems built to identify you have become so sophisticated, so layered, and so invisible themselves that the gap between what most people think protects them and what actually protects them has grown into something vast.

Before we get into what actually tracks you, here's a story about a dataset that was supposed to be anonymous.

In 2006, Netflix released 100 million movie ratings as part of a public competition to improve its recommendation algorithm. Names were removed, user IDs were replaced with random numbers, and by any reasonable definition, the data was anonymous. Two researchers at the University of Texas then cross-referenced it with public IMDb reviews, and by matching rating patterns and timestamps, they re-identified specific individuals from the supposedly anonymous data, including, in some cases, their political views and sexual orientation, inferred from their film choices.

Netflix hadn't been careless. They had done what anonymization is supposed to look like, and it still wasn't enough. Understanding why is most of what you need to know about online privacy right now.

The incognito screen was designed to look like privacy

The grey color palette. The hat and glasses icon. The little "you've gone incognito" message: someone made every one of those design decisions, and none of them hide you from the websites you visit.

Incognito mode does exactly one thing: it stops your browser from saving your local history, cookies, and form data after the session ends. The website you visit still sees your IP address. Your internet service provider still sees where you went. Your employer, if you're on a work network, still sees everything.

In 2024, Google settled a $5 billion lawsuit over exactly this gap. The company that built the incognito screen paid billions because it tracked people who genuinely believed they were invisible inside it. That's not a small detail buried in a legal filing; it's the company that made the grey screen admitting, in the most financially consequential way possible, that the grey screen was not what it looked like.

The incognito tab is aesthetic, not functional. The feeling of privacy and the actual state of being private are two entirely different things, and the gap between them is where most of the interesting stuff happens.

It starts with something as basic as a number.

None

Your IP address is the obvious part

Every device connected to the internet has an IP address: a numerical label that identifies where you're connecting from. Every website you visit logs it automatically, and your IP address alone can tell a website your city, your internet provider, and often your neighborhood. In some countries, with a court order and a timestamp, it can identify your front door, before anyone has even looked at anything else about you.

A VPN hides your IP by routing your traffic through a server somewhere else. This is genuinely useful, but it comes with a limit that most VPN marketing quietly skips over: the VPN provider itself sees everything you do. You've simply moved your trust from your internet service provider to your VPN company. Many free VPN services log your activity and sell it. Even paid ones can be compelled by governments to hand over records, and your VPN connection itself can often be detected and flagged by websites that maintain lists of known VPN server addresses.

IP masking is a real layer of protection. It's just not very many layers.

Here's what harder looks like.

Browser and device fingerprinting: the tracking that needs no cookies

When you visit a website, your browser automatically reveals a remarkable amount of information about itself: your browser version, operating system, installed fonts, screen resolution, time zone, language settings, whether you have an ad blocker installed, the way your graphics card renders images, and your audio processing characteristics. None of this requires your permission, and none of it leaves a cookie you can delete.

One technique worth understanding specifically is canvas fingerprinting. When you visit a site, JavaScript instructs your browser to draw an invisible image: a string of text rendered in a specific font at a specific size. The way your graphics card, browser, and operating system combine to render that image varies in tiny but measurable ways between devices. The site reads those pixel-level differences and hashes them into a unique identifier. You never see any of this happening; it takes milliseconds. And because it depends on hardware and software characteristics that don't change when you switch tabs, clear cookies, or open an incognito window, it follows you everywhere that uses it.

None

When all of these attributes are combined, they create what researchers call a browser fingerprint: a configuration profile that is, in most cases, unique to your specific setup. Research from the Electronic Frontier Foundation found that over 80% of browsers have a fingerprint distinctive enough to identify and track them without any cookies at all. This works across sessions. It works across VPNs. It works in incognito mode, because incognito mode doesn't change any of those attributes; it only stops saving your history locally.

Device fingerprinting goes further still. Your phone's battery level at a given moment, the precise way your screen renders a particular color, tiny variations in your device's audio processing, the refresh rate of your display: these create a hardware-level signature that persists even if you clear every cookie, switch browsers, or change your IP address entirely. You carry it the way you carry a serial number, invisibly, constantly, with no ability to change it.

But your device isn't the only thing giving you away.

Your body gives you away

Here's the part that genuinely surprised me when I first read about it.

Even without a device fingerprint, even with a masked IP, even with no cookies at all, your behavior alone can be enough to identify you.

None

The way you type has a rhythm. The speed between keystrokes, the pattern of which keys you press harder, the time between pressing shift and the next character: this is called keystroke dynamics, and it's measurable, consistent, and individual in the same way a handwriting sample is. Banks already use it to verify identity passively, in the background, while you type your password. You're being biometrically authenticated without a fingerprint reader, without a face scan, and without your knowledge.

Your mouse movement has a signature too. The arc you make when navigating to a link, the way you pause before clicking, the speed at which you scroll: these micro-behaviors are collectively distinctive in ways that wouldn't feel intuitive until you saw the research. Companies selling behavioral biometric software claim accuracy rates above 99% for user identification from movement patterns alone.

And then there's writing style. Stylometry, the analysis of writing patterns, can identify anonymous authors from vocabulary range, sentence length, punctuation habits, and word choice with surprising accuracy. Researchers have used it to help identify authors of books published under pseudonyms. It's been used in criminal court cases, and intelligence agencies use it to attribute anonymous documents. Your writing voice, it turns out, is a fingerprint that follows you every time you type anything in public.

Sit with that for a moment. Even if you had no device, no IP address, no cookies, and no name attached to anything, the rhythm of your hands and the pattern of your sentences would still leave a trace. You're not just identified by what you carry; you're identified by how you move.

Why anonymized data isn't actually anonymous

Back to the Netflix problem, because the researchers who cracked that dataset weren't doing anything exotic. They were doing something that's now routine.

The technical concept behind this is called a linkage attack. A dataset is considered k-anonymous if every record is indistinguishable from at least k-1 other records, meaning you can't be singled out from at least a handful of people with similar attributes. The problem is that as datasets become more granular, with more data points per person and more precise timestamps, the value of k collapses toward one. You become unique. And a linkage attack doesn't require cracking either dataset directly; it just requires finding where two datasets intersect, cross-referencing enough shared attributes until one person falls out of the overlap.

A 2019 study found that just 15 demographic data points are enough to re-identify 99.98% of Americans from any anonymized dataset. Not 15 deeply personal data points, either: fifteen ordinary attributes like age bracket, gender, postcode, and a handful of category-level interests.

This means that when a company tells you they've anonymized your data before sharing it, what they mean is they've removed your name. That's not the same thing as making you unidentifiable. Anonymity isn't a property of a single dataset; it's a relationship between that dataset and everything else that exists alongside it. As more data is collected about more people, the re-identification risk for everything grows, including data that was collected years ago under a genuine promise of privacy.

Think about the data you gave to a fitness app three years ago, that a healthcare company bought from a broker last year, that an insurance company is modelling against this year. None of those transactions required your name to make the chain possible.

So who exactly is running these transactions?

The infrastructure nobody asked you about

Almost everyone with a website and a business reason to know who you are.

Here's a concrete example of how the chain works in practice. You search for symptoms of a health condition on Google. That search is logged with a timestamp and your IP address. A health information site you visit afterwards uses an advertising pixel that reports your visit back to a data broker. The broker adds it to a profile that already contains your approximate age, postcode, purchase history from a loyalty card programme, and the apps installed on your phone. That profile, with no name attached, is then sold to a health insurance underwriting firm. Your name was never part of any transaction. You're still findable, and your premiums may already reflect what was found.

None

Ad tech companies built fingerprinting infrastructure specifically because cookies were too easy to delete and gave users too much visible control. Data brokers buy, combine, and resell profiles assembled from dozens of sources, operating almost entirely outside public awareness. Social media platforms cross-reference your on-platform behavior with your behavior on every other site that carries a share button or a tracking pixel. Search engines log queries with timestamps, building a detailed record of your health concerns, relationship troubles, financial anxieties, and political leanings over years. Internet service providers see most of what isn't encrypted. Apps request permissions that have nothing to do with their stated function. Governments issue legal requests for all of the above.

None of this required a single dramatic decision to surveil you. It accumulated gradually, driven by advertising economics, competitive pressure, and the basic logic of knowing your customer. The result is a surveillance infrastructure more comprehensive than anything that could have been built deliberately, because it would never have been politically possible to propose it all at once, and almost none of it is visible to the person being tracked.

What actual anonymity requires (and why most people don't have it)

Meaningful anonymity online is still technically possible. Most people have just dramatically underestimated what it actually requires.

Real anonymity means using Tor: a network that works by wrapping your traffic in multiple layers of encryption (hence the onion metaphor in its name) and routing it through at least three volunteer-operated relays around the world. Each relay decrypts one layer and knows only the relay before it and the relay after it, so no single node in the chain knows both who you are and where you're going. This makes traffic analysis extremely difficult, though not impossible for a sophisticated adversary with visibility over enough of the network.

None

It also means using a device that's never been connected to any of your accounts, connecting from a public network you've never used before, and using the Tor Browser specifically, which standardizes the fingerprinting attributes that would otherwise make you unique. Everyone using it looks identical to a finger printer, which is precisely the point. And it means writing nothing recognizable, because stylometry is a real tool and your sentence patterns follow you.

Most people aren't willing to do any of this for everyday browsing, and that's entirely reasonable. But there's a meaningful gap between what most people do and what most people think they're doing. The incognito tab, the VPN, the fake name: these aren't nothing, they're just much less than they feel like.

Things that genuinely help, without turning your life into a security operation

None
  • Use Firefox with uBlock Origin installed. It blocks a substantial portion of the fingerprinting and tracking infrastructure at the network request level, without changing how you browse in any meaningful way. It's the single highest-return privacy action available to most people, takes ten minutes to set up, and costs nothing.
  • Understand what a VPN actually does before paying for one. It hides your traffic from your ISP and masks your IP from websites. It doesn't make you anonymous, and it doesn't protect you from fingerprinting. Use it as one layer of a privacy posture, not the whole thing. If you're choosing a VPN, look for one with an independently audited no-logs policy, not just a marketing claim of one.
  • Be skeptical when companies say your data has been anonymized. Ask yourself what other datasets it might be combined with. The answer is almost always: more than you expect, and more than the company is telling you.
  • Use a separate browser for sensitive research, one that has never been logged into any account and never will be. The smaller the entanglement between a browser and your personal identity, the smaller its combined fingerprint.
  • Check what permissions your apps are actually using. On both iOS and Android, you can see which apps have access to your location, microphone, camera, and contacts, and more importantly, whether they're using those permissions in the background when you're not actively using the app. The answer is frequently surprising.

And if you're genuinely concerned about something specific, the Tor Browser isn't as technically demanding as it sounds. It works like a regular browser; it just protects you like one designed for journalists operating in places where being identified is dangerous. Most of us don't need that level, but it exists, it's free, and it works.

What this conversation is missing (and what comes next)

There are several dimensions of this topic that a single post can't fully cover, and each of them deserves its own exploration.

The metadata problem is one. Even when your message content is encrypted, metadata, who you contacted, when, for how long, and from where, is often completely unprotected. The NSA has stated publicly that it makes lethal targeting decisions based on metadata alone. The content of your messages may be private. The pattern of who you talk to and when rarely is.

Cross-device tracking is another. Companies link your phone, laptop, and tablet into a single identity profile by combining shared WiFi networks, Bluetooth proximity signals, IP address patterns, and login behavior. You may have cleared your history on one device, but the profile built across all of them persists regardless.

The fingerprinting arms race is worth understanding too. Browsers like Safari and Firefox are actively working to limit fingerprinting surface by standardizing attributes and restricting JavaScript access to hardware characteristics. This is a genuine technical effort, and it's having some effect, but fingerprinting techniques evolve in response, and the arms race is ongoing.

And then there's the legal geography of privacy. Where you live determines how much protection you actually have. European users under GDPR have meaningful rights over their data that users in most other jurisdictions simply don't. Privacy, it turns out, is partly a postcode lottery, and that has significant implications for who the current system serves and who it doesn't.

The question worth sitting with

If meaningful anonymity requires significant technical knowledge and deliberate effort, then privacy online has quietly become a function of privilege: available to people with the time, understanding, and willingness to implement it, and largely theoretical for everyone else.

That's a real shift in what kind of thing privacy is. It used to be a default condition that people chose to give up. It's increasingly becoming an advanced setting that people have to actively opt into, using tools most people have never heard of, to protect themselves from systems most people don't know exist.

Whether that's the internet we meant to build is worth asking out loud, and the fact that most of us are only now thinking to ask it, while this infrastructure has been quietly assembling itself for twenty years, is itself part of the answer.

The curtain you pulled across the window was always a little transparent. Most of us just never thought to check.

Written out of genuine curiosity and mild unease after opening an incognito tab and realizing I had no clear idea what it actually did.

References

  1. Narayanan, A., & Shmatikoff, V. (2008). Robust De-anonymization of Large Sparse Datasets. IEEE Symposium on Security and Privacy.
  2. Rocher, L., Hendrickx, J.M., & de Montjoye, Y.A. (2019). Estimating the success of re-identifications in incomplete datasets using generative models. Nature Communications, 10, 3069.
  3. Eckersley, P. (2010). How Unique Is Your Web Browser? Electronic Frontier Foundation. Proceedings of Privacy Enhancing Technologies Symposium.
  4. Dingledine, R., Mathewson, N., & Syverson, P. (2004). Tor: The Second-Generation Onion Router. USENIX Security Symposium.
  5. Zheng, N., et al. (2011). Keystroke Dynamics for User Authentication. IEEE Computer Society Workshop on Biometrics.
  6. Mosteller, F., & Wallace, D. (1964). Inference and Disputed Authorship: The Federalist. Addison-Wesley.