How accurate and reliable are device identifiers (MAC, IMEI, advertising IDs) for linking devices to individuals?
Executive summary
Device identifiers vary widely in permanence, linkability to people, and usefulness for attribution: hardware IDs like IMEI and MAC are persistent and provably device‑unique but don’t directly contain a person’s name; advertising IDs (IDFA/GAID) are resettable and intended to be unlinkable to persistent identifiers, though vendors and apps sometimes violate those rules (e.g., IMEI sent alongside ad IDs) [1] [2] [3]. Modern fraud and device‑intelligence vendors combine many signals (fingerprints, behavioral signals) to boost accuracy, but claimed success rates and real‑world linkage to an individual vary and depend on data quality, legal constraints, and whether apps leak persistent IDs [4] [5] [6] [7].
1. Hardware IDs: durable but not a straight “who” tag
IMEI, MAC and other hardware identifiers are globally unique to a radio or device and do not intrinsically carry a person’s name, but they are fixed over the device lifetime, making them powerful linkers across apps and sessions when collected [8] [9]. Regulators and privacy reviews note IMEI reveals relatively little personal information in isolation, yet when combined with network subscriber records it can tie a device to a user or account [1]. Because IMEIs/MACs are hard to reset, any actor who receives them can stitch long histories to the same device; that permanence is why app stores and platform policies discourage or ban mixing them with advertising identifiers for profiling [1] [10].
2. Advertising IDs: designed to be privacy‑preserving but practically fragile
Advertising identifiers (IDFA/GAID) are resettable and intended for ad measurement without revealing identity, and platform rules forbid linking ad IDs to persistent device or personal identifiers without consent [2] [11]. In practice, audits and reports show many apps send persistent identifiers (IMEI, MAC, serials) alongside ad IDs, undermining the resettable model and enabling re‑identification or persistent tracking despite user resets [3] [7]. Google’s and Apple’s policy updates tighten rules and require consent for linking, but enforcement and third‑party SDK behavior remain a critical weakness [12] [10].
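An audit check for the co-transmission problem described above, as an added example that is not part of the original analysis: it scans captured outbound app requests, flags any that carry an advertising ID together with an IMEI or MAC, and reports which persistent IDs tie together ad IDs from before and after a reset. The hosts, parameter names and identifier values are constructed, and the check assumes ad IDs are UUID-formatted and IMEIs are 15 digits with a Luhn check digit.

```python
import re
from collections import defaultdict

UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
MAC_RE = re.compile(r"^([0-9a-f]{2}[:-]){5}[0-9a-f]{2}$", re.I)
# Constructed sample values: ad ID before reset, ad ID after reset, sample IMEI.
AD1, AD2 = "11111111-2222-4333-8444-555555555555", "aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee"
IMEI = "490154203237518"

def luhn_ok(digits):
    """True if the last digit is a valid Luhn check digit for the rest."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(value):
    """Label a value by its shape, ignoring whatever key name the SDK chose."""
    if UUID_RE.match(value):
        return "ad_id"
    if MAC_RE.match(value):
        return "mac"
    if re.fullmatch(r"\d{15}", value) and luhn_ok(value):
        return "imei"
    return None

def audit(requests):
    """Return (hosts that received ad ID + persistent ID, persistent ID -> ad IDs it bridges)."""
    violations, seen = [], defaultdict(set)
    for req in requests:
        kinds = defaultdict(list)
        for v in req["params"].values():
            kinds[classify(v)].append(v)
        persistent = kinds["imei"] + kinds["mac"]
        if kinds["ad_id"] and persistent:
            violations.append(req["host"])
            for p in persistent:
                seen[p].update(kinds["ad_id"])
    bridges = {p: sorted(ids) for p, ids in seen.items() if len(ids) > 1}
    return violations, bridges

CAPTURE = [  # constructed proxy capture; requests 3 and 4 follow an ad ID reset
    {"host": "ads.sdk-a.example", "params": {"gaid": AD1, "os": "android"}},
    {"host": "track.sdk-b.example", "params": {"adid": AD1, "did": IMEI}},
    {"host": "track.sdk-b.example", "params": {"adid": AD2, "did": IMEI}},
    {"host": "metrics.sdk-c.example", "params": {"aid": AD2, "hw": "02:00:5e:10:00:01"}},
]
if __name__ == "__main__":
    print(audit(CAPTURE))
```

The `bridges` result is the finding that matters for an app or SDK review: the IMEI maps to both ad IDs, so the reset did not separate the two histories for that recipient.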
3. Device fingerprinting and “device intelligence”: accuracy claims vs. reality
Vendor materials and academic work show combining hardware characteristics, software signals, network flows and behavioral patterns can produce high matching rates — commercial vendors sometimes quote very high accuracy (e.g., GeeTest’s platform claims) and academic ML studies report strong classification results for IoT device recognition [4] [13]. Independent industry commentary, however, suggests device graphs and cross‑device mapping are imperfect — vendors report figures like ~80% for some tasks — and results depend on sample bias, signal freshness, and attackers’ countermeasures [6] [5]. Thus fingerprinting increases the probability of linking devices to the same source, but it is not equivalent to a reliable person‑level identity in all contexts [5] [13].
4. Multi‑signal approaches: better for risk, still limited for identification
Security and fraud teams increasingly adopt layered device identity — combining explicit IDs (IMEI, serials), implicit fingerprints, network behavior and user behavioral biometrics — to detect anomalies (multiple accounts from same device, VPN use, cookie reuse) and prevent fraud [5] [14]. These multi‑layer systems improve detection and risk scoring, but they are probabilistic: they flag suspicious activity reliably in many cases, yet they do not always yield definitive person‑level attribution without corroborating account or identity data [14] [5].
5. Legal, platform and operational constraints that shape reliability
Platform policies (Google/Apple) explicitly bar using advertising IDs tied to persistent device identifiers or PII without consent, and developers can be penalized for violations — but enforcement depends on app review and SDK transparency [11] [10]. Privacy laws (e.g., CCPA) and IoT security rules also push manufacturers and services to limit unnecessary identifier exposure — meaning lawful practices will reduce easy linkability over time, even as legacy devices and misbehaving apps continue to leak identifiers [15] [1].
6. Practical takeaways for different stakeholders
- For investigators or fraud teams: hardware IDs and fingerprints are powerful signals for connecting activity to a specific device, but treat linkage to a person as probabilistic unless matched with account/subscriber data [8] [5].
- For advertisers and marketers: rely on platform advertising IDs where possible and respect consent/opt‑out rules; don’t assume resetting an ad ID alone fully severs tracking if other persistent IDs leak [2] [7].
- For privacy‑minded users and policy makers: the risk comes less from any single identifier than from combinations and leaks; platform policy plus legal limits matter to reduce cross‑app, cross‑vendor stitching [11] [15].
Limitations and open questions: existing sources document technical properties, platform rules, policy changes and vendor claims but do not provide a single, independent accuracy benchmark for person‑level linkage across all identifiers — available sources do not mention a unified, peer‑reviewed error rate for mapping device IDs to specific individuals [4] [13] [6].