IP are also constantly changing, at least once a month. For sure, they can't rely on one identifier, which is the IP address, because after it changes, all of the data is gone.

Also, you say things I didn't say. I said THE IP is not a really good identifier, but you also say I meant also other identifiers.

The IP can't survive on its own. The algorithm needs more than just one thing. It needs multiple things while if one is not applicable then we get another one.

An ad blocker already eliminates you to 40% of the internet users, which is a lot.

Anyway the very idea that people are making money from me keeps me up at night so I use FF with a bunch of privacy aiding extensions. The war to fingerprint users is endless though. Ad tech is a billion dollar industry.

Define "not good enough"(for who is it not good enough? for advertisers?).

I used to work on a project linking cookies together in anonymous profiles (for advertising), initially the plan was to separate household/individual profiles using different heuristics, but I think eventually it turned out that nobody cares that much - the advertisers just wanted a rough cross-device profile, not perfect accuracy. I mean sure, for marketing purposes (as well as engineering/ "performance" reasons) you needed figures to brag about accuracy and whatnot. But it's really really hard to get those figures right, and ultimately the thing that will convince advertisers is "using cross-device profile improved conversion rate by 10%"; everything else is a detail in comparison.

I am addressing your assertion ("I personally see IPv6 adoption going to a full stall if users are told that advertisers found a way to tattoo cookies on their machines.") with facts that demonstrate that today, even behind an IPv4 double-layered CGN, your web browser makes your machine just as trackable as if you had a single, globally-unique IP address.

(In fact, if you've a mobile device of any sort, your web browser makes you more trackable than IPv6 [as deployed] does, as your address changes as you change attach points, but your device and browser fingerprint does not.)

ay is addressing your misunderstanding of the effectiveness of browser and device fingerprinting.

Neither of us are talking about removing "privacy" addresses.

Browser fingerprinting is absolute FUD. It makes no sense for advertisers, and it's pretty useless for anyone else, too. Every time I visit the EFF site that checks my fingerprint, it tells me I'm still unique. That's perfect anonymity!

Revealing a user's personal IP when they're using a VPN is a real problem, though, where the computer isn't doing what an even an experienced user would expect.

The “I don’t care if they track my household but it’s critical that Daddy’s activity not get disambiguated from my dealing daughter” is just not a valid reason to abandon the benefits of IPv6.

Please stop with this line of argument.

If you’re really desperate to ensure that the ads shown to your daughter are based on your porn viewing habits, then just set up IPv6 NAT.

I don’t think it’s insane because the more common use is just to pattern match to identify the individuals. While lots of people may share, many do not (eg, everyone in my home shared an external IP but that is frequently just one person).

Google can use this IP and browser traffic to separate out individuals (eg, I don’t watch YouTube and my kid never checks vanguard) to the level they convince advertisers that they know the individual. I expect this is why my kindergartner sees ads for car insurance.

Even those actions have limited value as long as you have any other reasonably reliable signature as you navigate the Web. Anyone with a static IPv4 address for their home computers does. Anyone with a browser that will allow queries for a bunch of collectively-almost-unique properties of the host system does. Even certain standard web protocols inherently act in this way when used for their intended purpose.

That means almost the entire web-using population is carrying around at least triple signature information, and if too many people start to block ads and trackers served via third-party systems, the major networks providing those things will just move to a model where sites hosting their ads act as proxies and serve the content from their own domain, which if anything would be slightly worse for privacy.

This risk will remain until we get fixes for each issue I mentioned above. Leaving aside TOR and the like, we could move towards dynamic and rapidly rotating IPv6 addresses as points of origin with sufficient ISP support. Browsers could then close the other loopholes, but some of them will be difficult to fully eliminate and keep eliminated without compromising the user experience, because unfortunately some features that are useful for legitimate purposes are also inherently leaky.

The online tracking and advertising industry and companies selling to that industry such as Google believe IP addresses, when combined with other information, tell something valuable about consumers.

Perhaps users of the "modern web browsers" cannot or will not manually control generation or storage of source address tokens. Hence the need for papers like this one, pleading with the organisations controlling the browsers to change the software. That software is of course written by employees of companies and parents of companies that are paid directly or indirectly from sales of internet advertising services.

Probably the folks creating these protocols never thought about the implications of the design on internet advertising services. However, from the perspective of people selling internet advertising services, the association/non-association of IP addresses with public keys seems like it might be significant, regardless of its intended purpose to the protocol designers. People buying those online ad services are likely to understand the potential value of IP address information, e.g., they might think it tells them something about geo-location. If so, they might also see the added value in the combination of IP address with a unique identifier.

How so? You're just retrieving the data and displaying it.

> And if you care about "uniqueness" you have that already with your IP

There are many ISP's that use NAT to save IP addresses, hence an IP is not really an identifier. Even if not, an IP is identifieing the all network, and all the ones that are connected to the same network. You can see how in YouTube (incognito mode) you will always get personalized videos based on your IP approximate geolocation (usually just the state) if it's your first time.

from a technical viewpoint, yes, it's totally nuts.

from a business viewpoint, it solves a hole lot of problems very cheap. i.e. good enough

The paper/study here used a combination of IP address and a UUID to track 'users' which are presumably but not necessarily individual humans. It was the use of this UUID that allowed the authors to draw conclusions about how often a given user is seen at the same IP address. The IP address by itself did not provide enough tracking to draw the conclusions in the paper.

Is IP address identification 'good enough' for advertising, maybe. But IP is no where near definitive for identifying individual humans.

The paper does not say how often they found multiple 'users' using the same IP address. The paper focuses on individual reuse of IPs. How often did they find different users using the same IP in their study?

In internet advertising no one expects every ad to trigger a sale. Since there is some amount of acceptable waste in the system this paper has decided that IP is 'good enough' for targeting - because its okay if we are throwing away 20% or more of the ads (we didn't expect any traction from them anyway seems to be the thinking).

And the authors admit that a larger or different dataset might show different results.

> Advertising that is relevant to my wife probably isn't relevant to me, using IP is not good enough.

Advertisers do not care about what you as a human do in the same way that e.g. some government agencies might. Both the paper and you talked about "user tracking" in the context of advertising. My claim is that "IP address identification is actually 'good enough' for advertising" (for some kinds of advertising, at least, but the discussion here is complex and I really don't want to get into it - on short, the problem is not so much with the 'tracking'/building the profile, but with being confident enough that you're not targeting the wrong person/household member during the delivery of the more sensitive ads; and with not spooking/startling the user with "how the hell do they know this about me" - sometimes the user needs to be e.g. logged in so that he understands why he received an ad).

In particular, there are large swaths of companies that don't care whether it's you, your wife or your child - Disney e.g. will happily serve you ads based on activity performed by your children or wife, and will make no effort to figure out if it was you or them because it doesn't matter.

Currently, even with the limitations of IPv4, most trackers can use cookies and browser fingerprints (your browser's headers, fonts, etc.) to individually identify you even behind NAT. But with IPv6, ad engines could potentially identify that you're running two different browsers on the same laptop or device, and associate both of those browsers to _you_ (some type of single targeting profile).

They also have a more precise way to track you without a browser fingerprint.

The point in 1:6,000 is that whether it's ad targeting or just regular internet traffic, there isnt enough specificity to "leak" data about the person.

You can split hairs over, "Well what of they join that 1:6000 with other PII" and it's the same with Geo IP. The user gives up that data but it's not different than just visit the page normally.