General information about how device tracking, partly written from the perspective of ad companies which describe privacy as "a problem." This is dated 2017, so things may have advanced since then.
www.finjanmobile.com/mobile-device-ad-tracking/
Device-specific Identifiers
It’s not uncommon today for one person to own and operate several devices for browsing the internet and engaging in online commerce – be they cell phones, laptops, or tablets. So how do the sellers know that it’s you, as you move from site to site, and device to device?
Manufacturers and platform providers have solved this problem to some extent by associating client or device-specific identifiers (like serial numbers) to each smartphone or tablet they sell, or to each instance where their client software is installed and run.
[...]
Though opting out is a choice presented to mobile users, there remain issues about privacy in all cases, rooted in concerns over any static fingerprinting that can uniquely identify a user’s device.
Mobile Device Ad Tracking – Settings and Installations
An alternative to device identifiers, this method of ad tracking follows user-specific traits revealed in a mobile device owner’s individual settings for time zones, fonts, and other UI (user interface) parameters, together with the apps and plugins installed on their device. The more customizations you set for your device, the easier it is to uniquely identify you.
Privacy is also an issue here, as this kind of tracking can easily identify a user across the apps on a single device. But extending this approach to cover several devices or platforms is not quite so straightforward.
Digital Fingerprint Algorithms
To extend the reach of ad tracking across the divide between operating systems and devices, several companies are now selling digital fingerprinting solutions to advertising networks and marketing enterprises. These systems use mathematical algorithms with accuracies ranging from 60% to over 85% – with improvements on these figures expected imminently.
Each vendor has its own formula, but the algorithms generally combine data streams from device identifiers, the various WiFi and cellular networks you use to reach the internet, language settings, time zones, your frequently visited sites, and numerous other factors. This information is collated to reveal a pattern of usage across different devices and platforms.
The privacy concern here is even greater than that for device IDs and settings-based tracking methods.
Click-generated IDs
As their name suggests, these ad tracking techniques generate a unique identifier (number or code) each time you click on a button or banner to perform a desired action – like installing an app, or making an in-app purchase. Tracking software is then able to associate your action with the specific ad, message, or banner that prompted it – and send a “callback” or “post back” to the publisher of that particular promotion.
First-party Ad-serving
For advertisers, Apple has long presented something of a hitch, as far as tracking is concerned. The elephant in the room is the Safari browser, which places a blanket ban on serving third-party cookies from web sites (Chrome, Firefox and Internet Explorer don’t have this problem). With Safari enjoying around 36% of the global market share for browsers, its exemption from the simplest tracking methods represents a real loss in revenue for the ad networks.
Their way around this is via first-party ad-serving, whereby promotional materials may be served directly from an advertisers own domain – together with their associated cookies or per-click identifiers. There are even proprietary vendors who offer this as a service.
Cross-device Strategies
With the proliferation of users accessing the internet from several touch points (phone, tablet, laptop – all owned by one user), advertisers have intensified their efforts to perfect tracking algorithms that can span multiple device types and operating platforms.
So-called “probabilistic matching” techniques and algorithms can involve the study of millions of web users in a bid to differentiate between who’s who. Other players in this field scour the billions of ad requests and real-time exchanges occurring on the internet for IP addresses, user device IDs, browser settings, and other identifiers.
Opting Out Options
If you’d rather not be tracked, there are some counter-measures that you can employ beyond the official “opt-out” clause which may or may not be featured prominently in the Terms & Conditions of the web site or service you’re using.
Whenever you log in to Facebook or Google (or any third-party app which uses their services to validate its own operations) you leave a trail that can be used to identify your device. So diligently signing out of these accounts each time you finish using them is one option to avoid this.
If you subscribe to a lot of services, using a selection of different email addresses to sign up can help confuse your trail. Alternatively, you can use dedicated masking software, or a VPN (Virtual Private Network)/data management app which can block certain other applications from using your data connection whenever you’re online – which they’ll often do to push advertising to you directly, or to feed information back to an ad network that will serve you with promotions later.