The relevance of IP addresses in the tracking ecosystem [pdf]

IPv6 improves this situation (now). At first, ipv6 was actually a lot worse, since the back 1&#x2F;2 of your address was your MAC address, allowing your device to be tracked around the internet no matter where it went.<p>People quickly realized this flaw, and updated the standard so that basically your client gets to pick the second 1&#x2F;2 of your address now. And the nice thing is, most major platforms will actually run multiple addresses in parallel, allowing new connections to use a new address while old connections keep using the old one.<p>So while ipv4 adds some protection by having multiple clients behind the firewall, ipv6 actually makes it better by looking like <i>even more</i> clients behind the firewall.<p>Combined with a browser that blocks fingerprinting you get slightly better privacy with ipv6.

from the abstract....<p>&quot;In this paper, we study the stability of the public IP addresses a user device uses to communicate with our server. Over time, a same device communicates with our server using a set of distinct IP addresses, but we find that devices reuse some of their previous IP addresses for long periods of time. We call this IP address retention and, the duration for which an IP address is retained by a device, is named the IP address retention period. We present an analysis of 34,488 unique public IP addresses collected from 2,230 users over a period of 111 days and we show that IP addresses remain a prime vector for online tracking. 87 % of participants retain at least one IP address for more than a month and 45 % of ISPs in our dataset allow keeping the same IP address for more than 30 days.&quot;

I worked on a document a few years back on anonymizing IP addresses. If you find yourself in a situation where you need to balance anonymization of IP addresses with research needs, this paper may be useful.<p><a href="https:&#x2F;&#x2F;www.icann.org&#x2F;en&#x2F;system&#x2F;files&#x2F;files&#x2F;rssac-040-07aug18-en.pdf" rel="nofollow">https:&#x2F;&#x2F;www.icann.org&#x2F;en&#x2F;system&#x2F;files&#x2F;files&#x2F;rssac-040-07aug1...</a>

The big conclusion to be drawn from this paper is that IP address tracking can be combined with client-side tracking techniques to perform reidentification.

IP is just one more data point. There are already so many ways a browser can be fingerprinted, it doesn&#x27;t make things that much worse.<p>While you can limit your exposure a bit, I long ago reached the conclusion that strong privacy is impossible in the current client&#x2F;server web model. There is too much surface area.

I suppose this only works if you combine IP with some other information, like username or browser fingerprint. Otherwise you could be tracking multiple &#x27;users&#x27; at the same IP.

Most users will at the very least use two IP addresses - home broadband and mobile SIM broadband.<p>Then you have wifi hotspots, friends wifi. The average user uses many IP&#x27;s and not limited to the range of one ISP.<p>SO whilst you can fingerprint devices and usage patterns, the IP address will by itself be useless to identify such users, it may well augment a little but is no solution.<p>But then IPv4 shares many IP addresses across mobile and broadband users in various ways. Most do not have a fixed IP and even those that do, do not have a fixed IP upon their mobile data activities - unless they VPN into their home broadband. Though if they use service VPN offerings, then another layer of IP ranges.<p>So the potential towards false assertions based upon an IP and user usage may well trip up and fail. Imagine using an ISP with dynamic IP and the next user of that IP uses it for crime, well with some bad logging and aggressive association, you can mislabel somebody for a crime they did not commit.<p>Roll on IPv6 and with that, mobile carriers would of been the obvious benefit of that, yet I&#x27;m not aware of any progressing that in any timely manner and chug along using a pool of IPv4 and various tricks to make those cater for many.