I used to think that deleting your social media accounts and using a VPN was enough to go off the radar online. Then I read a paper published at the Privacy Enhancing Technologies Symposium in 2025. Researchers tracked over 150,000 users and found that AI-powered behavioral analysis strips away 78–85% of a person’s anonymity within just 60 seconds of browsing, even after cookie deletion, IP rotation, and browser fingerprint protection. In ten minutes, that number reaches 90%.

In 2025 I wrote this :

🕵️ How to erase your digital footprint?

Marison Souza

·

March 24, 2025

Read full story

Well guys, the rules changed. This is the 2026 update!

The new threats you probably don’t know about

Before getting to the practical steps, you need to understand what you are actually up against now. The old enemy was data collection. The new enemy is inference! AI doesn’t need to collect your data directly. It figures out what it needs from data you already shared voluntarily.

A team from ETH Zurich showed that GPT-4, when given only a person’s Reddit posts, correctly inferred their location, income, age, occupation, and relationship status with roughly 85% accuracy. No name, no email, no phone number required. Just the way you write and what you talk about. Scart hã?

A separate 2025 paper titled “I Can Find You in Seconds!” demonstrated that large language models can identify the author of a piece of code or text from a single reference sample, with nearly 70% accuracy across hundreds of anonymous authors. And in early 2026, researchers re-identified 67% of users from an anonymous Hacker News dataset at a cost of about $2 per person.

The problem isn’t just AI. Your phone’s accelerometer has a unique hardware defect from manufacturing. The cambridge researchers called this “SensorID” and it can identify your specific device in under one second, without any app permission, even after a factory reset. Your GPU has the same problem. A technique called DrawnApart fingerprints your graphics card by measuring tiny variations from when it was built, with 98% accuracy in 150 milliseconds, purely through your browser. And your mouse movements, the speed, the curve, the hesitation before a click, are unique enough that 2–3 seconds of tracking can predict your demographics.

None of this is stopped by a VPN or any security software you are thinking of buying.

I thought about some options you can work to avoid these new kind of detections:

Option 1: Obfuscate your writing style

If you write online under a pseudonym , blog posts, forum comments, anything, your writing style alone can identify you. The way you structure sentences, your punctuation habits, words you favor, average sentence length, these form a fingerprint.

The most practical defense right now is to run your text through an AI paraphraser before posting. Not to change the meaning, but to flatten your stylistic signature. The important detail: use a different AI model than the one you normally use for writing, since each model has its own stylistic tendencies, and using the same one consistently creates a new pattern. Alternating between different AI tools for rewriting is more effective than always using the same one.

Manual obfuscation also works, of course, deliberately write shorter sentences than you normally would, avoid your signature phrases, and vary your punctuation. It’s tedious, but according to research by Brennan and Greenstadt on adversarial stylometry, manual obfuscation still defeats automated classifiers better than any software tool available today.

Option 2: Separate your contexts, completely

The biggest reason people get re-identified isn’t technical. It’s context collapse! information shared in one place gets combined with information from another, and the combination reveals something neither alone would.

I wrote some articles ago about “linkage attack” - very similar.

Your health app data plus your pharmacy loyalty card plus a political comment on Reddit plus your Strava route creates a profile more detailed than anything you consciously shared. AI does this combination automatically and at scale.

The practical answer is strict context separation: use genuinely different browser profiles for different parts of your life. Your work browsing and your personal browsing should never share a browser, an account, or even a Wi-Fi network if you care about keeping them separate. Never log into a personal account on a work device, and vice versa. The moment you authenticate anywhere, even once, all your previous anonymous sessions on that device get retroactively linked to your real identity by identity graph systems.

Tools like Firefox Multi-Account Containers or dedicated browser profiles for each context help here. So does using a separate email address per context, with no shared recovery information between them.

Option 3: Disable sensor access on your phone

Go into app permissions and revoke motion sensor access from every app that doesn’t explicitly need it. Most apps request accelerometer data for analytics, not functionality. On Android, go to Settings > Privacy > Permission Manager > Body Sensors. On iOS, go to Settings > Privacy > Motion & Fitness.

For browser-level sensor fingerprinting, the Brave browser adds random noise to sensor readings by default, which significantly disrupts hardware fingerprinting. Firefox with the privacy.resistFingerprinting setting enabled does something similar. Using either won’t make you invisible, but it raises the cost of tracking you considerably.

Option 4: Treat your email metadata as public

Even if you use an encrypted email provider, the metadata, who you email, when, how often, from which IP, on which device, well, is always visible. Former NSA director Michael Hayden once said “we kill people based on metadata.” That wasn’t rhetorical (LOL..Sorry).

More practically: over 50% of emails now contain tracking pixels that log when you opened the email, where you were, and what device you used. Apple Mail’s Mail Privacy Protection blocks most of these on iOS and macOS. For other clients, the extension PixelBlock (Chrome) blocks tracking pixels automatically.

For sensitive communication, tools like SimpleX Chat, which has no user identifiers at all, not even a phone number, go further than Signal, which still requires a phone number and reveals communication patterns to anyone monitoring your traffic.

Option 5: Remove yourself from data broker databases

The infrastructure that makes all of the above dangerous is the data broker industry. Companies like LexisNexis, Acxiom, and hundreds of others compile profiles on hundreds of millions of people, names, addresses, relatives, purchase history, location patterns, and sell access to anyone who pays.

If you are in California, the DELETE Act created a new tool called the DROP platform, launched January 1, 2026, that lets you submit a single deletion request to all registered data brokers at once. If you are outside California, services like DeleteMe or Kanary automate opt-out requests to the major brokers. Brokers re-add data over time, so this needs to be repeated periodically. But it raises the cost of profiling you significantly.

Even so…

Complete disappearance from the internet in 2026 is not realistic for anyone with an economically active life. What is realistic is making yourself expensive to track, raising the cost of profiling to the point where you fall below the threshold of automated surveillance.

The shift in mindset matters more than any specific tool. Privacy in 2026 is not about hiding. It is about minimizing what can be inferred from what you share, separating your contexts, and understanding that AI can connect dots you never thought were connectable.