How Police Used Google Cookies to Unmask an Anonymous Gmail User
For two decades, tracking cookies have been the backbone of surveillance capitalism. Websites plant small text files on your device to track where you go, what you do, and who you are. But a case from Ohio reveals a new use for these trackers: police are using Google cookies as a forensic tool to unmask anonymous users.
According to Forbes, which reviewed two search warrants, investigators in Hamilton County, Ohio linked an anonymous Gmail account to a bomb threat caller by requesting Google's cookie data. The cookies revealed that the anonymous account and a real-identity Google account were both used on the same iPhone.
Jennifer Lynch, general counsel at the Electronic Frontier Foundation (EFF), told Forbes: "I haven't seen police rely on cookies in this manner before, but that certainly doesn't mean they haven't done so. It seems like the police knew that was possible and asked specifically for this information."
Why this matters: If you use multiple Google accounts on the same device (one personal, one anonymous, one for work), Google's cookies can link all of them together. When police obtain one account's data, they can potentially identify every other account you use on that device.
What Happened in Hamilton County?
In August 2025, someone called the Hamilton County Courthouse in Ohio with a bomb threat. Security staff searched the building with sniffer dogs and found nothing. It was a hoax.
Investigators traced the call to an anonymous Gmail address. But an anonymous email alone doesn't reveal who sent it. So they took an unusual step: they obtained a search warrant asking Google to reveal what other users had accessed this anonymous account.
Google's cookie data provided the answer. The cookies showed that a single iPhone had been used to log into both the anonymous Gmail account and a second Google account registered under the real name of Don'tavius Conley. He has since been charged with transmission of a bomb threat and false information. He has pleaded not guilty.
How Does Cookie-Based Account Linking Work?
When you sign into a Google account in your browser, Google sets cookies on your device. These cookies serve multiple purposes:
- Authentication cookies keep you logged in across sessions
- Tracking cookies record your browsing behavior for ad targeting
- Account-linking cookies associate multiple Google accounts used on the same browser or device
If you sign into Account A and then switch to Account B in the same browser, Google's cookies create a connection between both accounts and the device. Google knows that the same browser instance (and by extension, the same person) uses both accounts.
This is the mechanism police exploited. They didn't need to hack anything. They didn't need sophisticated surveillance tools. They simply asked Google: "Which other accounts have been used on the same device as this anonymous account?" And Google's cookies had the answer.
The false sense of anonymity: Many people believe that creating a new Gmail account without their real name makes them anonymous. It doesn't. If you access that account from the same device or browser where you're logged into your real Google account, cookies link them together. Your "anonymous" account is one search warrant away from being traced back to you.
How Is This Different from Geofence Warrants?
You might have heard of geofence warrants (also called "reverse location warrants"), where police ask Google to identify every device present at a specific location during a specific time. Google announced in 2023 that it would stop supporting geofence warrants by moving location data to devices.
Cookie-based identification is different in several important ways:
| Method | Geofence Warrant | Cookie Account Linking |
|---|---|---|
| Target | Everyone in a geographic area | Specific account holder |
| Data type | Location history | Cookie/session data linking accounts |
| Scope | Broad (thousands of people) | Narrow (one device, linked accounts) |
| Google's stance | Phasing out support | No announced restrictions |
| Legal scrutiny | High (multiple court challenges) | Low (relatively unknown technique) |
While geofence warrants cast a wide net affecting thousands of innocent people, cookie-based account linking is more targeted. But it's also more insidious: it exploits the everyday convenience of multi-account browsing to break the assumption of anonymity.
Would This Work in Europe?
The legal landscape for cookie tracking differs dramatically between the US and Europe.
In the EU, the ePrivacy Directive (the "Cookie Law") requires websites to obtain informed consent before placing tracking cookies. GDPR adds further protections for personal data. European users who decline cookie consent should, in theory, have fewer tracking links between accounts.
However, there are important caveats:
- First-party cookies (authentication cookies from Google itself) are typically allowed without consent because they're "strictly necessary" for the service to function
- European law enforcement can still request stored data through European Investigation Orders and mutual legal assistance treaties
- Google stores data globally, and US-stored data is accessible under the Cloud Act regardless of where the user lives
So while EU cookie laws provide stronger protection against commercial tracking, they don't necessarily prevent law enforcement from accessing cookie data through legal channels. The protection is not as absolute as many Europeans assume.
How Can You Protect Yourself?
If you want to prevent cookie-based account linking, you need to ensure your accounts never share the same browser context.
Use Separate Browsers for Separate Identities
The simplest approach: use one browser for your personal Google account and a completely different browser for anything you want to keep separate. For example, Firefox for personal use and Brave for a separate identity. Cookies in one browser cannot see cookies in another.
Use Firefox Multi-Account Containers
Firefox offers a built-in feature called Multi-Account Containers that isolates cookies between tabs. Each container (Personal, Work, Shopping, Banking) has its own cookie jar. A Google cookie in your "Personal" container cannot see or link to a Google cookie in your "Work" container. This is the most practical solution for most people.
Clear Cookies Regularly
Set your browser to clear cookies when you close it. This breaks the persistent link between sessions. The downside: you'll need to log into every service again each time you open your browser.
Use Private/Incognito Mode for Sensitive Activity
Private browsing windows start with a clean cookie jar and delete all cookies when closed. If you need to access a separate account, do it in a private window. Never mix accounts in the same browsing session.
Consider Non-Google Email for Sensitive Communications
If you need genuine email anonymity, don't use Gmail at all. Privacy-focused providers like ProtonMail (Switzerland), Tutanota (Germany), or Mailfence (Belgium) don't have the same cookie-tracking infrastructure. Combined with a VPN and Tor, they offer significantly stronger anonymity than any Gmail configuration.
Use a VPN to Prevent IP Correlation
Even without cookies, police can correlate accounts by IP address. If two accounts were accessed from the same IP at similar times, that's another data point linking them. A VPN masks your real IP, adding another layer of separation.
Privacy tip: Check what your IP address reveals at myip.foo and test for DNS leaks that expose your browsing to your ISP. If multiple accounts share the same IP and cookie data, anonymity is an illusion. Consider a VPN like NordVPN to separate your traffic from your identity.
The Bigger Picture: Cookies as Surveillance Infrastructure
The Hamilton County case is a wake-up call, but it's just one example of how commercial tracking infrastructure doubles as a surveillance tool. Consider:
- Google processes 8.5 billion searches per day -- each one potentially linkable to an identity via cookies
- Third-party cookies have tracked users across millions of websites for two decades (though they're finally being phased out)
- First-party cookies remain and are actually harder to block because they're "necessary" for services to function
- The EU Cookie Law gives users a choice about tracking cookies, but authentication cookies that enable this kind of account linking are exempt from consent requirements
Jennifer Lynch of the EFF put it well: "It seems like the police knew that was possible and asked specifically for this information." If police know about this technique, it's likely being used in more cases than we're aware of. Most search warrants are sealed and never make the news.
The irony is striking: the same cookie infrastructure that annoyed us with cookie consent banners for years is now being used as a forensic identification tool. The technology that tracks you for advertising purposes can also track you for law enforcement purposes. The data doesn't care who's asking for it.
Common Questions
How did police use Google cookies to identify an anonymous user?
Investigators linked an anonymous Gmail account to a bomb threat, then obtained a search warrant for Google's cookie data. The cookies showed the same iPhone had accessed both the anonymous account and a Google account registered with the suspect's real name. The cookies acted as a digital fingerprint connecting both accounts to one device.
Can police request your Google cookie data?
Yes. With a valid search warrant, law enforcement can request cookie and session data from Google. In the US, this falls under the Stored Communications Act. In Europe, law enforcement uses European Investigation Orders or mutual legal assistance treaties, with stricter judicial oversight requirements.
Do Google cookies link multiple accounts on the same device?
Yes. When you sign into multiple Google accounts in the same browser, Google's cookies record that both accounts were accessed from the same browser instance. This creates a link between accounts even if one was created anonymously.
How can you prevent cookie tracking across accounts?
Use separate browsers for separate identities, Firefox Multi-Account Containers for cookie isolation, clear cookies regularly, use private/incognito mode for sensitive activity, and consider non-Google email providers like ProtonMail for sensitive communications. A VPN adds additional protection against IP-based correlation.
Does the EU Cookie Law protect against this?
Partially. The ePrivacy Directive requires consent for tracking cookies, but first-party authentication cookies (which Google uses for account management) are typically exempt as "strictly necessary." European law enforcement can still access stored data through proper legal channels, though with stricter judicial oversight than in the US.
Conclusion
The Hamilton County bomb threat case demonstrates that commercial tracking technology is surveillance technology. The same cookies that power targeted advertising can unmask anonymous users when law enforcement comes knocking with a search warrant.
Key takeaways:
- Police used Google cookie data to link an anonymous Gmail account to a suspect's real identity via a shared iPhone
- The EFF confirms this technique is likely being used in more cases than publicly known
- Using multiple Google accounts on the same device creates cookie links between all of them
- "Anonymous" accounts are not anonymous if accessed from the same browser as your real account
- EU Cookie Law protects against tracking cookies but not authentication cookies that enable account linking
- Separate browsers, Firefox Containers, and non-Google email are the most effective protections
- A VPN prevents IP-based account correlation but does not block cookie-based linking
The lesson is simple: if you need real anonymity, never let your real identity and your anonymous identity share the same browser, device, or IP address. Every shared data point is a thread that can be pulled to unravel the other.
Check your exposure:
- Check what your IP reveals at myip.foo
- Test for DNS leaks that expose your browsing to your ISP
- Test for WebRTC leaks that bypass VPN protection
- Use Firefox Multi-Account Containers to isolate cookies per account
- Encrypt your traffic with a VPN like NordVPN
Related Articles
- Tinder Requires Mandatory AI Face Scan: Your Biometrics Sent to US Servers
- What is Your ISP Tracking? A Complete Privacy Guide
- What the PornHub Data Breach Teaches Us About Third-Party Tracking
- 10 Browser Extensions That Protect Your Privacy in 2026
- Privacy Checklist 2026: 25 Steps to Protect Your Digital Life