While the industry celebrated the “death of the third-party cookie,” advertising platforms built a more persistent and standardized identity system based on your email address.
Unified ID 2.0 (UID2) is now powering a significant portion of open-web advertising. Created by The Trade Desk and open-sourced, it standardizes how companies turn email addresses into stable identifiers.
How UID2 Works
UID2 has two layers:
- Raw UID2: A static SHA-256 hash (Base64) of your normalized email address. Deterministic and permanent — same email = same hash everywhere.
- UID2 Token: An encrypted, rotating token used in the bidstream. This is what gets the “privacy-friendly” headlines.
The rotating token protects the bidstream, but the raw UID2 hash lives in backend databases across publishers, advertisers, and data platforms. That hash is the real backbone of the identity graph.
The Gmail Plus-Sign Trick Doesn’t Work Here
UID2’s normalization rules explicitly strip everything after the + sign for Gmail addresses (and remove dots). So user+shopping@gmail.com and user@gmail.com produce the exact same UID2 hash.
A common privacy workaround is rendered useless inside the UID2 ecosystem.
The Phishing Risk Nobody Talks About
Because the algorithm is fully public (no secrets, just SHA-256 + normalization), anyone can generate UID2 hashes from a list of email addresses.
An attacker with breached UID2 databases can now map which services you actually use and craft highly targeted phishing emails that impersonate those exact services. Hashing doesn’t anonymize — it creates a reproducible lookup key.
EUID (the European variant) improves consent flows under GDPR but doesn’t fix the underlying structural vulnerability.
The Alias Solution
The most effective defense is simple: never give sites your real email address.
Use unique aliases per service. Each alias produces a completely different UID2 hash with no mathematical link to your real identity or other aliases. This breaks the identity graph at the source.
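The normalization and hashing steps described above (lowercase, trim, and for Gmail drop dots and anything after `+`, then Base64-encode a SHA-256 digest), as an added example that is not part of the original post or of the UID2 project. It shows why the plus-sign trick collapses to one key, why two independently collected datasets join on that key, and why distinct per-service aliases do not; the addresses and the `aliases.example` domain are constructed for illustration.

```python
import base64
import hashlib

# The post names only Gmail as getting dot/plus stripping; assumption: gmail.com only.
GMAIL_DOMAINS = {"gmail.com"}


def normalize_email(email: str) -> str:
    """Normalize an address the way the post describes UID2 doing it."""
    email = email.strip().lower()
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    if domain in GMAIL_DOMAINS:
        # Gmail: drop the +suffix first, then remove dots from the local part.
        local = local.split("+", 1)[0].replace(".", "")
    return f"{local}@{domain}"


def raw_uid2(email: str) -> str:
    """Static 'raw' layer: Base64 of SHA-256 over the normalized address."""
    digest = hashlib.sha256(normalize_email(email).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def collides(a: str, b: str) -> bool:
    """True when two addresses yield the same raw UID2, i.e. one identity."""
    return raw_uid2(a) == raw_uid2(b)


def shared_keys(dataset_a: list[str], dataset_b: list[str]) -> set[str]:
    """Keys two independent holders can join on: no shared secret is needed,
    each side hashes its own addresses and intersects the results."""
    return {raw_uid2(e) for e in dataset_a} & {raw_uid2(e) for e in dataset_b}


if __name__ == "__main__":
    # Plus-sign trick: both addresses become one lookup key.
    print(collides("user+shopping@gmail.com", "User@gmail.com"))  # True
    # Per-service aliases on a domain you control: unrelated keys.
    print(collides("shop-a1@aliases.example", "news-b2@aliases.example"))  # False
    # Two constructed customer lists join on the hash of the shared address.
    retailer = ["u.ser+shop@gmail.com", "other@example.com"]
    newsletter = ["user@gmail.com", "third@example.com"]
    print(len(shared_keys(retailer, newsletter)))  # 1
```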
EMail Parrot goes further by also stripping tracking pixels, unwrapping tracking links, and cleaning metadata at the relay layer before delivery.
Read the full article here:
UID2: The Standard That Replaced the Cookie
What are your thoughts on UID2? Is it a necessary evolution for a cookieless web, or does it introduce new privacy and security risks?
I’d love to hear from developers, privacy engineers, and ad-tech folks.