It's been a while but HTTP headers do not contain such information as a MAC address. USA today will not know anything like that. OTOH if they want to they can fingerprint your browser: http://www.chrismitchell.net/Papers/tltlcw.pdf There's more than just passive fingerprinting but that's good enough in many cases. If they want more they can run some javascript or other scripting.
Most servers now have their own device recognition implemented. Gmail started it, and now it has spread. Even if they do not have the feature turned on to restrict users or public access they are still gathering this unique device information when you hit it.
Not the MAC address, or the browser, the actual device make and serial number with the proper tools on the server.
USA Today being a news organization would have every tool they can get for this even if it is a 3rd party API service added in the server it’s self and not even part of the site script.
For this reason... I have claimed for years now considering what they can get from server hits, 99% of Webmasters actually have a very high degree of personal integrity.