🛡️ Privacy Footprint Analyzer

Last updated: April 7, 2026

Detect what your browser leaks to websites — analyzed 100% locally, nothing sent anywhere.


Your Browser Is a Witness Against You — And It Doesn't Need Cookies

Every website you load receives an instant briefing on your device before you've clicked a single thing. Not from a suspicious third-party tracker buried in the page's code, but from your browser itself — faithfully answering questions it was never designed to refuse. The result is a fingerprint: a composite of dozens of technical signals that, taken together, identify your specific machine among hundreds of millions with startling precision.

Most people have heard about tracking cookies. Far fewer understand that cookies are arguably the least sophisticated surveillance technique in active use today. Trackers rely on cookies as a fallback. The real action happens through browser fingerprinting, and it leaves no file on your disk, respects no incognito mode, and survives both VPNs and ad blockers when implemented well.

What Gets Leaked Without You Knowing

The canvas fingerprint is the most reliable single signal a website can extract. Your browser renders invisible shapes and text onto an off-screen canvas element, then reads back the pixel data. Because every GPU, driver version, operating system font renderer, and anti-aliasing algorithm combines differently, the resulting image is subtly unique to your hardware configuration. Two identical laptop models from the same manufacturer, purchased the same week, will produce slightly different canvas outputs if one has been updated. Academic research from Princeton's Web Transparency and Accountability Project found canvas fingerprinting present on over 14,000 of the top 100,000 websites — and that data is from 2014. The number has grown considerably since.

WebGL goes deeper. Through the WebGL debugging extension, a page can query your actual GPU model and the name of the driver rendering vendor. "ANGLE (Intel, Intel(R) Iris(R) Xe Graphics Direct3D11 vs_5_0 ps_5_0)" isn't just a curiosity — it's an identifier that effectively narrows you down to a handful of possible machines on the internet. GPU hardware combinations are far less common than people assume, particularly when paired with operating system version and installed driver release.

Fonts are perhaps the most underestimated fingerprinting vector. A script can test whether your machine has a font installed by measuring the pixel width of a test string rendered in that font versus a fallback. If the width differs from the fallback's baseline, the font exists on your system. Repeating this across a list of two hundred fonts — system fonts, Microsoft Office fonts, Adobe fonts, obscure language-support fonts — produces a binary fingerprint with over 13 bits of entropy according to research from the Electronic Frontier Foundation's Cover Your Tracks project. That's more identifying than your screen resolution and operating system combined.

The WebRTC Problem That VPNs Don't Solve

WebRTC was built to enable browser-to-browser video calls without plugins. It requires knowing local network interfaces to negotiate peer connections efficiently. An unfortunate side effect: JavaScript can trigger the WebRTC stack and receive ICE candidates — packets that include your machine's local IP address and sometimes your public IP before it's been routed through any VPN tunnel. The VPN hasn't failed; WebRTC bypasses it at the network stack level. This is why browser-based VPN detection scripts work even when a user thinks they're invisible. Disabling WebRTC in browser settings (or using an extension that blocks it) is the only reliable fix.
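
A self-check for the leak described above, as an added example that is not part of the original page or the analyzer's own code: it parses ICE candidate lines and reports which addresses a page script would learn from them. The sample candidates are constructed, and the function names are hypothetical.

```javascript
// Constructed sample: candidate lines shaped like those delivered in
// RTCPeerConnection "icecandidate" events (private and documentation ranges).
const SAMPLE = [
  "candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host",
  "candidate:2 1 udp 2122194687 3f6a1c2e-8b7d-4c1a-9e55-0d2b7a6c4f10.local 54322 typ host",
  "candidate:3 1 udp 1686052607 203.0.113.45 61000 typ srflx raddr 192.168.1.23 rport 54321",
  "candidate:4 1 udp 41885439 198.51.100.9 3478 typ relay raddr 0.0.0.0 rport 0",
];

// Split a candidate line into the fields that matter for leak analysis.
function parseCandidate(line) {
  const f = line.trim().replace(/^a=/, "").replace(/^candidate:/, "").split(/\s+/);
  if (f.length < 8 || f[6] !== "typ") return null; // not a candidate line
  const raddr = f.indexOf("raddr", 8);
  return { address: f[4], type: f[7], related: raddr > 0 ? f[raddr + 1] : null };
}

// Classify an address as an mDNS placeholder, a private/local range, or public.
// Browsers may substitute a random ".local" mDNS name for the host address.
function addressKind(addr) {
  if (!addr || addr === "0.0.0.0" || addr === "::") return "none";
  if (/\.local$/i.test(addr)) return "mdns";
  if (addr.includes(":")) return /^(fe80:|f[cd][0-9a-f]{2}:)/i.test(addr) ? "private" : "public";
  const [a, b] = addr.split(".").map(Number);
  const priv = a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) || (a === 169 && b === 254);
  return priv ? "private" : "public";
}

// Report which addresses a page script would learn from these candidates.
function auditCandidates(lines) {
  const local = new Set(), pub = new Set();
  let masked = 0, ignored = 0;
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) { ignored++; continue; }
    // A relay candidate's own address belongs to the TURN server, not the user.
    const addrs = c.type === "relay" ? [c.related] : [c.address, c.related];
    for (const addr of addrs) {
      const kind = addressKind(addr);
      if (kind === "mdns") masked++;
      else if (kind === "private") local.add(addr);
      else if (kind === "public") pub.add(addr);
    }
  }
  return { localIps: [...local], publicIps: [...pub], masked, ignored,
    leaks: local.size + pub.size > 0 };
}
```

On the sample, the host and server-reflexive candidates expose one local and one public address, while a browser that emits only the mDNS and relay candidates reports no leak.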

Timezone and Language as Geographic Anchors

Your browser exposes your IANA timezone string through JavaScript's Intl.DateTimeFormat API. Not just the offset — the named zone. "America/Chicago" tells a tracker you're in the US Central timezone. Combined with your primary browser language ("en-US" vs "en-GB"), your secondary languages, your numeric format preferences, and your operating system's locale settings, a site can often determine your country and sometimes your metro region without ever accessing GPS data or IP geolocation.

What makes this pairing powerful is its stability. Your IP address changes. Your timezone string doesn't — not unless you physically move across zones or manually alter your system clock. Over a multi-month observation window, timezone consistency becomes one of the most reliable anchors for linking sessions across different IP addresses and network environments.

Storage APIs: The Cookie That Survives Cookie Clearing

When users learned they could clear browser cookies, the advertising ecosystem adapted. localStorage, introduced as part of HTML5, was quickly repurposed as a persistent identifier store that survives cookie deletion. IndexedDB offers structured storage with significantly higher capacity. Service Worker caches can persist even after a full browser data wipe in some edge cases. Together these APIs give trackers redundant persistence mechanisms — if one is cleared, others may survive, and the next page load can silently restore the deleted cookie from a surviving store. This technique is called "evercookie" or "zombie cookie" behavior, and it was demonstrated publicly by Samy Kamkar over a decade ago. It's still in active use.

Entropy, Uniqueness, and Why This Matters Mathematically

Fingerprinting researchers use information entropy to quantify how identifying each signal is. A signal that splits users into two equal groups contributes one bit of entropy. A signal that identifies one user among 1,024 contributes ten bits. When you combine fifteen or twenty signals — user agent string, screen resolution, GPU details, fonts, canvas, timezone, language, color depth, plugin list, hardware concurrency, device memory — the total entropy climbs into the 40-70 bit range for a typical unprotected browser. That's one person among tens of billions of possible combinations, far exceeding the number of internet-connected devices in existence. In practice, it means your browser is functionally unique.
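
The arithmetic behind these figures, as an added example that is not the analyzer's own code: it computes per-signal entropy, then compares the sum of per-signal bits with the bits the combination actually reveals. The eight-browser population is constructed, and the function names are hypothetical.

```javascript
// Constructed sample population: one row per browser. For the MacIntel rows
// the gpu value is fully determined by platform (correlated signals).
const POPULATION = [
  { platform: "MacIntel", timezone: "America/Chicago", gpu: "Apple" },
  { platform: "MacIntel", timezone: "America/Chicago", gpu: "Apple" },
  { platform: "MacIntel", timezone: "Europe/London", gpu: "Apple" },
  { platform: "MacIntel", timezone: "Europe/London", gpu: "Apple" },
  { platform: "Win32", timezone: "America/Chicago", gpu: "Intel" },
  { platform: "Win32", timezone: "Europe/London", gpu: "Intel" },
  { platform: "Win32", timezone: "America/Chicago", gpu: "NVIDIA" },
  { platform: "Win32", timezone: "Europe/London", gpu: "NVIDIA" },
];

// Bits revealed by observing a value that a fraction p of browsers share.
const bits = (p) => (p > 0 ? -Math.log2(p) : Infinity);

// Shannon entropy of one signal across the population (average bits revealed).
function signalEntropy(population, key) {
  const counts = new Map();
  for (const row of population) counts.set(row[key], (counts.get(row[key]) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) h += (n / population.length) * bits(n / population.length);
  return h;
}

// Compare the naive per-signal sum with the true joint value for one browser.
function uniqueness(population, browser) {
  const keys = Object.keys(browser);
  const n = population.length;
  const perSignal = {};
  let naiveSum = 0;
  for (const k of keys) {
    const share = population.filter((row) => row[k] === browser[k]).length / n;
    perSignal[k] = bits(share);
    naiveSum += perSignal[k];
  }
  // Anonymity set: browsers that match on every signal at once.
  const anonymitySet = population.filter((row) => keys.every((k) => row[k] === browser[k])).length;
  return { perSignal, naiveSum, jointBits: bits(anonymitySet / n), anonymitySet };
}
```

On the sample, the Win32/Intel browser sums to 4 bits although 3 bits already single out one browser in eight, because correlated signals are counted twice when per-signal bits are added.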

The privacy score isn't about whether tracking is theoretically possible — for almost everyone, it is. It's about the concentration of risk: how many high-entropy signals are exposed simultaneously, whether active leaks like WebRTC are present, and whether any mitigation signals like Global Privacy Control or Do-Not-Track headers are being sent.

What Actually Reduces Your Fingerprint

Tor Browser's approach is the most thorough: it normalizes as many signals as possible so all Tor users look identical. Canvas fingerprinting triggers a permission prompt. Screen dimensions are rounded. The user-agent is standardized. The result is that Tor users form a large anonymity set — each individual is indistinguishable from the others. This is the correct mental model for fingerprint protection: the goal isn't to hide, it's to look like everyone else.

For mainstream browsers, Firefox with Resist Fingerprinting enabled (privacy.resistFingerprinting in about:config) offers meaningful protection. Brave browser includes built-in fingerprint randomization that injects subtle noise into canvas and audio outputs, making cross-session linking harder without triggering the suspicion that comes with being completely unique. Chrome's Privacy Sandbox initiative proposes replacing third-party cookies with coarser-grained interest groupings, but does nothing to address JavaScript-accessible fingerprinting APIs — the architecture that makes this entire category of tracking possible.

Extensions like uBlock Origin in medium mode block most third-party fingerprinting scripts before they run. Canvas Blocker and similar tools add noise to canvas and WebGL outputs. Disabling WebRTC entirely (Firefox: media.peerconnection.enabled = false) eliminates that leak class completely at the cost of breaking video calling sites that rely on it natively.

The browser fingerprint problem isn't going away. The APIs that enable it are deeply embedded in the web platform and serve genuine purposes beyond surveillance. What's changed is awareness — and the tools available to those who want to limit what their browser reveals to the thousands of websites, ad exchanges, and data brokers watching every session.

FAQ

Does this tool send my browser data to any server?
No. Every single detection runs entirely in your browser using JavaScript. No data is transmitted, stored, or logged anywhere. The canvas fingerprint hash, WebRTC detection, font enumeration, and all other checks happen locally and disappear when you close the tab.
Why does my incognito/private window still get a high fingerprint score?
Incognito mode only prevents your browser from saving history, cookies, and form data to disk — it doesn't change how your browser reports itself to websites. Your GPU, screen resolution, fonts, timezone, and user-agent string are identical in private browsing to your normal window, so fingerprinting techniques work just as effectively. Browser fingerprinting was specifically developed as an alternative to cookies precisely because it bypasses privacy modes.
What is a canvas fingerprint and can I block it?
A canvas fingerprint is generated by having your browser render text and shapes onto an invisible HTML canvas element, then reading back the pixel data. Subtle differences in GPU rendering, font hinting, anti-aliasing, and driver behavior produce a unique pixel pattern for each device. You can block it by using Firefox with privacy.resistFingerprinting enabled, Brave browser's built-in canvas noise, or extensions like Canvas Blocker that inject random noise into the output to prevent cross-site correlation.
My VPN is active but WebRTC still detected a local IP — is that a problem?
Yes, this is the well-documented WebRTC IP leak. Your VPN encrypts and routes your internet traffic through its servers, but WebRTC operates at the browser level and can access your machine's local network interfaces before traffic reaches the VPN tunnel. The fix is to disable WebRTC in your browser settings (Firefox: set media.peerconnection.enabled to false in about:config) or use a browser extension that blocks WebRTC. Chrome does not offer a built-in toggle, requiring an extension or Brave's built-in protection.
How is the privacy score calculated?
The score starts at 100 and deducts points for each active privacy risk detected. Major deductions include: WebRTC IP leak (-20), canvas fingerprinting exposed (-15), many fonts detected (-10 to -15), WebGL renderer visible (-8), precise timezone exposed (-7), cookies enabled (-5), no Do-Not-Track signal (-5), browser plugins present (up to -12), and available storage APIs like localStorage and IndexedDB (up to -8). The score reflects the concentration of exploitable signals, not whether tracking is theoretically possible.
What is Global Privacy Control and why does it matter more than Do-Not-Track?
Global Privacy Control (GPC) is a browser signal that, unlike the older Do-Not-Track header, has actual legal weight under California's CCPA and Colorado's CPA. Sending GPC constitutes a legally recognized opt-out of sale or sharing of personal data for businesses subject to those laws. Firefox, Brave, and DuckDuckGo's browser send GPC by default. The original Do-Not-Track header was entirely voluntary with no legal enforcement mechanism, which is why most ad networks simply ignored it.