Pillar 3 of 4
Hunt down trackers your tag manager forgot about
A real browser, real network interception, and a full set of fingerprinting API hooks. We catch the trackers everyone catches — and the ones nobody else does.
The fingerprinting that hides in plain sight
Privacy laws are catching up to fingerprinting. Cookie-style consent banners don't help, because fingerprinting doesn't write a cookie — it reads stable browser characteristics to identify you. Most scanners can't see this. We inject a small init script before any of your page's JavaScript runs. It wraps the four APIs most commonly used for fingerprinting and counts every call. If your site loads a third-party script that probes the canvas to derive a hardware-specific image hash, we'll see exactly which script and how many times. This is how The Markup's Blacklight project works, and it's the only reliable way to detect fingerprinting from outside the running script.
Network interception, done right
We listen to every outbound request from page load through 4 seconds of scrolling, so trackers triggered by lazy-loaded content (the ones that fire when the user reaches a chat widget or product card) aren't missed. First-party vs third-party is determined by registrable domain comparison — a request to cdn.example.com from example.com is correctly first-party, whereas px.facebook.com is third-party even if loaded from a same-name subresource. Each request is recorded with its category, owner organization, and known-tracker name where applicable.
Why classify? Because counting matters less than naming
Telling a customer "your site loads 47 third-party requests" is a number without action. Telling them "your site loads Hotjar (session replay), Mixpanel (analytics), and Meta Pixel (advertising) before consent" is a punch list. Every known tracker comes with the owning organization so your privacy team has the right vendor to negotiate with.
Eksempler på findings
Canvas fingerprinting detekteret
Et script indlæst fra cdn.fingerprintjs.com kaldte HTMLCanvasElement.prototype.toDataURL() 3 gange under page load. Kombineret med WebGL og audio-context reads fra samme script er det i tråd med deterministisk browser fingerprinting og bør offentliggøres i din privacy policy og gated bag eksplicit samtykke.
API : canvas.toDataURL Called by : https://cdn.fingerprintjs.com/v3/iife.min.js Call count : 3 Co-occurs with: webgl.getParameter, audioContext, navigator.plugins
Session-replay tool indlæst før samtykke
Hotjar (hotjar.com/c/hotjar-XXXXX.js) blev indlæst og initialiseret før brugeren interagerede med samtykkebanneren. Session replay optager musebevægelser, klik, scrolls og form input — EDPB har været eksplicit om, at dette er special-category processing under GDPR og kræver opt-in samtykke, ikke legitimate interest.
Tracker : Hotjar (session replay) Owner : Contentsquare Loaded : t=0.4s (before banner mount) Category : session-replay (high-risk) Fix: udsæt hotjar.com-requests, indtil brugeren tilvælger "analytics" eller "functional"-kategorien i din CMP.
WebGL fingerprinting probe
Et first-party bundle læser WebGLRenderingContext.getParameter() med extensionen UNMASKED_RENDERER_WEBGL — som eksponerer brugerens GPU-model. Der er ingen render-use-case for den streng i din app; det er et fingerprinting-signal, der bør offentliggøres eller fjernes.
API : WebGLRenderingContext.getParameter Parameter : UNMASKED_RENDERER_WEBGL (37446) Called by : /static/js/main.4f8a2c.js (first-party bundle) Call count : 1 Det eksponerer GPU renderer-strengen (fx "ANGLE (Apple, Apple M2 Pro, OpenGL 4.1)").
Scan dit site på 60 sekunder
25 gratis credits. Ingen kreditkort. Reelle findings på den side, du faktisk går op i.