Pillar 3 of 4
Hunt down trackers your tag manager forgot about
A real browser, real network interception, and a full set of fingerprinting API hooks. We catch the trackers everyone catches — and the ones nobody else does.
The fingerprinting that hides in plain sight
Privacy laws are catching up to fingerprinting. Cookie-style consent banners don't help, because fingerprinting doesn't write a cookie — it reads stable browser characteristics to identify you. Most scanners can't see this. We inject a small init script before any of your page's JavaScript runs. It wraps the four APIs most commonly used for fingerprinting and counts every call. If your site loads a third-party script that probes the canvas to derive a hardware-specific image hash, we'll see exactly which script and how many times. This is how The Markup's Blacklight project works, and it's the only reliable way to detect fingerprinting from outside the running script.
Network interception, done right
We listen to every outbound request from page load through 4 seconds of scrolling, so trackers triggered by lazy-loaded content (the ones that fire when the user reaches a chat widget or product card) aren't missed. First-party vs third-party is determined by registrable domain comparison — a request to cdn.example.com from example.com is correctly first-party, whereas px.facebook.com is third-party even if loaded from a same-name subresource. Each request is recorded with its category, owner organization, and known-tracker name where applicable.
Why classify? Because counting matters less than naming
Telling a customer "your site loads 47 third-party requests" is a number without action. Telling them "your site loads Hotjar (session replay), Mixpanel (analytics), and Meta Pixel (advertising) before consent" is a punch list. Every known tracker comes with the owning organization so your privacy team has the right vendor to negotiate with.
Eksempel på funn
Canvas fingerprinting oppdaget
Et script lastet fra cdn.fingerprintjs.com kalte HTMLCanvasElement.prototype.toDataURL() 3 ganger under side lasting. Kombinert med WebGL- og audio-context-lesing fra samme script, er dette konsistent med deterministisk browser-fingerprinting og bør opplyses i personvernpolicyen din og sperres bak eksplisitt samtykke.
API : canvas.toDataURL Called by : https://cdn.fingerprintjs.com/v3/iife.min.js Call count : 3 Co-occurs with: webgl.getParameter, audioContext, navigator.plugins
Verktøy for session replay lastet før samtykke
Hotjar (hotjar.com/c/hotjar-XXXXX.js) ble lastet og initialisert før brukeren interagerte med samtykkebanneret. Session replay registrerer musebevegelser, klikk, scroll og inndata i skjema — EDPB har vært tydelig på at dette er behandling av en spesiell kategori under GDPR og krever opt-in-samtykke, ikke «legitimate interest».
Tracker : Hotjar (session replay) Owner : Contentsquare Loaded : t=0.4s (før banner mount) Category : session-replay (high-risk) Fix: utsett hotjar.com-forespørsler til brukeren velger «analytics» eller «functional»-kategorien i CMP-en din.
WebGL fingerprinting-probe
En first-party-pakke leser WebGLRenderingContext.getParameter() med UNMASKED_RENDERER_WEBGL-utvidelsen — som eksponerer brukerens GPU-modell. Det finnes ingen gjengivelsesbrukssak for denne strengen i appen din; det er et fingerprinting-signal som bør opplyses om eller fjernes.
API : WebGLRenderingContext.getParameter Parameter : UNMASKED_RENDERER_WEBGL (37446) Called by : /static/js/main.4f8a2c.js (first-party bundle) Call count : 1 Dette eksponerer GPU-renderer-strengen (f.eks. «ANGLE (Apple, Apple M2 Pro, OpenGL 4.1)»).
Scan nettstedet ditt på 60 sekunder
25 gratis credits. Ingen kredittkort. Reelle funn på siden du bryr deg om.