Pillar 3 of 4
Hunt down trackers your tag manager forgot about
A real browser, real network interception, and a full set of fingerprinting API hooks. We catch the trackers everyone catches — and the ones nobody else does.
The fingerprinting that hides in plain sight
Privacy laws are catching up to fingerprinting. Cookie-style consent banners don't help, because fingerprinting doesn't write a cookie — it reads stable browser characteristics to identify you. Most scanners can't see this. We inject a small init script before any of your page's JavaScript runs. It wraps the four APIs most commonly used for fingerprinting and counts every call. If your site loads a third-party script that probes the canvas to derive a hardware-specific image hash, we'll see exactly which script and how many times. This is how The Markup's Blacklight project works, and it's the only reliable way to detect fingerprinting from outside the running script.
Network interception, done right
We listen to every outbound request from page load through 4 seconds of scrolling, so trackers triggered by lazy-loaded content (the ones that fire when the user reaches a chat widget or product card) aren't missed. First-party vs third-party is determined by registrable domain comparison — a request to cdn.example.com from example.com is correctly first-party, whereas px.facebook.com is third-party even if loaded from a same-name subresource. Each request is recorded with its category, owner organization, and known-tracker name where applicable.
Why classify? Because counting matters less than naming
Telling a customer "your site loads 47 third-party requests" is a number without action. Telling them "your site loads Hotjar (session replay), Mixpanel (analytics), and Meta Pixel (advertising) before consent" is a punch list. Every known tracker comes with the owning organization so your privacy team has the right vendor to negotiate with.
Exempel på findings
Canvas fingerprinting upptäckt
Ett script från cdn.fingerprintjs.com anropar HTMLCanvasElement.prototype.toDataURL() 3 gånger under sidladdning. Tillsammans med WebGL och audio-context reads från samma script är detta förenligt med deterministisk browser fingerprinting och bör avslöjas i din privacy policy och ligga bakom explicit samtycke.
API : canvas.toDataURL Anropas av : https://cdn.fingerprintjs.com/v3/iife.min.js Antal anrop : 3 Sker samtidigt med: webgl.getParameter, audioContext, navigator.plugins
Session-replay-verktyg laddas före samtycke
Hotjar (hotjar.com/c/hotjar-XXXXX.js) laddas och initieras innan användaren interagerat med consent-banner. Session replay registrerar musrörelser, klick, scrollar och formulärinmatning — EDPB har varit tydlig med att detta är special category processing enligt GDPR och kräver opt-in-samtycke, inte legitimate interest.
Tracker : Hotjar (session replay) Ägare : Contentsquare Laddad : t=0.4s (före banner renderas) Kategori : session-replay (hög risk) Fix: skjut upp hotjar.com-förfrågningar tills användaren väljer in "analytics" eller "functional"-kategorin i din CMP.
WebGL fingerprinting probe
En first-party-bunt läser WebGLRenderingContext.getParameter() med UNMASKED_RENDERER_WEBGL-extensionen — vilket exponerar användarens GPU-modell. Det finns ingen rendering-användningscas för den strängen i din app; det är en fingerprinting-signal som bör avslöjas eller tas bort.
API : WebGLRenderingContext.getParameter Parameter : UNMASKED_RENDERER_WEBGL (37446) Anropas av : /static/js/main.4f8a2c.js (first-party bundle) Antal anrop : 1 Det exponerar GPU-renderer-strängen (t.ex. "ANGLE (Apple, Apple M2 Pro, OpenGL 4.1)").
Scanna din site på 60 sekunder
25 fria credits. Inget kreditkort. Riktiga findings på sidan du bryr dig om.