Free & open — no account required
Eye Opener is a free privacy auditing tool built for everyday internet users. Every website you visit can silently collect dozens of data points about you — your device, location, habits, and identity — without ever asking permission. This is the engine of surveillance capitalism: your attention and personal data sold to the highest bidder. We built Eye Opener to show you exactly what's being collected, and how to stop it.
These vectors are detectable but do not affect your score. Most are unavoidable on a functional browser. Blocked means your privacy tools are working. Active means normal browser behaviour — not a threat.
These values are transmitted to every website you visit. Most cannot be changed without breaking basic web functionality — they are shown here so you understand what sites can see, not as a call to action. Items highlighted in red have known mitigations that do not break normal browsing.
deviceMemory is capped at 8 GB by spec — even if you have 32 GB. platform returns standardised strings like "Win32" regardless of architecture. If your specs look "wrong", that's the protection working as intended — your browser is feeding websites a deliberately fuzzy version of your hardware.
Your installed fonts are detectable via canvas rendering. The combination of fonts installed narrows your fingerprint significantly — most people have a unique font set.
WebRTC can expose your real IP address to any website — even through a VPN — by initiating peer connections that bypass proxy routing.
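An added example, not Eye Opener's own code: a self-audit of the ICE candidate lines a browser generates, flagging any public address that differs from the one the site already sees over HTTP. The function names, the sample candidates (documentation address ranges) and the VPN exit address are assumptions made for illustration.

```javascript
// Added example: audit ICE candidate lines for addresses a page could learn.
// Candidate syntax (RFC 8839):
//   candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:\S+ \d+ (\S+) \d+ (\S+) (\d+) typ (\S+)/i.exec(line.trim());
  if (!m) return null;
  return { transport: m[1].toLowerCase(), address: m[2], port: Number(m[3]), type: m[4].toLowerCase() };
}

// Coarse scope of an address: what does it reveal if a site reads it?
function classifyAddress(addr) {
  const a = addr.toLowerCase();
  if (a.endsWith(".local")) return "mdns-obfuscated"; // browser hid the LAN address
  const v4 = /^(\d{1,3})\.(\d{1,3})\.\d{1,3}\.\d{1,3}$/.exec(a);
  if (v4) {
    const o1 = Number(v4[1]), o2 = Number(v4[2]);
    if (o1 === 127 || (o1 === 169 && o2 === 254)) return "local-only";
    if (o1 === 10 || (o1 === 172 && o2 >= 16 && o2 <= 31) || (o1 === 192 && o2 === 168)) return "private";
    return "public";
  }
  if (a.includes(":")) {
    if (a === "::1" || a.startsWith("fe80:")) return "local-only";
    return /^f[cd]/.test(a) ? "private" : "public"; // fc00::/7 is unique-local
  }
  return "unknown";
}

// A leak is a public address in a non-relay candidate that differs from the
// address the site already sees over HTTP (the VPN or proxy exit).
function findLeaks(lines, httpVisibleIp) {
  return lines
    .map(parseCandidate)
    .filter((c) => c !== null)
    .map((c) => ({ ...c, scope: classifyAddress(c.address) }))
    .filter((c) => c.type !== "relay" && c.scope === "public" && c.address !== httpVisibleIp);
}

// Constructed sample (documentation address ranges), not captured traffic.
const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host",
  "candidate:2 1 udp 2122194687 0d6a2c1e-7b1f-4c55-9c2e-3a9f1b2c4d5e.local 54322 typ host",
  "candidate:3 1 udp 1686052607 203.0.113.7 54321 typ srflx raddr 192.168.1.23 rport 54321",
  "candidate:4 1 udp 41885439 198.51.100.20 3478 typ relay raddr 203.0.113.7 rport 54321",
];
const VPN_EXIT_IP = "198.51.100.99"; // assumed address the site sees over HTTP

console.log(findLeaks(SAMPLE_CANDIDATES, VPN_EXIT_IP));
```

Relay candidates are skipped because their address belongs to the TURN server, not to the user.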
Every external domain your browser contacts while loading a page receives your IP, browser data, and timing information. This is the primary mechanism of cross-site tracking.
Active tests for tracking vectors beyond basic cookies. Each “exposed” item includes what that exposure enables and a direct link to a fix guide.
Recommendations are embedded in each score row on the Overview tab. This view lists them all together for easy reference. Click any item to expand.
These items are detected but do not affect your score. They are shown here for awareness — most are unavoidable on a functional browser.
Browser extensions run with elevated trust and many have permissions to read everything you do online. This scan uses indirect detection methods — DOM fingerprints and known resource probing — to identify installed extensions and flag their known data practices. False negatives are expected, particularly on Firefox where extension resource URLs use randomised IDs. This tab is educational: even undetected extensions should be reviewed manually.
These extensions are widely installed but have documented data collection practices, overbroad permissions, or have been subject to legal action. Listed regardless of whether they were detected — check your own extension list at chrome://extensions (or about:addons in Firefox).
chrome://extensions — click any extension’s Details to see its exact permissions.
Look for: “Read and change all your data on all websites” — this is the highest-risk permission.
about:addons — click any extension and check the Permissions tab.
Authoritative sources used by security professionals, researchers, and government agencies — all free and public.
Cybersecurity & Infrastructure Security Agency
The US government’s primary cybersecurity agency. Publishes known exploited vulnerability catalogues, emergency directives, and joint advisories with the NSA and FBI.
Visit advisories →
NSA Cybersecurity Advisories & Guidance
Publishes technical advisories on nation-state threats, hardening guides, and joint alerts with CISA. Particularly strong on infrastructure and defence sector threats.
Visit advisories →
UK National Cyber Security Centre
The UK’s public-facing cybersecurity authority. Issues threat reports, incident guidance, and the widely-referenced Cyber Essentials framework.
Visit reports →
FBI Internet Crime Complaint Center
Tracks internet-enabled crime trends and publishes annual reports on ransomware, phishing, and business email compromise affecting the public.
Visit alerts →
EU Agency for Cybersecurity (ENISA)
Publishes the annual ENISA Threat Landscape report — one of the most comprehensive public assessments of the global threat environment.
Visit threat reports →
NIST National Vulnerability Database
The authoritative US government repository of all publicly known software vulnerabilities (CVEs). Essential for checking whether software you use has known security flaws.
Search vulnerabilities →
Cisco Talos Intelligence Group
One of the world’s largest commercial threat intelligence teams. Publishes detailed technical analysis of active malware campaigns, vulnerabilities, and adversary infrastructure — free and publicly accessible.
Visit blog →
Mandiant Threat Intelligence (Google)
Tracks advanced persistent threats and nation-state actors. Their public reporting introduced much of the current vocabulary for attributing cyber espionage campaigns.
Visit blog →
CrowdStrike Adversary Intelligence
Tracks and names cybercriminal and nation-state groups. Their annual Global Threat Report is a benchmark for understanding the evolving threat landscape.
Visit research →
Recorded Future Research
Specialises in open-source and dark web intelligence. Publishes free weekly threat briefings covering ransomware groups, data breaches, and emerging criminal infrastructure.
Visit research →
Secureworks Counter Threat Unit
Publishes analysis of ransomware groups, their tactics and procedures, and tracks criminal-to-nation-state relationships.
Visit blog →
MITRE ATT&CK Framework
The global standard knowledge base of adversary tactics and techniques based on real-world observations. Used by defenders to understand how attackers operate.
Explore framework →
Krebs on Security
Investigative cybersecurity journalism by Brian Krebs. Covers major data breaches, cybercrime operations, and fraud with deep sourcing unavailable elsewhere.
Visit site →
Schneier on Security
Bruce Schneier’s long-running blog covering security technology, policy, and societal implications. Particularly strong on surveillance and privacy law.
Visit blog →
The Hacker News
Daily news covering newly disclosed vulnerabilities, active exploits, data breaches, and cybersecurity industry developments.
Visit site →
Electronic Frontier Foundation
The leading digital civil liberties organisation. Covers surveillance law, government overreach, and publishes accessible guides to protecting yourself online.
Visit Deeplinks →
Have I Been Pwned
Check whether your email or phone number has appeared in a known data breach. A practical first step for understanding your personal exposure.
Check your email →
Wired — Security section
Long-form investigative reporting on hacking, surveillance capitalism, and government surveillance programmes. Strong on stories connecting technical events to broader societal consequences.
Visit section →
AlienVault Open Threat Exchange
The world’s largest open threat intelligence community. Shares live indicators of compromise, malware hashes, malicious IPs, and threat pulse data from thousands of researchers.
Visit OTX →
VirusTotal
Scan files, URLs, domains, and IP addresses against 70+ antivirus engines. Free tier available. Used by researchers to triage suspicious content safely.
Scan a file or URL →
Shodan — IoT search
Searches the internet for exposed devices and open ports. Used defensively to check if your infrastructure is exposed, and to understand the scale of unpatched vulnerabilities.
Visit Shodan →
Privacy Guides
Community-maintained, non-commercial guide to privacy-respecting software and services. Covers browsers, VPNs, email, messaging apps, and operating systems.
Visit guides →
The standard audit covers what every website already sees. This extended probe goes further — checking your browser security posture, whether your accounts appear in known data breaches, and demonstrating in real time exactly what a surveillance advertiser could have learned about you during your visit to this page.
No data leaves your browser. This probe runs entirely client-side. The email breach check uses k-anonymity hashing — only the first 5 characters of a SHA-1 hash of your email are sent to Have I Been Pwned, never your actual address. Your original dashboard results are preserved and you can return to them at any time.
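The k-anonymity exchange described above, as an added example that is not Eye Opener's or Have I Been Pwned's code: both sides of a range query, with the match decided on the client. The function names, the trim-and-lowercase normalisation, the list-of-suffixes response shape and the sample addresses are assumptions; Node's crypto module is used so the sketch runs offline.

```javascript
const { createHash } = require("node:crypto");

function sha1Hex(text) {
  return createHash("sha1").update(text, "utf8").digest("hex").toUpperCase();
}

// Client: normalise (assumption: trim + lowercase), hash locally, then split
// into the 5-character prefix that is sent and the 35 characters that are not.
function splitHash(email) {
  const digest = sha1Hex(email.trim().toLowerCase());
  return { prefix: digest.slice(0, 5), suffix: digest.slice(5) };
}

// Stand-in for the remote range service (hypothetical): it only ever receives
// a prefix and answers with every suffix stored in that bucket.
function makeRangeService(breachedHashes) {
  const seenRequests = [];
  const lookup = (prefix) => {
    if (!/^[0-9A-F]{5}$/.test(prefix)) throw new Error("prefix must be 5 hex characters");
    seenRequests.push(prefix);
    return breachedHashes.filter((h) => h.startsWith(prefix)).map((h) => h.slice(5));
  };
  return { lookup, seenRequests };
}

// Client: compare the returned suffixes with the locally held suffix.
// The service cannot tell which entry in the bucket, if any, was the match.
function checkBreached(email, lookup) {
  const { prefix, suffix } = splitHash(email);
  return lookup(prefix).includes(suffix);
}

// Constructed data set: one breached address plus a decoy in the same bucket.
const breachedHash = sha1Hex("alice@example.com");
const decoyHash = breachedHash.slice(0, 5) + "0".repeat(35);
const service = makeRangeService([breachedHash, decoyHash, sha1Hex("bob@example.net")]);

console.log(checkBreached("Alice@Example.com", service.lookup)); // breached address
console.log(checkBreached("carol@example.org", service.lookup)); // not in the data set
console.log(service.seenRequests); // everything the service ever saw
```

In a browser the same digest would come from Web Crypto's `crypto.subtle.digest("SHA-1", ...)`.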