# How Private Am I? — extended LLM reference

> Free browser privacy check: fingerprint analysis, privacy score (0–100), and what your User-Agent, headers, and JavaScript signals reveal to websites.

Summary index: https://howprivateami.com/llms.txt

## Privacy score methodology (summary)

- Privacy score is 0–100 (higher = more private / less trackable).
- Weighted from attributed inferences across User-Agent, HTTP headers, JavaScript signals, IP geolocation, and cross-signal consistency.
- Exposure bands: low, moderate, high.
- `fingerprint_entropy_bits` estimates independent signal rarity; `probe_richness` counts succeeded probe classes (0–8).
- Full public explanation: https://howprivateami.com/guides/privacy-score
- Interactive what-if simulator on the methodology page.

## Active fingerprint probes

- `canvas_hash` — 2D canvas hash (text + shapes)
- `canvas_emoji_hash` — Emoji canvas render hash
- `canvas_text_metrics_hash` — measureText metrics hash
- `canvas_randomized` — Double-draw mismatch (protective when true)
- `webgl` — Vendor/renderer, extensions, limits, WebGL2
- `audio_hash / audio_hash_2` — Dual OfflineAudioContext pipeline hashes
- `fonts_detected` — ~90 font candidates (width + height)
- `math_hash` — JS engine floating-point expression hash
- `media_queries` — 12× matchMedia() features
- `speech_voices_hash` — Hashed speech synthesis voice list
- `webrtc` — ICE candidate counts (no raw IPs)
- `storage` — localStorage/sessionStorage, IndexedDB, Storage Access API
- `automation` — Window shape, chrome object, notification permission heuristics
- `protection` — Ad/tracker bait elements (bait_blocked)

## Inference catalog

Each analysis returns `inferences[]` with `id`, `source`, `category`, `title`, `summary`, and `confidence`. No raw fingerprint hashes, IPs, or full User-Agent strings are published on static pages or public stats.

- `audio_blocked` (javascript, protective): Audio fingerprint probe blocked
- `audio_fingerprint` (javascript, scored): Audio pipeline fingerprint available…
- `automation_signals` (javascript, scored): Multiple automation heuristics (… indicators)
- `avail_screen` (javascript, scored): Usable screen smaller than full (…×…)
- `browser_identity` (user_agent, scored): browser identity
- `browser_privacy_profile` (combined, indirect): … privacy profile detected
- `canvas_fingerprint` (javascript, scored): Canvas rendering fingerprint available
- `canvas_multiprobes` (javascript, scored): Secondary canvas probes succeeded
- `canvas_randomization_active` (javascript, protective): Canvas fingerprint randomization detected
- `client_hints_browser` (http_headers, scored): Client Hints report browser brands
- `client_hints_mobile` (http_headers, display_only): client hints mobile
- `client_hints_platform` (http_headers, display_only): Client Hints platform: …
- `color_depth` (javascript, scored): Color depth: … bits
- `compression_support` (http_headers, display_only): Compression: …
- `connection_details` (javascript, scored): Network hints: …
- `cookies_disabled` (javascript, protective): Cookies disabled in JavaScript
- `cookies_enabled` (javascript, scored): Cookies enabled
- `cpu_cores` (javascript, scored): ~… CPU threads reported
- `device_class` (user_agent, scored): … device (coarse)
- `device_memory` (javascript, scored): ~… GB RAM (bucket)
- `device_model` (user_agent, display_only): …
- `dnt_js` (javascript, protective): Do Not Track active (JavaScript)
- `few_headers` (http_headers, protective): Limited header visibility
- `fingerprint_probes_blocked` (javascript, protective): Fingerprint probes blocked: …
- `fingerprint_strength` (combined, indirect): Estimated fingerprint entropy: ~… bits (…)
- `font_enumeration` (javascript, scored): … installed fonts detectable
- `gpc_js` (javascript, protective): Global Privacy Control active (JavaScript)
- `hidpi` (javascript, scored): HiDPI screen (ratio …)
- `http2_connection` (combined, display_only): HTTP/2 transport
- `http3_available` (combined, display_only): HTTP/3 / QUIC signal present
- `intl_locale_surface` (javascript, scored): Intl locale surface: …
- `ip_country` (ip_geolocation, scored): Likely country from IP: …
- `ip_network` (ip_geolocation, scored): Likely network operator: …
- `ip_region` (ip_geolocation, scored): Approximate location: …
- `ip_timezone_vs_js` (combined, indirect): IP timezone differs from browser timezone
- `ipv6_connection` (combined, display_only): IPv6 connection detected
- `js_languages` (javascript, scored): UI languages: …
- `language_mismatch` (combined, indirect): HTTP language differs from JavaScript languages
- `large_screen_mobile_ua` (combined, indirect): Mobile UA with large screen
- `locale_preference` (http_headers, display_only): Preferred language: …
- `math_engine_fingerprint` (javascript, scored): JavaScript math engine fingerprint available
- `media_query_fingerprint` (javascript, scored): Media query profile (… active features)
- `mobile_desktop_mismatch` (combined, indirect): Mobile UA but desktop Client Hint
- `network_type` (javascript, scored): Connection type: …
- `no_privacy_signals` (combined, indirect): No tracking opt-out signals detected
- `operating_system` (user_agent, scored): operating system
- `pdf_viewer` (javascript, scored): Built-in PDF viewer disabled
- `plugins_count` (javascript, scored): No browser plugins reported
- `pointer_fine` (javascript, display_only): Fine pointer (mouse/trackpad)
- `possible_bot` (user_agent, scored): Possible bot or crawler
- `privacy_preference` (http_headers, protective): Privacy opt-out signal sent
- `probe_coverage` (combined, indirect): Core fingerprint probes: … succeeded
- `rendering_engine` (user_agent, display_only): … rendering engine (typical)
- `request_context` (http_headers, display_only): Fetch context: …
- `screen_resolution` (javascript, scored): … (…×…)
- `speech_voices` (javascript, scored): … speech synthesis voices
- `storage_access_available` (javascript, display_only): First-party storage APIs available
- `timezone` (javascript, scored): Timezone: …
- `timezone_offset_mismatch` (combined, indirect): Timezone name and offset disagree
- `tls_fingerprint_observable` (combined, scored): TLS fingerprint hash observable at edge
- `touch_device` (javascript, scored): Touch-capable device
- `tracker_blocking_active` (javascript, protective): Tracker or ad blocking likely active
- `ua_ch_high_entropy` (javascript, scored): High-entropy Client Hints: …
- `ua_ch_mismatch` (combined, indirect): User-Agent and Client Hints disagree
- `user_agent_data` (javascript, scored): User-Agent Data API: …
- `webdriver` (javascript, scored): WebDriver detected
- `webgl2_available` (javascript, scored): WebGL2 context available
- `webgl_parameters` (javascript, scored): WebGL parameter bundle (… extensions)
- `webgl_privacy_mode` (javascript, protective): WebGL privacy / spoofing signals detected
- `webgl_renderer` (javascript, scored): WebGL renderer: …
- `webrtc_blocked` (javascript, protective): WebRTC unavailable or blocked
- `webrtc_ip_leak` (javascript, scored): WebRTC may expose network addresses
- `webrtc_no_leak` (javascript, protective): WebRTC ICE gathering completed without leak indicators
- `webrtc_timeout` (javascript, display_only): WebRTC ICE gathering timed out

## API endpoints

- GET https://howprivateami.com/health — Liveness and subsystem readiness
- GET https://howprivateami.com/openapi.json — OpenAPI 3 schema (when OPENAPI_ENABLED=true)
- GET https://howprivateami.com/docs — Swagger UI (when OPENAPI_ENABLED=true)
- GET https://howprivateami.com/api/v1/analyze/me — User-Agent + HTTP headers only (rate limited)
- POST https://howprivateami.com/api/v1/analyze — Full analysis with optional client_signals (rate limited)
- GET https://howprivateami.com/api/v1/stats/public — Anonymized aggregate benchmark JSON (cacheable)
- GET https://howprivateami.com/stats/feed.xml — RSS 2.0 daily stats rollup
- GET https://howprivateami.com/stats/feed.json — JSON Feed 1.1 daily stats rollup

## What this tool does NOT do

- No user accounts, advertising profiles, or cross-site tracking cookies
- Does not persist full analysis results as a personal user record
- Does not use your data for authentication or security decisions about you

## Data retention

- Analysis output is returned in the HTTP response only
- Privacy benchmark: rolling window of up to 1,000 anonymized scores
- Request logs: operator-configured JSONL logs may include IP, User-Agent, path, and metadata

## Citation

- Tool: Privacy analysis via How Private Am I? (https://howprivateami.com/)
- Stats: Privacy statistics via How Private Am I? — https://howprivateami.com/stats

## Developer guide

Human-readable tables and links: https://howprivateami.com/guides/for-developers