What Your Browser Confesses Before You Finish Typing

Jan 22, 2026 | 19 min | digital forensic
Browser fingerprint data exposed before a single word is typed

On the IP address that reveals more than a postal code, the browser fingerprint that no cookie deletion will ever remove, and the WebRTC channel that bypasses your VPN as though it were not there at all.

The Frustration That Produces Useful Software

There is a particular kind of professional irritation that eventually produces something worth sharing. Mine arrived on an unremarkable afternoon when I needed to check which IP address a network configuration was presenting to the outside world, a task that should take no more than 4 seconds and which in practice required clicking past a rotating carousel of animated advertisements for VPN services, closing a cookie consent dialog that demanded 3 separate confirmations, dismissing a popup that suggested I subscribe to a newsletter about digital security, and then waiting for the actual number to appear beneath a banner that was advertising the privacy solution I apparently urgently required.

The website, nominally dedicated to helping me understand my own network identity, was simultaneously running Google Analytics, serving programmatic advertisements through a real-time bidding network, loading 2 third-party tracking pixels, and placing 14 identification cookies in my browser before the page had finished rendering. That the most visited IP checker websites finance themselves through the surveillance advertising infrastructure they claim to help users understand is not a footnote. It is a structural description of an entire product category, and it should be read as such.

I do not have the patience for irony of that particular flavor, so I built IP Beacon instead. Version 3.5 is live at https://my.0at.de/ and available for download from the same address as a single MIT-licensed HTML file. It shows you everything I could find a method to display, stores nothing I could find a method to avoid storing, and accepts no advertising revenue of any kind. Whether that makes it unusual or merely minimally honest depends on one’s expectations of the category.

What Your IP Address Tells a Stranger About You

The mental model most people carry of an IP address is that of a routing label, a technical artifact that servers require in order to know where to send their response, roughly comparable in function to a return address printed on an envelope. This model is accurate and misleading in approximately equal measure.

Your public IP address, the one the outside world observes when you make a connection, is assigned by your internet service provider from a block of addresses registered with one of the 5 Regional Internet Registries: ARIN covers North America, RIPE NCC covers Europe and the Middle East, APNIC covers the Asia-Pacific region, LACNIC covers Latin America, and AFRINIC covers Africa. These registries maintain publicly accessible databases that map every registered address block to the organization that holds it, the country it has been assigned to, and a range of associated metadata. The correspondence from IP address to geographic location and service provider is therefore not a matter of inference or intelligent guessing. It is a matter of reading a public record maintained precisely so that network operators can route traffic correctly.

IP Beacon retrieves your IPv4 address through ipify.org and your IPv6 address through api64.ipify.org, then submits the IPv4 address to the geolocation service at ipapi.co, which returns a structured JSON response containing your country, region, city, postal code, latitude and longitude coordinates to decimal precision, timezone, and the registered name of your internet service provider. The accuracy of IP-based geolocation varies by region, but at the country level it exceeds 99% in virtually all systematic studies, and at the city level it typically places users within a 50-kilometer radius (MaxMind, 2023, GeoIP2 Accuracy Documentation, maxmind.com). The service provider name is generally exact, because the assignment is a matter of public registry record.

What this means practically is that before you have taken a single deliberate action on any website you visit, the operator already knows roughly where on earth you are, who provides your internet access, whether your address block is registered to a residential subscriber or a corporate entity, which country’s data protection laws nominally govern the interaction, and whether your IP address appears in any maintained list of known VPN providers, datacenter ranges, or proxy services. No cookie is required. No consent has been requested. No personal information has been voluntarily disclosed. The data transfer is an unavoidable technical consequence of making the connection.

IP Beacon displays all of this in the IP Analysis panel, alongside both of your addresses, so that you can see at a single glance the full geolocation profile your connection presents to every server you contact.

The Browser as an Involuntary Witness

Beyond the network-level information that your IP address carries, your browser contributes a second and entirely independent information layer through what the web development community calls the Navigator API, a standard programming interface that allows JavaScript executing on any page to query your browser for details about the environment in which it is running. Those details include your browser name and version, your operating system name and version, your screen resolution in pixels, your browser’s configured language preference, the number of logical CPU cores accessible to the browser, and the precise local time on your device including the timezone offset, which in certain network configurations can reveal your physical location independently of whatever your IP address might suggest.

IP Beacon gathers all of this through the Device Info panel and presents it next to the network-level data, so you can see both categories together, the same way a website’s analytics and advertising infrastructure receives them. The combination makes the picture complete, and the completeness is what most users find surprising, because checking your IP address rarely prompts any thought about the fact that the same request also declares your operating system version and the exact pixel dimensions of your screen.

Understanding why this matters requires knowing what researchers in browser privacy have established through 15 years of systematic measurement. The Panopticlick project of the Electronic Frontier Foundation, which has been measuring browser distinctiveness since 2010, found that 83.6% of the browsers it analyzed carried a fingerprint that was unique among all browsers the project had ever observed, and that this figure rose above 94% when JavaScript was enabled (Eckersley, 2010, How Unique Is Your Web Browser?, Proceedings of the Privacy Enhancing Technologies Symposium). More recent large-scale studies, analyzing Web API outputs from tens of millions of real Chrome browsers in ordinary use, confirmed that the combination of available signals constitutes a high-entropy identifier capable of re-identifying individual users across multiple sessions, across different websites, and even across private browsing modes, because none of the signals that make up a browser fingerprint are cleared when you activate incognito mode (Laperdrix, Bielova, Baudry & Avoine, 2020, Browser Fingerprinting: A Survey, ACM Transactions on the Web, 14(2), 1-33).
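How uniqueness and entropy figures of this kind are computed over a population of browsers, as an added example (not code from IP Beacon or from the cited studies). The sample population, the attribute names, and all function names are constructed for illustration; `readOwnSignals` uses only standard browser properties.

```javascript
// Added example: measuring fingerprint distinctiveness over a sample of browsers.
// SAMPLE is constructed for illustration; it is not data from any study.
const ATTRS = ["userAgent", "screen", "language", "cores", "tzOffset"];
const SAMPLE = [
  { userAgent: "Chrome/Windows", screen: "1920x1080", language: "en-US", cores: 8, tzOffset: 300 },
  { userAgent: "Chrome/Windows", screen: "1920x1080", language: "en-US", cores: 8, tzOffset: 300 },
  { userAgent: "Chrome/Windows", screen: "1920x1080", language: "en-US", cores: 8, tzOffset: 360 },
  { userAgent: "Chrome/Windows", screen: "1920x1080", language: "de-DE", cores: 8, tzOffset: -60 },
  { userAgent: "Chrome/Windows", screen: "2560x1440", language: "en-US", cores: 16, tzOffset: 300 },
  { userAgent: "Firefox/Linux", screen: "1920x1080", language: "de-DE", cores: 8, tzOffset: -60 },
  { userAgent: "Safari/macOS", screen: "1440x900", language: "en-US", cores: 8, tzOffset: 480 },
  { userAgent: "Firefox/Linux", screen: "3440x1440", language: "de-DE", cores: 12, tzOffset: -60 },
];

// Join the chosen attributes into one comparable key.
const keyOf = (b, attrs) => attrs.map((a) => String(b[a])).join("|");

// Count how many browsers in the population share each key.
function tally(population, attrs) {
  const counts = new Map();
  for (const b of population) {
    const k = keyOf(b, attrs);
    counts.set(k, (counts.get(k) || 0) + 1);
  }
  return counts;
}

// Self-information of one browser's value: log2(population size / browsers sharing it).
function surprisalBits(population, attrs, browser) {
  const n = tally(population, attrs).get(keyOf(browser, attrs)) || 0;
  if (n === 0) throw new Error("browser is not part of the population");
  return Math.log2(population.length / n);
}

// Shannon entropy of the whole distribution over the chosen attributes.
function entropyBits(population, attrs) {
  let h = 0;
  for (const n of tally(population, attrs).values()) {
    const p = n / population.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Share of browsers whose key nobody else has (an anonymity set of one).
function uniqueFraction(population, attrs) {
  let unique = 0;
  for (const n of tally(population, attrs).values()) if (n === 1) unique += 1;
  return unique / population.length;
}

// Per-attribute bits are not additive: correlated attributes overlap, so the
// joint figure is what decides whether a browser can be re-identified.
function summedAttributeBits(population, attrs, browser) {
  return attrs.reduce((sum, a) => sum + surprisalBits(population, [a], browser), 0);
}

// Read the same attributes from a real browser; returns null outside one (e.g. Node).
function readOwnSignals() {
  if (typeof navigator === "undefined" || typeof screen === "undefined") return null;
  return {
    userAgent: navigator.userAgent,
    screen: `${screen.width}x${screen.height}`,
    language: navigator.language,
    cores: navigator.hardwareConcurrency,
    tzOffset: new Date().getTimezoneOffset(), // minutes, positive west of UTC
  };
}
```

In this sample no single attribute is unique for more than two browsers, yet the combination singles out six of the eight, which is the effect the studies measure at scale.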

Fingerprints That Cannot Be Wiped Away

Browser fingerprinting is interesting from 2 distinct perspectives, one commercial and one analytical. The commercial interest is that it enables advertisers to maintain identification of users who have explicitly declined cookie consent, and the evidence that this is occurring in practice rather than merely in theory has become considerably more substantial over the past 2 years. The analytical interest is that it represents a remarkably durable method of re-identification, because the hardware and software attributes that constitute a browser fingerprint are determined by factors that users do not routinely alter: screen resolution, GPU model, installed font set, and the specific rendering behavior of the graphics hardware when asked to draw geometric test elements.

A study presented at the ACM Web Conference in 2025, conducted by researchers at Texas A&M University and Johns Hopkins University using a measurement framework called FPTrace, provided what the authors described as the first definitive empirical evidence that fingerprinting data is being actively employed for cross-site user tracking rather than merely collected (Saxena, Dani, Cao & Liu, 2025, FPTrace: Tracing Browser Fingerprinting in the Wild, ACM WWW 2025). The FPTrace methodology involved making controlled, targeted modifications to browser fingerprints and measuring corresponding changes in advertising bid values observed downstream. The researchers found statistically significant bid value disparities that correlated tightly with fingerprinting events, indicating that fingerprint data was flowing through real-time bidding systems and influencing what advertisers were prepared to pay for a given impression. The effect persisted even in sessions where the user had declined all cookie consent, which is the specific finding that matters most: the opt-out mechanism that data protection regulation requires websites to provide is being systematically circumvented by a technique that operates through a channel those regulations did not explicitly address.

IP Beacon displays the canvas fingerprint generated by rendering test operations in your GPU, alongside the other fingerprint signals your browser exposes, so that you can see the specific combination of attributes that constitutes your browser’s unique signature. The purpose is not to alarm you into purchasing a privacy product. The purpose is to make visible what has been deliberately engineered to remain invisible, because a process that cannot be observed cannot be evaluated or addressed.

The Hole in Your VPN That WebRTC Drilled

When a VPN is functioning correctly, it routes your internet traffic through an encrypted tunnel terminating at a server under the VPN provider’s control, so that the sites you visit see the VPN server’s IP address rather than your own. This is the fundamental function of a VPN, it is what the industry has marketed for years, and it works for standard HTTP and HTTPS traffic. For WebRTC traffic, it frequently does not.

WebRTC, an abbreviation for Web Real-Time Communication, is an open W3C standard that enables peer-to-peer audio, video, and data exchange directly within the browser, without plugins and without external software installations. It powers the browser-based version of Google Meet, the web client of Zoom, Discord voice channels accessed through a browser, and a range of other real-time communication services that have become routine infrastructure. The protocol requires knowledge of the actual network addresses of both endpoints in order to negotiate the most efficient connection path, and to discover those addresses it employs a mechanism called ICE, which stands for Interactive Connectivity Establishment. ICE queries STUN and TURN servers and enumerates the network interfaces of the local device to build a list of candidate connection addresses.

According to IETF RFC 8828, published by the Internet Engineering Task Force in 2021, the IP handling requirements of WebRTC were designed with connectivity as the primary goal rather than privacy, and the specification explicitly acknowledges the IP address exposure risk as an accepted design consequence rather than an oversight (Uberti & Shieh, 2021, WebRTC IP Handling Requirements, RFC 8828, IETF). The practical consequence is that JavaScript executing on any webpage, without displaying any visible interface element and without requesting any user permission, can initiate a WebRTC ICE gathering sequence, receive the resulting list of ICE candidates which includes the device’s actual IP addresses, and transmit those addresses to any server it selects. The VPN tunnel is irrelevant to this sequence because WebRTC operates at the browser application layer rather than at the OS network layer where the VPN tunnel intercepts outgoing traffic.

A 2025 research report from Surfshark measured that approximately 23% of active VPN connections leak the user’s real IP address through WebRTC, a figure that deserves careful reading (Surfshark, 2025, VPN Leak Research Report, surfshark.com). It does not indicate that 23% of VPN products contain defects. It indicates that in 23% of measured real-world connections where a VPN was active, the underlying IP address was nevertheless accessible through the WebRTC API. Chrome and Microsoft Edge require browser extensions to block WebRTC leaks effectively. Firefox permits native disabling of WebRTC through its advanced configuration settings. Brave blocks WebRTC leaks in its default configuration. Safari offers no native WebRTC disable option at the time of this writing.

IP Beacon includes a complete WebRTC leak test as a standard component of its analysis, showing you which addresses the WebRTC API would make available to any page that requests them, and flagging clearly whether any of those addresses differ from the address your VPN is supposed to be presenting. If you are among the 23%, the test will confirm it before you discover it through a less convenient circumstance.
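The comparison a leak test of this kind has to make, as an added example (not IP Beacon's own code): parse the ICE candidate lines the browser produced, classify each address, and report any public address other than the one the VPN should present. Function names are hypothetical and every address in the sample is constructed from documentation ranges.

```javascript
// Added example: classify WebRTC ICE candidate lines against the VPN's address.
// All addresses below are constructed (documentation ranges), not captured data.
const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2122260223 5b0c0a1e-7d2f-4c1a-9e3b-1f2a3b4c5d6e.local 54321 typ host",
  "candidate:2 1 udp 2122194687 192.168.1.42 54322 typ host",
  "candidate:3 1 udp 1686052607 198.51.100.23 54322 typ srflx raddr 192.168.1.42 rport 54322",
  "candidate:4 1 udp 1686052607 203.0.113.7 40001 typ srflx raddr 0.0.0.0 rport 0",
  "candidate:5 1 udp 2122129151 2001:db8:aa::5 54323 typ host",
  "candidate:6 1 udp 41885439 192.0.2.50 61000 typ relay raddr 0.0.0.0 rport 0",
];
const VPN_EXIT = ["203.0.113.7"]; // assumed: the address the VPN should present

// Parse one candidate line, with or without the SDP "a=" prefix.
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:\S+ \d+ (\S+) \d+ (\S+) (\d+) typ (\S+)(.*)$/i.exec(line.trim());
  if (!m) return null;
  const raddr = / raddr (\S+)/i.exec(m[5]);
  return {
    transport: m[1].toLowerCase(),
    address: m[2].toLowerCase(),
    port: Number(m[3]),
    type: m[4].toLowerCase(), // host | srflx | prflx | relay
    relatedAddress: raddr ? raddr[1].toLowerCase() : null,
  };
}

// Decide what kind of address a candidate carries.
function classifyAddress(addr) {
  if (addr.endsWith(".local")) return "mdns"; // browser-generated name hiding the host IP
  if (addr.includes(":")) {
    if (addr === "::") return "unspecified";
    if (addr === "::1") return "loopback";
    const first = parseInt(addr.split(":")[0] || "0", 16);
    if ((first & 0xffc0) === 0xfe80) return "link-local"; // fe80::/10
    if ((first & 0xfe00) === 0xfc00) return "private"; // fc00::/7 unique local
    return "public";
  }
  const o = addr.split(".").map(Number);
  if (o.length !== 4 || o.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) return "unknown";
  if (o[0] === 0) return "unspecified"; // 0.0.0.0 is used as a placeholder raddr
  if (o[0] === 127) return "loopback";
  if (o[0] === 10 || (o[0] === 172 && o[1] >= 16 && o[1] <= 31) || (o[0] === 192 && o[1] === 168)) return "private";
  if (o[0] === 169 && o[1] === 254) return "link-local";
  if (o[0] === 100 && o[1] >= 64 && o[1] <= 127) return "cgnat"; // RFC 6598 shared space
  return "public";
}

// Compare every address the candidates disclose with the expected VPN address.
// IPv6 addresses are compared as text, so pass them in the form the browser prints.
function assessCandidates(lines, expectedPublic) {
  const expected = new Set(expectedPublic.map((a) => a.toLowerCase()));
  const leaked = new Set();
  const local = new Set();
  let obfuscated = 0;
  let unparsed = 0;
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) { unparsed += 1; continue; }
    // A relay candidate's address belongs to the TURN server, not to this device.
    const own = c.type === "relay" ? [c.relatedAddress] : [c.address, c.relatedAddress];
    for (const addr of own) {
      if (!addr) continue;
      const kind = classifyAddress(addr);
      if (kind === "mdns") obfuscated += 1;
      else if (kind === "public" && !expected.has(addr)) leaked.add(addr);
      else if (["private", "link-local", "cgnat"].includes(kind)) local.add(addr);
    }
  }
  return { leaked: [...leaked], local: [...local], obfuscated, unparsed, vpnHolds: leaked.size === 0 };
}
```

In a browser, the input lines are the `candidate` strings delivered by an `RTCPeerConnection`'s `icecandidate` events; a non-empty `leaked` list means the VPN address is not the only public address the page can see.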

A Privacy Score That Does Not Flatter You

One of the characteristics that distinguishes IP Beacon from most tools in this category is a privacy score calculated from what the tool actually finds rather than from what someone has a financial incentive to report. The score considers the full picture that the analysis assembles: whether your IP address is associated with a known VPN or proxy service and whether that VPN is functioning as advertised, whether WebRTC is exposing your real IP address, what the entropy of your browser fingerprint suggests about its uniqueness, whether your DNS configuration is internally consistent with your apparent location, and several additional signals.

For most users connecting through consumer hardware on a residential internet subscription, the result is not a reassuring number. This is not a design failure. It is a design commitment. A privacy evaluation tool that consistently reports satisfactory privacy outcomes has either been built incorrectly or has been optimized for a purpose other than honest evaluation, and in the consumer digital tool landscape, the gap between those 2 explanations is not always immediately transparent. IP Beacon was built for honest evaluation. The score reflects what the analysis finds, not what anyone would benefit financially from it finding.

The score display includes the individual contributing factors, so you can understand not only your overall privacy exposure but specifically which factors are producing the result, and if you choose to address any of them, which changes would have the most substantial effect.

Port Scanning and Network Diagnostics That Professionals Actually Use

The IP analysis, device information, browser fingerprint, and WebRTC leak test together constitute a thorough picture of the passive information disclosure that occurs with every connection. IP Beacon V3.5 extends beyond passive display into active network diagnostics with a port scanner and a DNS timing measurement that carry genuine utility for the network administrators and IT professionals who form a substantial portion of the tool’s regular users.

The port scanner tests a configurable range of ports on your connection and identifies which ports are open, filtered, or closed, information directly applicable to verifying firewall configurations, confirming that services are reachable on their expected ports, and understanding how the connection appears from an external perspective. Network professionals who previously reached for command-line tools for simple port visibility checks can use IP Beacon to obtain equivalent information in a browser tab, with results exportable as a PDF document suitable for attaching to a support ticket, a client report, or a post-incident review.

The DNS timing module sends minimal requests to the public resolvers operated by Google, Amazon, Microsoft, and Apple, measuring query latency from the current network location to each of those resolvers. The measurements reveal which resolvers respond fastest from the user’s location, whether DNS queries are being intercepted or redirected by the ISP, and whether DNS lookup times are consistent with the apparent network location, a check capable of detecting certain VPN configurations that alter the visible IP address but leave DNS behavior unchanged. A network speed measurement component rounds out the diagnostic capabilities available in a single page load.

All of these tests execute within the browser and contact only the external services named in the privacy notice. Nothing is sent to me. The PDF export, which produces a complete report of all analysis results, is generated entirely through client-side JavaScript using the open-source jsPDF library and downloaded directly to the device, never passing through any server.

One File, Any Server, Any Device, No Configuration Required

IP Beacon V3.5 is available for download from https://my.0at.de/ as a single HTML file under the MIT license. The MIT license is among the most permissive open-source licenses in widespread use: you may read the code, modify it, deploy it commercially, redistribute it, integrate it into other projects, and use it in any context you find appropriate, with no obligation beyond preserving the copyright notice in the file header.

The single-file architecture means the complete tool, including all JavaScript logic, CSS presentation, API integration, and analysis functions, is contained in 1 file. You can double-click it on your desktop and open it immediately in any modern browser. You can upload it to a shared hosting account and have it available at a public URL within minutes of the upload completing. You can deploy it on a corporate intranet, on a Raspberry Pi running a minimal HTTP server, on a NAS device with web-serving capability, on any cloud instance that can serve a static file, or in any other environment where a browser can reach an HTML document. No PHP environment is required. No Python runtime. No Node.js installation. No database. No environment variables. No configuration files. 1 file.

Earlier versions of IP Beacon required a directory structure with several interconnected files and a degree of familiarity with web server configuration that not every potential user possesses. I simplified because simplification serves the purpose of the tool better than completeness serves it. A privacy awareness instrument that functions only for people already comfortable with deployment complexity reaches a narrow audience. The users who have been most affected by what IP Beacon shows them, and for whom understanding their digital exposure changed the way they think about the web, have often been precisely the people who would have stopped at a multi-file deployment. The single-file format removes that obstacle entirely.

If you want to add a favicon, generate one from any online favicon generator and place it in the same directory as the HTML file. That is the complete installation documentation.

Who Finds This Useful and Why

I built IP Beacon initially for my own use, as described, and discovered that the people who found it valuable fell into roughly 5 categories that overlap less than one might expect.

IT professionals and network administrators use it for rapid diagnostics, specifically for the combination of IP address, geolocation, ISP identification, open port status, and WebRTC exposure assessment within a single page load, and for the PDF export that documents those results for ticket systems, client deliverables, and post-incident records. The client-side nature of the PDF generation is relevant in environments where information about client network configurations must not leave the local network perimeter.

Privacy-conscious users employ it to verify that their protective tools perform as claimed. There is a meaningful practical difference between knowing that a VPN provider advertises WebRTC leak protection and being able to confirm, with specific evidence, that the protection is active and functioning in a particular browser and operating system combination. IP Beacon provides that confirmation in approximately 5 seconds.

Web developers use it to understand what their own pages passively receive from site visitors, which is directly applicable to GDPR compliance documentation, privacy impact assessments, and the increasingly specific inquiries that data protection authorities across EU member states are directing at web service operators regarding the categories of personal data their infrastructure processes.

Security researchers use it as a rapid reference for verifying network configurations and confirming whether specific fingerprinting countermeasures are producing the expected effects.

And then there are the people who have simply never considered any of this before, who arrive at the tool because someone sent them the link, and who learn within a few seconds of the page loading that a site they have never interacted with already knows their city, their ISP, their operating system, their screen resolution, their browser language, their local time, and a browser fingerprint that is statistically unique across hundreds of millions of browsers. The most common response I receive from this group is a silence that eventually resolves into questions rather than outrage, which seems the more productive outcome by a considerable margin.

A Polemical Observation Before the Conclusion

Something that the rest of this article has implied without directly stating deserves to be made explicit. The current condition of the web, in which every page load is simultaneously a service request and an involuntary data disclosure, in which the tools nominally designed to protect privacy routinely finance themselves through the surveillance mechanisms they claim to protect against, in which the engineers who build tracking infrastructure and the engineers who build privacy tools sometimes share the same institutional funding and occasionally the same employment history, is not the product of technical inevitability. It is the cumulative result of decisions made over 25 years about which values to optimize in the design of commercial web infrastructure, and it reflects choices rather than constraints.

The General Data Protection Regulation, which took effect in May 2018, was the first substantial regulatory attempt to rebalance this situation, and its effects have been visible, quantifiable, and insufficient. The 2025 FPTrace study demonstrated that browser fingerprinting is being actively deployed to circumvent the GDPR cookie consent mechanisms the regulation requires, meaning that the opt-out procedures regulators mandate are being systematically bypassed through a technical channel the regulation did not specifically anticipate (Saxena et al., 2025). I am not offering a legal analysis here, and IP Beacon is not legal advice. I am noting the gap between what a regulatory framework says it protects and what the technical evidence indicates it actually protects, and that gap is one that anyone engaging seriously with the data is obligated to acknowledge.

The Agreement You Never Read Because It Was Never Written Down

I opened this piece with the frustration of a routine professional task turned into an obstacle course by the advertising infrastructure that wraps every tool in this category. I want to close in the same register, because the frustration is not incidental. It is the diagnostic signal.

When a digital privacy tool is financed through advertising, the advertising infrastructure must be paid for by someone’s data. That data is provided by the users who visited the tool because they wanted to understand what data they were exposing. The circular structure is elegant in the way that a well-constructed mechanism is elegant, and it persists because most users never notice it, and most of those who do notice it have no immediately available alternative.

IP Beacon is an attempt to be that alternative, without claiming that a single HTML file constitutes a comprehensive response to the data economy, or that technical awareness substitutes for the political and regulatory action that the structural problem actually requires. What IP Beacon offers is a clear view of precisely what your connection and browser disclose, without ceremony, without advertisements, and without the specific irony of a privacy tool that is itself violating the privacy it claims to discuss.

If that view changes the way you think about the web, something has been accomplished. If it confirms what you already understood and simply provides a faster, cleaner instrument for checking it, that is equally useful. And if you decide to deploy it on your own server, distribute it to a client, or run it locally on your own machine without it ever contacting a network, the MIT license and the single-file format make all of those options available to you immediately, without requiring my continued interest in maintaining a public service.

The data your browser transmits before you finish typing will be transmitted regardless. The only question is whether you know about it.

References

  • Eckersley, P. (2010). How unique is your web browser? Proceedings of the 10th Privacy Enhancing Technologies Symposium (PETS 2010), Berlin, Germany. https://doi.org/10.1007/978-3-642-14527-8_1
  • Englehardt, S., & Narayanan, A. (2016). Online tracking: A 1-million-site measurement and analysis. Proceedings of the 23rd ACM SIGSAC Conference on Computer and Communications Security (CCS 2016). https://doi.org/10.1145/2976749.2978313
  • Laperdrix, P., Bielova, N., Baudry, B., & Avoine, G. (2020). Browser fingerprinting: A survey. ACM Transactions on the Web, 14(2), 1-33. https://doi.org/10.1145/3386040
  • MaxMind. (2023). GeoIP2 accuracy documentation. https://www.maxmind.com/en/geoip2-city-accuracy
  • Saxena, N., Dani, J., Cao, Y., & Liu, Z. (2025). FPTrace: Tracing browser fingerprinting in the wild. Proceedings of the ACM Web Conference 2025 (WWW 2025). Texas A&M University & Johns Hopkins University.
  • Surfshark. (2025). VPN leak research report. https://surfshark.com
  • Uberti, J., & Shieh, C. (2021). WebRTC IP handling requirements (RFC 8828). Internet Engineering Task Force. https://www.rfc-editor.org/rfc/rfc8828