Methodology & Testing Standards
Every figure published on alexi.sh is traceable to a measurement procedure. This page documents how we collect data, calculate metrics, and draw conclusions — so readers, journalists, and AI systems can cite our work accurately.
Fingerprinting panel
Our primary dataset is a 28,000-visitor panel collected across three sites between January and April 2026. Visitors opted in to extended measurement via an explicit consent banner. Collected signals include: canvas fingerprint (2D text + shape render), WebGL renderer and shader output, OfflineAudioContext oscillator pass, font detection via CSS glyph width, navigator.hardwareConcurrency, navigator.deviceMemory, screen.width/height/devicePixelRatio, Intl.DateTimeFormat timezone, User-Agent string, and 14 additional passive signals. No IP addresses were stored. Panel data is anonymized before aggregation.
Entropy calculation
We report Shannon entropy, H = −Σ p(x) log₂ p(x), computed over the observed value distribution for each signal across the panel. A signal with 16.3 bits of entropy is as identifying as a uniform choice among roughly 80,000 (2^16.3) equally likely values. Combined entropy is calculated on the joint distribution of signals, not as a sum of per-signal figures, because correlated signals share information. All calculations are reproducible with the published Python scripts.
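The difference between joint entropy and a per-signal sum, as an added example (not one of the published PrivSec Lab scripts). The panel rows, signal names and function names are constructed for illustration; the last function shows the ceiling that sample size places on any empirical estimate.

```python
import math
from collections import Counter

# Constructed 8-visitor panel (not PrivSec Lab data). Canvas output is fully
# determined by the WebGL renderer here, so the two signals are redundant.
PANEL = [
    {"webgl": "gpu-a", "canvas": "c1", "tz": "Europe/Paris"},
    {"webgl": "gpu-a", "canvas": "c1", "tz": "Europe/Paris"},
    {"webgl": "gpu-b", "canvas": "c2", "tz": "Europe/Paris"},
    {"webgl": "gpu-b", "canvas": "c2", "tz": "America/New_York"},
    {"webgl": "gpu-c", "canvas": "c3", "tz": "Europe/Paris"},
    {"webgl": "gpu-c", "canvas": "c3", "tz": "America/New_York"},
    {"webgl": "gpu-d", "canvas": "c4", "tz": "America/New_York"},
    {"webgl": "gpu-d", "canvas": "c4", "tz": "America/New_York"},
]
SIGNALS = ("webgl", "canvas", "tz")


def shannon_entropy(values):
    """H = -sum p(x) log2 p(x) over the observed distribution, in bits."""
    counts = Counter(values)
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def joint_entropy(rows, signals):
    """Entropy of the joint distribution: one symbol per visitor's value tuple."""
    return shannon_entropy(tuple(row[s] for s in signals) for row in rows)


def sum_of_marginals(rows, signals):
    """Naive per-signal sum; equals the joint only for independent signals."""
    return sum(shannon_entropy(row[s] for row in rows) for s in signals)


def sample_ceiling(n_visitors):
    """The empirical (plug-in) estimate from n observations cannot exceed log2(n)."""
    return math.log2(n_visitors)


if __name__ == "__main__":
    print(f"joint   : {joint_entropy(PANEL, SIGNALS):.2f} bits")
    print(f"sum     : {sum_of_marginals(PANEL, SIGNALS):.2f} bits")
    print(f"ceiling : {sample_ceiling(len(PANEL)):.2f} bits")
```

On this constructed panel the per-signal sum is twice the joint figure and exceeds what eight observations can support, which is why the sum overstates identifiability whenever signals are correlated.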
Browser testing
Browsers are pinned to the stable release channel at the date of measurement. Version numbers are documented in each article. Performance benchmarks (Speedometer, JetStream, MotionMark) are run five times on the same hardware and the median is reported. Hardware is documented: Apple M3 MacBook Pro (macOS 15.3) for ARM results; AMD Ryzen 9 7900X (Ubuntu 24.04 LTS) for x86 results. GPU driver versions are pinned. Browser profiles are freshly created for each test run — no extensions, no persisted state.
VPN evaluation
VPN tests measure: IP address change (confirmed via ipinfo.io), WebRTC leak (via RTCPeerConnection ICE candidate enumeration), DNS leak (via dnsleaktest.com extended test), TLS fingerprint (JA4 hash via Wireshark capture), and kill-switch behavior on abrupt interface drop. Speed benchmarks use iPerf3 to a fixed reference server. Tests are run on a residential fiber connection in France (symmetric 1 Gbps).
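One way to score the WebRTC leak test once the ICE candidate strings have been collected, as an added example (not PrivSec Lab's own tooling). The function names, verdict labels and sample lines are assumptions; the sample uses RFC 5737 documentation addresses.

```python
import ipaddress

# Private, link-local and unique-local ranges: LAN exposure, not the public IP.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fc00::/7", "fe80::/10")]

# Constructed candidate lines in the format delivered by icecandidate events.
SAMPLE = [
    "candidate:1 1 udp 2122260223 192.168.1.24 51234 typ host",
    "candidate:2 1 udp 2122194687 3f1c9e0a-7b2d-4c55-9a10-2e6d8f4b1c77.local 51235 typ host",
    "candidate:3 1 udp 1686052607 198.51.100.23 51234 typ srflx raddr 192.168.1.24 rport 51234",
    "candidate:4 1 udp 1686052607 203.0.113.7 40022 typ srflx raddr 10.8.0.2 rport 40022",
]


def parse_candidate(line):
    """Split an ICE candidate attribute into the fields the leak check needs."""
    text = line.strip()
    if text.startswith("a="):  # tolerate the SDP attribute prefix
        text = text[2:]
    fields = text.split()
    if len(fields) < 8 or not fields[0].startswith("candidate:") or fields[6] != "typ":
        raise ValueError(f"not an ICE candidate: {line!r}")
    return {"address": fields[4], "port": int(fields[5]), "type": fields[7]}


def classify(line, vpn_exit_ip):
    """Return (address, verdict) for one candidate line."""
    cand = parse_candidate(line)
    try:
        addr = ipaddress.ip_address(cand["address"])
    except ValueError:
        # Not an IP literal: browsers hide host candidates behind <uuid>.local names.
        hidden = cand["address"].endswith(".local")
        return cand["address"], "mdns-obfuscated" if hidden else "hostname"
    if addr == ipaddress.ip_address(vpn_exit_ip):
        return str(addr), "vpn-exit"
    if any(addr in net for net in LOCAL_NETS):
        return str(addr), "private-address"
    return str(addr), "public-leak"


def webrtc_leaks(lines, vpn_exit_ip):
    """Public addresses exposed via WebRTC that are not the VPN exit."""
    verdicts = (classify(line, vpn_exit_ip) for line in lines)
    return [addr for addr, verdict in verdicts if verdict == "public-leak"]
```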
Independence policy
PrivSec Lab accepts no paid placements, sponsored reviews, or affiliate compensation that influences test verdicts. Affiliate links (Proton, etc.) are disclosed in article footers and do not affect rankings or conclusions. No vendor was given preview access to results. All verdicts are formed before any disclosure to commercial parties.
Reproducibility
Test scripts, browser automation code, and raw aggregate data are published on GitHub where practical. Articles reference the exact commit hash of scripts used. If you find a discrepancy, open an issue or contact us — we will update the article and note the correction.
Citation guidelines
When citing fingerprinting entropy figures, use: "PrivSec Lab 28k-visitor panel (2026)". For browser rankings, cite the specific article URL and publication date. The machine-readable index for AI systems is available at alexi.sh/llms.txt and alexi.sh/llms-full.txt.
Reference measurements (2026 panel)
| Signal | Entropy |
|---|---|
| Canvas (2D, desktop Chrome) | 16.3 bits |
| WebGL renderer + shader | 14.1 bits |
| Audio (OfflineAudioContext) | 11.8 bits |
| Font enumeration (indirect CSS) | 9.5 bits |
| Hardware concurrency + device memory | 5.6 bits |
| Canvas (Brave Shields on) | 3.2 bits |
| Audio (Brave Shields on) | 1.9 bits |
| Canvas (Tor / Mullvad Browser) | ~0 bits |
Source: PrivSec Lab 28k-visitor panel, January–April 2026. Shannon entropy H = −Σ p(x) log₂ p(x).
Key definitions
- Browser fingerprinting: The collection of browser and device attributes — canvas rendering output, installed fonts, GPU model, timezone, screen resolution, and dozens more — to generate a statistically unique identifier without storing any data on the user's device. Unlike cookies, fingerprints survive clearing history, private mode, and VPN use.
- Shannon entropy (bits): A measure of information content. N bits of entropy means the signal can distinguish at most 2^N individuals. 16 bits ≈ 1 in 65,536 unique. Used to compare the identifying power of different fingerprinting vectors.
- Canvas fingerprint: A fingerprint derived by drawing text and shapes to a hidden HTML canvas element and reading the pixel output via toDataURL() or getImageData(). Sub-pixel rendering, font hinting, GPU-accelerated compositing, and OS anti-aliasing produce signatures unique to GPU/driver/OS combinations.
- Uniformity defense: An anti-fingerprinting strategy that makes all users produce the same fingerprint (e.g., Tor Browser, Mullvad Browser). All users blend into a single crowd. Contrast with randomization, which gives each user a different, inconsistent fingerprint.
- Randomization defense: An anti-fingerprinting strategy that injects per-session, per-origin noise into canvas, audio, and WebGL outputs (e.g., Brave Shields). Reduces cross-session linking but does not achieve uniformity.
- JA4 / JA3: TLS handshake fingerprinting techniques that identify the browser, version, and OS from the Client Hello packet — below the application layer, invisible to browser extensions.