You just opened a link. Here's what it already knows.
Everything below was visible to this page the instant you tapped it.
No login. No permissions prompt. Nothing was sent yet — this is a snapshot,
shown to you, on your own screen.
What's happening: This page is part of a privacy awareness demo run by
someone you trust. It will not save any of this information unless you
tap the orange button below. You can also delete anything later.
Network · who & where
Public IP…
Approx. location…
ISP / carrier…
VPN / proxy hint…
Server time…
Round-trip latencymeasuring…
Device · phone & browser
Operating system…
Browser…
In-app browser…
Device type…
Device model hint…
CPU cores…
Device memory…
Touch input…
Screen · language · time
Screen size…
Window size…
Pixel ratio…
Language(s)…
Timezone…
Local time…
Dark mode…
Reduced motion…
Link · how you got here
URL opened…
Tracking params…
Referrer…
JS enabledyes — that's how this page works
Cookies enabled…
Storage available…
Ad blockerchecking…
Fingerprint · a quiet ID nobody asked for
Combining the things above produces a unique-ish ID for your browser.
No cookie required. This is recomputed live, not stored:
computing…
Behaviour on this page0 taps · 0 scrolls · 0s
The point.
A page you've never been to, that you opened by tapping a link,
can see all of the above without asking you anything. A real attacker would:
Not show you any of this. The page would look empty, or like a login screen.
Send everything to their server the instant the page loads.
Use the device + IP + fingerprint to recognise you again on other sites.
Use what they learned (carrier, city, device) to craft a follow-up message that feels personal: "Hi, this is [your bank], we noticed a login from [your real city]…"
Rules that actually help:
don't tap links from unknown senders, look at the domain before tapping,
use a browser (not the in-app one) when something feels off,
and treat any page that already knows things about you as suspicious — not impressive.