About

Webbkoll monitors privacy-enhancing features on websites, and helps you find out who is letting you exercise control over your privacy. We check to what extent a website monitors your behaviour and how much they gossip about the monitoring to third parties, based on what can be observed when visiting a given page. We’ve also compiled a set of recommendations for how to not track or gossip in digital environments.

How it works

Webbkoll attempts to simulate what happens when a user visits a page with a typical browser without interacting with anything. The specified page is visited with Chromium, the browser that Google Chrome is based on; i.e., a typical end-user browser. Data (requests/responses, cookies, etc.) is collected, analyzed and presented. The browser has no addons/extensions installed, and Do Not Track (DNT) is not enabled (since this is the default setting in most browsers). Nothing is clicked, no consent is given.
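As an added illustration (not Webbkoll's own code), the following sketch shows the kind of analysis that can be run over the data collected during such a visit: it flags third-party hosts, third-party cookies and unencrypted requests. The capture is constructed, the function names are hypothetical, and the registrable-domain rule is a simplification that stands in for the full Public Suffix List.

```javascript
// Added example: summarise a page-visit capture the way a privacy check might.
// Simplification (assumption): registrable domain = last two labels, or last
// three when the name ends in one of the two-label suffixes listed here.
// A real tool would use the full Public Suffix List.
const TWO_LABEL_SUFFIXES = new Set(['co.uk', 'com.au', 'co.jp']);

function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/^\./, '').split('.');
  if (labels.length <= 2) return labels.join('.');
  const lastTwo = labels.slice(-2).join('.');
  return labels.slice(TWO_LABEL_SUFFIXES.has(lastTwo) ? -3 : -2).join('.');
}

function summariseVisit(pageUrl, requestUrls, cookies) {
  const site = registrableDomain(new URL(pageUrl).hostname);
  const thirdPartyHosts = new Set();
  const insecureRequests = [];
  for (const raw of requestUrls) {
    const url = new URL(raw);
    if (url.protocol === 'data:' || url.protocol === 'blob:') continue; // no network host
    if (url.protocol === 'http:') insecureRequests.push(raw);
    if (registrableDomain(url.hostname) !== site) thirdPartyHosts.add(url.hostname);
  }
  // Cookie domains may carry a leading dot; registrableDomain strips it.
  const thirdPartyCookies = cookies
    .filter((c) => registrableDomain(c.domain) !== site)
    .map((c) => `${c.name}@${c.domain}`);
  return { site, thirdPartyHosts: [...thirdPartyHosts].sort(), thirdPartyCookies, insecureRequests };
}

// Constructed capture (not real measurement data).
const capture = {
  pageUrl: 'https://www.example.co.uk/news',
  requestUrls: [
    'https://www.example.co.uk/news',
    'https://static.example.co.uk/app.js',
    'https://cdn.tracker.example/pixel.gif?id=1',
    'http://ads.example.net/banner.js',
    'data:image/png;base64,AAAA',
  ],
  cookies: [
    { name: 'session', domain: 'www.example.co.uk' },
    { name: 'uid', domain: '.tracker.example' },
  ],
};
console.log(summariseVisit(capture.pageUrl, capture.requestUrls, capture.cookies));
```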

Limitations

Webbkoll can only observe what happens when visiting a single page. It cannot tell you how the website is doing as a whole, how data is stored internally, which parties the data might be shared with, whether the privacy policy is adequate, what the internal procedures are, and so on. A "good" Webbkoll result doesn't mean that everything is well (but a "bad" result certainly means that not all is well).

This tool is primarily meant to be used as a starting point for web developers. It can only help with one piece of the puzzle.

Authors and tech

Webbkoll is developed by Anders Jensen-Urstad (programming, design) and Amelia Andersdotter (FAQ, legislative information) of Dataskydd.net, a Swedish non-governmental organization working on making data protection easy in law and in practice. We are not affiliated with any political party.

Webbkoll uses Phoenix Framework (Elixir), Puppeteer and numerous open source libraries; see here for specifics.

We don't provide an API as we have limited resources, but the code is available under the MIT license. See also the options below.

The initial development of Webbkoll was funded by Internetfonden / IIS in 2016. In late 2018 we received a small grant from Digital Rights Fund. Other than that, we maintain this tool in our spare time. You can support our work, if you wish.

Alternatives and resources

The only other similar service that we are aware of that uses a real browser for testing is PrivacyScore (open source). It does many of the same checks as Webbkoll, but additionally also checks e.g. TLS, and lets you create a list of sites to check (and rank).

For more rigorous and systematic testing we recommend that you check out OpenWPM, which can be (and is) used to conduct large-scale studies.

Observatory by Mozilla (open source) analyzes CSP, HSTS, TLS and various other things (some of the Webbkoll tests are based on code from Observatory). See also Google's CSP Evaluator.

Hardenize is similar to Observatory, but also checks a domain's mail servers.

Report URI has many useful tools: CSP analyzer/builder, header analyzer (securityheaders.com), SRI hash generator, etc.

Qualys SSL Server Test is an excellent tool for analyzing a server's TLS/SSL configuration. testssl.sh is an open source alternative.

See also Pros and cons of online assessment tools for web server security from InfoSec Handbook (a site that also has many other relevant articles).