A webpage can learn a depressing amount about you before you click anything.
Taken is a neat, uncomfortable demo of that. It shows what your browser exposes by default: IP-derived location, installed fonts, screen size, GPU details, canvas fingerprints, clipboard permissions, login-state tricks, and other small signals that become very identifying once stitched together.
The page says it stores nothing and collects almost nothing. That is the point. The creepy bit is not what Taken does. The creepy bit is what any normal website can do with the same browser surface area, usually while hiding behind a cookie banner that talks about “improving your experience”. Lovely.
The fingerprint is the product
Browser fingerprinting works because your device leaks lots of boring details that become less boring together.
Your browser, OS, timezone, language, fonts, screen dimensions, graphics stack and rendering behaviour can form a profile distinct enough to follow you around without cookies. The Electronic Frontier Foundation’s Panopticlick project showed this years ago, and the newer Cover Your Tracks test still demonstrates how unique many browser configurations remain.
Canvas fingerprinting is one of the more annoying examples. A site asks your browser to draw hidden text or shapes, then reads tiny rendering differences caused by your GPU, drivers, OS and fonts. Princeton researchers found canvas fingerprinting in active use across the web in their 2014 paper on large-scale web tracking measurement.
Nobody sane thinks “ah yes, drawing invisible text to identify visitors” when opening a recipe site. Yet here we are.
Some APIs got fixed. Some did not.
Taken also highlights a useful distinction: some leaks came from browser APIs that eventually got nerfed.
The Battery Status API became a privacy problem because battery level, charging state and discharge timing could help identify and track users. Researchers published the issue in 2015 in The leaking battery, and browsers later restricted or removed parts of the API. Good.
But other surfaces remain active because the web still needs them. Canvas, WebGL, screen information, fonts and hardware hints all support legitimate features. They also support tracking. That is the usual web privacy mess: the same capabilities that make rich web apps possible also give advertisers and analytics vendors a lovely little surveillance toolkit.
The part users never see
The most useful thing about Taken is that it makes invisible behaviour visible.
It is one thing to say “websites track you”. Everyone has heard that sentence so many times it has become wallpaper. It is another thing to open a page and watch your browser quietly hand over enough attributes to build a persistent fingerprint.
The fix is not perfect. Safari and Firefox generally push harder on anti-fingerprinting than Chrome. Brave’s fingerprinting protections go further by randomising certain values. Extensions help, but they can also make your fingerprint more unique if you stack too many odd ones together. Very funny. Very web.
Best practical setup: use a browser with built-in tracking protection, block third-party scripts where possible, avoid installing random extensions, and assume private browsing does not make you anonymous. It mainly clears local state. It does not magically make your GPU forget how to render pixels.
Taken is worth opening once, preferably in a few different browsers. Not because it catches anyone doing something exotic, but because it shows the baseline.
The baseline is already bad enough.