You, right now

Network round-trip time (RTT) cannot fall below 2 × distance ÷ speed-of-light-in-fiber (~204,000 km/s). Probing region-pinned cloud endpoints yields an upper bound on your real distance to each, a physical bound no VPN can erase, because your signal still has to travel that far in real fiber.

Your browser whispered an identifying handshake to this server before any JavaScript ran. This layer sits below page scripts: privacy extensions, "Brave-style" canvas farbling, and ad blockers do not change a single byte of it. A VPN replaces your IP but never rewrites your TLS hello. Industry bot-detection (Cloudflare, Akamai, DataDome, PerimeterX) uses exactly these signals, and they remain identifying even when every JavaScript-visible surface is hidden.

A formal information-theoretic proof, computed locally from your visible browser signals. Each attribute's entropy contribution is taken from peer-reviewed fingerprinting literature (Eckersley 2010, Laperdrix 2016, Englehardt & Narayanan 2016, Cao 2017, Vastel 2018). The joint entropy applies an empirical correlation correction; the final bound is reported as min-entropy (worst-case adversarial re-identification), not average-case Shannon entropy. The math admits when a visitor is not uniquely identifiable; nothing is rounded in your favor.

Building proof from collected signals…

Educational demonstration: this module runs a calibrated cross-site timing experiment. It first proves that the page scheduler is healthy and that a same-origin iframe acknowledgement can be created quickly; only then does it load the five opt-in whitelist URLs. The local baseline no longer depends on data: or srcdoc iframe load events, because those events can be delayed by browser policy and create false failures. Repeated samples are now outlier-aware: a first-sample cold-start spike is separated from the post-warm-up core instead of being silently hidden inside a “stable” label. The page cannot read target response bodies, response headers, target DOM, or cookies. Target services may still receive normal browser requests depending on cookie policy and browser privacy settings. Results are timing signals only, never certain logged-in/logged-out facts.

Typing rhythm is a behavioral biometric. Dwell time (how long each key is held), flight time (gap between keys), and digraph latency together expose physical keyboard layout, touch-typing skill, and physiological tremor. Analysis runs locally; keystrokes are never uploaded and the input is not autofilled anywhere.

Web Locks API, BroadcastChannel, and ServiceWorker registration reveal how many instances of this page are running simultaneously across your browser tabs and windows, without cookies, storage, or any server-side session tracking.

A share-safe summary of this visit. Exact coordinates, ZIP code, full ISP details, and full fingerprint values are redacted by default.

Try to make the next scan reveal less. This does not make you anonymous; it only shows which browser-visible surfaces changed.

Your IP address, browser clock, language, hardware, and WebRTC stack can expose separate evidence. This section separates real contradictions from ordinary browser residue and preference signals.

A normal page can inspect which advertising and attribution surfaces your browser exposes. No ad request is made here; this is a local capability audit, plus Topics API output when the browser itself makes it available.

This page will not request physical-device access automatically. The buttons below deliberately trigger browser permission flows so visitors can see how close a website can get to keyboards, USB devices, serial ports, and Bluetooth hardware after explicit consent.