Skip to content

angelinajh/trace-mapper

Repository files navigation

TraceMapper

TraceMapper demo

See exactly where every website sends your data in real time, entirely in your browser.

TraceMapper is a privacy transparency browser extension that gives users a window into activity that was already occurring in their browser. Every website you visit makes dozens of outbound requests to third-party servers such as advertising networks, analytics platforms, social media trackers and fingerprinting services. Until now, this happened invisibly. TraceMapper helps make it visible.

TraceMapper does not intercept, block, or modify any traffic. It simply shows you what your browser is already doing. This tool exists because users have a right to see that activity, and TraceMapper will visualise it for you.

This project is part of a broader portfolio of privacy tools I've built in response to regulatory guidance on privacy by design, data minimisation and end-to-end encryption (E2EE) best practices.


Privacy model

TraceMapper was built with the same privacy principles it is designed to expose in others. Every design decision, from default state to data retention to optional features, was made by asking, "What is the minimum we need to store, and what should the user actively consent to?"

Off by default

TraceMapper is disabled when first installed. It does not collect, intercept or process anything until the user explicitly turns it on. Most extensions begin running silently the moment they are installed, but TraceMapper requires explicit activation. This is a deliberate implementation of the ICO's data protection by default principle. The most privacy-protective setting is the starting point, and the user opts in rather than out.

This off-by-default design choice distinguishes TraceMapper from the very tools it is designed to scrutinise.

No data leaves your browser

All session data is stored in the extension's memory only. Nothing is sent to any server — not to TraceMapper, not to any analytics service, not to anyone. When you navigate to a new page or close the tab you've activated the extension on, that session's data is cleared entirely. There is no history, no account, no cloud sync.

This is to ensure that TraceMapper does not store anything it sees and exists purely as a visualisation tool that does not harvest any user data. Session data exists in memory only and is cleared automatically on navigation. The only items ever written to storage are your on/off preference and, if you choose to install it, the optional Geo Database. No browsing history, no tracker history, no visited sites - nothing accumulates over time. This is as data-clean as you can get.

Disabling the extnesion also immediately clears all captured session data from memory. Nothing seen during the previous session is retained.

Field names only — never values

When TraceMapper intercepts an outbound request containing a JSON payload, it reads only the names of the fields (the keys) never the values. That is, it knows a request sent a field called user_id, but not what your user ID is. This distinction is fundamental and non-negotiable in the architecture.

What TraceMapper captures

For each outbound request made by a webpage you visit:

  • Destination domain
  • HTTP method
  • Field names in JSON payloads (never values)
  • Number of times that destination was called in the session

Nothing else.

What TraceMapper cannot see

  • HTTPS payload values — TraceMapper reads field names before encryption, but values are never extracted
  • Native mobile app traffic — the extension only sees browser traffic
  • Traffic from other browsers
  • Requests made by a page's own service worker

How it works

Request interception

The extension's content script runs at document_start — before any page scripts execute — and wraps the browser's native fetch, XMLHttpRequest and WebSocket APIs. Every outbound request passes through these wrappers, which extract the destination hostname and payload field names before passing the request on unchanged. The page never knows TraceMapper is there, and the request is never delayed or modified.

Tracker enrichment

Each destination domain is looked up against a built-in tracker database drawn from publicly available, openly licensed research, primarily DuckDuckGo Tracker Radar, EasyList and EasyPrivacy. This database classifies destinations by category (advertising, analytics, social, CDN, payment, fingerprinting) and risk level (high, medium, low).

All this is public knowledge, compiled by researchers doing exactly what TraceMapper does — observing network traffic across thousands of websites and cataloguing the results — and published openly for anyone to use. TraceMapper makes that research accessible to non-technical users in real time, and this tool similarly exists for academic purposes to visiblise what is typically invisible to the user.

Field risk classification

Field names observed in payloads are classified against a field risk database. Fields like hashed_email, fbp and device_id are classified as high risk. Fields like page_url and session_id are medium risk. Operational fields like currency and locale are low risk. Unknown field names are flagged rather than guessed.


Features

Flows tab

A categorised, risk-sorted list of every third-party destination that received data from the current page. Each entry shows the destination domain; category; risk level; call count and (when expanded) the tracker's name, purpose and all field names observed in its payloads.

Map tab — node view

A visual SVG node diagram showing the current page at the centre with lines radiating to each destination, colour-coded by category and weighted by risk level.

Map tab — world map view (optional add-on)

A geographical world map showing which countries tracker servers are located in, with lines drawn from a user-selected origin country to each destination country. The user-selected origin country clears with each session (page refresh or navigation to a new page) to ensure minimum data retention. See below for installation details.

Fields tab

A flat list of every unique field name observed across all destinations in the current session, sorted by risk level, showing how many destinations each field was sent to.

Toolbar badge

The extension icon updates in real time with a count of third-party destinations detected on the current page, colour-coded red (high risk), amber (medium) or green (low).


Geographical map — optional add-on

The geographical map is an optional feature that is not bundled in the default extension. This is a deliberate choice to ease storage concerns for users who do not want the feature and its associated database stored on their device.

To install it, open the TraceMapper popup and scroll to the Optional Features section. Click Install next to the Geographical Map. The extension will download and store a lightweight country-level IP geolocation database locally on your device.

Storage disclosure: the geo database is approximately 5 MB and is stored in your browser's local extension storage. It can be removed at any time by clicking Remove in the Optional Features section, which deletes it from your device immediately.

Geolocation lookups happen entirely offline. The database is bundled locally and never calls any external service to resolve locations. Many geolocation tools make live API calls (meaning a third party sees every domain being looked up). TraceMapper's approach avoids this entirely, with offline-only architecture that is not a limitation, but a key privacy feature.

Origin country selector

When using the world map view, you can select your origin country from a dropdown to draw lines showing where your data travels. This selection is never stored. It resets every time you open the popup.

As explained above, this is a deliberate privacy choice. Your location is personal information. Storing a country preference invisibly — even something that may seem harmless — would be inconsistent with TraceMapper's design principles. After all, this is merely meant to be a visualisation tool. The minor inconvenience of reselecting your country each session is a worthwhile tradeoff, and the UI makes this reasoning explicit rather than treating it as a missing feature.

Most tools would store this preference without a second thought. TraceMapper does not.


Tech stack

Layer Technology Purpose
Request interception Native fetch / XHR / WebSocket wrappers Intercepts outbound requests at document_start before page scripts execute
Tracker database Built-in JS lookup table Classifies destinations against 100+ known tracker domains
Field risk database Built-in JS lookup table Classifies payload field names by privacy risk level
Geo database (optional) DB-IP Lite country-level binary Offline IP-to-country resolution, installed on demand
Map visualisation SVG (native, no library) Node diagram and world map drawn without external dependencies
Extension architecture Chrome Manifest V3 Service worker background, content script, popup
Storage chrome.storage.local (minimal) Toggle state and optional geo database only — no session data persisted

Installation

From source (developer mode)

  1. Clone or download this repository
  2. Open Chrome and navigate to chrome://extensions
  3. Enable Developer mode (toggle in the top right)
  4. Click Load unpacked and select the TraceMapper-extension folder
  5. The TraceMapper icon appears in your toolbar
  6. Click the icon and use the toggle to enable the extension
  7. Navigate to any webpage to begin capturing data

World map setup

The geographical map requires a world.svg file that is not included in this repository due to file size. To enable it:

  1. Download the file from https://cdn.jsdelivr.net/npm/@svg-maps/world/world.svg.
  2. Place it in the TraceMapper-extension/ folder
  3. Reload the extension at chrome://extensions
  4. Open TraceMapper and install the Geographical map from Optional Features

Data sources and freshness

Tracker database

The built-in tracker database is drawn from DuckDuckGo Tracker Radar, EasyList and EasyPrivacy — all publicly available and openly licensed. The current version covers 400+ domains across 8 categories. Updates are applied when new versions of the extension are released.

Geographical database

The geographical map feature uses the DB-IP Lite country-level geolocation database. The version bundled in this repository was last updated April 2026. For the most current version, download the latest CSV from db-ip.com/db/lite.php and run the included pre-processing script to regenerate the binary. Updates are recommended when releasing new versions of the extension.

Note IP address allocations change slowly. A database that is a few months old remains highly accurate for the major tracker destinations this tool is designed to surface.


Regulatory context

TraceMapper was designed with reference to:

  • ICO guidance on Privacy in the Product Design Lifecycle (2023): Privacy considered from the earliest design stage, with data minimisation applied at every layer.
  • UK GDPR Article 25: Data protection by design and by default, implemented as a literal off-by-default activation model.
  • ICO guidance on data minimisation: The extension stores only what is strictly necessary - toggle state and, if the user explicitly installs it, the optional geo database. No session data is ever retained.
  • ICO and CMA joint guidance on dark patterns (2023): The extension UI contains no manipulative design. The toggle is prominent and unambiguous. Optional features are clearly labelled with storage disclosures before installation.

The architecture embodies a principle that runs throughout this portfolio: privacy should be the default, not the exception, and every storage decision should require a positive justification rather than a reason to opt out.


Roadmap

v1.0 — current

  • Real-time request interception and tracker classification
  • Flows, Map (node view), Fields and About tabs
  • Off-by-default activation with explicit user consent
  • Optional geographical map add-on with offline geo database
  • No persistent session data

v1.1 — planned

  • Export: JSON export of session data and a formatted HTML report suitable for printing to PDF
  • Alerts: Browser notifications when fingerprinting or session-recording trackers are detected (FullStory, Hotjar, FingerprintJS and equivalents)

Framing these as a second milestone rather than shipping everything at once reflects my deliberate development philosophy that a lean, well-understood v1 is more valuable than a bloated v1 that does too much.


Security notes

This is a portfolio and educational project. TraceMapper has not undergone a formal security audit. The extension has been built with care and the privacy principles are genuine, but it should be reviewed before use in a high-security or enterprise context.

Field name inference is heuristic. For unknown field names, TraceMapper applies pattern matching to infer risk level. This is an approximation; some high-risk fields with unusual names may be classified as lower risk than they are.

Tracker database coverage is not exhaustive. Destinations not in the database are flagged as unknown rather than assumed safe.


Licence

MIT — see LICENSE for details.


Author

Angelina Hue · April 2026

Part of an open portfolio of privacy-forward tools. Feedback and contributions welcome.

About

Browser extension that shows you where every website sends your data in real time, entirely in your browser

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors