Reference
How the Exposure Score works
Transparency is the whole point of SysLeak, so the scoring methodology is public, the numbers below are the exact constants the code uses, and the engine is deterministic — the same inputs always produce the same score. This page is generated from the same source file the scoring engine imports.
Step 1 — entropy per signal
Each fingerprint signal carries information, measured in bits. One bit halves the number of people who match you: 10 bits puts you in a group of roughly one in a thousand, 20 bits one in a million, 33 bits would identify one person among everyone on the internet. Our per-signal values are conservative estimates drawn from published research — Eckersley's Panopticlick study (2010) and the AmIUnique project (Laperdrix et al., 2016) — not live measurements of you against a population.
Every signal is capped at 10 bits, because surprisal estimates for rare values are noisy, and an unsupported signal contributes exactly zero.
| Signal | Est. bits | Basis |
|---|---|---|
| user-agent | 9 | Browser name, exact version and OS build combinations are highly diverse (Eckersley 2010 measured ~10 bits; modern UA reduction lowers this). |
| platform | 2 | A handful of common values (Win32, MacIntel, Linux x86_64, iPhone, …). |
| languages | 5.5 | Ordered language preference lists vary by region and personal setup (AmIUnique measured ~5.9 bits). |
| hardware-concurrency | 2.5 | CPU core counts cluster around 4–16 but the tails are revealing. |
| device-memory | 1.8 | Chrome reports RAM in coarse steps (0.25–8 GB), a few common values. |
| screen-resolution | 4.8 | Resolution plus pixel density spreads across dozens of common combinations. |
| available-screen | 3 | Taskbar/dock geometry shifts available space in OS-specific ways. |
| color-depth | 1 | Almost always 24 or 30 — low information, still a coherence check. |
| pixel-ratio | 2 | Display scaling (1, 1.25, 1.5, 2, 3, …) correlates with hardware class. |
| timezone | 3 | A few dozen populated IANA zones; strong geographic signal. |
| locale | 2 | Resolved formatting locale, largely correlated with languages. |
| canvas | 8.5 | Pixel-level rendering differences (GPU, driver, fonts, antialiasing) make canvas hashes highly distinctive (AmIUnique: ~8.5 bits). |
| webgl-renderer | 6 | Exposed GPU vendor/renderer strings are specific to hardware + driver. |
| webgl-hash | 4.5 | Rendered-output differences add discrimination beyond the renderer string. |
| audio | 5 | DSP output of a fixed signal chain differs subtly across hardware/OS audio stacks. |
| fonts | 6.5 | Installed font sets reflect OS, language packs and installed software (Eckersley 2010: ~13.9 bits via Flash; measurement-based detection sees less). |
| features | 3 | Presence/absence of newer browser APIs partitions browsers into cohorts. |
Step 2 — sum, with caps
The capped per-signal bits are summed, and the total is capped at 33 bits — roughly log₂ of the number of internet users, since nobody can be more unique than “one person on the internet.”
Honest caveat: signals are correlated. Your user agent and your platform overlap; your timezone and your locale overlap. A plain sum therefore overstates true entropy. We accept that bias, state it here, and use the global cap to bound it — the alternative (a joint-distribution model) requires exactly the kind of large-scale fingerprint database we refuse to build.
Step 3 — the 0–100 score
Fingerprint entropy maps linearly to up to 80 points (33 bits = 80 points). Three binary exposure flags add the rest, because they leak in ways entropy doesn't capture:
- WebRTC leak (+10): WebRTC surfaced IP addresses that ordinary HTTP did not — the classic VPN bypass.
- Timezone mismatch (+6): your browser's clock disagrees with your IP's region, which itself flags VPN or proxy use to anyone who checks.
- Direct connection (+4): you browse with your bare ISP address, so every site sees a stable network identity.
The result is clamped to 0–100 and labelled:
- 0–24 — low exposure
- 25–49 — moderate exposure
- 50–74 — high exposure
- 75–100 — extreme exposure
What we don't do
We don't store your signals, so we can't compute your uniqueness against a personal-data corpus — and that's deliberate. The aggregate comparison (“more unique than X% of visitors”) uses only salted hashes and coarse buckets that are shared by many visitors by construction. The scoring code is open to inspection, and this page is rendered from the same constants it imports.