# I Audited the Privacy of Popular Free Dev Tools — The Results Are Terrifying
Every day, millions of developers paste sensitive code, API keys, passwords, database queries, and proprietary business logic into free online tools. JSON formatters. Diff checkers. Base64 decoders. Regex testers. Most developers never think twice about it.
I did. I opened Playwright, navigated to the most popular free developer tools on the internet, pasted test data containing fake API keys and passwords, and monitored every single network request that left my browser.
What I found ranges from mildly concerning to genuinely alarming.
---
The Methodology
For each tool tested, I followed the same process:
- Opened the site in a clean browser with Playwright
- Recorded all network requests from the moment of page load
- Entered test data containing simulated sensitive information (fake API keys, passwords, tokens)
- Triggered the tool's primary action (format, diff, decode, etc.)
- Analyzed every outgoing request for tracking, fingerprinting, and data exfiltration
- Checked cookies set, console messages, and JavaScript behavior
The test data used across all sites:
```
API_KEY=sk-secret-test-12345
DATABASE_PASSWORD=hunter2
SECRET_TOKEN=abc123xyz
```
This is the kind of data developers paste into these tools every day.
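The methodology above as a runnable script, added here as an example rather than the post's own audit code: `audit()` takes any recorded request list and reports third-party hosts, requests that carried one of the fake secrets (raw, URL-encoded or base64), and secrets whose prefix ended up in the page title; `capture_with_playwright()` is the live harness. The URL, the CSS selectors and the host names in the comments are placeholders you supply, not values from the post.

```python
"""Added example, not the post's own script: record every request a page makes
while fake secrets are pasted, then report where those secrets showed up.
audit() is pure and offline; capture_with_playwright() is the live harness."""
import base64
from urllib.parse import quote, urlparse

TEST_SECRETS = ["sk-secret-test-12345", "hunter2", "abc123xyz"]  # constructed, fake

def encodings(secret):
    """Forms a secret may take on the wire: raw, URL-encoded and base64."""
    return {secret, quote(secret), base64.b64encode(secret.encode()).decode()}

def registrable(host):
    """Crude eTLD+1 (last two labels): groups t.site.com with www.site.com."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def audit(requests, first_party_host, page_title=""):
    """requests: list of {url, method, post_data}. Title check uses an 8-char
    prefix because titles get truncated (see the diffchecker.com finding)."""
    first_party = registrable(first_party_host)
    third_party, leaks = set(), []
    for r in requests:
        host = urlparse(r["url"]).hostname or ""
        if registrable(host) != first_party:
            third_party.add(host)
        haystack = r["url"] + (r.get("post_data") or "")
        for s in TEST_SECRETS:
            if any(form in haystack for form in encodings(s)):
                leaks.append({"secret": s, "host": host, "method": r["method"]})
    title_leaks = [s for s in TEST_SECRETS if s[:8] in page_title]
    return {"third_party_hosts": sorted(third_party), "leaks": leaks, "title_leaks": title_leaks}

def capture_with_playwright(url, input_selector, action_selector, payload):
    """Live run; needs `pip install playwright` and `playwright install chromium`."""
    from playwright.sync_api import sync_playwright  # lazy so audit() works offline
    seen = []
    with sync_playwright() as p:
        browser = p.chromium.launch()
        page = browser.new_page()
        page.on("request", lambda req: seen.append(
            {"url": req.url, "method": req.method, "post_data": req.post_data}))
        page.goto(url)                      # record from the moment of page load
        page.fill(input_selector, payload)  # paste the fake secrets (placeholder selector)
        page.click(action_selector)         # trigger format / diff / decode
        page.wait_for_timeout(3000)         # give trackers and beacons time to fire
        title = page.title()
        browser.close()
    return audit(seen, urlparse(url).hostname, title)
```

Run `audit()` over a HAR export or DevTools capture just as well as over the live harness; anything in `leaks` is a request that carried your pasted data off-box.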
---
Site 1: jsonformatter.org — 20+ Ad Networks Before You Format Anything
What it does: JSON formatting and validation
What actually happens when you visit:
The moment jsonformatter.org loads, before you type a single character, your browser contacts over 20 advertising networks and tracking services. A real-time bidding auction begins immediately, with companies like Rubicon Project, Media.net, PubMatic, and AppNexus competing to show you ads based on your profile.
The tracking stack on page load:
| Tracker | What It Does |
|---|---|
| Google Analytics | Full device fingerprint including screen resolution, CPU architecture, timezone |
| Freestar Ad Platform | Manages the entire ad auction process |
| Prebid.js Header Bidding | Runs simultaneous auctions across 15+ ad exchanges |
| ID5 Identity Sync | Cross-site identity resolution to track you across the web |
| CrowdControl (Lotame) | Data management platform that builds audience profiles |
| DoubleClick (Google) | Cookie syncing and ad targeting |
| Rubicon Project (Magnite) | Real-time bidding exchange |
| Media.net (Yahoo) | Contextual ad network |
| PubMatic | Programmatic ad exchange |
| AppNexus (Xandr/Microsoft) | Demand-side ad platform |
The JSON formatting itself appears to happen client-side. But here is the problem: you are doing it on a page that is simultaneously running a surveillance operation. Every ad network on that page receives your IP address, browser fingerprint, screen resolution, timezone, language, and a unique identifier that follows you across the web.
When you visit jsonformatter.org and then visit a news site, a shopping site, or any other site in the ad network, those networks know it was the same person. Your visit to a JSON formatter becomes part of your advertising profile.
---
Site 2: diffchecker.com
What it does: Text comparison and diff checking
What actually happens when you paste and diff:
This one is the most concerning finding in the entire audit.
Finding: Server-Side Storage of Your Diffs
When you click "Find Difference" on diffchecker.com, the URL changes to something like:
```
https://www.diffchecker.com/unsaved/5Y8tGhtf/
```
That `/unsaved/{id}` path with a unique server-assigned identifier means your diff content was transmitted to and stored on their servers. Every piece of code you paste, every config file you compare, every secret you accidentally include — it goes to their backend.
Their own marketing confirms this. The homepage banner reads:
> "Diffchecker Desktop — The most secure way to run Diffchecker. Get the Diffchecker Desktop app: your diffs never leave your computer!"
Read that carefully. "Your diffs never leave your computer" is a selling point for the desktop app. The implication is clear: on the web version, your diffs do leave your computer.
Finding: Page Title Leaks Your Data
After diffing, the browser page title changes to show truncated content from both inputs:
```
API_KEY=sk-secret-test-12... <-> API_KEY=sk-new-key-67890 D... - Diffchecker
```
This means your sensitive data appears in:
- Browser history
- Browser tab bar (visible during screen sharing)
- Any analytics that reads `document.title`, including Google Analytics
Finding: Mixpanel Tracking with IP Collection
Diffchecker runs a self-hosted Mixpanel instance at t.diffchecker.com. The tracking endpoint explicitly enables IP collection with the query parameter ?verbose=1&ip=1.
Every diff operation sends an event to Mixpanel containing:
- A persistent device fingerprint ID
- The diff type and size (rows, character count)
- Your plan tier
- Full page URL (which includes the diff ID)
- Your IP address
Finding: Google Analytics Receives Your Diff URLs
Google Analytics (property G-HZ6SVF19DN) receives the full page URL after every diff. Since the URL contains the server-assigned diff ID, and the page title contains your actual data, Google now has a record of your diff operation tied to a persistent client ID.
The full tracking stack:
| Service | Domain | What It Collects |
|---|---|---|
| Mixpanel (self-hosted) | t.diffchecker.com | Page views, diff metadata, device fingerprint, IP address |
| Google Analytics 4 | analytics.google.com | Page URLs with diff IDs, page titles with your content, device info |
| Google Tag Manager | googletagmanager.com | Script orchestration |
| Google AdSense | googlesyndication.com | Full device fingerprint |
| Google DoubleClick | doubleclick.net | Ad tracking with extensive profiling |
| Google Sign-In (GSI) | accounts.google.com | Attempts Google account identification on every visit |
| BuySellAds | srv.buysellads.com | Ad targeting data |
What their privacy policy says:
They claim the right to "compile, aggregate, combine with other information, conduct data analytics, develop and manipulate the data and any personal information included therein, without compensation."
They also list FullStory (session replay that records everything you do) and Facebook remarketing among their integrations.
---
Site 3: base64decode.org — 1,570 Advertising Partners for a Base64 Decoder
What it does: Base64 encoding and decoding
What actually happens when you visit:
This site might be the worst offender in terms of sheer tracking volume. A single page load of base64decode.org triggers 639+ network requests to 96 unique external domains.
Before you even interact with the page, a consent dialog appears (powered by InMobi CMP) that states:
> "We and our 1,570 partners store and/or access information on a device..."
One thousand five hundred and seventy partners. For a tool that converts text to and from Base64.
The numbers:
| Metric | Value |
|---|---|
| Total network requests (single page load) | 639+ |
| POST requests | 133 |
| Unique external domains contacted | 96 |
| Declared advertising partners | 1,570 |
| Real-time bidding exchanges | 30+ |
| Cookie syncing partners | 18+ |
The real-time bidding free-for-all:
When you click "AGREE" on the consent dialog (which most people do reflexively), a massive programmatic ad auction fires. Here are just some of the ad exchanges that participate:
Google Ad Manager, Amazon Publisher Services, Criteo, Rubicon Project (Magnite), AppNexus (Xandr/Microsoft), PubMatic, Media.net, The Trade Desk, Index Exchange, TripleLift, Sonobi, Teads, SeedTag, OneTag, Rich Audience, ConnectAd, Smart AdServer, and at least 15 more.
Each of these exchanges receives your browser fingerprint, IP address, screen resolution, timezone, and a unique identifier.
Cookie syncing across the ad ecosystem:
The site performs aggressive cross-platform identity matching. DoubleClick's partner pixel system syncs your identity with:
- Dotomi, 360Yield (Improve Digital), AdKernel, OneTag, Pangle/TikTok, Temu, Criteo, Lotame, AdNXS/Xandr, The Trade Desk, Bidr.io (Beeswax), OpenX, Yahoo Analytics, and more.
The cm.g.doubleclick.net/partnerpixels request contains a consent string listing 600+ individual vendor IDs that receive consent to track you.
GPU fingerprinting:
The ad-score.com script loaded on this page performs GPU fingerprinting via WebGL. This means your graphics card becomes part of your unique identifier — a fingerprint that persists even if you clear cookies.
Forced redirects:
During testing, the browser was forcibly redirected away from the page to completely unrelated sites including diffchecker.com and regex101.com. This is driven by aggressive ad scripts that hijack navigation. Your browsing context gets exposed to additional third parties without your consent.
What about the actual decode operation?
The site claims "Live mode decodes immediately with your browser's built-in JavaScript functions, without sending any information to our servers." But with Live mode OFF (the default), clicking DECODE sends data to the server via a POST request. Any data processed server-side passes through a site running 96 external tracking domains.
---
Site 4: codebeautify.org — 540 Cookies From a Single Page Load
What it does: JSON viewer, beautifier, and various code formatting tools
What actually happens when you visit:
CodeBeautify.org achieves the dubious distinction of setting 540 tracking cookies across 205 unique domains on a single page load.
The numbers:
| Metric | Value |
|---|---|
| Third-party requests per page load | 605-800 |
| Third-party cookies set | 540 across 205 domains |
| Ad network domains contacted | 88 |
| Cookie sync operations | 30 domains |
| Data broker connections | 21 domains |
| RTB auction requests | 21 POST requests |
Console messages reveal the attitude:
The site's JavaScript outputs this message when it detects no ad blocker is running:
```
Yay no ad blocker available! Yay
```
That tells you everything you need to know about the priority hierarchy. It is not "Yay the user can format JSON!" It is celebrating unblocked ad revenue.
Data broker connections:
Beyond ad networks, CodeBeautify connects to 21 data broker and data management platforms:
- Lotame (CrowdControl DMP)
- Adobe Audience Manager (Demdex)
- Oracle BlueKai DMP
- Quantcast
- Rocket Fuel (Zeta Global)
- LiveRamp
- DataXu (Roku)
- Neustar/TransUnion AdAdvisor
- And 13 more
These are not ad networks. These are companies whose entire business model is building profiles of individuals and selling that data.
Forced redirects (again):
Like base64decode.org, CodeBeautify's ad scripts caused the browser to be forcibly redirected to unrelated sites including diffchecker.com, regex101.com, and even temu.com. These forced redirects trigger additional tracking on those destination sites.
The one positive:
The JSON formatting itself happens client-side. The test data containing fake API keys and passwords was not found in outgoing POST requests. So your code stays in your browser — it is just your entire digital identity that gets harvested while you use the tool.
---
Site 5: regex101.com
What it does: Regular expression testing and debugging
Why it is different:
regex101.com stands out as significantly more privacy-respecting than the others tested. Here is what they do right:
- Client-side processing via WebAssembly: Regex patterns and test strings never leave your browser. The PCRE2 engine is compiled to WASM and runs entirely locally.
- Self-hosted Plausible Analytics: Instead of Google Analytics, they use Plausible (self-hosted), which sends only the page URL and referrer. No cookies, no fingerprinting, no user IDs.
- Zero first-party cookies: `document.cookie` returns empty on their domain.
- Minimal ads: Only Carbon Ads (BuySellAds), a developer-focused network known for non-intrusive placement.
regex101 is proof that a free developer tool can exist without turning its users into advertising inventory.
The one concern: during testing, ad scripts triggered browser redirects to tracking-heavy sites (diffchecker.com, base64decode.org, codebeautify.org), exposing the browser to their tracking ecosystems indirectly.
---
What Does This Mean for Developers?
The exposure is real
When you paste an API key into jsonformatter.org, your browser simultaneously contacts 20+ ad networks. Each one records your IP address and a persistent identifier. If that API key is in the page title or URL (as with diffchecker.com), it could end up in analytics databases.
The fingerprint follows you
The identity syncing observed across these sites means your visit is not isolated. The same advertising ID that watched you format JSON will recognize you when you shop online, read news, or browse social media. Your development activity becomes part of your consumer advertising profile.
The scale is staggering
base64decode.org declares 1,570 advertising partners. CodeBeautify sets 540 cookies across 205 domains. These numbers are not normal for any website, let alone a simple utility tool.
Your code may not stay client-side
While most tools tested do process data client-side, diffchecker.com stores diffs server-side (confirmed by the server-assigned URL ID and their own desktop app marketing). And even on sites where processing is client-side, the page is simultaneously running a surveillance operation through the ad ecosystem.
---
How to Protect Yourself
Option 1: Use an ad blocker
An ad blocker will eliminate most of the tracking described in this audit. uBlock Origin is the most effective. But this is a band-aid — it does not prevent server-side data storage (diffchecker.com) or first-party analytics.
Option 2: Use browser DevTools
Your browser's DevTools Network tab shows every request a page makes. Open it before pasting anything sensitive and watch what happens. You might be surprised.
Option 3: Use privacy-first alternatives
Tools exist that process everything client-side with zero tracking, zero ads, and zero external requests. ToolBox is one example — every tool runs entirely in your browser with no data ever leaving your machine. No ad networks, no cookies, no consent dialogs needed because there is nothing to consent to.
Option 4: Use local CLI tools
For sensitive operations, use local tools like jq for JSON formatting, diff for text comparison, and base64 for encoding/decoding. They never touch the network.
---
Summary Table
| Site | External Domains | Cookies Set | Ad Networks | Sends Data to Server | RTB Auctions |
|---|---|---|---|---|---|
| jsonformatter.org | 20+ | Many | 20+ | No (client-side) | Yes |
| diffchecker.com | 10+ | Multiple | Google Ads, BSA | Yes (diffs stored server-side) | No (but ad auctions via partners) |
| base64decode.org | 96 | 1,570 partners declared | 30+ | Default mode: Yes | Yes (30+ exchanges) |
| codebeautify.org | 161+ | 540 across 205 domains | 88 | No (client-side) | Yes (21 requests) |
| regex101.com | 2 | 0 (first-party) | 1 (Carbon Ads) | No (WASM client-side) | No |
| ToolBox | 0 | 0 | 0 | No | No |
---
The Bottom Line
The free developer tools most of us use every day are not just tools. Many of them are advertising platforms that happen to offer a utility on the side. The tool gets you in the door. The real product is the data about you that gets sold to hundreds of companies through real-time bidding auctions.
There is nothing inherently wrong with ad-supported free tools. Developers need to make money. But there is a meaningful difference between showing a banner ad and running a real-time auction across 30 ad exchanges while syncing your identity with data brokers, enabling GPU fingerprinting, and storing your diffs on a server.
Developers deserve to know what happens when they paste code into a browser tab. Now you do.
---
*This audit was conducted on March 2, 2026, using Playwright browser automation to capture and analyze all network traffic. All findings are based on observable network behavior and publicly available privacy policies. The test data used was entirely synthetic — no real credentials were exposed during testing.*
*If you want to try the privacy-first alternative, check out ToolBox — 139+ developer tools, all running client-side, zero tracking.*