About
Webbkoll monitors privacy-enhancing features on websites, and helps you find out who is letting you exercise control over your privacy. We check to what extent a website monitors your behaviour and how much they gossip about the monitoring to third parties, based on what can be observed when visiting a given page. We’ve also compiled a set of recommendations for how to not track or gossip in digital environments.
How it works
Webbkoll attempts to simulate what happens when a user visits a page with a typical browser without interacting with anything. The specified page is visited with Chromium, the browser that Google Chrome is based on; i.e., a typical end-user browser. Data (requests/responses, cookies, etc.) is collected, analyzed and presented. The browser has no addons/extensions installed, and Do Not Track (DNT) is not enabled (since this is the default setting in most browsers). Nothing is clicked, no consent is given.
Limitations
Webbkoll can only observe what happens when visiting a single page. It cannot tell you how the website is doing as a whole, how data is stored internally, what parties the data might be shared with, if the privacy policy is adequate, how the internal procedures are, and so on and so forth. A "good" Webbkoll result doesn't mean that everything is well (but a "bad" result certainly means that not all is well).
This tool is primarly meant to be used as a starting point for web developers. It can only help with one piece of the puzzle.
Authors and tech
Webbkoll was developed by Anders Jensen-Urstad (programming, design) and Amelia Andersdotter (FAQ, legislative information). It was a project of Dataskydd.net (2015-2024), a Swedish non-governmental organization that worked on making data protection easy in law and in practice. Since 2024, Webbkoll is run by the 5th of July Foundation, a Swedish foundation that protects the human rights of internet users by providing them with concrete tools.
Webbkoll uses Phoenix Framework (Elixir), Puppeteer and numerous open source libraries; see here for specifics.
We don't provide an API as we have limited resources, but the code is available under the MIT license. See also the options below.
The initial development of Webbkoll was funded by Internetfonden / IIS in 2016, and a small grant was received from Digital Rights Fund in 2018. Other than that, the developers maintained this tool in their spare time.
Translations
- German: Tomas Jakobs
- Norwegian: Tom Fredrik Blenning - Elektronisk Forpost Norge
Alternatives and resources
The only other similar service that we are aware of that uses a real browser for testing is PrivacyScore (open source). It does many of the same checks as Webbkoll, but additionally also checks e.g. TLS, and lets you create a list of sites to check (and rank).
For more rigorous and systematic testing we recommend that you check out OpenWPM, which can be (and is) used to conduct large-scale studies.
Observatory by Mozilla (open source) analyzes CSP, HSTS, TLS and various other things (some of the Webbkoll tests are based on code from Observatory). See also Google's CSP Evaluator.
Hardenize is similar to Observatory, but also checks a domain's mail servers.
Report URI has many useful tools: CSP analyzer/builder, header analyzer (securityheaders.com), SRI hash generator, etc.
Qualys SSL Server Test is an excellent tool for analyzing a server's TLS/SSL configuration. testssl.sh is an open source alternative.
Internet.nl checks HTTPS/TLS, DNSSEC, headers, etc.
check-your-website checks HTTPS/TLS, DNSSEC, headers, cookies, content, etc.