Visit sinceyouarrived.world/taken and you’ll see something unsettling. Without clicking anything, without creating an account, a web page assembles a detailed portrait of you: your IP address and rough location, your screen dimensions, your operating system and browser version, your device’s battery level, the fonts installed on your system, your timezone, your network type. All of it. Volunteered by your browser before you typed a single character.
This is the tension at the heart of browser-based tools: the same browser that enables powerful, free, no-login-required software is also the most sophisticated surveillance instrument most people carry. Understanding which side a given tool falls on is the most important privacy question you can ask.
Why Browser-Based Tools Exploded
Ten years ago, the idea of running a professional-grade image editor, an audio workstation, or an encrypted file vault entirely in your browser would have seemed far-fetched. The web was for documents. Real work happened in desktop apps.
That changed primarily because of two technologies: WebAssembly and the modern Web APIs that browsers now expose. WebAssembly lets developers compile existing C, C++, and Rust codebases and run them at near-native speed inside a browser tab. Tools like Photopea — which opens Photoshop PSD files in your browser without any installation — run on this foundation. So does Squoosh, Google’s image compressor that processes files entirely on your device using compiled C++ codecs.
The economic math also shifted. Distributing a desktop app means code signing certificates, platform stores taking 30%, OS-specific builds, update mechanisms. A browser app is a URL. The developer posts it once; you run it anywhere. That’s a compelling reason to build for the web.
The result: a generation of genuinely capable free browser tools that require no download, no install, and no account. The category nologin.tools tracks has grown from a curiosity to a serious alternative to paid desktop software.
The Privacy Divide That Actually Matters
Here’s what most discussions of browser privacy get wrong: they focus on cookies and accounts. Those matter, but they’re the wrong frame for evaluating browser-based tools.
The question that actually separates privacy-respecting tools from data-harvesting ones is simpler: does your data leave your device?
When Squoosh compresses an image, the pixels never touch a server. The compression algorithms run in your browser tab using WebAssembly. Squoosh’s servers have no record of the image you processed, because they never received it. The same is true of hat.sh, which encrypts files using the Web Crypto API — cryptographic operations happen locally, and the encrypted output is generated in your browser before any network call.
Compare this to a tool that asks you to upload a file, processes it on a server, and sends it back. Even if that tool requires no login, the operator’s infrastructure now has a copy of your file, your IP address, your browser fingerprint, and a timestamp. Whether they delete it immediately or retain it indefinitely is a policy question — one you have no way to verify.
The difference between “browser-based” and “privacy-respecting” is not the same thing. A browser-based tool can still route your data through servers. The architecture is what matters, not the delivery mechanism.
What Your Browser Leaks Without Asking
The sinceyouarrived.world/taken project is a useful demonstration of how much a browser reveals through ordinary operation, no cookies required.
Your browser sends your IP address with every request — that’s unavoidable, it’s how TCP/IP works. But it also sends a User-Agent string that typically includes your browser name, version, and operating system. It reports your screen resolution and color depth through the Screen API. JavaScript can read your timezone, your system language preferences, the number of CPU cores, available memory, and how many touch points your screen supports.
Then there’s canvas fingerprinting. Every combination of hardware, graphics driver, and OS renders the same drawing instructions slightly differently. Websites can draw an invisible canvas element and hash the pixel output — your device produces a unique hash that persists across sessions with no cookies involved. The EFF’s Cover Your Tracks tool tests your browser against real fingerprinting techniques and tells you how unique (and therefore trackable) your setup is.
BrowserLeaks runs a more exhaustive battery of tests — WebGL fingerprinting, AudioContext fingerprinting, font detection, ClientRects — showing how many separate vectors exist for identifying a browser without any persistent storage.
The practical upshot: a tool that requires no login is not necessarily one that can’t track you. A well-resourced operator can maintain a probabilistic identifier for your browser using only the data your browser hands over passively.
Open Source Changes the Equation
The strongest privacy guarantee a browser tool can offer isn’t a privacy policy — it’s auditable code.
When a tool is open source, its behavior is verifiable. You can read what data it collects, confirm that file processing happens locally, and check whether any analytics libraries are bundled. A closed-source tool with a reassuring privacy page is making a promise. An open-source tool is showing its work.
hat.sh is a good example. The source is on GitHub, and you can verify that the file never leaves your browser — the Web Crypto API calls are there in plain sight. AudioMass, an open-source audio editor that runs in the browser, processes audio locally with no server uploads.
This is one reason the open-source browser tool category has grown so quickly alongside privacy concerns. Developers who care about user privacy often reach for an open architecture as a signal of intent, and users who care about privacy can verify that intent independently.
The Analytics Problem
Here’s a subtlety worth understanding: even a tool that processes data locally might still load third-party analytics.
A common pattern: the core functionality (image compression, document editing, code formatting) runs client-side with no data upload. But the page also loads Google Analytics, Hotjar, or similar scripts. These scripts collect your IP, User-Agent, pages visited, time on page, and send it to their servers. Your image was never uploaded, but your visit was logged.
This isn’t necessarily malicious — most developers add analytics to understand how their tool is being used. But it means “no server-side processing” and “no tracking” are different claims.
The tools most serious about privacy either forgo analytics entirely, use privacy-respecting self-hosted analytics (like Plausible or Fathom, which don’t fingerprint users), or make their analytics transparent. Photopea, for instance, is upfront that it uses analytics to measure usage — its file processing is local, but your visits are counted.
For the highest privacy guarantee, tools like hat.sh that can run as a self-hosted instance or downloaded and opened from a local file eliminate this class of tracking entirely.
A Practical Framework for Evaluating Browser Tools
When you’re deciding whether a free browser tool respects your privacy, these questions cut to what matters:
Does your data leave the browser? Look for explicit claims about local processing. Tools built on WebAssembly or the Web Crypto API are strong candidates for genuinely local computation. File tools that process on a server will typically show a progress indicator while uploading and downloading — that round-trip is the tell.
Is the source code available? Open source doesn’t guarantee privacy, but it enables verification. Tools on GitHub can be reviewed and forked. Closed-source tools require trust.
What third-party scripts does the page load? Browser developer tools (Network tab, filtered to third-party domains) will show you every external script the page loads. A tool loading ten marketing trackers while telling you it respects your privacy is revealing a contradiction.
Does the tool require network access to function? Some tools work entirely offline after the first load. Squoosh will function after you’ve loaded it even if you disconnect from the internet — a strong signal that processing is local.
The Tools That Get This Right
The category of genuinely privacy-respecting, no-login-required browser tools is real and growing. A few worth knowing:
hat.sh encrypts files using AES-256-GCM and ChaCha20-Poly1305 directly in your browser. The encrypted output is generated before any network activity. Use it for encrypting a sensitive document before uploading it anywhere else.
Squoosh compresses images using WebAssembly-compiled codecs (MozJPEG, WebP, AVIF). Your photos don’t touch Google’s servers. The tool is open source at github.com/GoogleChromeLabs/squoosh.
BrowserLeaks and Cover Your Tracks (by the EFF) both test your browser’s fingerprint and privacy posture. They’re inherently local — they can only test your own browser, so there’s no data to upload.
Photopea processes image files locally (it has to, since it’s running a full image editing engine in WebAssembly). Your PSD files never leave your device. Unlike Adobe, Photopea doesn’t require a cloud account to access your own files.
privacy.sexy generates OS-level privacy configuration scripts in your browser, with no server-side component. The script generation logic runs entirely client-side.
Where This Is Going
The browser is becoming the universal computing platform, and that shift has genuine privacy implications in both directions.
On the positive side: more computation moving into the browser means more opportunities for genuinely local, no-upload-required tools. WebAssembly continues to expand what’s possible — real-time video processing, machine learning inference, cryptographic operations — all runnable without any server involvement.
On the negative side: browser fingerprinting techniques are advancing as fast as privacy protections. The Chrome Privacy Sandbox initiative represents Google’s attempt to replace third-party cookies with less privacy-invasive alternatives — but critics argue it still enables tracking while centralizing more control with Google. Firefox and Safari have taken more aggressive stances on fingerprinting protection, blocking or randomizing several of the most common vectors.
The practical implication for users: the “no login required” framing is necessary but not sufficient. A tool that requires no account can still profile you, still log your files, still sell your usage data. What matters is the architecture — where computation happens, whether source code is auditable, and what the tool’s actual data flows look like.
The nologin.tools directory focuses specifically on tools that work without accounts. But within that category, the distinction between local-processing tools and server-processing tools is the real privacy story. Understanding that distinction is worth more than reading any privacy policy.
Your browser is simultaneously your most capable development environment and your most comprehensive tracking device. The good news: you get to decide which tools you run in it.