What the browser fingerprint test measures
The audit measures coherence: whether independent browser subsystems give compatible answers about the same machine. It can compare JavaScript with CSS, the main page with a worker or iframe, a claimed browser family with engine-only APIs, and a reported GPU with the rendering pipeline that actually produced an image.
This is different from measuring rarity. An unusual but internally consistent device can pass. A common-looking identity can fail when two surfaces contradict one another. Most checks therefore need no population baseline; the browser supplies both sides of the comparison.
How the coherence score is calculated
The score is the share of applicable, scored checks that agree. It is not a probability that a visitor is human, not a detection rate, and not a guarantee that an automation session is invisible. A score of 92 means 92 percent of the scored comparisons that applied were coherent.
Contextual findings are excluded because ordinary environments can produce them: accessibility tools, extensions, remote desktops, policy-managed browsers, privacy protections, and missing hardware all change observable surfaces. Checks that cannot run are reported as not measured and never counted as passes.
Why some measurements require a network probe
JavaScript cannot read the TLS ClientHello, HTTP/2 frame ordering, QUIC transport parameters, or the public address used by WebRTC. Those facts exist below the page runtime. Measuring them requires a server to report what arrived on the wire.
The audit opens two connections to tls.clearcotelabs.com to compare independent TLS handshakes. Its WebRTC leak test contacts stun.l.google.com, which means Google sees the connecting IP, and compares that address with the one serving the audit. If either service is unreachable, the corresponding result is not measured rather than clean.
Data collection and the research corpus
Running the audit sends a browser profile to Clearcote for internal analysis. The consent notice on the tool names the fields before the run begins. The separate research corpus stores a coarser, unlinkable configuration record used to study coverage and false positives; it is not a fraud or account-reputation database.
The complete retention, deletion, and field-level disclosure lives in the audit privacy policy. Keeping that policy separate lets the test remain concise without hiding what leaves the browser.
What a public browser test cannot establish
A public page cannot see global profile age, cross-site browsing history, account reputation, private cookies on other origins, or the server-side risk models used by commercial anti-bot systems. Behavioral input can demonstrate mechanical timing or perfect interpolation, but a short interaction is not a trained behavioral classifier.
A high score should therefore be read narrowly: the measurements that ran did not reveal many internal contradictions. It says nothing definitive about reputation, intent, account history, or every signal a production detector may combine.