uR2NULL

"you are too null"

⚠️ EDUCATIONAL PURPOSE ONLY
This project is designed to demonstrate browser fingerprinting techniques for educational and research purposes.
Use at your own risk. Do not use this for unauthorized tracking or privacy invasion.

A research-oriented demonstration of how much information can be observed, inferred, and correlated from a single web visit using only legitimate browser APIs and statistical inference.

⚠️ Disclaimer

READ THIS BEFORE USING:

• This project is for EDUCATIONAL AND RESEARCH PURPOSES ONLY
• It demonstrates privacy risks inherent in modern web browsers
• DO NOT use this for malicious tracking or privacy invasion
• DO NOT store or persist user data
• DO NOT use this in production without explicit user consent
• Users should be aware that this collects browser fingerprinting data
• By using this software, you agree to use it responsibly and ethically
• The authors are not responsible for misuse of this software

If you're concerned about your privacy: Use privacy-focused browsers (Tor, Brave), browser extensions (uBlock Origin, Privacy Badger), or VPNs.

What This Actually Does

When you visit the trapbox page, your browser voluntarily tells us:

Your Hardware

• Exact screen resolution - We know if you have a 1080p, 1440p, 4K, or ultrawide monitor
• Your GPU - WebGL reveals your graphics card vendor and model (NVIDIA RTX 3080, AMD Radeon, Intel UHD, etc.)
• CPU core count - navigator.hardwareConcurrency tells us how many cores you have
• RAM amount - Chromium browsers expose navigator.deviceMemory (4GB, 8GB, 16GB, etc.)
• Touch capability - We know if you have a touchscreen
• Battery status - If you're on a laptop, we can see charging state and battery level
• Connected devices - Number of cameras, microphones, speakers

Your Network

• Connection type - WiFi, Ethernet, Cellular (4G/5G)
• Connection speed - Downlink bandwidth and RTT (latency)
• IP address - The server sees this automatically
• ISP and location - IP → GeoIP lookup reveals city, ISP, datacenter/VPN
• Network performance - DNS lookup time, TCP handshake time, TLS negotiation time

Your Browser & OS

• Exact browser and version - Chrome 120.0.6099.109, Firefox 121.0, etc.
• Operating system - Windows 11, macOS 14.2, Ubuntu 22.04, etc.
• Installed fonts - Canvas measurement reveals which fonts you have installed
• Browser features - Which APIs are available (WebRTC, WebUSB, Payment API, etc.)
• Plugins - What extensions/plugins are installed (often blocked, but sometimes visible)
• Canvas fingerprint - How your OS/GPU renders text and graphics (unique per system)
• Audio fingerprint - How your audio stack processes sound (unique per system)

Your Environment

• Timezone - Exact offset from UTC
• Language preferences - Primary language and all accepted languages
• Color scheme - Light mode or dark mode preference
• Accessibility settings - Reduced motion, high contrast, etc.
• Privacy settings - Do Not Track, cookie blocking, storage availability

Your Behavior

• Page load performance - How fast your device processes JavaScript and renders pages
• Memory usage - How much RAM this page is using
• Timing patterns - How long each phase of loading took

Why This Matters

None of this requires permission. No popups, no consent dialogs, no exploits.

This is all legitimate browser API access that every website can see.

When you combine these weak signals:

• Screen resolution + GPU + CPU cores + RAM = Device identification (gaming PC vs laptop vs phone)
• IP + timezone + language = Location verification (are they using a VPN?)
• Canvas + WebGL + Audio = Fingerprint (unique enough to recognize you across visits)
• Performance timing = Device performance tier (high-end vs low-end hardware)
• Feature detection = Browser configuration (privacy-focused vs default settings)

This is what "you are too null" means.

You think you're anonymous. You're not. One page visit reveals your entire computing environment.

Architecture

uR2NULL/
 └─ visit/
     ├─ trapbox/
     │   └─ index.html    # Single-page client (collects signals)
     └─ GENIUS/           # Server-side inference engine

trapbox (Client)

One HTML file. That's all you need.

trapbox/index.html collects the maximum legitimate signal surface:

• Browser APIs (Navigator, Screen, Performance, etc.)
• Timing and performance metrics
• Feature detection
• Canvas/WebGL fingerprints

Then sends everything to GENIUS and displays the results beautifully.

trapbox is dumb. It collects, sends, and displays. It does not interpret or analyze.

GENIUS (Server)

The inference engine that converts weak signals into probabilistic claims:

• Receives raw signals from trapbox
• Enriches with server-side context (IP → ASN, GeoIP, etc.)
• Applies statistical baselines and percentile analysis
• Outputs inferences with confidence scores and explanations

GENIUS is smart. It infers and explains. It never claims certainty.

Core Principles

One Visit Only

• No cross-site correlation
• No persistent identifiers
• Each visit is ephemeral and independent

Legitimate Only

• No forced permissions
• No exploit-based techniques
• No sandbox escapes
• No hidden persistence

Statistical, Not Deterministic

• All outputs are probabilistic
• Confidence scores accompany every inference
• Explanations show the reasoning path

Transparent, Not Secretive

• Open methodology
• Explainable inferences
• Educational intent

What This Is NOT

• ❌ User tracking system
• ❌ Fingerprinting-as-a-service
• ❌ Surveillance tool
• ❌ Attribution system

What This IS

• ✅ Research demonstration
• ✅ Educational mirror
• ✅ Statistical inference showcase
• ✅ Signal surface exploration

Documentation

• QUICKSTART.md - Get it running in 30 seconds
• SIGNALS_EXPLAINED.md - What each signal reveals about you (read this!)
• PROJECT_OVERVIEW.md - Technical architecture and roadmap
• DEPLOYMENT.md - Production deployment guide
• CONTRIBUTING.md - How to contribute responsibly
• SECURITY.md - Security policy and responsible disclosure
• CODE_OF_CONDUCT.md - Community guidelines

Getting Started

# One command to run everything:
python demo-server.py

# Then open: http://localhost:3000

That's it. Watch your device expose itself.

Contributing

We welcome contributions that align with the educational mission of this project! Please read:

1. CONTRIBUTING.md - Contribution guidelines
2. CODE_OF_CONDUCT.md - Community standards
3. SECURITY.md - Security and ethical use policy

All contributions must be for educational purposes only.

License

MIT License - See LICENSE for details.

Important: The MIT license grants permission to use this software, but you are still bound by applicable laws regarding privacy, data protection, and computer misuse. Use responsibly and ethically.

Acknowledgments

This project is inspired by research into browser fingerprinting and privacy on the web:

• AmIUnique - Browser fingerprinting research
• Panopticlick - EFF's fingerprinting test
• FingerprintJS - Browser fingerprinting library
• Academic research on web privacy and tracking

Support

• 🐛 Bug reports: Open an issue with the bug label
• 💡 Feature requests: Open an issue with the enhancement label
• 🤔 Questions: Open an issue with the question label
• 🔒 Security: See SECURITY.md for responsible disclosure

Roadmap

See PROJECT_OVERVIEW.md for the full technical roadmap and future development plans.

---

Remember: This project exists to make users realize how much the internet already knows — without breaking any rules.

Use this knowledge to protect your privacy, not to invade others'.