
How Cassandra audits websites

01. How it works

Cassandra drives a real browser (Chromium) to visit a website the way a human user would. While the page loads, we record every network request, cookie, and script to see what happens behind the scenes.

  • Scanning: We monitor the "DOM" (the page structure) and the JavaScript environment to find tracking tools as they initialize.
  • Reporting: If we see a tracker, we log it. We don't filter or hide results—if it was observed on the page, it goes in the report.
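One way to implement the scanning step, as an added example (this is not Cassandra's own code): hook the browser's addEventListener so that any script registering keystroke or mouse-movement listeners, the raw material of session replay, is logged together with the stack frame that registered it. In a real audit the hook must be installed before the page's scripts run (Playwright's page.addInitScript or Puppeteer's page.evaluateOnNewDocument do that); the event list and the function names below are assumptions, and the demo uses Node's own EventTarget in place of a page.

```javascript
// Added example, not Cassandra's code: watch the JavaScript environment for
// scripts that hook keystrokes or pointer movement "as they initialize".
// Runs unchanged in Node.js (EventTarget/Event are globals since v15) and in
// a browser, where `proto` would be window.EventTarget.prototype.

// Event types whose listeners capture keystrokes or pointer movement (assumed list).
const SENSITIVE_EVENTS = new Set([
  'keydown', 'keyup', 'keypress', 'input', 'mousemove', 'pointermove', 'touchmove',
]);

// First stack frame that is not the monitor itself; in a browser this names the
// script URL (and line) that called addEventListener.
function callerFrame() {
  const frames = (new Error().stack || '').split('\n').slice(1);
  const frame = frames.find((f) => !/callerFrame|monitoredAddEventListener/.test(f));
  return frame ? frame.trim() : 'unknown';
}

// Replace proto.addEventListener with a logging wrapper. Returns the log and a
// restore() that puts the original back. The wrapper always passes the call
// through, so page behaviour is unchanged.
function installListenerMonitor(proto) {
  const original = proto.addEventListener;
  const log = [];
  proto.addEventListener = function monitoredAddEventListener(type, listener, options) {
    const name = String(type).toLowerCase();
    if (SENSITIVE_EVENTS.has(name)) {
      log.push({ type: name, source: callerFrame(), at: Date.now() });
    }
    return original.call(this, type, listener, options);
  };
  return { log, restore: () => { proto.addEventListener = original; } };
}

// Group the log by event type, listing the distinct registering sources.
function summarize(log) {
  const byType = {};
  for (const entry of log) {
    byType[entry.type] = byType[entry.type] || new Set();
    byType[entry.type].add(entry.source);
  }
  return Object.fromEntries(Object.entries(byType).map(([t, s]) => [t, [...s]]));
}

// Demo: three registrations, two of them sensitive, then one dispatched event
// to show the hooked listener still runs.
function demo() {
  const monitor = installListenerMonitor(EventTarget.prototype);
  const target = new EventTarget();
  let delivered = 0;
  target.addEventListener('keydown', () => { delivered += 1; }); // what a session recorder does
  target.addEventListener('mousemove', () => {});
  target.addEventListener('click', () => {});                     // ordinary, not logged
  target.dispatchEvent(new Event('keydown'));
  monitor.restore();
  return { hooked: summarize(monitor.log), delivered };
}

console.log(JSON.stringify(demo(), null, 2));
```

Two gaps a practitioner should know about: a script that assigns `onkeydown`-style handler properties, or that saved a reference to the original `addEventListener` before the hook went in, is not seen by this monitor; and the DOM-mutation side of session replay needs a second hook around `MutationObserver`, which is left out here because Node has none.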

Standard Audit

Passive monitoring of cookies and network traffic to see what a site collects, both before and after Cassandra interacts with the consent banner.

Active Audit

Cassandra types test values into search and form fields and submits them, then checks whether those values are shared with or leaked to third parties.

02. What we look for

Cassandra identifies specific technical behaviors that often indicate privacy or regulatory risks.

01. Session Interception

Behavior: Real-time recording of user interactions, mouse movements, DOM mutations, and keystrokes.

Relevant frameworks

US: CIPA § 631 (wiretapping), CIPA § 632.7 (communication recording)

EU: GDPR Art. 6(1)(a) (consent as the lawful basis for processing), ePrivacy Art. 5(3) (consent for non-essential storage of, or access to, information on the user's device)

DAAP: Enhanced Notice required when behavioral data is collected for interest-based advertising

02. Visitor Metadata & Addressing

Behavior: Capture of technical metadata about a visitor session, including full URLs, IP addresses, and browser fingerprints, without recording on-page content.

Relevant frameworks

US: CIPA § 638.51 (pen register / trap and trace)

EU: GDPR Art. 6(1)(a) (IP addresses are personal data, so processing them needs a lawful basis such as consent), ePrivacy Art. 5(3)

DAAP: Cross-site data collection requires clear opt-out mechanism under DAA Principles

03. Third-Party Data Sharing

Behavior: Transmission of persistent user identifiers and browsing history to third-party endpoints.

Relevant frameworks

US: CCPA § 1798.120 (right to opt out of the "sale" or "sharing" of personal information)

EU: GDPR Art. 6(1)(a) and Art. 7 (valid consent), Art. 44–49 (international transfers)

DAAP: AdChoices transparency and consumer opt-out required for all interest-based advertising

04. Data Exfiltration

Behavior: Identification of user-provided PII (emails, names, search queries) within outgoing network requests to domains not authorized to receive it, typically third parties.

Relevant frameworks

US: CCPA § 1798.150 (unauthorized disclosure), CIPA § 631 (wiretapping)

EU: GDPR Art. 5(1)(f) (integrity and confidentiality), Art. 32 (security of processing)

DAAP: Sensitive data categories require heightened notice and opt-in consent
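Added example (not Cassandra's code) covering the Active Audit and items 03 and 04 above: given a capture of the requests a browser recorder logged, it separates third-party requests from first-party ones, looks for a first-party cookie value forwarded to a third party, and looks for the values typed into the form, including when they leave URL-encoded, double-encoded, or inside a base64 blob. The capture, domain names, cookie value and probe strings are constructed; the `{url, method, body}` request shape and the last-two-labels domain rule are simplifications, not Cassandra's.

```javascript
// Added example, not Cassandra's code: items 03 and 04 run offline over a
// constructed capture. Node.js, no dependencies (URL and Buffer are globals).

const SITE = 'https://shop.example/';                                    // site under audit
const PROBES = { email: 'audit-probe@example.net', query: 'vitamin d' }; // typed into the form
const IDENTIFIERS = { session: 'sess-9f2c1a7e' };                        // first-party cookie value

// Constructed capture (not real traffic): one entry per outgoing request.
const CAPTURE = [
  { url: 'https://shop.example/search?q=vitamin+d', method: 'GET', body: '' },
  { url: 'https://cdn.shop.example/app.js', method: 'GET', body: '' },
  // cookie value plus the full referring URL, URL-encoded, sent to a pixel
  { url: 'https://pixel.tracker-a.example/px?uid=sess-9f2c1a7e&ref='
         + encodeURIComponent('https://shop.example/search?q=vitamin+d'), method: 'GET', body: '' },
  // search query forwarded in a JSON body
  { url: 'https://api.analytics-b.example/track', method: 'POST',
    body: JSON.stringify({ e: 'search', q: 'vitamin d' }) },
  // typed email hidden inside a base64-encoded JSON blob
  { url: 'https://beacon.c.example/i', method: 'POST',
    body: 'd=' + Buffer.from(JSON.stringify({ email: 'audit-probe@example.net' })).toString('base64') },
  { url: 'https://fonts.example/latin.woff2', method: 'GET', body: '' },
];

// Registrable domain approximated as the last two labels. A real audit must use
// the Public Suffix List (this rule breaks on "example.co.uk"); simplified here.
function registrableDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

function isThirdParty(requestUrl, siteUrl) {
  return registrableDomain(new URL(requestUrl).hostname)
      !== registrableDomain(new URL(siteUrl).hostname);
}

// Decode every base64/base64url-looking token of 16+ chars, keeping printable
// results. Searching for base64(value) as a substring would miss a value that
// does not start on a 3-byte boundary inside the blob, so decode the whole blob.
function base64Blobs(text) {
  const out = [];
  for (const tok of text.match(/[A-Za-z0-9+\/_-]{16,}={0,2}/g) || []) {
    const decoded = Buffer.from(tok.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
    if (decoded && /^[\x20-\x7e\t\r\n]+$/.test(decoded)) out.push(decoded);
  }
  return out;
}

// Successively decoded views of a request's URL and body: raw, URL-decoded once
// and twice (treating '+' as space), plus any base64 payload found in each view.
function decodedViews(text) {
  const views = [['raw', text]];
  let current = text;
  for (let depth = 1; depth <= 2; depth++) {
    let next;
    try { next = decodeURIComponent(current.replace(/\+/g, ' ')); } catch (e) { break; } // malformed %xx
    if (next === current) break;
    views.push([`url-decoded x${depth}`, next]);
    current = next;
  }
  for (const [label, t] of [...views]) {
    for (const blob of base64Blobs(t)) views.push([`base64 inside ${label}`, blob]);
  }
  return views;
}

// Label of the first view in which `value` appears, or null if it never does.
function locateValue(request, value) {
  for (const [label, text] of decodedViews(request.url + '\n' + (request.body || ''))) {
    if (text.includes(value)) return label;
  }
  return null;
}

// Item 03 (identifier sharing) and item 04 (data exfiltration) over one capture.
function auditCapture(capture, siteUrl, probes, identifiers) {
  const findings = [];
  for (const req of capture) {
    if (!isThirdParty(req.url, siteUrl)) continue; // first-party traffic is out of scope here
    const host = new URL(req.url).hostname;
    for (const [field, value] of Object.entries(identifiers)) {
      const encoding = locateValue(req, value);
      if (encoding) findings.push({ kind: 'identifier-sharing', host, field, encoding });
    }
    for (const [field, value] of Object.entries(probes)) {
      const encoding = locateValue(req, value);
      if (encoding) findings.push({ kind: 'data-exfiltration', host, field, encoding });
    }
  }
  return findings;
}

console.table(auditCapture(CAPTURE, SITE, PROBES, IDENTIFIERS));
```

The "encoding" column tells the auditor how the value left, which matters for the report: a value found only after two rounds of URL-decoding usually means a full page URL was forwarded as a referrer parameter, while a value found only inside a base64 blob is the obfuscation case the Limitations section warns about.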

03. Limitations

What we can't see

  • Server-side tracking: We only see what happens in the browser. We cannot detect data sent from the website's server directly to a third party.
  • Encoding and obfuscation: We see where each request goes and, because we observe it inside the browser before TLS is applied, usually its contents as well. But a script can compress, encode, or encrypt a payload itself before sending it, and we cannot always recover the original values from such payloads.