How Gecko Advisor Calculates Privacy Scores

What websites actually do, not what they promise. We analyze real network behavior to assess website privacy practices.

What We Analyze

Gecko Advisor examines publicly observable signals from websites — what they actually do, not what their privacy policies claim. Our automated scanner checks:

  • Tracking scripts — Known analytics and advertising trackers from databases like EasyPrivacy and WhoTracks.me
  • Third-party connections — External services loaded by the page that may share visitor data
  • Cookies — Cookie security flags (Secure, HttpOnly, SameSite) and duration
  • Security headers — CSP, HSTS, Referrer-Policy, Permissions-Policy, X-Content-Type-Options
  • TLS configuration — Encryption strength, protocol version, and certificate validity

Scoring Categories

Privacy scores start at 100 and are reduced based on detected concerns. Each category has a maximum penalty cap to prevent single issues from dominating the score:

Category     | Max Penalty | What It Measures
Tracking     | 50 points   | Known trackers, fingerprinting scripts, ad networks
Security     | 45 points   | TLS grade, security headers, mixed content
Third-Party  | 15 points   | External domain connections (not tracking)
Cookies      | 10 points   | Missing Secure/HttpOnly/SameSite flags
Compliance   |  5 points   | Privacy policy presence

Bonus points (up to +10) are awarded for excellent TLS configuration (A+ or A grade).

Score Interpretation

80-100  Low Privacy Risk — Minimal tracking detected, good security configuration
60-79   Moderate Privacy Risk — Some tracking or security concerns detected
40-59   High Privacy Risk — Significant tracking or multiple security issues
0-39    Critical Privacy Risk — Extensive tracking and/or serious security gaps
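The scoring pipeline described in the two tables above (start at 100, subtract per-category penalties up to each cap, add the TLS bonus, map to a risk band), as an added worked model. This is illustration code, not Gecko Advisor's implementation; the caps and bands are taken from the page, while the per-finding point values, the split of the "up to +10" bonus between A+ and A, and the clamp to 0..100 are constructed assumptions.

```python
from collections import defaultdict

# Maximum penalty per category (from the Scoring Categories table).
PENALTY_CAPS = {"tracking": 50, "security": 45, "third_party": 15,
                "cookies": 10, "compliance": 5}

# Assumed split of the "up to +10" TLS bonus across the qualifying grades.
TLS_BONUS = {"A+": 10, "A": 5}

# Risk bands from the Score Interpretation table: (lower bound, label).
RISK_BANDS = [(80, "Low Privacy Risk"), (60, "Moderate Privacy Risk"),
              (40, "High Privacy Risk"), (0, "Critical Privacy Risk")]


def compute_score(findings, tls_grade):
    """findings: iterable of (category, points) pairs from one scan.

    Returns (score, capped_penalties) so the caller can see where a cap
    absorbed part of a category's raw total."""
    raw = defaultdict(int)
    for category, points in findings:
        if category not in PENALTY_CAPS:
            raise ValueError(f"unknown category: {category}")
        raw[category] += points
    # Cap each category so one noisy category cannot dominate the result.
    capped = {cat: min(raw[cat], cap) for cat, cap in PENALTY_CAPS.items()}
    score = 100 - sum(capped.values()) + TLS_BONUS.get(tls_grade, 0)
    return max(0, min(100, score)), capped  # clamp is an assumption


def risk_band(score):
    for lower, label in RISK_BANDS:
        if score >= lower:
            return label
    raise ValueError("score below 0")


# Constructed sample scan: a tracker-heavy page with decent TLS.
SAMPLE_FINDINGS = [
    ("tracking", 15),   # ad-network script (constructed point value)
    ("tracking", 15),   # analytics tracker
    ("tracking", 15),   # fingerprinting script
    ("tracking", 15),   # fourth tracker: raw total 60, capped at 50
    ("security", 10),   # missing Content-Security-Policy
    ("security", 5),    # missing Referrer-Policy
    ("cookies", 4),     # session cookie without HttpOnly
    ("cookies", 4),     # cookie without SameSite
    ("cookies", 4),     # third cookie: raw 12, capped at 10
]

if __name__ == "__main__":
    score, capped = compute_score(SAMPLE_FINDINGS, tls_grade="A")
    print(score, risk_band(score), capped)  # 30 Critical Privacy Risk ...
```

With the sample findings the capped penalties total 75 (50 + 15 + 10), so the score is 100 - 75 + 5 = 30, a Critical band result even though tracking alone would have taken 60 points uncapped.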

What We Don't Analyze

Our scores reflect observable behavior at scan time. We do not:

  • Read or interpret privacy policy text
  • Verify GDPR/CCPA compliance claims
  • Access internal data handling practices
  • Monitor changes over time (each scan is a snapshot)
  • Test logged-in or authenticated states
  • Simulate mobile app behavior

Limitations

Privacy scores are relative measures based on detected signals. A higher score suggests fewer observable privacy concerns, but does not guarantee:

  • The website's internal data handling practices are safe
  • The website complies with all privacy regulations
  • Your personal data is secure on that website
  • The website won't change its practices after our scan

We recommend reviewing each website's privacy policy for complete information about how your data may be collected and used.

Data Sources

Gecko Advisor uses the following open-source databases and standards:

  • EasyPrivacy — Tracker detection (server-side; attribution)
  • WhoTracks.me — Tracker database (CC BY 4.0)
  • Public Suffix List — Domain classification
  • Mozilla Observatory — Security header recommendations

Prediction Validation

Gecko Advisor generates predictive insights about domain privacy trends. All predictions are tracked and validated against actual outcomes:

  • Predictions require a minimum 30-day observation window before validation
  • Rolling accuracy uses a 90-day window and excludes pending predictions
  • Unvalidated claims are never counted as wins
  • Statistical confidence intervals require a minimum of 50 validated predictions

Freeze Policy

When prediction accuracy falls below acceptable thresholds, affected prediction types are frozen — no new predictions of that type are published until accuracy recovers:

Scope                | Threshold                        | Action
Overall accuracy     | < 60% for 2 consecutive months   | All predictions frozen
Per-subtype accuracy | < 50% with n ≥ 20                | Subtype frozen

Freeze enforcement will become programmatic in Phase 1. Currently, freeze decisions are made manually based on monthly transparency report data.

Methodology Changelog

v1.1 (February 2026)
  Stabilization sprint. Added error-weighted scan confidence (Laplace-smoothed beta mean) to gate stability labels — domains with high failure rates are downgraded to provisional. Added P50/P90/P95 latency percentile tracking with a P95 soft alert at 45s. Circuit breaker thresholds recalibrated: error rate 5%→20%, queue depth 100→200, average duration 45s→60s, with a minimum 10-scan sample size to prevent false positives during low-volume periods.

v1.0 (March 2026)
  Initial methodology. Scoring v1.0, calibration v1.0. Freeze policy defined (manual enforcement). Prediction validation framework established with a 30-day observation window and 90-day rolling accuracy.