I wanted to know what dev.to tracks. Not from a privacy policy — from the actual page.
So I pointed my AI agent at dev.to and asked it to inspect every script, cookie, tracker, beacon, and third-party request on the page. Then I did the same for Medium, Hashnode, and Stack Overflow.
The whole thing took about 30 seconds across all four sites. Here's what came back.
dev.to
| Category | Finding |
|---|---|
| Third-party script domains | 1 (Google Tag Manager only) |
| Cookies | 5 |
| Tracking pixels | 0 |
| Ad tech | None |
| Analytics | GA4 + Ahoy (first-party) |
| Error monitoring | Honeybadger |
| Consent default | ad_storage: denied, analytics_storage: denied |
| IP anonymization | Yes |
Five cookies. One third-party domain. Consent defaulted to denied before you even interact with the banner. IP anonymization enabled on GA4.
Ahoy — their main analytics — is first-party. It runs on their own servers. Your visit data doesn't leave Forem's infrastructure.
For a platform with millions of monthly visitors, this is remarkably clean.
Now compare that.
Medium
| Category | Finding |
|---|---|
| Third-party script domains | 5 (Google, GTM, Cloudflare Insights, gstatic, Google accounts) |
| Cookies | 4 |
| Ad tech | No |
| Analytics | GA4 + Datadog RUM |
| Consent banner | None visible |
Medium loads Datadog Real User Monitoring, which captures detailed session data. No consent banner was presented.
Hashnode
| Category | Finding |
|---|---|
| Third-party script domains | 4 (GTM, PostHog, DoubleClick, Carbon Ads) |
| Cookies | 6 (including _gcl_au for Google ad conversion tracking) |
| Ad tech | Yes — DoubleClick + Carbon Ads |
| Analytics | GA4 + PostHog |
| Consent banner | None visible |
Hashnode loads DoubleClick (Google's ad exchange), Carbon Ads, and PostHog. The _gcl_au cookie is specifically for linking ad clicks to conversions. No consent banner.
Stack Overflow
| Category | Finding |
|---|---|
| Third-party script domains | 13 |
| Cookies | 20 |
| Ad tech | Yes — Criteo, Kargo, DoubleClick, ID5, Longitude, Optable |
| Analytics | GA4 |
| Consent banner | Yes (OneTrust / CookieLaw) |
Stack Overflow loads thirteen third-party script domains. Twenty cookies. Six separate ad tech vendors including Criteo (retargeting), Kargo (display ads), and ID5 (cross-site identity resolution). They do at least show a consent banner.
The scorecard
| Platform | 3rd-party domains | Cookies | Ad tech | Consent default |
|---|---|---|---|---|
| dev.to | 1 | 5 | None | Denied |
| Medium | 5 | 4 | No | No banner |
| Hashnode | 4 | 6 | Yes | No banner |
| Stack Overflow | 13 | 20 | Heavy | Banner (opt-out) |
What this tells you
dev.to is the only platform in this comparison that:
- Defaults consent to denied before any user interaction
- Uses first-party analytics (Ahoy) that keeps data on their servers
- Runs zero ad tech
- Loads only one external domain
- Enables IP anonymization on Google Analytics
The place where you're reading this right now is, by a wide margin, the most privacy-respecting developer platform I tested.
How this was done
No browser extensions. No Lighthouse. No third-party audit service. An AI agent with a real browser visited each site and inspected:
- Every <script> tag and its source domain
- Every cookie name and value length
- The dataLayer for consent configuration
- The Performance API for third-party resource requests
- The DOM for tracking pixels, beacons, and iframes
- Global JavaScript objects for known analytics SDKs
Four sites. Thirty seconds. A full comparative tracking audit that would normally require installing multiple browser extensions and manually cross-referencing results.
This is what happens when an AI agent has a real browser instead of an HTTP client.
Try it on your own site
vscreen --dev --mcp-sse 0.0.0.0:8451
Pre-built Linux binaries on the releases page.