← Back to Blogs
HN Story

The Illusion of Privacy: Lessons from 'Click Click Click'

May 20, 2026

The Illusion of Privacy: Lessons from 'Click Click Click'

The modern web browser is often described as a "sandbox"—a secure environment designed to isolate websites from the system. However, as a recent viral project called Click Click Click demonstrates, the walls of this sandbox are far more porous than most users realize. What appears to be a simple game of clicking a button to unlock achievements is, in reality, a sophisticated proof-of-concept (POC) on the ubiquity of online profiling and behavioral tracking.

The Game as a Mirror

At first glance, Click Click Click is minimalist. The user is presented with a single button and a challenge: unlock 128 achievements. However, as the user interacts with the page, the site begins to "comment" on their behavior in real-time. It doesn't just track clicks; it tracks mouse movements, window resizing, the use of developer tools, and browser specifics.

For many users, the experience is an unsettling realization. The site reveals information that feels private but is technically public to any script running in the browser. As one Hacker News user noted, the experience is "clever and a little spooky," serving as a visceral reminder of how much a website can know about a user's immediate actions.

The Technical Reality of Browser Events

From a technical perspective, the project leverages standard browser APIs and input events. For educators, this makes the site a perfect introductory tool. One user mentioned using it in an interface programming class to introduce the concept of "input as a series of discrete events," a cognitive model that experienced developers often take for granted.

However, the gap between technical capability and user perception is vast. The site's ability to detect specific actions—such as opening the console or resizing a window—highlights the disparity between what a user thinks is "private" and what the browser exposes.

The "Creepiness" Factor

This gap is where the psychological impact of tracking occurs. While the data collection is performed client-side via JavaScript, the implications are server-side. The discussion among developers reveals a tension between utility and privacy:

I've always added analytics scripts on websites I worked on... Then when I got my own start up, I didn't just add regular analytics but one that tracks mouse movements so you can watch sessions back like a video. I told a friend about my start up and she jumped on it immediately... Then I told her "oh so you opened the dev tools" She immediately ended the session. "How did you know? That's creepy."

This anecdote underscores a critical point: users rarely grasp the granularity of session recording tools. While these tools are often buried in Terms and Conditions, the actual experience of being "watched" in real-time is often perceived as an invasion of privacy.

Beyond the Browser: The Broader Threat Model

The conversation around Click Click Click extends beyond simple JavaScript events to the broader ecosystem of data collection. The project serves as a gateway to discussing how this data is bought, sold, and used to build detailed profiles of individuals.

Fingerprinting and Spoofing

Some users reported unexpected behavior, such as receiving random events that didn't match their activity. This is likely a result of browser-based privacy protections. Browsers like Brave or specific privacy extensions often employ "fingerprinting protection" by spoofing the data the browser reports to the website. When a site attempts to collect a specific hardware or browser signature, the browser provides fake data to confuse the tracking scripts, leading to the others' "random events."

The Sandbox Paradox

There is a significant critique regarding the "browser sandbox" philosophy. Some argue that the current state of the web allows for gratuitous data collection and surveillance under the guise of functionality. One critic pointed out that the site's large JavaScript bundle (approximately 14MB) and the use of various libraries demonstrate how much code can be executed in a user's browser without their explicit consent, effectively turning the browser into a platform for surveillance.

Conclusion

Click Click Click is more than a game; it is a social experiment in transparency. By turning the tracking mechanisms inward and reflecting them back to the user, it exposes the invisible infrastructure of the modern web. It reminds us that in the digital age, the act of clicking is never just a click—it is a data point in a larger, often invisible, profile.

References

HN Stories