Methodology — technical

For engineers, legal, and DPA correspondence · generated from current data

At a glance — current sites

Real numbers from the most recent trial set. Users = present in ≥3 of 5 stealth trials. Monitoring = present in production DB last 30 days. Gap = users yes, monitoring no.

Site	Total cookies	Pre-consent	Post-consent	Users	In monitoring	Gap (users \ monitoring)	Historical only	Pre-consent · non-essential
ahaonline-cz ahaonline.cz (production)	395	319	76	252	99	209	54	281
beta-labrador-ahaonline-cz beta-labrador.ahaonline.cz (beta)	340	204	136	216	25	192	0	172

"Pre-consent · non-essential" = the legally significant subset: cookies in the advertising, analytics, or unknown categories that fire before the consent click in at least one trial.

What this audit does not cover

Limitations the hardened scanner still has. Read these before drawing conclusions.

IndexedDB writes — we capture indexedDB.databases() (names only), not IDBObjectStore.put / add. Didomi, OneTrust, Permutive write into IndexedDB.
Service Worker storage and Cache Storage — not intercepted.
Fingerprinting probes — Canvas, WebGL, AudioContext, font enumeration, navigator.userAgentData not captured.
Cross-page persistence — every trial loads only the homepage. Article pages, search, login flows not exercised.
Geographic variance — all trials from one egress IP. Country-conditional ad stacks not stressed.
Consent vendor coverage — Didomi and CPEx only. OneTrust, Cookiebot, TrustArc, Sourcepoint, custom CMPs fail consent capture.
Tamper-evidence — trial JSONs and HTML reports are not cryptographically signed. The reports carry an "Evidence: unsigned" chip.

Worked examples

Real cookies pulled from the current data, one per pattern. Each example shows how the three measurements differ for one specific cookie.

A — solid ground (all three agree)

A cookie that reaches every visit, is in production monitoring, and the deep audit caught it. Both sides agree; nothing to act on.

Cookie
Gtestem
Vendor
Site internal
Category
Operational
Site
ahaonline-cz
Seen by users
yes (5/5 trials)
In monitoring
yes (13/59 runs)
Seen in audit
yes
Pre-consent
yes
First seen vs consent
+1.6s
B — monitoring gap (visitor sees it, our system does not)

A cookie that reaches every visit, the deep audit caught it, but production monitoring has no record of it. This is the under-reporting gap — most of our compliance dataset misses these.

Cookie
___nrbi
Vendor
Meiro / Newsroom AI
Category
Analytics
Site
ahaonline-cz
Seen by users
yes (5/5 trials)
In monitoring
no
Seen in audit
yes
Pre-consent
yes
First seen vs consent
−15s
C — pre-consent breach candidate

A non-essential cookie set BEFORE the user clicked Accept. The legal problem under ePrivacy 5(3). Compare what the deep audit shows vs whether monitoring caught it pre-consent.

Cookie
___nrbi
Vendor
Meiro / Newsroom AI
Category
Analytics
Site
ahaonline-cz
Seen by users
yes (5/5 trials)
In monitoring
no
Seen in audit
yes
Pre-consent
yes
First seen vs consent
−15s
D — RTB stochastic (sometimes, not in monitoring)

A cookie the deep audit caught in only some trials — different RTB bidder won that visit. Not in monitoring. Still counts under ePrivacy because it can fire pre-consent on any given visit.

Cookie
__mguid_
Vendor
Microsoft Ads
Category
Advertising
Site
ahaonline-cz
Seen by users
no (1/5 trials)
In monitoring
no
Seen in audit
yes
Pre-consent
yes
First seen vs consent
−9.8s
E — historical only (in monitoring, not in current audit)

A cookie present in our 30-day production database but our recent trials did not see it. Three possible causes: regex name normalisation (F-010) collapsed the name in the DB; ad inventory rotated; trials happened to miss it. Worth investigating but not necessarily a current problem.

Cookie
_gd1776161800510_sharedId
Vendor
Prebid
Category
Advertising
Site
ahaonline-cz
Seen by users
no (0/5 trials)
In monitoring
yes (1/59 runs)
Seen in audit
no
Pre-consent
yes
First seen vs consent
—

The four scanners

Scanner	Where it runs	Disguise	What it captures well
Production	`src/cookies-checker.ts` · nightly cron → MariaDB	Optional stealth via `--stealth`	Legacy operational dataset. Carries the 28 F-flaws (dedup races, regex name overwrite, value truncation, no SS/CS/IDB/TC-string).
Corrected	`scripts/true-scan.ts`	None	F-flaws fixed: SessionStorage + CookieStore + JAR + TC-string + name preservation. Bot-suppressed.
Hardened headless (workhorse)	`scripts/scanner-lib.ts`	`playwright-extra` + stealth plugin + `--disable-blink-features=AutomationControlled`	F-flaws fixed AND bot disguise intact. Reproducible in CI.
Hardened headed + human	Same as 3, headed mode	Same as 3 + mouse moves, scroll, 3 s dwell	Closest proxy to a real interactive session. One-run ablation only.

A fifth tier — attaching to a real Chrome via CDP — is the gold standard but cannot be automated, so it is out of scope.

The three measurements (columns on every per-site report)

Column	Inclusion rule	Answers
Seen by users	Cookie present in ≥3 of 5 hardened-headless trials	What a real visitor reliably encounters on this site.
In monitoring	Cookie name present in the production `cookies` table, last 30 days	What our operational compliance system has on record.
Seen in audit (detailed view only)	Cookie present in any of 7 trials (5 hardened + 1 headed-human + 1 baseline)	The full audit surface, including stochastic RTB winners.

Cross-measurement gaps

Gap	Meaning
Users \ Monitoring	Reliably reaches users; not in nightly DB. The compliance under-reporting gap.
Audit \ Monitoring	Caught by the deep scan at least once; not in nightly DB. Broader version of the gap above, including stochastic RTB.
Monitoring \ Audit	Only in the DB historically. Three causes: (a) regex name normalisation (F-010); (b) ad inventory rotation; (c) trials missed it.
Pre-consent · non-essential	Subset of the above with category ∈ {advertising, analytics, unknown} and first-seen before the consent click. ePrivacy 5(3) candidates.

How to reproduce

# 1. Tunnel to MariaDB
ssh -i ~/.ssh/cnc_analyticsstack -fN -L 3316:127.0.0.1:3316 cnc_user@analyticsstack.aws.cnci.tech

# 2. Run 14 trials (2 sites × 7 modes, ≈4 min)
npx ts-node --transpile-only scripts/run-trials.ts

# 3. Pull last 30 days from production DB
npx ts-node --transpile-only scripts/pull-db-cookies.ts

# 4. Aggregate per-site Users / Monitoring / Audit
npx ts-node --transpile-only scripts/aggregate-tables.ts

# 5. Generate reports
npx ts-node --transpile-only scripts/generate-canonical-report.ts ahaonline-cz
npx ts-node --transpile-only scripts/generate-canonical-report.ts beta-labrador-ahaonline-cz
npx ts-node --transpile-only scripts/generate-detailed-report.ts ahaonline-cz
npx ts-node --transpile-only scripts/generate-detailed-report.ts beta-labrador-ahaonline-cz
npx ts-node --transpile-only scripts/generate-methodology-technical.ts

Want the short version? Open the simple methodology →

At a glance — current sites

What this audit does not cover

Worked examples

A — solid ground (all three agree)

B — monitoring gap (visitor sees it, our system does not)

C — pre-consent breach candidate

D — RTB stochastic (sometimes, not in monitoring)

E — historical only (in monitoring, not in current audit)

The four scanners

The three measurements (columns on every per-site report)

Cross-measurement gaps

How to reproduce