The digital privacy industry has, for years, operated on a kind of polite fiction: put up a cookie banner, tick a few compliance boxes, append a “we value your privacy” statement to your website footer, and consider the job done.
webXray exists to prove, forensically and in court, that this fiction is costing companies billions—and to arm the lawyers, regulators, and compliance teams who are making them pay for it.
Founded in 2023 and headquartered in the United States, webXray LLC is a privacy intelligence and forensics platform that gives law firms, enterprise compliance teams, adtech vendors, and defense counsel hard, court-ready evidence of what a website is actually doing with user data, as opposed to what it claims to be doing.
Their tagline—”Be the First to Know”—is more than a slogan. It’s the core competitive premise. In privacy litigation and compliance, the entity that identifies a violation first, and can document it forensically, wins.
Key Takeaways:
The Core Problem: 73% of websites with cookie banners set tracking cookies before users even grant consent.
The Solution: Forensic-grade website preservation and automated scanning that holds up in court and regulatory inquiries.
The Pedigree: Founded by Dr. Timothy Libert, a former Google Staff Privacy Engineer who conducted the largest enterprise cookie audit in history.
Where It Came From: A Decade of Pioneering Research
webXray is not a startup that stumbled onto privacy as a hot market opportunity. Its roots go back to 2012, when its founder, Dr. Timothy Libert, built the original webXray as an academic research tool while pursuing his PhD at the University of Pennsylvania. What followed was one of the most consequential careers in digital privacy research of the last decade.
Libert’s pioneering career includes several major milestones:
-
The first-ever million-site study of third-party web tracking.
-
The first peer-reviewed research on pixel tracking on medical websites—work that directly opened the door to hundreds of millions of dollars in class action settlements involving healthcare providers and tech giants.
-
Systematically comparing privacy policies against executing code, an insight that turned out to be foundational to the modern privacy litigation wave.
His research was cited in US Supreme Court briefs and featured heavily by major media outlets like NPR, ABC, the New York Times, the BBC, the Financial Times, and Wired. Over 900 peer-reviewed academic papers now cite his work.
From Big Tech to Commercial Platform
After academic roles at Oxford, Carnegie Mellon, and Central European University, Libert joined Google as a Staff Privacy Engineer. There, he was tasked with writing Google’s internal cookie and web storage policy, governing all cookies across the company’s entire global infrastructure. He led an audit of every single Google-owned cookie—an undertaking described by Google’s own Data Protection Officer as a process that defined internal guidelines for data collection and linkage.
In 2023, he left Google to commercialize a decade of academic breakthroughs and Big Tech operational experience into a single platform: webXray LLC.
The Leadership Team
The company’s executive roster combines high-stakes political tech, federal AI governance, and elite computer science academia.
-
Jim Moffet (Co-Founder & CTO): Former founding engineer at Impactive, a platform that served as the centerpiece of the Biden 2020 campaign’s $100 million remote organizing effort (later acquired by ActBlue in 2025). He later served as Director of AI Engineering for USAi.gov, sat on the President’s Interagency Policy Council on Privacy, and co-authored the first Federal Generative AI Playbook. He holds a graduate degree from Harvard.
-
Dr. Simson Garfinkel (Senior Advisor): Chief Scientist at BasisTech and a lecturer at Harvard Kennedy School. He holds seven US patents, has published more than 80 research articles in computer security, and is a fellow of AAAS, the ACM, and the IEEE.
What the Platform Does
The webXray platform is built around a single core capability: running real browsers from real locations to observe, record, and analyze exactly what data a website transmits. Unlike tools that rely on self-reported data or lightweight scans, webXray produces forensic-grade evidence that holds up in depositions and court proceedings. The platform is divided into four distinct product lines:
| Product Line | Target Audience | Key Capabilities & Benefits |
| Litigation | Plaintiff Law Firms | Searchable index of 1.2M websites; forensic website preservation (timestamped code copies); consent bypass analysis to catch illegal tracking. |
| Adtech & CMP Risk | Adtech Vendors & CMPs | Replays user journeys with Global Privacy Control (GPC) enabled; audits CMP integrations across publisher networks at scale. |
| Enterprise Privacy Ops | Fortune 100 Compliance | “Polite by design” automated site scans mimicking real users; distributed scanning across EU, California, and US residential nodes. |
| Defense | Defense Law Firms | Fast-checks plaintiff complaints in minutes; scans client properties immediately upon engagement to verify privacy tool compliance. |
The Numbers and the Press Record
The company’s data speaks to a genuinely alarming picture of the state of web privacy:
-
73% of sites with a cookie banner set advertising cookies before consent is obtained.
-
46% of US hospitals set advertising cookies immediately at page load.
-
1 in 3 websites about religion or spiritual beliefs leaks data to Meta.
-
93% of sites directed at children expose IP addresses to Google.
The 2026 California CCPA Privacy Audit
A major public milestone for the company was its California CCPA Privacy Audit, which demonstrated that Google-certified consent management platforms were not, in practice, blocking Google’s own cookies when Global Privacy Control (GPC) signals were enabled. webXray revealed what it called “an industry in crisis” and has made the dataset publicly searchable.
Since 2012, webXray has scanned over 2.4 million pages. Its underlying research has been scrutinized by more than 20 major press outlets, including The Guardian, Axios, Ars Technica, Vox, The Verge, Gizmodo, and Business Insider.
Why It Matters: The Death of “Tick-Box” Compliance
The broader context for webXray’s existence is a fundamental shift in how privacy law is being enforced. For years, compliance was treated as a documentation exercise—write the policy, deploy the banner, and hope no one looked too closely.
A wave of class-action litigation under California’s CCPA, lawsuits over healthcare pixel tracking, and increasing regulatory scrutiny in both the US and Europe have changed that calculus dramatically. Courts and regulators now want to know not what a company’s privacy policy says, but what its website’s code actually does when a real user visits it.
webXray is, in essence, a technical and forensic lie detector for privacy claims. What makes it distinctive is the unique combination of its leadership’s pedigree:
-
Foundational Academic Research: Gives the methodology unmatched scholarly credibility.
-
Operational Experience at Google: Provides practical scale and deep institutional authority.
-
Forensic Focus: Built explicitly to survive courtroom scrutiny, rather than just generating colorful compliance dashboards.
webXray is built on a singular conviction: the truth about what websites do is discoverable, documentable, and increasingly consequential—and the entities who know it first will have the decisive advantage.
If you’d like a demo of WevXray click here and if you would like to get your website compliant with a working consent management platform that respects global privacy control signals book a demo below with a Captain Compliance privacy expert.
