Are online PDF tools safe? I checked the network traffic
- • iLovePDF sends your download token to Google Analytics. Google knows which file you downloaded, when, from which IP.
- • Smallpdf made 215 network requests during a single merge operation.
- • Both upload your file to their servers. The merge happens server-side, not in your browser.
- • A client-side alternative (PDF Changer) made 18 requests total, all to its own domain. Zero during processing.
I opened iLovePDF in Chrome with the network tab recording. Before the page finished rendering, it sent a request to region1.google-analytics.com.
After I merged two test PDFs and clicked download, it sent another. The URL included the download token — a unique hash iLovePDF generated for my merged file. Google Analytics now had a record that someone at my IP, with my browser fingerprint, downloaded a specific file at a specific time.
Standard analytics. Every site with GA does this. The difference is that most sites aren't processing your tax documents.
The comparison
Three tools. Same operation: merge two test PDFs. Chrome DevTools, Network tab, preserve log. Captured 18 March 2026. Raw captures are in the repo as JSON.
| Tool | Requests | Third parties | File uploaded? |
|---|---|---|---|
| iLovePDF | ~50 | Google Analytics, Cloudflare | yes — server-side processing |
| Smallpdf | 215 | Google Analytics, fonts, ads | yes — server-side processing |
| PDF Changer | 18 | none | no — browser-only |
The actual request
One URL, sent as a POST to Google's analytics endpoint. Wrapped for readability:
region1.google-analytics.com/g/collect ?tid=G-44KQ8HETWT &dl=https://www.ilovepdf.com/download/njkxblwd7fw40y... &dt=Download file | iLovePDF &en=user_engagement
dl is the full download URL with the unique file token. tid is iLovePDF's GA tracking ID. cid (not shown) is a client ID that persists across sessions.
Google doesn't have the file contents. They have the metadata: who downloaded what, when, from where.
What zero requests looks like
PDF Changer: 18 requests total, all to pdfchanger.org. The page, one CSS file, one JS bundle, a manifest, an icon. During the merge: zero network requests. The sandbox runs with connect-src 'none' in its Content Security Policy. The browser itself blocks outbound connections from the processing context.
Three monitors (CSP violation listener, PerformanceObserver, MutationObserver) watch for exfiltration attempts and hash events into an HMAC chain. The chain is verifiable after processing — tamper with one entry and the hashes diverge.
Limitations of this comparison
Network request counts change with every deployment. These numbers are a snapshot from one session on one day. iLovePDF and Smallpdf may change their analytics configuration. The comparison is specific to a merge operation — other tools may behave differently.
PDF Changer is my project. I'm comparing my own tool to competitors. The network captures are published so you can verify independently.
Raw capture data: PDF Changer repo under apps/web/public/research/data/. Three JSON files, one per tool.