Sarah is a paralegal at a mid-size firm in Bristol. It’s 4:47 on a Thursday, she has a 5pm deadline, and the PDF she needs to email to a client is 34 megabytes — too large to attach. She opens a browser tab, types “compress PDF free,” clicks the first result, drags the file in, and waits. Thirty seconds later, a download prompt appears. The file is 4.2 megabytes. She emails it, closes the tab, and moves on.
She doesn’t think twice about it. Why would she? The tool worked.
What she doesn’t think about is the thirty seconds in between. That PDF — containing a contract with names, addresses, financial details, and the kind of information that would make a GDPR officer nervous — has just left her machine. It traveled over the internet to a server in a data centre she’ll never visit, operated by a company she’s never heard of, under a privacy policy she’s never read. It sat in a processing queue alongside thousands of other documents. It was handled by software that may log file metadata. It may have been stored temporarily — or, depending on the terms of service, not so temporarily.
The company behind the tool has operating costs. Servers aren’t free. Bandwidth isn’t free. The engineering team that built the thing needs to be paid. And yet the product costs nothing. This is not a coincidence. It’s a business model.
The privacy policies of most free PDF tools are long documents written to protect the company, not the user. They tend to contain phrases like “we may retain uploaded files for up to 24 hours for processing purposes” and “we may use aggregated, anonymised data to improve our services.” What they rarely contain is a clear, plain-English explanation of who can access your files, under what circumstances, and for how long. What they almost never contain is a promise that your files won’t be used to train machine learning models, because that promise would be expensive to keep.
None of this is particularly nefarious. Most of these companies are just trying to build a sustainable product. But the consequence is that millions of people are routinely sending sensitive documents to infrastructure they have no visibility into, for reasons they’ve never examined, because the alternative — not compressing the PDF, or finding a better tool — feels like more friction than it’s worth.
The strange thing is that the upload was never necessary.
A modern laptop contains more raw compute than the servers that ran the entire Apollo programme. Your browser — the same application you use to watch video, run spreadsheets, and do your taxes — contains a JavaScript engine capable of running complex algorithms at near-native speed. The technology to compress a PDF locally has existed in some form for decades. Ghostscript, the compression engine that powers most server-side PDF reduction, is open source. It compiles to WebAssembly. It runs in a browser tab.
The upload happened because it was the easiest way to build the tool in 2012, when browsers were less capable and WebAssembly didn’t exist. It became a convention. Conventions become invisible. Nobody questions why PDFs need to go to a server, because that’s just how PDF tools work. Except it isn’t, anymore.
The browser is a powerful computer. The compression doesn’t require your file to go anywhere. The thirty seconds Sarah spent waiting for the server could have been thirty seconds waiting for her own CPU. Same result. Completely different set of people with access to her client’s financial documents.
Once you understand this, the calculus changes. It’s not that server-based tools are evil — it’s that they’re unnecessary for this particular job. And unnecessary risk, even small unnecessary risk, has a way of compounding over time.
fwip’s PDF compressor runs entirely in your browser. Your file never leaves your device. Try it →