Why convert files in your browser instead of uploading

Most "free online converter" sites work by taking your file, uploading it to their server, processing it, and giving it back. That model is convenient and, for the wrong file, dangerous. This guide explains why, what changed in the last few years to make a different model possible, and where the tradeoffs are.

Published 2026-05-26 · All guides

The default model: upload, process, download

Type "convert PDF to EPUB" into a search engine and almost every result on the first page asks you to upload your file. The site picks it up on its servers, runs a conversion library against it, and offers the result back as a download. From a usability standpoint, the model is fine — the user doesn't need anything installed, the server has plenty of CPU, and the result arrives in seconds.

The trouble is that "your file" stops being yours the moment it leaves your machine. The operator now has a copy. So do whatever logging, backup, and analytics systems they run. And so does anyone who later compromises that infrastructure. For a public-domain ebook this is meaningless. For a contract, a medical bill, a tax form, a manuscript, or a folder of personal photos, it's a stack of risks that the convenient interface doesn't surface.

The real risk isn't theoretical

In March 2025 the FBI's Denver field office issued a public warning, echoed by Malwarebytes and TechCrunch coverage, that free online file-converter sites had become a significant malware vector. The model in the wild: legitimate-looking conversion sites that did perform the conversion but also bundled malware into the downloaded result, or scraped sensitive content out of uploaded documents (cryptocurrency seed phrases, financial records, social security numbers) for follow-up scams. The FBI's specific advice was to be skeptical of any free online converter and to prefer tools that don't require uploading.

That's separate from the routine risks every honest upload-based site carries: misconfigured S3 buckets, logging that retains files past stated policies, third-party data brokers that get a sliver of metadata, and the simple reality that "deleted after one hour" is a promise nobody can independently verify.

What changed: WebAssembly and Canvas

For most of the web's history, doing real work inside a browser was impractical. JavaScript was slow, browsers couldn't read binary file formats efficiently, and the libraries that did the heavy lifting (image decoders, PDF parsers, OCR engines) were native code that ran on servers. Browser-based file conversion existed but was limited to toys and small text formats.

Two shifts changed that. The first was WebAssembly, shipped in 2017 and now supported by every modern browser. Wasm lets compiled C, C++, or Rust code run inside the browser at speeds within a couple times of native. That made it practical to compile real libraries — pdf.js (Firefox's own PDF engine), Tesseract (Google's OCR engine), libheif (the HEIC decoder), JSZip, pdf-lib — and run them client-side. The second shift was that browsers grew the APIs needed to read and write binary files locally: the File API, FileReader, Blob, the Canvas 2D context, OffscreenCanvas, and the URL.createObjectURL trick for downloads. Combined, these let you build a full conversion pipeline that never sees the network.

Performance: how it actually feels

The performance trade isn't what people expect. Server-side conversion has effectively unlimited CPU but a network round-trip; a 50 MB PDF spends most of its conversion time uploading and downloading. Browser-side conversion has zero network cost but is bounded by your device. The crossover is somewhere around "a recent laptop." On a Mac M-series or a current Windows ultrabook, browser conversion of a couple-hundred-page PDF, a batch of HEIC photos, or a moderate EPUB takes seconds — comparable to a server round-trip on a typical home connection.

On phones, browser conversion is slower than a server, mostly because mobile CPUs are conservative on Wasm and RAM is tight. A 200-page PDF that converts in 4 seconds on a laptop might take 20 seconds on an iPhone. For most users that's still acceptable, and for sensitive files the time cost is worth not handing the file to a stranger.

What you should never upload to a converter

A short list of files that should never go to an upload-based converter regardless of its reputation:

For everything in this list, browser-based conversion is the right answer — or, for irreplaceable files, a desktop tool like Calibre, ImageMagick, or pdftk that doesn't touch the network at all.

How to verify a converter doesn't upload

The benefit of browser-based conversion is that it's externally verifiable. You don't have to trust the operator's privacy promises; you can watch the network and confirm directly.

Where the browser model breaks down

Browser conversion isn't always the right answer. A few cases where the upload model is genuinely the better tool:

For everyday personal use — converting an EPUB, processing a folder of HEIC photos, getting text out of a scan — browser-based tools are now strictly better for any file that should stay private.

Where to go from here

All the converters on FreeBookConvert run in your browser using the model described above. If you'd rather start with format background, see What is an EPUB?, HEIC explained, or JPG vs PNG vs WEBP vs HEIC. For the OCR side specifically, see How OCR actually works and the tools at PDF OCR, Scanned PDF to Text, and Make PDF Searchable.