CoPilot AI
CoPilot AI: Massive Undisclosure of Data Processors with Pre-Consent Tracking
Parent Company: Cassia Research Inc.
CoPilot AI's website deploys 34+ third-party data processors while its GDPR-citing privacy policy discloses only 9 (a 26% disclosure rate). The pre-consent tracking stack includes browser fingerprinting, 3 IP deanonymization services, 14+ data broker cookie syncs, and 2 undisclosed session recorders. A server-side GTM proxy is used to obscure the origin of the tracking. The white-label offering multiplies the proliferation risk.
This advisory exists to warn companies running CoPilot AI on their sites. We do not notify vendors. We do not provide remediation windows. If you're using this vendor, this is your evidence.
- White-label partners (unknown count)
If You're Running CoPilot AI
Remove or disclose all 34+ data processors in privacy policy
Effort: moderate
Implement consent-gated tag loading (CMP integration)
Effort: significant
Remove FingerprintJS and HubSpot fingerprinting
Effort: moderate
Audit and remove unnecessary data broker syncs
Effort: moderate
Remove server-side GTM proxy or disclose its purpose
Effort: trivial
What It Costs You
CAC Subsidization
Visitor data captured on a site can flow into data broker networks and identity graphs, eventually surfacing in competitor prospecting tools. The original company paid to acquire the traffic; competitors pay pennies to intercept the lead.
Signal Corruption
Overlapping tracking mechanisms corrupt attribution data. Multiple sources claim credit for single conversions. Pipeline metrics diverge from reality. Marketing decisions get made on numbers that can’t be trusted.
Legal Tail Risk
Pre-consent data collection, undisclosed data sharing, and consent signal violations create regulatory exposure. Class actions and regulatory fines can exceed entire annual marketing budgets. Liability sits with the site owner, not the vendor.
GTM Attack Surface
Third-party scripts execute with full privileges on every page load. Dangerous code patterns, external dependencies, and data interception turn marketing infrastructure into attack vectors. One compromised dependency compromises the entire site.
BTI-C: Behavioral Codes
Attack Parallel: Privacy Policy Fraud
Material misrepresentation of data processing activities
Reference
BTSS Score Breakdown
Technical Evidence
Code Evidence
IP Deanonymization - ipwhois.pro with exposed API key
GET https://ipwhois.pro/?key=16jpIhWjg0BuB4PP
# Returns company name, ISP, geolocation from visitor IP
IP Deanonymization - ip-api.com with exposed API key
GET https://pro.ip-api.com/json/?key=jBo9qeFtLp00zjm
# Secondary IP lookup service
Visitor Enrichment API - expertise.ai
POST https://api.expertise.ai/v0/location/us-east-1/visitor-enrichment/waterfall
# Active visitor deanonymization via third-party AI chatbot
FingerprintJS loaded via Knorex ad platform
<script src="https://cdn.brand-display.com/sv/js/fingerprint3.min.js"></script>
// Browser fingerprinting for cross-site tracking
HubSpot Browser Fingerprint ID
GET https://track.hubspot.com/__ptq.gif?bfp=2389246449&...
# bfp = browser fingerprint parameter
Server-side GTM proxy obscuring tracking
GET https://gtm.copilotai.com/9gkhbqizklofn.js?e8scxq1u=aWQ9R1RNLVRXRzlaQkw%3D
# First-party domain proxying Google Tag Manager
# Decoded: id=GTM-TWG9ZBL
Network Evidence
Undisclosed session recording - Hotjar
https://static.hotjar.com/c/hotjar-6520913.js
Undisclosed session recording - Microsoft Clarity
https://www.clarity.ms/tag/undefined
LiveRamp data broker cookie sync
https://idsync.rlcdn.com/708804.gif?partner_uid=...
Tapad cross-device graph sync
https://pixel.tapad.com/idsync/ex/receive?partner_id=3021
AppNexus ad exchange cookie sync
https://ib.adnxs.com/setuid?entity=442
The Trade Desk DSP sync
https://match.adsrvr.org/track/cmf/generic?ttd_pid=tapad
Amazon advertising sync
https://s.amazon-adsystem.com/dcm?pid=...
Evidence Package
Reproduction Steps
1. Open browser DevTools Network tab
2. Navigate to https://copilotai.com
3. Do NOT interact with any consent banner
4. Observe 298+ network requests to 40+ domains
5. Filter for: ipwhois, ip-api, fingerprint, rlcdn, tapad, hotjar, clarity
6. Compare disclosed processors in /privacy-policy to actual network activity
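A triage helper for steps 4 to 6 and for the GTM proxy parameter shown under Code Evidence, added here as an example that is not part of the advisory. In a browser you would feed it the URL list from performance.getEntriesByType('resource'); the disclosed-host list and the sample request list below are constructed, and the ip-api key in the sample is a placeholder.

```javascript
// Added example, not from the advisory: classify pre-consent requests and
// flag those that hit known tracker categories without being disclosed.
// In DevTools: auditPreConsent(performance.getEntriesByType('resource').map(e => e.name))

// Hosts the privacy policy discloses (constructed placeholder list).
const DISCLOSED_HOSTS = ['www.google-analytics.com', 'track.hubspot.com'];

// Host/path fragments from the advisory's filter list, mapped to a category.
const TRACKER_PATTERNS = [
  [/ipwhois|ip-api/, 'ip-deanonymization'],
  [/fingerprint/, 'fingerprinting'],
  [/rlcdn|tapad|adnxs|adsrvr|amazon-adsystem/, 'data-broker-sync'],
  [/hotjar|clarity/, 'session-recording'],
];

function classify(url) {
  const { host, pathname } = new URL(url);
  const hit = TRACKER_PATTERNS.find(([re]) => re.test(host + pathname));
  return { host, category: hit ? hit[1] : 'other', disclosed: DISCLOSED_HOSTS.includes(host) };
}

// Requests in a tracker category whose host is absent from the policy.
function auditPreConsent(urls) {
  return urls.map(classify).filter((r) => r.category !== 'other' && !r.disclosed);
}

// Recover the container id hidden in the first-party GTM proxy URL: the
// advisory's request carries ?e8scxq1u=aWQ9R1RNLVRXRzlaQkw%3D, which is
// base64 for "id=GTM-TWG9ZBL". Any query value that decodes to id=GTM-... counts.
function decodeGtmProxyParam(url) {
  for (const value of new URL(url).searchParams.values()) {
    const decoded = Buffer.from(value, 'base64').toString('utf8');
    const m = /^id=(GTM-[A-Z0-9]+)$/.exec(decoded);
    if (m) return m[1];
  }
  return null;
}

// Constructed sample of pre-consent requests (hosts taken from the advisory).
const SAMPLE_REQUESTS = [
  'https://track.hubspot.com/__ptq.gif?bfp=2389246449',
  'https://pro.ip-api.com/json/?key=PLACEHOLDER_KEY',
  'https://cdn.brand-display.com/sv/js/fingerprint3.min.js',
  'https://idsync.rlcdn.com/708804.gif?partner_uid=x',
  'https://static.hotjar.com/c/hotjar-6520913.js',
];
```

The audit deliberately treats a disclosed host as compliant only by name; whether the disclosed purpose matches the observed behaviour (e.g. HubSpot's bfp fingerprint) still needs a manual read of the policy.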
Legal Touchpoints
Failure to disclose identity of data recipients at time of collection
Failure to provide information about third-party data sources
Processing without valid consent - tracking fires pre-consent
Storing cookies/fingerprints without prior informed consent
Failure to disclose categories of third parties with whom PI is shared
Collection without knowledge/consent of individual
Citation Templates
“Vendor shall not engage in behaviors classified under BTI-2025-0004 (CoPilot AI), including UNDISCLOSED_PROCESSORS (UNDISCLOSED_PROCESSORS).”
“BTI Advisory BTI-2025-0004 documents CoPilot AI engaging in UNDISCLOSED_PROCESSORS (BTSS 8.2, HIGH).”
“We have identified CoPilot AI as exhibiting UNDISCLOSED_PROCESSORS behavior per BTI Advisory BTI-2025-0004. Full details: deployblackout.com/bti/BTI-2025-0004”