CoPilot AI
CoPilot AI: Massive Undisclosure of Data Processors with Pre-Consent Tracking
Parent Company: Cassia Research Inc.
Summary
CoPilot AI's website deploys 34+ third-party data processors while their GDPR-citing privacy policy discloses only 9 (26% disclosure rate). The pre-consent tracking stack includes browser fingerprinting, 3 IP deanonymization services, 14+ data broker cookie syncs, and 2 undisclosed session recorders. They use a server-side GTM proxy to obscure tracking origins. White-label offering multiplies proliferation risk.
BTSS Score Breakdown
Technical Details
Code Evidence
IP Deanonymization - ipwhois.pro with exposed API key
GET https://ipwhois.pro/?key=16jpIhWjg0BuB4PP
# Returns company name, ISP, geolocation from visitor IP
IP Deanonymization - ip-api.com with exposed API key
GET https://pro.ip-api.com/json/?key=jBo9qeFtLp00zjm
# Secondary IP lookup service
Visitor Enrichment API - expertise.ai
POST https://api.expertise.ai/v0/location/us-east-1/visitor-enrichment/waterfall
# Active visitor deanonymization via third-party AI chatbot
FingerprintJS loaded via Knorex ad platform
<script src="https://cdn.brand-display.com/sv/js/fingerprint3.min.js"></script>
// Browser fingerprinting for cross-site tracking
HubSpot Browser Fingerprint ID
GET https://track.hubspot.com/__ptq.gif?bfp=2389246449&...
# bfp = browser fingerprint parameter
Server-side GTM proxy obscuring tracking
GET https://gtm.copilotai.com/9gkhbqizklofn.js?e8scxq1u=aWQ9R1RNLVRXRzlaQkw%3D
# First-party domain proxying Google Tag Manager
# Decoded: id=GTM-TWG9ZBL
Network Evidence
Undisclosed session recording - Hotjar
https://static.hotjar.com/c/hotjar-6520913.js
Undisclosed session recording - Microsoft Clarity
https://www.clarity.ms/tag/undefined
LiveRamp data broker cookie sync
https://idsync.rlcdn.com/708804.gif?partner_uid=...
Tapad cross-device graph sync
https://pixel.tapad.com/idsync/ex/receive?partner_id=3021
AppNexus ad exchange cookie sync
https://ib.adnxs.com/setuid?entity=442
The Trade Desk DSP sync
https://match.adsrvr.org/track/cmf/generic?ttd_pid=tapad
Amazon advertising sync
https://s.amazon-adsystem.com/dcm?pid=...
Attack Parallel: Privacy Policy Fraud
Material misrepresentation of data processing activities
Reference Framework Mappings
Legal Touchpoints
Failure to disclose identity of data recipients at time of collection
Failure to provide information about third-party data sources
Processing without valid consent - tracking fires pre-consent
Storing cookies/fingerprints without prior informed consent
Failure to disclose categories of third parties with whom PI is shared
Collection without knowledge/consent of individual
Prevalence
- White-label partners (unknown count)
Reproduction Steps
1. Open browser DevTools Network tab
2. Navigate to https://copilotai.com
3. Do NOT interact with any consent banner
4. Observe 298+ network requests to 40+ domains
5. Filter for: ipwhois, ip-api, fingerprint, rlcdn, tapad, hotjar, clarity
6. Compare disclosed processors in /privacy-policy to actual network activity
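The comparison in steps 4 to 6 can be automated against a HAR export ("Save all as HAR" in the DevTools Network tab). The script below is an added example written for this report, not tooling from CoPilot AI or Cassia Research: it classifies each request as first- or third-party, lists third-party domains contacted before the consent timestamp (or all of them when no banner was touched), flags the keywords from step 5, checks contacted domains against a disclosed-processor list, and decodes the base64 query value that the first-party GTM proxy carries. The HAR entries, the disclosed-processor set and the consent timestamp are constructed for illustration; API keys are replaced with placeholders.

```javascript
// Added example (not part of the original report): audit a DevTools HAR export
// for pre-consent third-party requests and compare them with disclosed processors.
// Runs under Node; the sample HAR below is constructed, the domains mirror the report.

const FIRST_PARTY_SUFFIXES = ["copilotai.com"];

// Processors the privacy policy is ASSUMED to name (constructed list; a real audit
// takes this from the policy text itself).
const DISCLOSED_PROCESSORS = new Set(["hubspot.com", "googletagmanager.com"]);

// Keyword filter from step 5 of the reproduction steps.
const WATCH_KEYWORDS = ["ipwhois", "ip-api", "fingerprint", "rlcdn", "tapad", "hotjar", "clarity"];

// Constructed sample HAR (only the fields the audit reads). Timestamps are invented;
// "PLACEHOLDER" stands in for real keys and ids.
const SAMPLE_HAR = {
  log: {
    entries: [
      { startedDateTime: "2024-01-01T00:00:00.100Z", request: { url: "https://copilotai.com/" } },
      { startedDateTime: "2024-01-01T00:00:00.400Z", request: { url: "https://gtm.copilotai.com/9gkhbqizklofn.js?e8scxq1u=aWQ9R1RNLVRXRzlaQkw%3D" } },
      { startedDateTime: "2024-01-01T00:00:00.800Z", request: { url: "https://ipwhois.pro/?key=PLACEHOLDER" } },
      { startedDateTime: "2024-01-01T00:00:01.000Z", request: { url: "https://track.hubspot.com/__ptq.gif?bfp=PLACEHOLDER" } },
      { startedDateTime: "2024-01-01T00:00:01.200Z", request: { url: "https://static.hotjar.com/c/hotjar-PLACEHOLDER.js" } },
      { startedDateTime: "2024-01-01T00:00:01.500Z", request: { url: "https://idsync.rlcdn.com/PLACEHOLDER.gif?partner_uid=PLACEHOLDER" } },
      { startedDateTime: "2024-01-01T00:00:09.000Z", request: { url: "https://www.clarity.ms/tag/undefined" } },
    ],
  },
};

// Naive registrable domain: last two labels. Adequate for the domains in this report;
// a production audit should use the Public Suffix List (e.g. the `psl` package).
function registrableDomain(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

function isFirstParty(hostname) {
  return FIRST_PARTY_SUFFIXES.some((s) => hostname === s || hostname.endsWith("." + s));
}

// Detect a first-party URL that carries a GTM container id as a base64 query value,
// the pattern seen on gtm.copilotai.com. Returns the container id or null.
function decodeGtmId(url) {
  const u = new URL(url);
  for (const value of u.searchParams.values()) {
    if (!/^[A-Za-z0-9+/]+=*$/.test(value)) continue; // skip values that are not plain base64
    const decoded = Buffer.from(value, "base64").toString("utf8");
    const m = /^id=(GTM-[A-Z0-9]+)$/.exec(decoded);
    if (m) return m[1];
  }
  return null;
}

// consentAt: ISO timestamp of the user's banner interaction, or null when the banner
// was never touched (then every request counts as pre-consent).
function auditHar(har, consentAt) {
  const consentTime = consentAt ? Date.parse(consentAt) : Infinity;
  const preConsent = new Set();
  const undisclosed = new Set();
  const flagged = [];
  const proxiedGtm = [];

  for (const entry of har.log.entries) {
    const url = entry.request.url;
    const host = new URL(url).hostname;
    const lower = url.toLowerCase();
    const keyword = WATCH_KEYWORDS.find((k) => lower.includes(k));
    if (keyword) flagged.push({ url, keyword });

    if (isFirstParty(host)) {
      const containerId = decodeGtmId(url);
      if (containerId) proxiedGtm.push({ url, containerId });
      continue; // first-party requests are not processors, but may proxy one
    }

    const domain = registrableDomain(host);
    if (Date.parse(entry.startedDateTime) < consentTime) preConsent.add(domain);
    if (!DISCLOSED_PROCESSORS.has(domain)) undisclosed.add(domain);
  }

  return {
    preConsent: [...preConsent].sort(),
    undisclosed: [...undisclosed].sort(),
    flagged,
    proxiedGtm,
  };
}

console.log(JSON.stringify(auditHar(SAMPLE_HAR, null), null, 2));
```

With a real export, replace `SAMPLE_HAR` with `JSON.parse(fs.readFileSync("site.har", "utf8"))`; the object has the same `log.entries[].request.url` and `startedDateTime` shape. The disclosed-processor list is the part that needs a human reading of the policy; everything else is mechanical.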
Remediation
Remove or disclose all 34+ data processors in privacy policy
Effort: moderate
Implement consent-gated tag loading (CMP integration)
Effort: significant
Remove FingerprintJS and HubSpot fingerprinting
Effort: moderate
Audit and remove unnecessary data broker syncs
Effort: moderate
Remove server-side GTM proxy or disclose its purpose
Effort: trivial
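The consent-gated tag loading item above is the one that stops the pre-consent requests at the source. The gate below is an added example, not code from CoPilot AI or any CMP vendor: third-party tags are registered under a consent category and their loaders are held until the CMP reports that category as granted, so nothing in a gated category touches the network before the user decides. The category names, the script URLs and the `loadScript` hook are assumptions made for the demo.

```javascript
// Added example (not the site's own code): hold third-party tag loaders until the
// matching consent category is granted. Category names and URLs are placeholders.

// loadScript(src) performs the actual load; injected so the gate is testable without
// a DOM. defaultGranted lists categories that need no consent (assumed: "necessary").
function createConsentGate(loadScript, defaultGranted = ["necessary"]) {
  const granted = new Set(defaultGranted);
  const tags = []; // { category, src, loaded }

  function fire(tag) {
    if (tag.loaded) return; // each tag loads at most once
    tag.loaded = true;
    loadScript(tag.src);
  }

  // Register a tag; it loads now only if its category is already granted.
  function register(category, src) {
    const tag = { category, src, loaded: false };
    tags.push(tag);
    if (granted.has(category)) fire(tag);
    return tag;
  }

  // Called from the CMP's consent callback with the categories the user accepted.
  function grant(categories) {
    for (const c of categories) granted.add(c);
    for (const tag of tags) if (granted.has(tag.category)) fire(tag);
  }

  // Withdrawal stops future loads; scripts already executed cannot be unloaded,
  // so a page reload is required to honour it fully.
  function revoke(categories) {
    for (const c of categories) granted.delete(c);
  }

  return {
    register,
    grant,
    revoke,
    isGranted: (c) => granted.has(c),
    loadedSources: () => tags.filter((t) => t.loaded).map((t) => t.src),
    blockedSources: () => tags.filter((t) => !t.loaded).map((t) => t.src),
  };
}

// Browser loader: only referenced in a page context; never called under Node here.
function browserLoadScript(src) {
  const s = document.createElement("script");
  s.src = src;
  s.async = true;
  document.head.appendChild(s);
}

// Constructed demo: a recording loader stands in for the DOM, the categories assigned
// to each script are assumptions, and the URLs carry placeholder ids.
function demo() {
  const loaded = [];
  const gate = createConsentGate((src) => loaded.push(src));
  gate.register("necessary", "https://copilotai.com/assets/app.js"); // placeholder path
  gate.register("analytics", "https://static.hotjar.com/c/hotjar-PLACEHOLDER.js");
  gate.register("marketing", "https://idsync.rlcdn.com/PLACEHOLDER.gif");
  const beforeConsent = gate.loadedSources().length; // only the "necessary" script
  gate.grant(["analytics"]); // user accepts analytics but not marketing
  return { beforeConsent, loaded: [...loaded], blocked: gate.blockedSources() };
}

console.log(JSON.stringify(demo(), null, 2));
```

In a real integration the GTM container itself belongs behind the gate (or is configured with consent mode), because a container that loads pre-consent can fire any tag it carries; gating individual pixels while the container loads unconditionally leaves the problem in place.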