They take more than you agreed to give.
Data used for purposes beyond stated scope. The vendor's DPA says they process data for analytics, but their scripts also feed identity resolution networks, retargeting platforms, and data broker syncs. The contract is a subset of reality.
How This Escalates BTI-C Findings
Escalates any BTI-C data collection finding. If the vendor is authorized for C07 (Session Recording) but also does C14 (Identity Resolution), the scope creep transforms authorized collection into unauthorized exfiltration.
Related Advisories
No published advisories reference this code yet.
Investigations are ongoing.
Blackout uses security frameworks to protect AGAINST vendors, not FOR them. We do not notify vendors. We do not provide remediation windows. If you're using a vendor flagged by this code, the advisory is your evidence.
Permanent URL: deployblackout.com/bti/codes/X08