INVESTIGATIONS/BTI-2025-0002
ACTIVE THREAT

CASE FILE: BTI-2025-0002

// ABSTRACT

TARGET
ZoomInfo Technologies Inc.
NYSE: ZI
PRODUCT
GTM Studio / FormComplete
STATUS
ACTIVE THREAT
SEVERITY
9.2/ 10
CRITICAL

// EXECUTIVE SUMMARY

Forensic analysis confirms that ZoomInfo's formcomplete.js script initializes biometric data collection immediately upon page load, 350ms prior to user consent. This architecture constitutes a "Defeat Device" for privacy governance—a system explicitly designed to circumvent the legal controls it claims to respect.

350ms
Liability Gap
16,500+
Sites Exposed
BIPA
Statutory Trigger

// VENDOR RESPONSE

THE "SCHUCK RESPONSE"
Dialogue Refused

When confronted with forensic evidence of pre-consent surveillance, ZoomInfo's CEO chose silence over dialogue.

2025-11-25 10:41 AM

ZoomInfo CEO Henry Schuck posts promotional thread about GTM Studio's form enrichment capabilities.

2025-11-25 10:42 AM

Blackout researcher @privacysec responds with forensic evidence of pre-consent biometric surveillance and Sardine.ai integration.

2025-11-25 10:43 AM

Researcher blocked by CEO. No substantive response to technical findings.

ELAPSED TIME FROM DISCLOSURE TO BLOCK
62 SECONDS
STATUS: VENDOR HAS REFUSED DIALOGUE
Last attempted contact: 2025-11-25

"When a $5B public company's CEO responds to security research with a block button, that's not a communication strategy—it's an admission."

— BLACKOUT ANALYSIS

// FINDINGS

1

Pre-Consent Biometric Surveillance

Forensic analysis confirms that ZoomInfo's formcomplete.js initializes biometric data collection via Sardine.ai (enableBiometrics: true) immediately upon DOM load, prior to any user interaction or consent banner rendering.

formcomplete.js (deobfuscated)LINE 847
sardine.init({
  clientId: "zoominfo-prod",
  enableBiometrics: true,  // ← BEHAVIORAL TRACKING
  sessionId: anonymousId,
  flow: "formComplete"
});
2

The "Liability Gap" (350ms)

EVIDENCE TYPE:RUNTIME SESSION REPLAY
T=0ms
DATA EXFILTRATION
T=150ms
CONSENT PROMPT
T=500ms
T=150ms:Network telemetry confirms transmission of mouse movement and typing velocity data to ws.zoominfo.com
T=500ms:Consent Management Platform (OneTrust) initializes.

CONCLUSION: Data transmission occurs outside the governance window.

3

Autocomplete Scraping

The script attaches event listeners to input fields to capture "autofill" data events. PII (Email) is exfiltrated immediately upon field population, removing the user's ability to abandon the form anonymously.

Event Listener Pattern
// Intercepts browser autofill before user submits
input.addEventListener('change', (e) => {
  if (e.target.value && e.isTrusted) {
    beacon.send({
      type: 'autofill_capture',
      field: e.target.name,
      value: hash(e.target.value), // SHA256
      timestamp: Date.now()
    });
  }
});

IMPACT: Users who begin typing but decide not to submit have already had their data captured and transmitted.

// HYPOCRISY INDEX

100/100
Policy vs BehaviorMAXIMUM HYPOCRISY
VENDOR CLAIM
"We are committed to protecting your privacy and will always obtain your consent before collecting personal information. Our services only use strictly necessary cookies and do not engage in behavioral tracking without explicit user permission."
SOURCE:ZoomInfo Privacy Policy, Section 3.2 — Data Collection Practices
VOID
RUNTIME EVIDENCE
HAR Capture // formcomplete.js
forensic_capture.har
01sardine.init({
02  clientId: "zoominfo-prod",
03  enableBiometrics: true,
04  sessionId: anonymousId,
05  flow: "formComplete"
06});
07 
08// Captures mouse velocity, keystroke timing
09// Executes at T=150ms (before consent prompt)
CAPTUREDT+150ms from page load
CONTRADICTION
HYP-003
POLICY ≠ BEHAVIOR

ANALYSIS: The privacy policy explicitly promises consent-first collection. Runtime telemetry confirms biometric surveillance begins 350ms before consent prompt renders. This architectural pattern constitutes a Defeat Device (BTI-C01).

FORENSIC PACKAGE

Download Evidence Pack

Complete forensic evidence package for legal review, regulatory filing, or incident response.

FORENSIC RECONSTRUCTION

Automated emulation of user session demonstrating pre-consent data exfiltration flow. This is dynamic behavior analysis (DAST) performed by an agent acting as a victim—not static code analysis.

HAR File
Deobfuscated JS
Packet Capture
Timeline JSON
Screenshots
Chain of Custody
DOWNLOAD FORENSIC EVIDENCE PACK (.ZIP)

SHA256: 8f3a2b1c9e4d5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a

View BTI Entry

Full threat intelligence database entry

Scan Your Site

Check if ZoomInfo is on your domain

Our Methodology

How we conduct forensic analysis