All Vendors
measurement

33across

33across deploys persistent identifiers and cross-site identity resolution for programmatic advertising, with 65% broker exposure creating significant demand signal leakage across DSP partners.

21 IOCs2 detections2 sites
65
Vendor Risk Score

How This Briefing Works

This report opens with key findings, then maps the gaps between what 33across discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

Key Findings

2 detections across 2 sites
Disclosure Gaps

Claims vs. Observed Behavior

1 gaps

pending

UNKNOWN
They Claim

Requires claims extraction via CDT

Observed Behavior

Live website analysis pending

Customer Impact

What This Means For You

Sites deploying 33across leak 65% of user behavioral data to DSP partners and advertising exchanges, subsidizing competitor programmatic campaigns. Persistent cross-site tracking creates GDPR consent exposure, particularly for EU visitors where ePrivacy Directive enforcement is accelerating. Privacy-conscious buyers will flag identity resolution as disqualifying.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You're Evaluating 33across

  • Contextual advertising without identity matching
  • First-party data strategies (email-based targeting)
  • Google Privacy Sandbox (FLoC alternatives)
  • Remove programmatic advertising if ROI does not justify privacy trade-off

Negotiation Leverage

  • 65% broker score means user identifiers shared with DSP partners and advertising exchanges, subsidizing competitor campaigns
  • Persistent cross-site tracking creates GDPR Article 6 lawful basis gaps and ePrivacy Directive cookie consent violations
  • Identity resolution contradicts privacy commitments in most vendor agreements
  • 33across identifiers survive browser clearing attempts, creating persistent surveillance independent of user control
Runtime Detections

Runtime Detections

2 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C13Persistence Mechanisms

Long-lived identifiers

Impact: Multiple storage mechanisms (cookies, localStorage, cache) ensure 33across identifiers survive browser clearing attempts and session resets.

BTI-C14Identity Resolution

PII deanonymization

Impact: Anonymous users matched to 33across identity graph spanning multiple sites, enabling deterministic cross-site tracking and profile enrichment for advertising.

IOC Manifest

IOC Manifest

7 INDICATORS

Indicators of compromise across 3 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

TRACK
*www.33across.com/cdn-cgi/challenge-platform/h/b/orchestrate/chl_page/v1*
Tracking script
TRACK
www.33across.com/cdn-cgi/challenge-platform/h/b/orchestrate/chl_page/v1
Auto-extracted from scan
Ecosystem

Ecosystem & Supply Chain

33across competes in the advertising identity resolution market alongside LiveRamp, The Trade Desk UID2, and ID5, positioning cross-site tracking as infrastructure for programmatic advertising effectiveness.
Loads (1)
Cloudflare Insights
Loaded By (2)
PubmaticAol
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

21 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details