How This Briefing Works
This report opens with key findings, then maps the gaps between what Ada discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Pre-Consent Activity
Ada was observed loading and executing before user consent was obtained on 80% of sites where it was detected.
Claims vs. Observed Behavior
pending
“Unknown”
Requires claims extraction via CDT
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use Ada
- →Audit Ada consent implementation via HAR capture to verify post-rejection tracking cessation
- →Review DPA for cross-domain data sharing restrictions and enforce strict first-party boundaries
- →Implement chat analytics isolation to prevent Ada data from polluting core conversion measurement
- →Establish session recording controls to prevent chat interaction capture without explicit consent
If You're Evaluating Ada
- →Request Ada deployment in strict first-party mode with all cross-domain sync disabled
- →Require contractual prohibition on chat data sharing with demand generation networks
- →Verify chat widget does not initialize tracking libraries before user interaction
- →Assess alternative chat vendors (Intercom with privacy controls, self-hosted solutions) for comparison
Negotiation Leverage
- →VRS 80 classification requires premium DPA terms including cross-domain sync prohibition and post-rejection tracking cessation guarantees
- →85% legal tail risk demands indemnification for consent violations and GDPR Article 7 non-compliance
- →80% CAC subsidization impact justifies pricing concessions if strict first-party deployment mode is enforced
- →Request evidence that chat analytics do not feed external demand networks or require contractual data sharing restrictions
- →Require monthly attestation that defeat device mechanisms (background tracking) have been disabled in your deployment
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Evasion infrastructure, auditor bypass
Impact: Chat widget continues data collection in background even when minimized or after consent rejection, violating user expectations.
Identity stitching
Impact: Chat session IDs synchronized across customer properties and Ada network, enabling cross-site behavior correlation.
Ignoring CMP signals
Impact: Maintains persistent chat analytics after explicit rejection, creating consent theater rather than genuine user control.
Device identification
Impact: Browser fingerprinting used to reconnect chat sessions across devices and visits, bypassing cookie controls.
IOC Manifest
Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
5 detection signatures across scripts, domains, cookies, and network endpoints