How This Briefing Works
This report opens with key findings, then maps the gaps between what Airtable discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Pre-Consent Activity
Airtable was observed loading and executing before user consent was obtained on 100% of sites where it was detected.
Claims vs. Observed Behavior
pending
“Requires claims extraction via CDT”
Live website analysis pending
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You're Evaluating Airtable
- →Self-hosted form solutions (Formik, React Hook Form)
- →Typeform with tracking disabled
- →JotForm with GDPR configuration
- →Custom forms with controlled analytics
Negotiation Leverage
- →100% broker score means all user interaction data enriches Airtable's product analytics — no contractual limitation possible
- →Behavioral biometrics capture (typing patterns, field navigation) triggers GDPR Article 9 special category requirements
- →Cross-domain synchronization enables Airtable to track individual users across your site and competitors using the platform
- →Consent bypass mechanisms create strict liability — data collection proceeds before user choice
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Evasion infrastructure, auditor bypass
Impact: Airtable scripts initialize before consent frameworks, capturing pre-consent form interactions and field focus events.
Keystroke/mouse tracking
Impact: Typing patterns, field navigation timing, and interaction hesitation captured to build behavioral profiles.
Identity stitching
Impact: Airtable user IDs synchronized across embedded instances, enabling tracking of individual users across multiple customer sites.
Ignoring CMP signals
Impact: Form analytics activate regardless of consent state, collecting interaction data before user choice.
Device identification
Impact: Browser and device fingerprinting ensures persistent tracking even when cookies are blocked.
Long-lived identifiers
Impact: Multiple storage layers (cookies, localStorage, indexedDB) ensure identifier survival across sessions.
PII deanonymization
Impact: Email submissions linked to Airtable's cross-customer user graph, enabling deterministic identity matching.
IOC Manifest
Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
142 detection signatures across scripts, domains, cookies, and network endpoints