How This Briefing Works
This report opens with key findings, then maps the gaps between what Antvoice discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Disclosure Gap
37 third-party vendors detected at runtime
Pre-Consent Activity
Antvoice was observed loading and executing before user consent was obtained on 4% of sites where it was detected.
Anonymous Data Claim
Clearbit and HubSpot perform visitor identification
Consent Validity
12 vendors load before consent obtained
Undisclosed Party
Not in privacy policy
Claims vs. Observed Behavior
Disclosure Gap
“Privacy policy lists 8 partners/processors”
37 third-party vendors detected at runtime
Runtime scan of antvoice.com shows HubSpot, Clearbit, LinkedIn, YouTube, and 30+ other vendors not in privacy documentation
Anonymous Data Claim
“Claims no PII collection and anonymous-only processing”
Clearbit and HubSpot perform visitor identification
Both vendors detected pre-consent on antvoice.com; these are known identity resolution platforms
Consent Validity
“IAB TCF participant with valid consent mechanism”
12 vendors load before consent obtained
Pre-consent vendors include googleanalytics4, hubspot, clearbit, linkedin, youtube
Jurisdiction Disclosure
“Generic processor location disclosure”
Specific US data recipients not enumerated
Multiple US vendors (HubSpot, Clearbit, Doubleverify, Rockerbox) not individually disclosed
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use Antvoice
- →Audit your CMP configuration to ensure all Antvoice vendor dependencies are disclosed and consent-gated on your properties
- →Review data processing agreement for scope alignment — Antvoice privacy policy describes minimal data use that contradicts 37-vendor reality
- →Verify Antvoice's no personal data claim against detected vendor behaviors on your properties
- →Request IAB TCF compliance documentation and verify it covers actual vendor relationships
If You're Evaluating Antvoice
- →Request complete vendor list and compare against the 8 disclosed before any engagement
- →Verify the no personal data claim against runtime evidence showing HubSpot, LinkedIn, and analytics vendors
- →Compare with other programmatic platforms on vendor transparency and pre-consent behavior
- →Require contractual representations matching their no personal data marketing claim
Negotiation Leverage
- →No personal data claim: Antvoice explicitly claims to never use personal data yet runs 37 vendors including HubSpot and LinkedIn — use this contradiction to negotiate enhanced data protection guarantees or contractual representations
- →IAB TCF certification gap: TCF certification coexists with undisclosed vendor practices — leverage for transparency requirements and audit rights
- →Vendor disclosure undercount: 37 vendors detected vs. 8 disclosed — nearly 5x gap; require named vendor disclosure as a contract condition
- →Pre-consent behavior: Vendors firing before consent on Antvoice properties — use this to negotiate consent compliance guarantees for your campaigns
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Evasion infrastructure, auditor bypass
Full session replay
Identity stitching
Ignoring CMP signals
Device identification
IOC Manifest
Indicators of compromise across 3 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
60 detection signatures across scripts, domains, cookies, and network endpoints