How This Briefing Works
This dossier opens with key findings, then maps the gap between what Basis discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.
At a Glance
across 1 sites
vendor fires before consent
Briefing
Basis provides demand-side platform and marketing automation combining programmatic bidding, behavioral tracking, session recording, identity resolution, and persistent audience profiling. Deploys full surveillance stack pre-consent. Primary risks: GDPR Article 9 violations (behavioral biometrics as special category data), comprehensive campaign strategy leaked to competing advertisers via RTB data sharing, identity resolution extending liability across all historical sessions.
What This Means For You
For security teams: Comprehensive behavioral tracking and session recording create surveillance infrastructure exploitable for organizational reconnaissance. Identity resolution links visitors to employee accounts revealing org structure. For legal: Session recording creates maximum GDPR exposure - every recorded session is potential data breach requiring notification. Identity resolution extends data subject access request scope to complete interaction history requiring forensic reconstruction. Behavioral biometrics trigger GDPR Article 9 special category processing requiring documented legal basis and impact assessments. International RTB data transfers require Standard Contractual Clauses with transfer impact assessments. For marketing: Complete campaign strategy leaked via RTB bidding data - competitors see which audiences you value, how much you bid, which creative approaches work, and complete conversion funnel optimization. For sales: Identity-resolved prospect engagement data sold to competitors enables targeted outbound to your warmest leads before your team acts on intent signals.
Risk Channel Breakdown
Distorts attribution data
Basis captures complete campaign orchestration data: bidding strategies, audience valuations, conversion funnels, and marketing automation sequences. Every RTB bid reveals which audiences you value most. Session recordings show complete customer journeys. Identity-resolved profiles link anonymous engagement to known accounts. Competitors access this intelligence via shared RTB infrastructure and intent data marketplaces, enabling them to outbid on your highest-value segments and target your warmest prospects.
Expands attack surface
Session recording and behavioral biometrics without consent violate GDPR Article 6 and Article 9 (behavioral patterns as special category data). Identity resolution converts pseudonymous tracking to personal data, triggering retroactive GDPR obligations. Persistent tracking extends compliance scope across months or years of historical data. Tag manager deployment prevents technical consent enforcement. RTB data sharing across ad exchanges creates international data transfer obligations requiring Standard Contractual Clauses.
Threat Indicators
Runtime-observed (BTI-C)
Keystroke/mouse tracking
Full session replay
Ignoring CMP signals
Long-lived identifiers
PII deanonymization
Per-code narrative explanations of what each detected behavior means for your organization
Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →
Claims vs. Reality
BLACKOUT analyzed Basis's public claims against observed runtime behavior and identified 1 contradiction.
Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →
What To Do
6 for current users · 5 for evaluators
contractual leverage points
Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →
Supply Chain & Pairings
Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →