Basis

DSP and marketing automation platform. Extreme liability exposure from comprehensive behavioral tracking including session recording, biometrics, identity resolution, and persistent profiling without consent. Maximum revenue impact from campaign strategy and audience intelligence leakage.

86 IOCs · 22 detections · 95% pre-consent · 20 sites

Vendor Risk Score: 70

How This Briefing Works

This report opens with key findings, then maps the gaps between what Basis discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

22 detections across 20 sites · 95% pre-consent activity
CRITICAL

Pre-Consent Activity

Basis was observed loading and executing before user consent was obtained on 95% of sites where it was detected.

GDPR · ePrivacy
Disclosure Gaps

Claims vs. Observed Behavior

1 gap

pending

UNKNOWN
They Claim

Requires claims extraction via CDT

Observed Behavior

Live website analysis pending

Customer Impact

What This Means For You

For security teams: Comprehensive behavioral tracking and session recording create surveillance infrastructure exploitable for organizational reconnaissance. Identity resolution links visitors to employee accounts, revealing org structure.

For legal: Session recording creates maximum GDPR exposure: every recorded session is a potential data breach requiring notification. Identity resolution extends data subject access request scope to the complete interaction history, requiring forensic reconstruction. Behavioral biometrics trigger GDPR Article 9 special category processing, requiring a documented legal basis and impact assessments. International RTB data transfers require Standard Contractual Clauses with transfer impact assessments.

For marketing: Complete campaign strategy is leaked via RTB bidding data: competitors see which audiences you value, how much you bid, which creative approaches work, and your complete conversion funnel optimization.

For sales: Identity-resolved prospect engagement data sold to competitors enables targeted outbound to your warmest leads before your team acts on intent signals.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Basis

  • Immediate contract termination - no compliant configuration possible with this threat profile
  • Engage legal counsel for joint controller liability assessment under GDPR Article 26
  • Submit GDPR data deletion request for all session recordings, behavioral profiles, and identity-resolved data
  • Conduct Data Protection Impact Assessment for any future DSP deployment
  • Audit RTB data sharing agreements to identify downstream competitive intelligence buyers
  • Calculate total cost: (Basis fees + competitive intelligence leakage + GDPR liability exposure)

If You're Evaluating Basis

  • Replace with consent-first marketing automation (HubSpot with privacy controls, Marketo with strict data governance)
  • Assess first-party intent signals vs. third-party behavioral surveillance
  • Review all historical campaign data for GDPR Article 17 deletion obligations
  • Evaluate contextual advertising vs. behavioral targeting to eliminate tracking infrastructure
  • Consider litigation risk from GDPR Article 82 private right of action for data subjects

Negotiation Leverage

  • Session recording and behavioral biometrics without consent violate GDPR Article 6 and Article 9 - contract is legally unenforceable under EU law
  • Identity resolution triggers retroactive GDPR obligations for all historical data - demand legal opinion on joint controller liability and potential regulator notification obligations
  • Tag manager deployment without consent governance makes site operator joint controller under GDPR Article 26 - require DPA amendment or contract termination
  • RTB data sharing reveals complete campaign strategy to competitors - demand full audit of ad exchange data distribution with buyer identification and pricing transparency
  • Persistent tracking extends GDPR liability window across customer lifecycle - no compliant retention policy possible without fundamental architecture changes
  • Behavioral biometrics constitute special category data under GDPR Article 9 - require Data Protection Impact Assessment showing legitimate interest override or explicit consent (neither likely achievable)

Runtime Detections

5 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C06: Behavioral Biometrics

Keystroke/mouse tracking

Impact: Captures keystroke dynamics, mouse patterns, scroll behaviors, and engagement micro-signals for audience profiling and intent scoring. Creates GDPR Article 9 special category data processing violations requiring explicit consent and Data Protection Impact Assessment.

BTI-C07: Session Recording

Full session replay

Impact: Records complete visitor sessions across marketing funnel for conversion attribution and journey optimization. Every recording creates GDPR data breach notification obligations if storage compromised and data subject access request liability requiring video reconstruction.

BTI-C09: Consent Bypass

Ignoring CMP signals

Impact: Executes full surveillance stack before consent collection including session recording, behavioral tracking, and identity resolution. Documented in pre-consent timeline analysis. Violates GDPR Article 6 and ePrivacy Directive creating strict liability.

BTI-C13: Persistence Mechanisms

Long-lived identifiers

Impact: Maintains cross-session audience profiles via deterministic and probabilistic matching. Persistent identifiers extend GDPR data retention and deletion obligations across entire customer lifecycle spanning months or years.

BTI-C14: Identity Resolution

PII deanonymization

Impact: Links anonymous sessions to email addresses, CRM records, and third-party identity graphs. Converts pseudonymous tracking to personal data, triggering full GDPR obligations retroactively for all historical sessions tied to resolved identity.

IOC Manifest

77 INDICATORS

Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

TRACK  *basis.com/wp-content/plugins/bt-bb-ab/js/frontend.js*  Tracking script
TRACK  *basis.com/wp-includes/js/jquery/jquery.js*  Tracking script
TRACK  *basis.com/wp-content/plugins/oxygen/component-framework/vendor/aos/aos.js*  Tracking script
TRACK  *basis.com/wp-content/plugins/bt-bb-ab/js/highlighter.js*  Tracking script
TRACK  *basis.com/wp-content/plugins/bt-bb-ab/js/bt_conversion.js*  Tracking script
TRACK  *gtm.basis.com/gtm.js*  Tracking script
TRACK  *basis.com/cdn-cgi/challenge-platform/scripts/jsd/main.js*  Tracking script
TRACK  *basis.com/cdn-cgi/challenge-platform/h/b/scripts/jsd/*/main.js*  Tracking script
TRACK  *gtm.basis.com/gtag/js*  Tracking script
TRACK  *hello.basis.com/analytics*  Tracking script
TRACK  basis.com/wp-includes/js/jquery/jquery.min.js  Auto-extracted from scan
TRACK  basis.com/wp-content/plugins/oxygen/component-framework/vendor/aos/aos.js  Auto-extracted from scan
TRACK  basis.com/wp-content/plugins/bt-bb-ab/js/highlighter.js  Auto-extracted from scan
TRACK  basis.com/wp-content/plugins/bt-bb-ab/js/bt_conversion.js  Auto-extracted from scan
TRACK  basis.com/wp-content/plugins/bt-bb-ab/js/frontend.js  Auto-extracted from scan
TRACK  gtm.basis.com/gtm.js  Auto-extracted from scan
TRACK  basis.com/cdn-cgi/challenge-platform/scripts/jsd/main.js  Auto-extracted from scan
TRACK  gtm.basis.com/gtag/js  Auto-extracted from scan
TRACK  basis.com/cdn-cgi/challenge-platform/h/b/scripts/jsd/d251aa49a8a3/main.js  Auto-extracted from scan
TRACK  hello.basis.com/analytics  Auto-extracted from scan

Ecosystem

Ecosystem & Supply Chain

Enterprise marketing automation and DSP infrastructure connected to major ad exchanges, SSPs, identity resolution platforms, and intent data marketplaces. Common co-deployments: Salesforce (CRM sync), LiveRamp (identity resolution), Google Ad Manager (publisher-side), TradeDesk (competing DSP), ad verification vendors, marketing attribution platforms. Campaign data, behavioral profiles, and identity graphs shared across programmatic ecosystem and sold to competitive intelligence platforms.

Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

86 detection signatures across scripts, domains, cookies, and network endpoints
