How This Briefing Works
This report opens with key findings, then maps the gaps between what Bitly discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Pre-Consent Activity
Bitly was observed loading and executing before user consent was obtained on 27% of sites where it was detected.
Claims vs. Observed Behavior

| Area | Vendor claim | Observed at runtime |
|---|---|---|
| Consent | "Pending claims extraction via CDT" | Consent bypass on link redirection detected |
| Disclosure | "Pending privacy policy review" | Behavioral fingerprinting observed without disclosure verification |
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use Bitly
- Configure Bitly links to append consent-status parameters so the destination can verify consent downstream
- Disable device fingerprinting in Bitly account settings, if the option is available
- Implement first-party link shortening to keep control over tracking behavior
- Review Bitly data retention settings and select the shortest retention period available
- Conduct quarterly audits of which third-party integrations receive Bitly click data
If You're Evaluating Bitly
- Request a DPA with explicit limits on click data enrichment and third-party sharing
- Verify that Bitly honors Do Not Track (DNT) signals and Global Privacy Control (GPC)
- Assess the technical feasibility of consent-aware link shortening alternatives
- Require a contractual commitment that click tracking will not be used to match users across customers
- Negotiate liability protection for regulatory actions arising from pre-consent click tracking
Negotiation Leverage
- Bitly's consent bypass (BTI-C09) during link redirection creates pre-consent tracking: demand technical controls that honor upstream consent signals
- Behavioral fingerprinting (BTI-C06) on clicks enables cross-campaign tracking: require an opt-out from device fingerprinting and user matching
- Retaining click data longer than a campaign needs it conflicts with data minimization: negotiate a maximum 30-day retention with automated deletion
- Request documentation of third-party data sharing recipients and the purposes of each transfer
- Demand a contractual prohibition on using your click data for Bitly's own analytics products or cross-customer insights
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Keystroke/mouse tracking
Impact: Collects device fingerprints, geolocation data, and interaction timing on link clicks to build cross-campaign user profiles.
Ignoring CMP (consent management platform) signals
Impact: Activates tracking during link redirection, before the user ever reaches a consent interface, creating pre-consent data collection that conflicts with GDPR consent requirements and CCPA opt-out rights.
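The "loaded before consent" share reported under Key Findings and the CMP-signal finding above both come down to the same per-site question: did the vendor's first request start before the CMP recorded consent? The following is an added example, not BLACKOUT's pipeline or data, of computing that share from per-site request traces. The trace layout, site names, timestamps and the vendor domain `shortener-vendor.example` are constructed for illustration and are not Bitly's real endpoints; the registrable-domain helper is a deliberate simplification.

```javascript
// Added example: reproducing a "loaded before consent" metric from per-site
// request traces. Trace layout, site names, timestamps and the vendor domain
// are constructed placeholders, not BLACKOUT's data or Bitly's endpoints.

// One trace per crawled site: when the CMP recorded an affirmative consent
// (null if the crawl never consented), and every request with its start time.
const TRACES = [
  { site: "news.example", consentGrantedAt: "2024-05-01T10:00:05Z",
    requests: [
      { url: "https://news.example/", at: "2024-05-01T10:00:00.000Z" },
      { url: "https://cdn.shortener-vendor.example/click.js", at: "2024-05-01T10:00:01.200Z" },
      { url: "https://cmp.example/consent.js", at: "2024-05-01T10:00:01.000Z" } ] },
  { site: "shop.example", consentGrantedAt: "2024-05-01T11:00:03Z",
    requests: [
      { url: "https://shop.example/", at: "2024-05-01T11:00:00Z" },
      { url: "https://go.shortener-vendor.example/r/abc", at: "2024-05-01T11:00:04Z" } ] },
  { site: "blog.example", consentGrantedAt: "2024-05-01T12:00:02Z",
    requests: [ { url: "https://blog.example/", at: "2024-05-01T12:00:00Z" } ] },
  { site: "forum.example", consentGrantedAt: null, // crawl never clicked "accept"
    requests: [
      { url: "https://forum.example/", at: "2024-05-01T13:00:00Z" },
      { url: "https://api.shortener-vendor.example/v1/beacon", at: "2024-05-01T13:00:02Z" } ] },
  { site: "docs.example", consentGrantedAt: "2024-05-01T14:00:01Z",
    requests: [
      { url: "https://docs.example/", at: "2024-05-01T14:00:00Z" },
      { url: "https://cdn.shortener-vendor.example/click.js", at: "2024-05-01T14:00:06Z" } ] },
];

// Last two labels of a hostname. Adequate for the constructed sample only; a
// real pipeline must use the Public Suffix List (e.g. "example.co.uk").
function registrableDomain(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

function isVendorRequest(url, vendorDomain) {
  return registrableDomain(new URL(url).hostname) === vendorDomain;
}

// Classify one site: was the vendor seen at all, and if so did its first
// request start before consent? A site where the crawl never consented counts
// as pre-consent for any vendor request it made.
function classifySite(trace, vendorDomain) {
  const vendorRequests = trace.requests
    .filter((r) => isVendorRequest(r.url, vendorDomain))
    .sort((a, b) => Date.parse(a.at) - Date.parse(b.at)); // traces may be unordered
  if (vendorRequests.length === 0) {
    return { site: trace.site, detected: false, preConsent: false, firstSeen: null };
  }
  const firstSeen = vendorRequests[0].at;
  const preConsent = trace.consentGrantedAt === null
    || Date.parse(firstSeen) < Date.parse(trace.consentGrantedAt);
  return { site: trace.site, detected: true, preConsent, firstSeen };
}

// Aggregate across sites: of the sites where the vendor was detected, the
// share on which it also ran before consent (the shape of the 27% figure).
function preConsentRate(traces, vendorDomain) {
  const results = traces.map((t) => classifySite(t, vendorDomain));
  const detected = results.filter((r) => r.detected);
  const pre = detected.filter((r) => r.preConsent);
  return {
    detectedOn: detected.length,
    preConsentOn: pre.length,
    rate: detected.length ? pre.length / detected.length : 0,
    preConsentSites: pre.map((r) => r.site),
  };
}

console.log(preConsentRate(TRACES, "shortener-vendor.example"));
```

On the constructed traces the vendor is detected on four of five sites and ran pre-consent on two of them (one where it loaded before the consent click, one where consent was never given), so the rate is 0.5. The two timestamps that matter are the vendor's first request and the CMP's consent event; the rest of the trace is irrelevant, which is why the classifier sorts only the vendor's own requests.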
IOC Manifest
Indicators across four categories (scripts, domains, cookies, and network endpoints). Use them to write detection rules, to audit CSP allowlists, or to build Pi-hole blocklists.
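An added example, not part of the report and not BLACKOUT's tooling, of consuming a manifest in those four categories. The manifest below is a constructed placeholder (the `shortener-vendor.example` hosts and `_vendor_*` cookie names are assumptions, not Bitly's indicators). It produces a Pi-hole blocklist, audits a CSP header, matches CSP violation reports, and matches cookie names. The CSP part carries a caveat worth stating: CSP is an allowlist, so it cannot block an IOC host directly; what you can do is check whether your policy already permits one, including via wildcards and scheme-only sources such as `https:`.

```javascript
// Added example: consuming an IOC manifest (scripts, domains, cookies,
// network endpoints). Manifest contents are constructed placeholders, not the
// report's indicators.

const IOC_MANIFEST = {
  scripts: [
    "https://cdn.shortener-vendor.example/click.js",
    "https://static.shortener-vendor.example/fp/collect.min.js",
  ],
  domains: ["shortener-vendor.example", "go.shortener-vendor.example"],
  cookies: ["_vendor_uid", "_vendor_fp"],
  endpoints: [
    "https://api.shortener-vendor.example/v1/beacon",
    "https://go.shortener-vendor.example/r/",
  ],
};

// Every hostname referenced anywhere in the manifest, deduplicated and sorted.
function iocHosts(manifest) {
  const hosts = new Set(manifest.domains.map((d) => d.toLowerCase()));
  for (const u of [...manifest.scripts, ...manifest.endpoints]) {
    hosts.add(new URL(u).hostname.toLowerCase());
  }
  return [...hosts].sort();
}

// True if `host` is an IOC host or lies under one.
function matchesIocHost(host, manifest) {
  const h = host.toLowerCase();
  return iocHosts(manifest).some((ioc) => h === ioc || h.endsWith("." + ioc));
}

// Pi-hole adlist format: one domain per line, "#" lines are comments.
function toPiholeBlocklist(manifest) {
  return ["# generated from IOC manifest", ...iocHosts(manifest)].join("\n") + "\n";
}

// Does one CSP source expression permit any IOC host? Scheme-only sources
// ("https:") and "*" permit everything; "*.base" permits anything under base;
// a plain host permits exactly that host.
function sourcePermitsIoc(src, manifest) {
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return true; // scheme-only source
  const host = src.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "").replace(/[:/].*$/, "").toLowerCase();
  if (host === "*") return true;
  if (host.startsWith("*.")) {
    const base = host.slice(2);
    return matchesIocHost(base, manifest) || iocHosts(manifest).some((h) => h.endsWith("." + base));
  }
  return matchesIocHost(host, manifest); // 'self', 'unsafe-inline', nonces never match
}

// Audit a Content-Security-Policy header: which directives/sources already
// let an IOC host load? Empty array means the policy does not permit any.
function cspSourcesPermittingIoc(cspHeader, manifest) {
  const hits = [];
  for (const directive of cspHeader.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/).filter(Boolean);
    if (!name) continue;
    for (const src of sources) {
      if (sourcePermitsIoc(src, manifest)) hits.push({ directive: name, source: src });
    }
  }
  return hits;
}

// Match the "csp-report" object a browser POSTs to report-uri / report-to
// against the manifest. Non-URL values ("inline", "eval", "data") never match.
function cspReportHitsIoc(cspReport, manifest) {
  const blocked = cspReport["blocked-uri"] || "";
  if (!/^[a-z][a-z0-9+.-]*:\/\//i.test(blocked)) return false;
  return matchesIocHost(new URL(blocked).hostname, manifest);
}

// Names in a Cookie request header that are IOC cookie names.
function iocCookieNames(cookieHeader, manifest) {
  return cookieHeader
    .split(/;\s*/)
    .map((kv) => kv.split("=")[0].trim())
    .filter((name) => manifest.cookies.includes(name));
}

console.log(toPiholeBlocklist(IOC_MANIFEST));
console.log(cspSourcesPermittingIoc(
  "default-src 'self'; script-src 'self' https://cdn.shortener-vendor.example *.example; connect-src https:",
  IOC_MANIFEST));
```

Run the CSP audit in report-only mode first: `cspReportHitsIoc` over the incoming reports tells you which pages actually pull an IOC host, while `cspSourcesPermittingIoc` on the enforced header tells you whether a tightened allowlist would still let it through.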
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
104 detection signatures across scripts, domains, cookies, and network endpoints