All Vendors
dsp

Buysellads

BuySellAds advertising network deploys comprehensive surveillance infrastructure including behavioral biometrics, session recording, identity resolution, and consent bypass. The platform demonstrates maximum-risk data broker patterns.

126 IOCs38 detections11% pre-consent37 sites
80
Vendor Risk Score

How This Briefing Works

This report opens with key findings, then maps the gaps between what Buysellads discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

Key Findings

38 detections across 37 sites11% pre-consent activity
MEDIUM

Pre-Consent Activity

Buysellads was observed loading and executing before user consent was obtained on 11% of sites where it was detected.

GDPRePrivacy
Disclosure Gaps

Claims vs. Observed Behavior

2 gaps

disclosure

CRITICAL
They Claim

Pending privacy policy review

Observed Behavior

Session recording observed—explicit disclosure required to avoid wiretapping liability

Customer Impact

What This Means For You

Customers face maximum regulatory exposure from combined session recording and consent bypass—creating GDPR Article 5/6 violations, CCPA non-compliance, and potential state wiretapping liability. Identity resolution linking across sites creates Article 6(4) compatible purpose violations. Session recording may capture form data or authentication credentials on publisher sites, creating data breach notification obligations. Behavioral biometrics may violate Illinois BIPA if used for Illinois residents. Publishers face reputational risk if session recording becomes public.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Buysellads

  • IMMEDIATE: Audit BuySellAds deployments to verify session recording is disabled or explicitly disclosed in privacy policy
  • Implement strict consent-gating for ALL BuySellAds tracking across publisher sites
  • Disable behavioral biometrics and identity resolution features in BuySellAds settings
  • Configure ad placements to use privacy-preserving modes (contextual targeting only)
  • Deploy tag manager rules to block BuySellAds until explicit consent for behavioral advertising granted
  • Conduct monthly audits of session recording behavior and cross-site tracking capabilities
  • Enable data minimization controls to limit retention to active campaign periods only (30 days maximum)

If You're Evaluating Buysellads

  • Request DPA with explicit prohibitions on session recording and cross-publisher audience profiling
  • Require technical documentation on identity resolution methodology and consent signal verification
  • Verify BuySellAds honors IAB TCF consent strings and Global Privacy Control (GPC)
  • Demand contractual indemnification for GDPR fines and wiretapping liability arising from session recording
  • Assess alternative ad networks with consent-first architecture and no session recording
  • Negotiate right to audit BuySellAds consent processing logs and identity graph linkage decisions
  • Request deletion of all historical cross-site tracking data for users without explicit behavioral advertising consent

Negotiation Leverage

  • BuySellAds session recording (BTI-C07) creates wiretapping liability—require immediate technical verification that recording is disabled or demand contractual indemnification for state law violations
  • Identity resolution (BTI-C14) across publisher sites creates cross-site tracking without consent—demand explicit opt-in before any cross-domain linking
  • Consent bypass (BTI-C09) with session recording active creates maximum regulatory exposure—require technical implementation of consent verification before ANY tracking initialization
  • Behavioral biometrics (BTI-C06) enables fingerprinting that persists beyond cookie deletion—negotiate contractual prohibition or explicit user disclosure requirement
  • Request documentation on data retention periods, cross-publisher data sharing, and advertiser access to audience profiles
  • Demand prohibition on using publisher site interaction data for BuySellAds' own audience marketplace products
  • Negotiate maximum 30-day retention for behavioral data with automated deletion and right to audit retention compliance
  • Require real-time disclosure of all session recording instances with opt-out mechanism on every page where active
Runtime Detections

Runtime Detections

6 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C06Behavioral Biometrics

Keystroke/mouse tracking

Impact: Captures mouse movements, scroll depth, interaction timing, and engagement patterns to build unique user fingerprints for cross-site ad targeting.

BTI-C07Session Recording

Full session replay

Impact: Records user interactions during ad exposure and click-through, capturing behavioral data that can reconstruct user journeys and preferences without consent.

BTI-C08Cross-Domain Sync

Identity stitching

BTI-C09Consent Bypass

Ignoring CMP signals

Impact: Initializes comprehensive tracking infrastructure before consent collection, creating automatic legal violations across all ad placements.

BTI-C14Identity Resolution

PII deanonymization

Impact: Links user sessions across publisher sites and advertiser properties to create unified profiles, enabling cross-site tracking without explicit consent for data linking.

BTI-C15Tag Manager

Container/loader (neutral)

IOC Manifest

IOC Manifest

98 INDICATORS

Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

TRACK
*buysellads.com/hubfs/public/alpine@3.js*
Tracking script
TRACK
*www.buysellads.com/hubfs/public/alpine@3.js*
Tracking script
TRACK
*www.buysellads.com/hubfs/hub_generated/template_assets/1/*/*/template_main.js*
Tracking script
TRACK
*www.buysellads.com/hs/hsstatic/cos-i18n/static-1.53/bundles/project.js*
Tracking script
TRACK
*www.buysellads.com/hs/hsstatic/content-cwv-embed/static-1.*/embed.js*
Tracking script
TRACK
*www.buysellads.com/hs/hsstatic/HubspotToolsMenu/static-1.636/js/index.js*
Tracking script
TRACK
*www.buysellads.com/_hcms/forms/v2.js*
Tracking script
TRACK
*www.buysellads.com/hs/scriptloader/*.js*
Tracking script
TRACK
buysellads.com/hubfs/public/alpine@3.min.js
Auto-extracted from scan
TRACK
www.buysellads.com/hs/hsstatic/content-cwv-embed/static-1.1293/embed.js
Auto-extracted from scan
TRACK
www.buysellads.com/hubfs/hub_generated/template_assets/1/101261475107/1770971199405/template_main.min.js
Auto-extracted from scan
TRACK
www.buysellads.com/hs/hsstatic/cos-i18n/static-1.53/bundles/project.js
Auto-extracted from scan
TRACK
www.buysellads.com/_hcms/forms/v2.js
Auto-extracted from scan
TRACK
www.buysellads.com/hs/scriptloader/410369.js
Auto-extracted from scan
TRACK
www.buysellads.com/hs/hsstatic/HubspotToolsMenu/static-1.636/js/index.js
Auto-extracted from scan
TRACK
www.buysellads.com/hubfs/public/alpine@3.min.js
Auto-extracted from scan
Ecosystem

Ecosystem & Supply Chain

BuySellAds operates as advertising exchange connecting thousands of publishers and advertisers. The platform integrates with ad servers, supply-side platforms (SSPs), demand-side platforms (DSPs), and identity resolution providers. Data flows bidirectionally with advertising partners for user matching, frequency capping, and campaign optimization. Cross-site tracking enables audience profiling across publisher network.
Loads (2)
Apollo IoHubspot
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

126 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details