How This Briefing Works
This report opens with key findings, then maps the gaps between what Cbinsights discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Pre-Consent Activity
Cbinsights was observed loading and executing before user consent was obtained on 100% of sites where it was detected.
Claims vs. Observed Behavior
| Area | Vendor claim | Observed behavior |
|---|---|---|
| Consent | “Pending claims extraction via CDT” | Session recording, cross-domain sync, tag manager, behavioral tracking, and consent bypass detected—maximum surveillance profile |
| Disclosure | “Pending privacy policy review” | Session recording during research activities observed—requires explicit disclosure verification |
| Sharing | “Pending data sharing review” | Cross-domain sync suggests third-party data flows—requires transparency on sync partners |
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use Cbinsights
- IMMEDIATE: Audit CB Insights privacy policy to verify session recording is disclosed—update policy if not
- Implement browser extensions or network controls to block session recording during confidential research
- Configure VPN or proxy usage for sensitive CB Insights research to prevent behavioral profiling
- Disable CB Insights tag manager script injection via browser content security policies
- Train employees on surveillance risks when using CB Insights for M&A due diligence or competitive analysis
- Consider alternative research platforms without session recording for confidential intelligence gathering
- Deploy segregated research workflows for EU/CA employees with consent-aware tools
If You're Evaluating Cbinsights
- Request a DPA with CB Insights clarifying the scope of session recording and behavioral data retention
- Verify whether CB Insights shares anonymized research patterns with technology vendors or investors
- Demand contractual prohibition on using customer research activity for CB Insights' own market intelligence products
- Assess whether CB Insights honors Do Not Track (DNT) or Global Privacy Control (GPC) signals
- Require technical documentation on cross-domain synchronization partners and data flows
- Negotiate the right to opt out of session recording and behavioral profiling while maintaining platform access
- Request deletion of all historical session recordings and behavioral tracking data
Negotiation Leverage
- CB Insights session recording (BTI-C07) during confidential research creates intelligence leakage risk—require technical opt-out from recording while maintaining platform functionality
- Cross-domain synchronization (BTI-C08) enables tracking across business intelligence platforms—demand documentation on sync partners and contractual data sharing limitations
- Tag manager (BTI-C15) enables undisclosed third-party tracking—require real-time disclosure of injected scripts and an opt-out mechanism
- Consent bypass (BTI-C09) with session recording active creates regulatory exposure—demand technical implementation of consent verification before tracking
- Behavioral biometrics (BTI-C06) during research creates detailed interest profiles—negotiate contractual prohibition on using customer research patterns for CB Insights analytics products
- Request documentation on data retention periods and whether anonymized research patterns are shared with technology vendors under analysis
- Demand contractual protection preventing CB Insights from disclosing customer research activity (M&A targets, technology evaluations) to third parties
- Negotiate maximum 30-day retention for session recordings with automated deletion and cryptographic verification
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Keystroke/mouse tracking
Impact: Captures mouse movements, scroll depth, search patterns, and interaction timing during market research activities to build profiles of user interests and competitive intelligence priorities.
Full session replay
Impact: Records complete research sessions including company searches, report views, and technology queries—potentially exposing confidential M&A due diligence or competitive analysis activities.
Identity stitching
Impact: Synchronizes user identifiers and research activity across CB Insights domains and partner sites, enabling cross-platform tracking of intelligence gathering behavior.
Ignoring CMP signals
Impact: Initializes comprehensive surveillance infrastructure before consent collection, creating automatic legal violations for research platform usage.
Container/loader (neutral)
Impact: Deploys tag management infrastructure that can dynamically inject additional tracking scripts, expanding surveillance beyond disclosed monitoring.
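The pre-consent finding and the consent-signal and loader detections above come down to two checks a defender can reproduce from their own network capture: which third-party hosts were contacted before the CMP reported consent, and which of those were pulled in by a loader script rather than by the page itself. The following is an added example, not BLACKOUT's tooling or the vendor's code; the capture, the first-party host, the CMP host and the consent timestamp are all constructed placeholders, and the initiator field stands in for what a browser's network panel or a HAR file records about what triggered each request.

```python
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Request:
    ts_ms: int       # milliseconds after navigation start
    url: str
    initiator: str   # "navigation", "parser" (a tag in the page HTML), or the script URL that issued it


# Constructed sample values; replace with data from a real capture.
FIRST_PARTY = "research-site.invalid"
CMP_HOSTS = {"cdn.cmp-vendor.invalid"}   # the consent platform's own assets are expected before consent
CONSENT_GRANTED_MS = 4200                # when the CMP reported "accept" in this constructed session

CAPTURE = [
    Request(310, "https://research-site.invalid/", "navigation"),
    Request(540, "https://cdn.cmp-vendor.invalid/cmp.js", "parser"),
    Request(610, "https://tags.vendor-a.invalid/loader.js", "parser"),
    Request(890, "https://replay.vendor-a.invalid/record?sid=abc", "https://tags.vendor-a.invalid/loader.js"),
    Request(905, "https://sync.vendor-b.invalid/match?uid=123", "https://tags.vendor-a.invalid/loader.js"),
    Request(4300, "https://analytics.vendor-c.invalid/collect", "parser"),
]


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_first_party(url, first_party=FIRST_PARTY):
    h = host_of(url)
    return h == first_party or h.endswith("." + first_party)


def pre_consent_third_party(capture, consent_ms=CONSENT_GRANTED_MS, allow=CMP_HOSTS):
    """Third-party requests issued before consent, excluding the CMP's own assets."""
    return [r for r in capture
            if r.ts_ms < consent_ms
            and not is_first_party(r.url)
            and host_of(r.url) not in allow]


def loader_children(capture):
    """Map each third-party script that initiated further requests to the hosts it pulled in.

    A non-empty result is the container/loader pattern: one script injecting others."""
    out = {}
    for r in capture:
        if r.initiator.startswith("http") and not is_first_party(r.initiator):
            out.setdefault(host_of(r.initiator), set()).add(host_of(r.url))
    return out


def report(capture, consent_ms=CONSENT_GRANTED_MS):
    flagged = pre_consent_third_party(capture, consent_ms)
    return {
        "pre_consent_hosts": sorted({host_of(r.url) for r in flagged}),
        "earliest_pre_consent_ms": min((r.ts_ms for r in flagged), default=None),
        "loader_children": {k: sorted(v) for k, v in loader_children(capture).items()},
    }


if __name__ == "__main__":
    for key, value in report(CAPTURE).items():
        print(f"{key}: {value}")
```

On the constructed capture the report flags the loader and the two hosts it injected (all before the 4200 ms consent event) while leaving the CMP script and the post-consent analytics beacon unflagged; the `allow` set is the one judgement call, since a CMP necessarily runs before consent and should not be counted as a bypass.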
IOC Manifest
Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
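Turning a manifest of this shape into the controls named above is mostly a matter of getting the host list right and remembering that a Pi-hole list is a denylist while CSP is an allowlist (an IOC host is blocked by never appearing in `script-src` or `connect-src`, not by being listed). The example below is added here and is not BLACKOUT's manifest format or tooling; the manifest contents are constructed placeholders with the four categories the text names, and the CSP matcher is a deliberately minimal one for checking the emitted policy, not a full CSP parser.

```python
from urllib.parse import urlparse

# Constructed stand-in for an IOC manifest (placeholder hosts and cookie names, not the report's data).
IOC_MANIFEST = {
    "scripts":   ["https://tags.vendor-a.invalid/loader.js", "https://replay.vendor-a.invalid/rec.js"],
    "domains":   ["sync.vendor-b.invalid"],
    "cookies":   ["_va_sid", "_vb_uid"],
    "endpoints": ["https://replay.vendor-a.invalid/record", "https://sync.vendor-b.invalid/match"],
}


def ioc_hosts(manifest):
    """Collapse scripts, endpoints and bare domains into one set of hostnames."""
    hosts = set()
    for url in manifest.get("scripts", []) + manifest.get("endpoints", []):
        hosts.add((urlparse(url).hostname or "").lower())
    for d in manifest.get("domains", []):
        hosts.add(d.lower().strip("."))
    hosts.discard("")
    return hosts


def pihole_blocklist(hosts):
    """Hosts-file style list accepted by Pi-hole's adlist importer."""
    return "\n".join(f"0.0.0.0 {h}" for h in sorted(hosts)) + "\n"


def build_csp(approved_script_hosts, approved_connect_hosts, iocs):
    """Emit an allowlist policy; refuse to emit one that would permit a known IOC host."""
    leaks = (set(approved_script_hosts) | set(approved_connect_hosts)) & set(iocs)
    if leaks:
        raise ValueError(f"approved list contains IOC hosts: {sorted(leaks)}")
    scripts = " ".join(["'self'"] + sorted(f"https://{h}" for h in approved_script_hosts))
    connects = " ".join(["'self'"] + sorted(f"https://{h}" for h in approved_connect_hosts))
    return f"default-src 'self'; script-src {scripts}; connect-src {connects}; img-src 'self' data:"


def csp_permits(policy, directive, url, first_party_origin):
    """Minimal check for exact-origin sources and 'self' (no wildcards, nonces or hashes)."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    sources = directives.get(directive) or directives.get("default-src", [])
    p = urlparse(url)
    origin = f"{p.scheme}://{p.hostname}"
    if "'self'" in sources and origin == first_party_origin:
        return True
    return origin in sources


def flagged_cookies(cookie_header, manifest):
    """Names in a Cookie header that match the manifest's cookie indicators."""
    names = {kv.split("=", 1)[0].strip() for kv in cookie_header.split(";") if kv.strip()}
    return names & set(manifest.get("cookies", []))


if __name__ == "__main__":
    hosts = ioc_hosts(IOC_MANIFEST)
    print(pihole_blocklist(hosts))
    print(build_csp(["cdn.cmp-vendor.invalid"], ["cdn.cmp-vendor.invalid"], hosts))
```

`build_csp` raising on an approved host that is also an indicator is the useful part: it catches the common mistake of allowlisting a vendor's CDN wholesale, which would let the loader script back in regardless of the blocklist.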
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
81 detection signatures across scripts, domains, cookies, and network endpoints