All Vendors
platform

Google Cloud

Google Cloud platform scripts deploy comprehensive surveillance infrastructure when embedded, combining fingerprinting, session recording, cross-domain sync, and tag manager abuse.

60 IOCs269 detections6% pre-consent260 sites
90
Vendor Risk Score

How This Briefing Works

This report opens with key findings, then maps the gaps between what Google Cloud discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

Key Findings

269 detections across 260 sites6% pre-consent activity
MEDIUM

Pre-Consent Activity

Google Cloud was observed loading and executing before user consent was obtained on 6% of sites where it was detected.

GDPRePrivacy
Disclosure Gaps

Claims vs. Observed Behavior

1 gaps

Pending Analysis

UNKNOWN
They Claim

Claims extraction pending

Observed Behavior

CDT analysis required for GCP Terms, Cloud Data Processing Addendum, and privacy disclosures

Customer Impact

What This Means For You

Sites embedding GCP inherit Google's cross-product tracking network from first SDK load. Identity resolution links site visitors to Google advertising profiles. Persistent storage abuse creates long-term tracking liability. GTM exploitation enables surveillance beyond declared GCP services. GDPR exposure if GCP loads before consent.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Google Cloud

  • Audit GCP Cloud Data Processing Addendum for fingerprinting restrictions and cross-product data sharing limits
  • Review privacy policy for GCP tracking disclosures separate from core service functionality
  • Assess GTM integration for undeclared tracking tags loaded via GCP libraries
  • Map persistent storage usage by GCP SDKs and retention policies

If You're Evaluating Google Cloud

  • Server-side GCP integration options to eliminate client-side surveillance SDKs
  • Alternative cloud providers with minimal tracking footprint (AWS, Azure, DigitalOcean)
  • Client-side SDK sandboxing to prevent cross-domain sync and GTM abuse
  • Consent-gated GCP loading architecture

Negotiation Leverage

  • GCP Data Processing Addendum permits Google to use customer data for service improvement but lacks clear limits on cross-product identity resolution
  • Client-side fingerprinting and behavioral tracking not disclosed in GCP service documentation, discovered via runtime detection
  • GTM abuse patterns suggest undeclared tag injection beyond customer-configured tracking
  • Persistent storage tactics exceed functional requirements for cloud services, indicate long-term profiling infrastructure
Runtime Detections

Runtime Detections

9 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C01Defeat Device

Evasion infrastructure, auditor bypass

Impact: GCP scripts employ obfuscation and anti-detection to conceal tracking embedded within cloud service functions.

BTI-C06Behavioral Biometrics

Keystroke/mouse tracking

Impact: Captures interaction patterns and timing signatures across GCP service usage for cross-product user profiling.

BTI-C07Session Recording

Full session replay

Impact: Records page activity and cloud service interactions beyond functional requirements for platform services.

BTI-C08Cross-Domain Sync

Identity stitching

Impact: Synchronizes device fingerprints and user identifiers across Google properties and GCP customer sites.

BTI-C09Consent Bypass

Ignoring CMP signals

Impact: Tracking initiates on GCP SDK initialization, before cloud service interaction or user consent signal.

BTI-C10Fingerprinting

Device identification

Impact: Collects browser, device, and behavioral fingerprints tied to Google account identifiers and GCP service usage.

BTI-C13Persistence Mechanisms

Long-lived identifiers

Impact: Deploys localStorage, IndexedDB, and cache-based storage to maintain tracking identifiers across sessions and browser restarts.

BTI-C14Identity Resolution

PII deanonymization

Impact: Links GCP device fingerprints to Google's cross-product identity graph, enabling persistent tracking across web.

BTI-C15Tag Manager

Container/loader (neutral)

Impact: Exploits GTM infrastructure when present to deploy additional tracking beyond declared GCP service requirements.

IOC Manifest

IOC Manifest

45 INDICATORS

Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

EXFIL
*apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.AKdz2vhcyW0.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo_GPfyZPmTuYcbMXzJr0yr8Akk4Tw/cb=gapi.loaded_0*
Data collection endpoint
EXFIL
*apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.AKdz2vhcyW0.O/m=client/exm=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo_GPfyZPmTuYcbMXzJr0yr8Akk4Tw/cb=gapi.loaded_1*
Data collection endpoint
EXFIL
*apis.google.com/js/googleapis.proxy.js*
Data collection endpoint
EXFIL
*apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.AKdz2vhcyW0.O/m=googleapis_proxy/rt=j/sv=1/d=1/ed=1/rs=AHpOoo_GPfyZPmTuYcbMXzJr0yr8Akk4Tw/cb=gapi.loaded_0*
Data collection endpoint
Ecosystem

Ecosystem & Supply Chain

Google Cloud Platform serves millions of websites with Firebase, Cloud Storage, and API services, embedding Google's surveillance infrastructure as unavoidable dependency for modern web development.
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

60 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details