How This Briefing Works
This report opens with key findings, then maps the gaps between what DoubleVerify discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Pre-Consent Activity
DoubleVerify was observed loading and executing before user consent was obtained on 47% of the sites where it was detected.
Claims vs. Observed Behavior
pending
“Unknown”
Requires claims extraction via CDT
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use DoubleVerify
- →Audit the DoubleVerify deployment to verify that its fraud-detection scope is limited to ad viewability, not site-wide visitor tracking
- →Disable cross-campaign identity synchronization and require campaign-specific isolation of fraud verification
- →Review the DPA for behavioral data sharing restrictions and prohibit visitor authenticity signals from feeding demand networks
- →Load DoubleVerify only after consent is obtained, or verify that the legitimate-interest legal basis is properly documented
- →Set fraud-detection data retention limits to prevent long-term accumulation of behavioral profiles
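The consent-conditional load recommended above, written out as an added example; this is not DoubleVerify's tag and not BLACKOUT's code. It assumes an IAB TCF v2.x consent management platform exposing window.__tcfapi; the required purpose IDs, the optional vendor ID and the script URL are placeholders. The pre-consent pattern the report flags is a tag injected unconditionally in the page head; the gate below defers injection until the CMP reports a final consent state.

```javascript
// Consent-conditional vendor tag loader. Added example, not DoubleVerify's tag or
// BLACKOUT's code. Assumes an IAB TCF v2.x CMP exposing window.__tcfapi.
// The purpose IDs, vendor ID and script URL below are placeholders (assumptions).

const REQUIRED_PURPOSES = [1, 7]; // TCF purpose 1 (store/access device info), 7 (measure ad performance): assumed set
const VENDOR_SCRIPT_URL = 'https://tag.vendor.invalid/tag.js'; // placeholder on the reserved .invalid TLD

// True only when the CMP reports a *final* consent state that grants every required
// purpose (and the vendor, if a TCF vendor ID is supplied). Interim events such as
// 'cmpuishown' never unlock the load: that is exactly the pre-consent window the report flags.
function consentGranted(tcData, requiredPurposes, vendorId) {
  if (!tcData || typeof tcData !== 'object') return false;
  const isFinal = tcData.eventStatus === 'tcloaded' || tcData.eventStatus === 'useractioncomplete';
  if (!isFinal) return false;
  if (tcData.gdprApplies === false) return true; // assumption: outside GDPR scope, no consent gate required
  const purposeConsents = (tcData.purpose && tcData.purpose.consents) || {};
  if (!requiredPurposes.every((p) => purposeConsents[p] === true)) return false;
  if (vendorId !== undefined) {
    const vendorConsents = (tcData.vendor && tcData.vendor.consents) || {};
    return vendorConsents[vendorId] === true;
  }
  return true;
}

// Subscribes to the CMP and injects the vendor script at most once, only after consent.
// `tcfapi` is the CMP's __tcfapi function; `inject(url)` does the actual <script>
// insertion and is passed in so the gate can be exercised without a DOM.
// Returns the gate state so callers (or tests) can inspect every decision taken.
function gateVendorLoad(tcfapi, inject, opts = {}) {
  const purposes = opts.requiredPurposes || REQUIRED_PURPOSES;
  const url = opts.url || VENDOR_SCRIPT_URL;
  const state = { loaded: false, decisions: [] };
  tcfapi('addEventListener', 2, (tcData, success) => {
    const ok = success === true && consentGranted(tcData, purposes, opts.vendorId);
    state.decisions.push({ eventStatus: tcData ? tcData.eventStatus : undefined, ok });
    if (ok && !state.loaded) {
      state.loaded = true;
      inject(url);
    }
  });
  return state;
}

// Browser-side injector: the only place the tag reaches the page.
function injectScriptTag(url) {
  const s = document.createElement('script');
  s.src = url;
  s.async = true;
  document.head.appendChild(s);
}

// Constructed CMP stub for offline runs: replays a scripted sequence of TC data events
// to whoever registers a listener, the way a real CMP would as the user interacts.
function makeFakeCmp(events) {
  return function fakeTcfApi(command, version, callback) {
    if (command !== 'addEventListener' || version !== 2) throw new Error('unsupported command');
    for (const ev of events) callback(ev, true);
  };
}

// In a page (placeholder wiring): gateVendorLoad(window.__tcfapi, injectScriptTag);
```

Because the decision is taken inside the CMP's own event stream, a later consent withdrawal still does not unload an already-injected script; pair the gate with the retention and scope limits in the list above rather than treating it as sufficient on its own.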
If You're Evaluating DoubleVerify
- →Request a DoubleVerify deployment with strict campaign-level isolation and no cross-site visitor tracking
- →Require a contractual guarantee that fraud-detection data does not feed programmatic demand networks or audience targeting
- →Verify that DoubleVerify behavioral biometrics are limited to bot detection, not visitor engagement scoring
- →Assess alternative fraud-detection vendors with transparent data isolation and minimal behavioral capture
- →Demand pricing concessions reflecting a restricted deployment without cross-campaign identity resolution
Negotiation Leverage
- →VRS 80 classification with 100% CAC subsidization justifies a significant discount if cross-campaign identity sync is disabled
- →A 55% legal tail risk from consent-bypass claims demands a documented legitimate-interest assessment and verification of GDPR Article 6 compliance
- →Require a contractual guarantee that visitor authenticity signals remain campaign-specific and do not feed external demand networks
- →Request quarterly attestation that fraud-detection data does not enable cross-site visitor tracking beyond the verification scope
- →Negotiate fraud-detection scope limits (viewability only, no behavioral biometrics) and data-retention restrictions (7 days maximum)
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Keystroke/mouse tracking
Impact: Mouse movements, scroll patterns, and interaction timing captured for bot detection algorithms, creating behavioral profiles beyond fraud verification.
Full session replay
Identity stitching
Impact: Visitor authenticity IDs synchronized across advertising campaigns to track fraud patterns, enabling cross-site behavior correlation.
Ignoring CMP signals
Impact: DoubleVerify loads fraud detection infrastructure before consent acceptance, claiming operational necessity exemption.
PII deanonymization
Impact: Probabilistic identity matching used to reconnect visitors across campaigns for fraud pattern detection, creating persistent cross-site tracking.
Container/loader (neutral)
Impact: DoubleVerify tag infrastructure coordinates fraud detection pixels across advertising platforms, creating comprehensive campaign-level surveillance.
IOC Manifest
Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
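How a manifest of this shape is turned into the three artifacts named above, as an added example; this is not BLACKOUT's code, and the SAMPLE_MANIFEST is constructed for illustration from reserved .invalid hostnames and made-up cookie names, with no real DoubleVerify indicators. One caveat a practitioner will want: Content-Security-Policy is an allowlist, so an IOC host cannot be blocked by adding it to a policy; the useful check is the inverse, finding which sources in an existing policy would still admit the host.

```javascript
// Turning an IOC manifest into blocking and detection artifacts. Added example, not
// BLACKOUT's code. SAMPLE_MANIFEST is constructed for illustration with reserved
// .invalid hostnames and made-up cookie names; it contains no real DoubleVerify indicators.

const SAMPLE_MANIFEST = {
  domains: ['tag.vendor-a.invalid', 'cdn.vendor-a.invalid'],
  scripts: ['https://cdn.vendor-a.invalid/tag.js'],
  endpoints: ['https://tag.vendor-a.invalid/collect', 'https://sync.vendor-b.invalid/id'],
  cookies: ['_va_id', '_va_sess'],
};

// Every hostname the manifest names, whether listed directly or embedded in a URL.
function iocHosts(manifest) {
  const hosts = new Set((manifest.domains || []).map((d) => d.toLowerCase()));
  for (const u of [...(manifest.scripts || []), ...(manifest.endpoints || [])]) {
    hosts.add(new URL(u).hostname.toLowerCase());
  }
  return [...hosts].sort();
}

// Pi-hole accepts hosts-format lists: "0.0.0.0 <host>", one host per line.
function toPiholeBlocklist(manifest) {
  return iocHosts(manifest).map((h) => `0.0.0.0 ${h}`).join('\n') + '\n';
}

// Split a Content-Security-Policy header into directive -> source list.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Does one CSP source expression permit `host`? Handles '*', bare http(s)/ws(s)
// schemes (https: permits every https host), scheme/port/path decoration, and
// '*.example' wildcards (which, per spec, do not match the bare 'example').
function hostSourceMatches(source, host) {
  const s = source.toLowerCase();
  if (s.startsWith("'")) return false;                       // 'self', 'none', nonces, hashes
  if (s === '*') return true;
  if (/^(https?|wss?):$/.test(s)) return true;               // bare network scheme
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return false;          // data:, blob: etc. name no host
  const bare = s.replace(/^[a-z][a-z0-9+.-]*:\/\//, '').replace(/(:\d+|:\*)?(\/.*)?$/, '');
  if (bare.startsWith('*.')) return host.endsWith(bare.slice(1));
  return bare === host;
}

// CSP audit: which sources in the policy would still admit an IOC host.
// Fetch directives fall back to default-src when absent, as browsers do.
function auditCsp(policy, manifest, directives = ['script-src', 'connect-src', 'img-src']) {
  const csp = parseCsp(policy);
  const findings = [];
  for (const directive of directives) {
    const sources = csp[directive] || csp['default-src'] || [];
    for (const host of iocHosts(manifest)) {
      for (const source of sources) {
        if (hostSourceMatches(source, host)) findings.push({ directive, source, host });
      }
    }
  }
  return findings;
}

// Detection rule for proxy or browser request logs: flag a request by IOC host,
// endpoint prefix, or cookie name present on the outgoing Cookie header.
function matchRequest(manifest, url, cookieHeader = '') {
  const host = new URL(url).hostname.toLowerCase();
  const hits = [];
  if (iocHosts(manifest).includes(host)) hits.push(`domain:${host}`);
  for (const e of manifest.endpoints || []) if (url.startsWith(e)) hits.push(`endpoint:${e}`);
  const names = cookieHeader.split(';').map((c) => c.trim().split('=')[0]).filter(Boolean);
  for (const c of manifest.cookies || []) if (names.includes(c)) hits.push(`cookie:${c}`);
  return hits;
}
```

A policy carrying a bare `https:` in connect-src admits every IOC host at once, which is the finding such an audit most often turns up; the wildcard form `https://*.vendor-a.invalid` admits only the subdomains, never the apex.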
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
100 detection signatures across scripts, domains, cookies, and network endpoints