How This Briefing Works
This report opens with key findings, then maps the gaps between what Drift discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Pre-Consent Activity
Drift was observed loading and executing before user consent was obtained on 32% of sites where it was detected.
Claims vs. Observed Behavior
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use Drift
- Implement consent-conditional Drift widget load to prevent pre-interaction tracking initialization
- Disable Drift cross-domain sync and require strict first-party visitor ID isolation
- Audit Drift tracking to verify no behavioral capture occurs before chat interaction
- Review DPA for chat data sharing restrictions and enforce conversation data isolation
- Establish post-rejection tracking controls to ensure Drift ceases all surveillance after consent denial
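The first and last actions above (consent-conditional load, cessation after rejection) as an added example; this is not Drift's or BLACKOUT's code. The CMP consent-object shape, the purpose name, the script URL and the cookie names are assumptions, so the gate takes its side effects as parameters and can be exercised without a DOM.

```javascript
// Consent gate for a third-party chat widget: inject the vendor script only after
// the CMP records an explicit grant, and tear vendor state down if the grant is withdrawn.
// Assumptions: purpose name, script URL and cookie names are placeholders, not Drift's values.
const REQUIRED_PURPOSE = 'functional_chat';                              // assumed CMP purpose
const WIDGET_SRC = 'https://VENDOR_SCRIPT_URL_PLACEHOLDER/widget.js';    // placeholder URL
const VENDOR_COOKIES = ['VENDOR_COOKIE_PLACEHOLDER'];                    // placeholder names

// Pure decision: load only on a current, explicit grant. Pending or unknown state never loads.
function shouldLoadWidget(consent) {
  if (!consent || consent.status !== 'decided') return false;
  return Array.isArray(consent.granted) && consent.granted.includes(REQUIRED_PURPOSE);
}

// Side effects are injected so the gate is unit-testable; `loaded` makes it idempotent.
function createWidgetGate({ injectScript, teardown }) {
  let loaded = false;
  return {
    onConsentChange(consent) {
      const allowed = shouldLoadWidget(consent);
      if (allowed && !loaded) {
        loaded = true;
        injectScript(WIDGET_SRC);   // third-party code executes only from this point
      } else if (!allowed && loaded) {
        loaded = false;
        teardown();                 // grant withdrawn: remove the widget and its identifiers
      }
      return loaded;
    },
    isLoaded() { return loaded; },
  };
}

// Browser wiring (assumed DOM helpers; wire these to the gate in page code).
function domInject(src) {
  const s = document.createElement('script');
  s.async = true;
  s.src = src;
  document.head.appendChild(s);
}
function domTeardown() {
  for (const s of document.querySelectorAll(`script[src="${WIDGET_SRC}"]`)) s.remove();
  for (const name of VENDOR_COOKIES) {
    document.cookie = `${name}=; Max-Age=0; path=/`;   // expire the vendor's first-party cookies
  }
}
```

In page code, subscribe `gate.onConsentChange` to the CMP's consent-change event instead of placing the vendor snippet unconditionally in the document head.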
If You're Evaluating Drift
- Request Drift deployment without cross-domain visitor ID synchronization across customer network
- Require contractual prohibition on chat engagement data sharing with demand generation networks
- Verify Drift widget does not initialize tracking libraries before user interaction with chat interface
- Assess alternative chat vendors (Intercom with privacy controls, self-hosted solutions) for comparison
- Demand pricing concessions reflecting restricted deployment without cross-property tracking
Negotiation Leverage
- VRS 80 classification with 80% CAC subsidization justifies 35% discount if cross-domain sync is permanently disabled
- 85% legal tail risk demands indemnification for consent bypass violations and post-rejection tracking
- Require contractual guarantee that Drift visitor IDs remain property-specific and do not feed cross-customer intelligence
- Request monthly attestation that chat engagement data does not feed external demand networks or Drift network targeting
- Negotiate data retention limits (30 days maximum) and right to audit Drift cross-property visitor graphs
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Evasion infrastructure, auditor bypass
Impact: Drift chat widget continues behavioral tracking in background even when minimized or after consent rejection.
Identity stitching
Impact: Drift visitor IDs synchronized across all customer properties using the platform, enabling cross-site chat behavior correlation.
Ignoring CMP signals
Impact: Drift tracking infrastructure loads before consent acceptance and maintains persistent visitor identification after rejection.
Device identification
Impact: Browser fingerprinting used to reconnect chat sessions across devices and visits, bypassing cookie controls.
IOC Manifest
Indicators of compromise across 6 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
31 detection signatures across scripts, domains, cookies, and network endpoints