How This Briefing Works
This report opens with key findings, then maps the gaps between what Dstillery discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Pre-Consent Activity
Dstillery was observed loading and executing before user consent was obtained on 11% of sites where it was detected.
Claims vs. Observed Behavior
pending
“Unknown”
Requires claims extraction via CDT
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use Dstillery
- Audit Dstillery audience segment syndication contracts and prohibit competitor access to custom audiences derived from your traffic
- Disable Dstillery behavioral biometrics and session recording features to minimize data enrichment depth
- Review DPA for audience data sharing restrictions and enforce strict prohibitions on competitor targeting
- Implement consent-conditional Dstillery load to prevent pre-acceptance behavioral capture
- Establish audience segment retention limits and require regular purging of visitor behavioral profiles
If You're Evaluating Dstillery
- Question business necessity of Dstillery deployment given 90% CAC subsidization from audience syndication to competitors
- Require contractual guarantee that custom audiences derived from your traffic are never sold to direct competitors
- Verify Dstillery does not employ session recording or behavioral biometrics without explicit consent
- Assess alternative audience targeting approaches (first-party data enrichment, contextual targeting) that do not feed competitor networks
- Demand significant pricing concessions or consider removal given primary purpose is external data monetization
Negotiation Leverage
- VRS 80 classification with 90% CAC subsidization justifies immediate removal or 60% discount with competitor exclusion guarantees
- 100% legal tail risk demands indemnification for session recording consent failures and behavioral biometrics processing violations
- Require contractual guarantee that custom audiences derived from your traffic include competitor exclusion lists
- Request quarterly reporting on which advertisers have accessed Dstillery segments derived from your visitor data
- Negotiate audience syndication scope limits (demographic only, no behavioral) or revenue sharing from external audience monetization
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Evasion infrastructure, auditor bypass
Impact: Dstillery tracking pixels fire before consent acceptance to capture maximum behavioral data for audience modeling.
Keystroke/mouse tracking
Impact: Mouse movements, scroll patterns, and interaction timing captured to build engagement scoring and audience quality models.
Full session replay
Impact: DOM capture and interaction replay used to identify high-intent visitors for custom audience segment creation.
Ignoring CMP signals
Impact: Dstillery maintains behavioral tracking after consent rejection, claiming legitimate interest for audience research.
Device identification
Impact: Browser fingerprinting used to reconnect visitors across properties for longitudinal audience segment assignment.
IOC Manifest
Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
78 detection signatures across scripts, domains, cookies, and network endpoints