Google Gemini

Google's Gemini AI platform exhibits maximum-severity data sharing and consent violations across 9 BTI threat categories, including defeat device techniques and behavioral capture.

42 IOCs · 269 detections · 6% pre-consent · 260 sites

Vendor Risk Score: 90

How This Briefing Works

This report opens with key findings, then maps the gaps between what Google Gemini discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

269 detections across 260 sites · 6% pre-consent activity

Severity: MEDIUM

Pre-Consent Activity

Google Gemini was observed loading and executing before user consent was obtained on 6% of sites where it was detected.

GDPR, ePrivacy
Disclosure Gaps

Claims vs. Observed Behavior

1 gap · pending · UNKNOWN
They Claim

Requires claims extraction via CDT

Observed Behavior

Live website analysis pending

Customer Impact

What This Means For You

Sites deploying Gemini face maximum regulatory exposure due to 9-category BTI violations spanning consent, biometrics, and cross-domain tracking. The 100% broker score means all user interactions with AI features subsidize Google's competitive intelligence. Privacy-forward buyers will flag this as disqualifying.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You're Evaluating Google Gemini

  • Self-hosted LLM alternatives
  • Anthropic Claude API (no training on customer data)
  • OpenAI API with zero-retention configuration

Negotiation Leverage

  • Google cannot contractually limit data usage — their business model requires cross-platform profiling and advertising integration
  • Consent bypass mechanisms (C01, C09) create strict liability regardless of DPA terms
  • Behavioral biometrics and session recording trigger GDPR Article 9 special category requirements that standard agreements do not address
  • Demand signal leakage (100% broker score) subsidizes competitors using Google advertising products
Runtime Detections

9 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C01 Defeat Device

Evasion infrastructure, auditor bypass

Impact: Active evasion of consent mechanisms ensures tracking proceeds regardless of user choices, creating strict liability under consent frameworks.

BTI-C06 Behavioral Biometrics

Keystroke/mouse tracking

Impact: Interaction pattern capture with AI-powered analysis enables persistent re-identification even after identifier deletion.

BTI-C07 Session Recording

Full session replay

Impact: User interactions with Gemini interfaces captured and transmitted to Google for training data and behavioral profiling.

BTI-C08 Cross-Domain Sync

Identity stitching

Impact: Gemini user IDs synchronized across Google properties, enabling cross-site tracking and profile enrichment.

BTI-C09 Consent Bypass

Ignoring CMP signals

Impact: Data collection initiates before consent frameworks load, capturing pre-consent user behavior.

BTI-C10 Fingerprinting

Device identification

Impact: Browser and device characteristics harvested to create persistent identifiers independent of cookie consent.

BTI-C13 Persistence Mechanisms

Long-lived identifiers

Impact: Multiple storage mechanisms (localStorage, indexedDB, cache) ensure identifier survival across browser sessions and clearing attempts.

BTI-C14 Identity Resolution

PII deanonymization

Impact: Gemini user activity linked to Google advertising profiles, enabling deterministic cross-platform tracking.

BTI-C15 Tag Manager

Container/loader (neutral)

Impact: Google Tag Manager used to load Gemini tracking outside consent scope, evading blocking attempts.

IOC Manifest

28 INDICATORS

Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

EXFIL: *apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.AKdz2vhcyW0.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo_GPfyZPmTuYcbMXzJr0yr8Akk4Tw/cb=gapi.loaded_0* (Data collection endpoint)

TRACK: *www.google.com/js/bg/H1SV16u4dKKjuJc2YQubhYEbJS74uJJ3AMkBw8RbP_k.js* (Tracking script)
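As an added example, not part of this briefing or of BLACKOUT's tooling, the script below turns the two wildcard indicators listed above into detection rules over a request log and shows which hosts a domain-level blocklist (Pi-hole style) would have to cover. The request URLs are constructed sample data, not captured traffic; the function names are this example's own.

```python
import re
from fnmatch import translate
from urllib.parse import urlsplit

# Wildcard indicators as published in the manifest above (category -> pattern).
IOCS = {
    "EXFIL": "*apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.AKdz2vhcyW0.O"
             "/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1"
             "/rs=AHpOoo_GPfyZPmTuYcbMXzJr0yr8Akk4Tw/cb=gapi.loaded_0*",
    "TRACK": "*www.google.com/js/bg/H1SV16u4dKKjuJc2YQubhYEbJS74uJJ3AMkBw8RbP_k.js*",
}

# Constructed request log (e.g. the URLs pulled out of a HAR file); not real traffic.
REQUESTS = [
    "https://www.example-site.test/index.html",
    "https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.AKdz2vhcyW0.O"
    "/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1"
    "/rs=AHpOoo_GPfyZPmTuYcbMXzJr0yr8Akk4Tw/cb=gapi.loaded_0",
    "https://www.google.com/js/bg/H1SV16u4dKKjuJc2YQubhYEbJS74uJJ3AMkBw8RbP_k.js",
    "https://www.google.com/recaptcha/api.js",   # same host, matches no indicator
]


def compile_iocs(iocs):
    """Compile each wildcard pattern into an anchored regex.

    fnmatch.translate maps '*' to '.*' (it is not path-aware), which is exactly
    what these manifest patterns expect: the leading '*' absorbs the scheme,
    the trailing '*' absorbs any query string.
    """
    return {cat: re.compile(translate(pat)) for cat, pat in iocs.items()}


def match_requests(urls, iocs=IOCS):
    """Return (category, url) for every request that matches an indicator."""
    compiled = compile_iocs(iocs)
    hits = []
    for url in urls:
        for cat, rx in compiled.items():
            if rx.match(url):
                hits.append((cat, url))
    return hits


def blocklist_hosts(iocs=IOCS):
    """Hosts a domain-level blocklist would have to block to cover these
    path-level indicators. Strip the leading wildcard and add a scheme so
    urlsplit can parse the host."""
    hosts = {urlsplit("https://" + pat.lstrip("*")).hostname for pat in iocs.values()}
    return sorted(hosts)


def collateral(urls, iocs=IOCS):
    """Requests that a domain-level block would also stop although they match
    no indicator; this is the cost of enforcing path-level IOCs at DNS."""
    hosts = set(blocklist_hosts(iocs))
    flagged = {u for _, u in match_requests(urls, iocs)}
    return [u for u in urls if urlsplit(u).hostname in hosts and u not in flagged]


if __name__ == "__main__":
    for cat, url in match_requests(REQUESTS):
        print(f"{cat}: {url}")
    print("domain-level block would need:", blocklist_hosts())
    print("and would also stop:", collateral(REQUESTS))
```

The point for a practitioner: these indicators are full URL paths, so they are usable as-is in a proxy or EDR detection rule that sees the complete URL, but a DNS-level list such as Pi-hole only sees the host, and CSP host-sources are likewise origin-based; enforcing them there means blocking apis.google.com and www.google.com outright, which stops unrelated requests on the same hosts (the reCAPTCHA call in the sample log). Decide per control whether path-level detection or host-level blocking is what you actually want.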
Ecosystem

Ecosystem & Supply Chain

Gemini represents Google's strategic integration of AI interfaces with surveillance infrastructure, positioning the company to capture conversational user data as the next frontier beyond traditional web tracking.
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

42 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details