How This Briefing Works
This report opens with key findings, then maps the gaps between what Hginsights discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Pre-Consent Activity
Hginsights was observed loading and executing before user consent was obtained on 14% of sites where it was detected.
Pending Analysis
7 BTI behavioral codes detected across 28 instances on 26 sites. Full claims extraction required for gap analysis.
Claims vs. Observed Behavior
Pending Analysis
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use Hginsights
- Audit which of the 40 HG Insights scripts load on your pages and verify each serves a legitimate technographic purpose
- Review your data processing agreement with HG Insights for disclosures about behavioral biometrics, session recording, and identity resolution
- Verify your CMP correctly manages all HG Insights scripts — the tag manager capability (C15) means new scripts may load dynamically
- Update your privacy policy to disclose behavioral data collection and identity resolution if you continue using HG Insights
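One way to carry out the first and third actions above (inventory the vendor scripts that actually execute on a page, and catch tag-manager injections that land before the CMP grants consent) is an in-page audit hook plus an offline classifier over the timeline it records. This is an added example, not BLACKOUT's or HG Insights' code; the vendor host pattern, the event shape, and the sample timeline are constructed assumptions, and you would substitute the hosts from your own IOC list.

```javascript
// Added example: audit third-party script loads against the consent timestamp.
// Vendor host patterns are placeholders, NOT real IOCs from the briefing.
const VENDOR_HOST_PATTERNS = [/(^|\.)vendor-example\.com$/];

function hostOf(url) {
  try { return new URL(url).hostname; } catch (e) { return ''; }
}

function isVendorScript(url) {
  const host = hostOf(url);
  return VENDOR_HOST_PATTERNS.some((p) => p.test(host));
}

// events: [{type:'script', url, t, dynamic}, ..., {type:'consent', t}]
// 't' is a millisecond timestamp; 'dynamic' marks scripts injected after
// initial parse (the tag-manager case). Returns vendor loads split by consent.
function auditScriptLoads(events) {
  const consent = events.find((e) => e.type === 'consent');
  const consentAt = consent ? consent.t : Infinity; // no consent event => everything is pre-consent
  const result = { preConsent: [], postConsent: [], dynamicPreConsent: 0 };
  for (const e of events) {
    if (e.type !== 'script' || !isVendorScript(e.url)) continue;
    if (e.t < consentAt) {
      result.preConsent.push(e.url);
      if (e.dynamic) result.dynamicPreConsent += 1;
    } else {
      result.postConsent.push(e.url);
    }
  }
  return result;
}

// Browser-side hook (assumed deployment): records every <script src> already
// in the document, then watches the DOM for scripts injected later.
// Returns null outside a browser so the classifier above can be used alone.
function installScriptObserver(events, now = () => Date.now()) {
  if (typeof MutationObserver === 'undefined' || typeof document === 'undefined') return null;
  for (const s of document.scripts) {
    if (s.src) events.push({ type: 'script', url: s.src, t: now(), dynamic: false });
  }
  const observer = new MutationObserver((mutations) => {
    for (const m of mutations) {
      for (const n of m.addedNodes) {
        if (n.tagName === 'SCRIPT' && n.src) {
          events.push({ type: 'script', url: n.src, t: now(), dynamic: true });
        }
      }
    }
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return observer;
}

// Constructed sample timeline (not captured data): two vendor scripts and one
// first-party script load before the CMP fires consent at t=1200.
const SAMPLE_EVENTS = [
  { type: 'script', url: 'https://cdn.vendor-example.com/loader.js', t: 100, dynamic: false },
  { type: 'script', url: 'https://cdn.vendor-example.com/fp.js', t: 250, dynamic: true },
  { type: 'script', url: 'https://static.first-party-example.com/app.js', t: 300, dynamic: false },
  { type: 'consent', t: 1200 },
  { type: 'script', url: 'https://cdn.vendor-example.com/replay.js', t: 1500, dynamic: true },
];

console.log(JSON.stringify(auditScriptLoads(SAMPLE_EVENTS), null, 2));
```

In a real deployment, call `installScriptObserver(events)` as early as possible (before the tag manager's loader), push `{ type: 'consent', t: Date.now() }` from your CMP's consent callback, and ship `events` to your own endpoint; `auditScriptLoads` then tells you which vendor scripts, and how many dynamically injected ones, ran before consent on each page view.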
If You're Evaluating Hginsights
- Assess whether you actually need client-side technology detection or if HG Insights' API-based products would meet your needs without the behavioral capture
- Request HG Insights' complete data processing documentation covering all 7 detected BTI behavioral capabilities
- Evaluate alternative technographic providers (BuiltWith, Wappalyzer) with smaller client-side footprints
- Conduct a DPIA for HG Insights' behavioral biometrics (C06) and identity resolution (C14) capabilities — these likely trigger mandatory assessment requirements
Negotiation Leverage
- 40 scripts for technology detection is indefensible — standard technographic vendors require 1-3 scripts. Demand technical justification for each script
- Behavioral biometrics (C06) and session recording (C07) have zero legitimate technographic purpose — demand contractual prohibition on behavioral data collection beyond technology detection
- Identity resolution (C14) means your visitor data enriches HG Insights' commercial products sold to competitors — demand exclusion of your visitor data from resale products or negotiate data licensing revenue share
- 7 BTI behavioral codes for a technology intelligence vendor represents the widest gap between stated purpose and observed behavior in this batch — use this disclosure gap as primary negotiation leverage
- Tag manager capability (C15) means HG Insights can expand its data collection without your knowledge — demand contractual notification requirements for any changes to deployed scripts
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Evasion infrastructure, auditor bypass
Impact: Evasion infrastructure means HG Insights can modify behavior during privacy audits, hiding the full scope of its 40-script data collection from compliance assessments.
Keystroke/mouse tracking
Impact: Keystroke and mouse movement tracking from a technology intelligence vendor has no legitimate technographic purpose. This indicates behavioral profiling capabilities that extend far beyond detecting what technology a company uses.
Full session replay
Impact: Full session replay from a data enrichment vendor means your visitors' complete browsing sessions are captured to feed HG Insights' intelligence products. This transforms your site into a behavioral data collection point for a commercial database.
Ignoring CMP signals
Impact: Pre-consent firing at 14% of deployments means approximately 1 in 7 sites experience unauthorized data collection. With 40 scripts per deployment, each pre-consent load triggers extensive unauthorized behavioral capture.
Device identification
Impact: Device fingerprinting creates persistent visitor identification independent of cookies, enabling HG Insights to track and identify visitors across sessions even after they clear their browser data.
PII deanonymization
Impact: PII deanonymization from a data enrichment vendor is the most significant finding. HG Insights can resolve your anonymous visitors to real identities and companies, feeding this data into commercial intelligence products available to anyone willing to pay — including your competitors.
Container/loader (neutral)
Impact: Tag management capabilities mean HG Insights can dynamically load additional tracking scripts, expanding its data collection footprint beyond what was initially deployed or authorized.
IOC Manifest
Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
228 detection signatures across scripts, domains, cookies, and network endpoints