How This Briefing Works
This report opens with key findings, then maps the gaps between what Humansecurity discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Pre-Consent Activity
Humansecurity was observed loading and executing before user consent was obtained on 58% of sites where it was detected.
Claims vs. Observed Behavior
- Category: consent
- Vendor claim: “Unknown - requires claims extraction via CDT”
- Observed behavior: Deploys identity resolution + pre-consent tracking for fraud detection
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use Humansecurity
- Document a legitimate interest assessment under GDPR Article 6(1)(f): fraud prevention necessity vs. privacy impact
- Configure privacy-safe fraud detection: server-side analysis, post-consent client-side fingerprinting
- Contact the vendor: request consent-first integration documentation or liability assumption
If You're Evaluating Humansecurity
- Assess fraud detection necessity: quantify bot traffic impact vs. consent violation risk
- Evaluate privacy-safe alternatives: server-side bot detection, CAPTCHA (no pre-consent fingerprinting), consent-first fraud platforms
- If pre-consent loading is unavoidable: document a legitimate interest assessment, implement data minimization, provide transparent disclosure
Negotiation Leverage
- Humansecurity creates consent liability through pre-consent deployment despite its legitimate security purpose
- A legitimate interest defense is possible under GDPR Article 6(1)(f) for fraud detection, but it does not override the ePrivacy Directive consent requirement for cookies/tracking
- The vendor must provide a consent-first architecture, accept 100% liability, or support customer legitimate interest documentation
- Security necessity does not exempt a vendor from privacy compliance - many fraud vendors offer consent-first or server-side detection alternatives
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Ignoring CMP signals
Impact: Fraud detection tracking loads before the user has an opportunity to consent, creating a per-visitor GDPR Article 7 violation. A security purpose does not exempt the vendor from consent requirements - the ePrivacy Directive applies to all tracking regardless of intent.
PII deanonymization
Impact: Device fingerprinting for fraud detection constitutes personal data processing without consent. While a legitimate interest defense is possible under GDPR Article 6(1)(f) for security, pre-consent deployment still violates Article 7 consent requirements and ePrivacy cookie rules.
IOC Manifest
Indicators of compromise across 3 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
109 detection signatures across scripts, domains, cookies, and network endpoints