How This Briefing Works
This report opens with key findings, then maps the gaps between what Infillion discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Claims vs. Observed Behavior
Status: pending (“Unknown”; requires claims extraction via CDT).
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use Infillion
- Demand transparency on cross-device matching methodology and false positive rates in attribution
- Require contractual limits on bid stream data sharing and audience segment resale to competing advertisers
- Implement privacy-preserving targeting using contextual signals rather than behavioral profiles
- Configure attribution reporting to separate deterministic versus probabilistic conversion credit
If You're Evaluating Infillion
- Request third-party audit of cross-domain tracking and identity resolution practices
- Evaluate alternative programmatic platforms with privacy-first architectures (e.g., contextual DSPs)
- Consider direct publisher relationships to eliminate RTB competitive intelligence broadcast
- Assess whether the DSP/SSP conflict of interest creates advertiser disadvantage in auction dynamics
Negotiation Leverage
- Infillion VRS 80 = Broker (100) + Counselor (70) threat. RTB bid stream = competitive intelligence broadcast. Every impression leaks targeting data.
- Cross-domain sync (BTI-C08) + identity resolution (BTI-C14) = tracking across publishers and devices without consent. Require GDPR compliance documentation.
- Session recording (BTI-C07) of post-click behavior creates PII exposure. Demand data retention limits and redaction practices.
- Combined DSP/SSP model creates a conflict of interest. Publisher data informs advertiser targeting; advertiser data informs publisher yield optimization. Request disclosure.
- Behavioral biometrics (BTI-C06) for audience modeling = special category data risk. Minimize behavioral targeting to reduce exposure.
- Ask: What user data is included in bid requests? How is the cross-device identity graph constructed? What is the data retention policy? Expect evasive answers.
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Keystroke/mouse tracking
Impact: Mouse tracking and interaction patterns captured across ad impressions feed audience models used for cross-publisher targeting.
Full session replay
Impact: Landing page interaction capture following ad clicks enables conversion path analysis and retargeting optimization based on granular user behavior.
Identity stitching
Impact: Cookie syncing across multiple publishers enables user tracking across unrelated websites, building a comprehensive browsing profile without consent.
Ignoring CMP signals
PII deanonymization
Impact: Cross-device user linking enables persistent tracking across mobile, desktop, and CTV without explicit user consent or notification.
Container/loader (neutral)
Impact: Client-side tag deployment on publisher properties creates third-party script execution enabling comprehensive page interaction capture.
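The detections above are classifications of what a vendor script did during an instrumented page load. As an added example (not BLACKOUT's tooling, and not the vendor's code), the Python below shows how a defender can turn a list of runtime observations into those same labels. Only the BTI-C codes the briefing itself states (C06, C07, C08) are attached; the other labels are kept as plain text rather than guessing a code. The observation records, hostnames (`.invalid`) and parameter names (`uid`, `partner_uid`) are constructed sample data, and the `category` field is an assumed annotation from the capture tool.

```python
"""Classify constructed browser-runtime observations into the behaviour
labels used in the briefing. Example code added here; not BLACKOUT tooling.
All records in SAMPLE_RUN are constructed, with placeholder .invalid hosts."""

from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Codes the briefing attaches to behaviours; labels without a stated code
# stay as plain labels rather than inventing one.
LABELS = {
    "tracking": "Keystroke/mouse tracking (BTI-C06)",
    "replay": "Full session replay (BTI-C07)",
    "stitching": "Identity stitching (BTI-C08)",
    "cmp": "Ignoring CMP signals",
    "loader": "Container/loader (neutral)",
}

INPUT_EVENTS = {"keydown", "keyup", "keypress", "mousemove", "pointermove", "input"}
REPLAY_EVENTS = {"scroll", "resize", "dom_mutation"}        # what a replay recorder also captures
ID_PARAMS = {"uid", "partner_uid", "user_id", "ruid"}      # assumed names of id-bearing sync params


def _host(url):
    return urlparse(url).hostname or ""


def classify(events, first_party="publisher.invalid"):
    """Return {label: [evidence strings]} for a list of observation dicts."""
    findings = defaultdict(list)
    listeners = defaultdict(set)   # script URL -> DOM events it registered for
    ids_seen = defaultdict(set)    # id value -> third-party hosts that received it
    consent_denied = False

    for ev in events:
        kind = ev["type"]
        if kind == "consent":
            consent_denied = not ev["allowed"]
        elif kind == "listener":
            listeners[ev["script"]].add(ev["event"])
        elif kind == "script_inject":
            # A tag that pulls further third-party code is the container/loader pattern.
            findings[LABELS["loader"]].append(f'{_host(ev["parent"])} loaded {ev["src"]}')
        elif kind == "request":
            host = _host(ev["url"])
            if host == first_party:
                continue
            params = parse_qs(urlparse(ev["url"]).query)
            for name in ID_PARAMS.intersection(params):
                for value in params[name]:
                    ids_seen[value].add(host)
            if consent_denied and ev.get("category") == "tracking":
                findings[LABELS["cmp"]].append(f"{host} called while consent denied")

    for script, names in listeners.items():
        captured = names & INPUT_EVENTS
        if captured:
            findings[LABELS["tracking"]].append(f"{_host(script)} listens for {sorted(captured)}")
        if captured and names & REPLAY_EVENTS:
            findings[LABELS["replay"]].append(f"{_host(script)} records {sorted(names)}")

    # The same identifier handed to two different third parties is a cookie sync.
    for value, hosts in ids_seen.items():
        if len(hosts) > 1:
            findings[LABELS["stitching"]].append(f"id {value} shared with {sorted(hosts)}")

    return dict(findings)


SAMPLE_RUN = [  # constructed observations from one hypothetical page load
    {"type": "consent", "allowed": False},
    {"type": "listener", "script": "https://cdn.vendor-tag.invalid/tag.js", "event": "mousemove"},
    {"type": "listener", "script": "https://cdn.vendor-tag.invalid/tag.js", "event": "keydown"},
    {"type": "listener", "script": "https://cdn.vendor-tag.invalid/tag.js", "event": "dom_mutation"},
    {"type": "script_inject", "parent": "https://cdn.vendor-tag.invalid/tag.js",
     "src": "https://cdn.partner-c.invalid/lib.js"},
    {"type": "request", "url": "https://sync.partner-a.invalid/match?uid=abc123", "category": "tracking"},
    {"type": "request", "url": "https://cs.partner-b.invalid/cs?partner_uid=abc123", "category": "tracking"},
    {"type": "request", "url": "https://publisher.invalid/article.html", "category": "page"},
]

if __name__ == "__main__":
    for label, evidence in classify(SAMPLE_RUN).items():
        print(label)
        for line in evidence:
            print("  -", line)
```

The rules are deliberately conservative: input listeners alone give only the tracking label, replay requires DOM-mutation or viewport capture on top of input capture, and identity stitching fires only when one identifier value reaches two distinct third-party hosts. Swapping in real captures from a browser automation run is a matter of producing the same record shapes.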
IOC Manifest
Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
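The manifest itself is gated, but the three uses named above (detection rules, CSP, Pi-hole) all start from the same transformation of its four categories. The Python below is an added example, not BLACKOUT's tooling; the manifest it processes is constructed with placeholder `.invalid` hosts and made-up cookie names, not the vendor's real indicators.

```python
"""Turn an IOC manifest into enforcement artefacts: a Pi-hole blocklist, a
CSP allowlist sanity check, a cookie watchlist, and a URL block decision.
Example code added to this briefing; MANIFEST is constructed placeholder data."""

from urllib.parse import urlparse

MANIFEST = {  # constructed; the four categories mirror the briefing's manifest
    "scripts": [
        "https://cdn.adtech-vendor.invalid/tag.js",
        "https://cdn.adtech-vendor.invalid/replay.min.js",
    ],
    "domains": ["adtech-vendor.invalid", "sync.adtech-vendor.invalid"],
    "cookies": ["vendor_uid", "vendor_sync"],
    "endpoints": [
        "https://sync.adtech-vendor.invalid/match",
        "https://ingest.adtech-vendor.invalid/beacon",
    ],
}


def blocked_hosts(manifest):
    """Every hostname the manifest names, whether as a domain, script or endpoint."""
    hosts = set(manifest["domains"])
    for url in manifest["scripts"] + manifest["endpoints"]:
        hosts.add(urlparse(url).hostname)
    return sorted(h for h in hosts if h)


def pihole_blocklist(manifest):
    """Pi-hole adlists accept one domain per line; this is that text."""
    return "\n".join(blocked_hosts(manifest)) + "\n"


def is_blocked(url, manifest):
    """Block decision for a URL: exact host match, or a subdomain of a listed domain."""
    host = urlparse(url).hostname or ""
    if host in blocked_hosts(manifest):
        return True
    return any(host.endswith("." + d) for d in manifest["domains"])


def csp_header(allowed_script_hosts, allowed_connect_hosts, manifest):
    """CSP is deny-by-default, so the manifest is only a check that nobody
    allowlisted a vendor host by mistake. Raises ValueError if one did."""
    overlap = set(allowed_script_hosts + allowed_connect_hosts) & set(blocked_hosts(manifest))
    if overlap:
        raise ValueError(f"allowlist contains manifest hosts: {sorted(overlap)}")
    scripts = " ".join(["'self'"] + list(allowed_script_hosts))
    connects = " ".join(["'self'"] + list(allowed_connect_hosts))
    return f"script-src {scripts}; connect-src {connects}"


def flag_cookies(cookie_header, manifest):
    """Names from a Cookie request header that match the manifest's cookie list."""
    names = [part.split("=", 1)[0].strip() for part in cookie_header.split(";") if part.strip()]
    return sorted(set(names) & set(manifest["cookies"]))


if __name__ == "__main__":
    print(pihole_blocklist(MANIFEST))
    print(csp_header(["static.publisher.invalid"], ["api.publisher.invalid"], MANIFEST))
    print(flag_cookies("sid=1; vendor_uid=abc; theme=dark", MANIFEST))
```

For a web proxy or browser extension, `is_blocked` is the rule to port; for a log pipeline, `flag_cookies` applied to captured `Cookie` headers is the cheapest signal that a user is already carrying the vendor's identifier.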
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
- Complete network capture with all requests and responses
- 48 detection signatures across scripts, domains, cookies, and network endpoints