How This Briefing Works
This report opens with key findings, then maps the gaps between what Infillion discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Pre-Consent Activity
Infillion was observed loading and executing before user consent was obtained on 4% of sites where it was detected.
Claims vs. Observed Behavior
pending
“Unknown”
Requires claims extraction via CDT
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use Infillion
- →Demand transparency on cross-device matching methodology and false positive rates in attribution
- →Require contractual limits on bid stream data sharing and audience segment resale to competing advertisers
- →Implement privacy-preserving targeting using contextual signals rather than behavioral profiles
- →Configure attribution reporting to separate deterministic versus probabilistic conversion credit
If You're Evaluating Infillion
- →Request third-party audit of cross-domain tracking and identity resolution practices
- →Evaluate alternative programmatic platforms with privacy-first architectures (e.g., contextual DSPs)
- →Consider direct publisher relationships to eliminate RTB competitive intelligence broadcast
- →Assess whether DSP/SSP conflict of interest creates advertiser disadvantage in auction dynamics
Negotiation Leverage
- →Infillion VRS 80 = Broker (100) + Counselor (70) threat. RTB bid stream = competitive intelligence broadcast. Every impression leaks targeting data.
- →Cross-domain sync (BTI-C08) + identity resolution (BTI-C14) = tracking across publishers and devices without consent. Require GDPR compliance documentation.
- →Session recording (BTI-C07) of post-click behavior creates PII exposure. Demand data retention limits and redaction practices.
- →Combined DSP/SSP model creates conflict of interest. Publisher data informs advertiser targeting; advertiser data informs publisher yield optimization. Request disclosure.
- →Behavioral biometrics (BTI-C06) for audience modeling = special category data risk. Minimize behavioral targeting to reduce exposure.
- →Ask: What user data is included in bid requests? How is cross-device identity graph constructed? What is the data retention policy? Expect evasive answers.
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Keystroke/mouse tracking
Impact: Mouse tracking and interaction patterns captured across ad impressions feed audience models used for cross-publisher targeting.
Full session replay
Impact: Landing page interaction capture following ad clicks enables conversion path analysis and retargeting optimization based on granular user behavior.
Identity stitching
Impact: Cookie syncing across multiple publishers enables user tracking across unrelated websites, creating comprehensive browsing profile without consent.
Ignoring CMP signals
PII deanonymization
Impact: Cross-device user linking enables persistent tracking across mobile, desktop, and CTV without explicit user consent or notification.
Container/loader (neutral)
Impact: Client-side tag deployment on publisher properties creates third-party script execution enabling comprehensive page interaction capture.
IOC Manifest
Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
48 detection signatures across scripts, domains, cookies, and network endpoints