How This Briefing Works
This report opens with key findings, then maps the gaps between what Inspectlet discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Pre-Consent Activity
Inspectlet was observed loading and executing before user consent was obtained on 100% of sites where it was detected.
Claims vs. Observed Behavior
Category: consent
Vendor claim: Unknown (requires claims extraction via CDT)
Observed behavior: Deploys session replay + cross-domain syncing + pre-consent tracking
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use Inspectlet
- →Disable Inspectlet immediately - session recording without consent is indefensible
- →Request deletion of all historical session replay data
- →Audit recorded sessions: assess whether sensitive data (passwords, emails, personal info, form inputs) was captured
If You're Evaluating Inspectlet
- →Reject any session replay vendor with pre-consent deployment or cross-domain syncing
- →Require explicit consent for session recording with clear disclosure: "We record your session including mouse movements and clicks"
- →Migrate to privacy-safe analytics: event-based tracking (no replay), consent-first session recording (Hotjar consent mode), or privacy-focused alternatives (Plausible, Fathom - no session recording)
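The "consent-first" loading the list above asks for comes down to one rule: nothing that talks to the replay vendor runs until an explicit opt-in exists, and a withdrawal stops it. The gate below is an added example written for this report, not Inspectlet's snippet, BLACKOUT's code, or any CMP's API. It assumes a CMP that reports decisions as an object keyed by purpose (the purpose name `session_replay`, the script URL, the `cmp-consent-changed` event and the `window.__replayVendor.stop` hook are all placeholders). Loading and stopping are injected as functions so the logic can be exercised outside a browser; the browser wiring at the end shows where the real `<script>` injection goes.

```javascript
// Added example: a consent gate for a session-replay tag (not vendor code).
// Assumption: the CMP calls gate.onConsent({ session_replay: true|false })
// whenever the visitor decides. Any other shape is treated as "no".
const REPLAY_PURPOSE = 'session_replay';                              // assumed CMP purpose key
const REPLAY_SCRIPT_SRC = 'https://replay-vendor.example/loader.js';  // placeholder vendor URL

// `loadTag` and `stopTag` are injected so the gate can run without a DOM.
function createConsentGate({ loadTag, stopTag, purpose = REPLAY_PURPOSE }) {
  let consented = false;   // explicit opt-in seen and not withdrawn
  let loaded = false;      // vendor script injected (at most once per page)
  let pending = [];        // actions requested before consent; held, never run early

  return {
    // Everything that would contact the vendor goes through here. Before consent
    // the action is only queued, so no request leaves the page.
    request(action) {
      if (consented) { action(); } else { pending.push(action); }
    },

    // Called by the CMP. A missing purpose key or a non-boolean value is "no",
    // so a misconfigured CMP can only fail closed.
    onConsent(decisions) {
      const granted = Boolean(decisions) && decisions[purpose] === true;
      if (granted && !consented) {
        consented = true;
        if (!loaded) { loadTag(); loaded = true; }
        const queued = pending;
        pending = [];
        queued.forEach((action) => action());
      } else if (!granted && consented) {
        consented = false;
        pending = [];            // withdrawal: drop anything still waiting
        if (loaded) stopTag();   // and tell the vendor to stop recording
      } else if (!granted) {
        pending = [];            // denial before load: forget queued actions
      }
    },

    state() { return { consented, loaded, pending: pending.length }; },
  };
}

// Browser wiring; only runs where a DOM exists.
function installInBrowser() {
  const gate = createConsentGate({
    loadTag() {
      const s = document.createElement('script');
      s.src = REPLAY_SCRIPT_SRC;
      s.async = true;
      document.head.appendChild(s);
    },
    stopTag() {
      // Placeholder: call the vendor's documented stop/pause API here.
      if (window.__replayVendor && typeof window.__replayVendor.stop === 'function') {
        window.__replayVendor.stop();
      }
    },
  });
  // Placeholder event name; a real CMP exposes its own callback or event.
  window.addEventListener('cmp-consent-changed', (ev) => gate.onConsent(ev.detail));
  return gate;
}

if (typeof document !== 'undefined') installInBrowser();
```

The important property is the order of operations: the vendor script is not on the page until `onConsent` sees `true`, and a later `false` both stops the vendor and discards anything queued, which is the behaviour the pre-consent finding above says Inspectlet's default deployment lacks.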
Negotiation Leverage
- →Inspectlet session recording may capture sensitive personal data (form inputs, searches, passwords) without consent; this is the finding that carries the greatest privacy liability
- →Cross-domain syncing multiplies that exposure across properties, building a cross-site profile of the visitor without their awareness
- →Require the vendor to remove session replay, cross-domain syncing and pre-consent loading; without that, the customer has no defensible position in a regulatory enforcement action
- →User behaviour insights do not require recorded sessions; event-based analytics provide the intelligence without the privacy invasion
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Full session replay
Impact: Records full user sessions including form interactions, navigation sequences, and page content. May capture sensitive personal data (emails, passwords, search queries, typed inputs) without consent or user awareness. Where the captured fields contain special category data (health, religion and the like), this also engages GDPR Article 9; in every case it is a privacy invasion with severe reputational risk. Passwords captured this way are additionally a credential exposure, since they end up in the vendor's storage outside the customer's control.
Identity stitching
Impact: Syncs session replay data across domains to build comprehensive visitor profiles. This is cross-site behaviour tracking without user awareness; where the synced data is sent to a vendor outside the EEA, the transfer also falls under GDPR Chapter V (Article 44 onwards).
Ignoring CMP signals
Impact: Session recording and cross-domain syncing initialize before the visitor has any opportunity to consent, so each visitor's data is processed without the valid consent GDPR Article 7 requires. Combined with potential sensitive data capture, this elevates to an Article 9 special category issue, which regulators treat as the highest priority.
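Two of the detections above, "Ignoring CMP signals" and "Identity stitching", can be checked against any network capture of your own site. The script below is an added example written for this report, not BLACKOUT's tooling. It runs over a constructed capture (labelled as such) in which each event carries the time since navigation start, the first-party page origin that issued the request and the request URL, plus one `consent` event when the visitor accepts. The vendor host `replay-vendor.example` and the session-id parameter `sid` are placeholders standing in for the entries of the IOC manifest.

```javascript
// Added example: pre-consent and cross-domain checks over a constructed capture.
// Not BLACKOUT's code; vendor host and parameter name are placeholders.
const VENDOR_HOSTS = ['replay-vendor.example'];  // placeholder for the IOC domain list
const SESSION_PARAM = 'sid';                      // placeholder for the vendor's session id param

// Constructed sample: the tag loads and starts sending at 120 ms on one
// property, consent arrives at 3 s, and the same session id later appears
// from a second property.
const SAMPLE_CAPTURE = [
  { t: 0,    type: 'request', page: 'https://shop.example',    url: 'https://shop.example/' },
  { t: 120,  type: 'request', page: 'https://shop.example',    url: 'https://replay-vendor.example/loader.js' },
  { t: 140,  type: 'request', page: 'https://shop.example',    url: 'https://replay-vendor.example/collect?sid=a1b2' },
  { t: 3000, type: 'consent', page: 'https://shop.example' },
  { t: 3200, type: 'request', page: 'https://shop.example',    url: 'https://replay-vendor.example/collect?sid=a1b2' },
  { t: 9000, type: 'request', page: 'https://support.example', url: 'https://replay-vendor.example/collect?sid=a1b2' },
];

// Match the vendor host exactly or as a parent domain (cdn.vendor, api.vendor ...).
function isVendorHost(url, vendorHosts) {
  const host = new URL(url).hostname;
  return vendorHosts.some((v) => host === v || host.endsWith('.' + v));
}

// Pre-consent: every vendor request issued before the consent event. When the
// capture contains no consent event at all, every vendor request counts.
function preConsentRequests(capture, vendorHosts = VENDOR_HOSTS) {
  const consent = capture.find((e) => e.type === 'consent');
  const consentAt = consent ? consent.t : Infinity;
  return capture.filter(
    (e) => e.type === 'request' && e.t < consentAt && isVendorHost(e.url, vendorHosts)
  );
}

// Identity stitching: a session identifier the vendor receives from more than
// one first-party origin. Returns { sid: [origins...] } for each such id.
function crossDomainIdentifiers(capture, vendorHosts = VENDOR_HOSTS, param = SESSION_PARAM) {
  const seen = new Map();
  for (const e of capture) {
    if (e.type !== 'request' || !isVendorHost(e.url, vendorHosts)) continue;
    const sid = new URL(e.url).searchParams.get(param);
    if (!sid) continue;
    if (!seen.has(sid)) seen.set(sid, new Set());
    seen.get(sid).add(e.page);
  }
  const stitched = {};
  for (const [sid, origins] of seen) {
    if (origins.size > 1) stitched[sid] = [...origins].sort();
  }
  return stitched;
}

function analyze(capture = SAMPLE_CAPTURE) {
  return {
    preConsent: preConsentRequests(capture).map((e) => e.url),
    stitched: crossDomainIdentifiers(capture),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(analyze(), null, 2));
}
```

On the sample this flags the loader and the first `collect` call as pre-consent, and reports `a1b2` as seen from both `shop.example` and `support.example`. To use it on a real capture, export a HAR, map each entry to `{ t, type: 'request', page, url }` using the entry's start time and the page's origin, and insert the `consent` event at the time your CMP records the accept click.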
IOC Manifest
Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists. Blocking at the CSP or DNS level stops the script from loading at all; use it where you have decided not to run the vendor, not as a substitute for consent gating, and note that it does nothing about sessions already recorded.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
15 detection signatures across scripts, domains, cookies, and network endpoints