How This Briefing Works
This report opens with key findings, then maps the gaps between what Intercom discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Pre-Consent Activity
Intercom was observed loading and executing before user consent was obtained on 51% of sites where it was detected.
Pending Analysis
7 BTI behavioral codes detected across 65 observations on 42 sites. Full claims extraction required for gap analysis.
Claims vs. Observed Behavior
Claims analysis pending: 7 BTI behavioral codes detected across 65 observations on 42 sites. Full claims extraction is required before a gap analysis can be made.
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use Intercom
- Audit all 25 Intercom scripts loading on your site — determine which are essential for chat functionality versus tracking
- Implement strict consent gating that blocks Intercom initialization until affirmative consent is recorded for analytics/tracking purposes
- Review your Intercom DPA and verify it covers cross-domain sync, identity resolution, and behavioral biometrics
- Update your privacy policy to accurately describe Intercom's data collection scope beyond customer messaging
If You're Evaluating Intercom
- Assess whether a lighter-weight chat solution could provide equivalent support without 25 scripts and 7 BTI-C code triggers
- Request Intercom's data processing records for your specific account to verify what data flows occur
- Evaluate loading Intercom conditionally — chat-only mode until consent, full suite after explicit opt-in
- Consider the cost of Intercom's tracking overhead against alternatives like Crisp, Tawk.to, or self-hosted solutions
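One way to implement the consent gating and the chat-only-until-consent loading mode described in the two lists above, as an added example that is not Intercom's or BLACKOUT's code: each vendor script is registered with the purpose it serves, 'essential' scripts (the chat widget itself) load immediately, and every other purpose stays queued until the CMP records an affirmative decision. The URLs and the injected `loadScript` / `teardown` hooks are placeholders, and the gate only helps if the vendor's own inline snippet is removed from the page so nothing initializes outside it.

```javascript
// Consent-gated vendor loader (added example; placeholder hooks and URLs).
// `loadScript` would append a <script> tag in a browser; `teardown` would call the
// vendor's own shutdown routine. Both are injected so the gate runs without a DOM.
class ConsentGate {
  constructor({ loadScript, teardown }) {
    this.loadScript = loadScript;
    this.teardown = teardown;
    this.consent = { essential: true, analytics: false }; // nothing granted by default
    this.loaded = new Set();   // URLs already injected (a script cannot be un-loaded)
    this.pending = [];         // scripts waiting for consent to their purpose
  }

  // Register a vendor script with the purpose it serves. Only 'essential' (chat
  // delivery) loads before a decision; tracking purposes wait for the CMP.
  register(url, purpose) {
    if (purpose === 'essential' || this.consent[purpose] === true) this._load(url);
    else this.pending.push({ url, purpose });
  }

  // Called by the CMP when the visitor records a choice. Releases only the queued
  // scripts whose purpose is now granted; a withdrawal triggers the vendor teardown.
  update(decision) {
    this.consent = { ...this.consent, ...decision };
    const stillPending = [];
    for (const p of this.pending) {
      if (this.consent[p.purpose] === true) this._load(p.url);
      else stillPending.push(p);
    }
    this.pending = stillPending;
    for (const [purpose, granted] of Object.entries(decision)) {
      if (!granted && purpose !== 'essential') this.teardown(purpose);
    }
  }

  _load(url) {
    if (this.loaded.has(url)) return; // never inject the same script twice
    this.loaded.add(url);
    this.loadScript(url);
  }
}

// Walk through a session: chat loads at once, tracking waits, then consent is
// granted and later withdrawn. Returns the ordered log of what the gate did.
function demo() {
  const log = [];
  const gate = new ConsentGate({
    loadScript: (u) => log.push('load:' + u),
    teardown: (p) => log.push('teardown:' + p),
  });
  gate.register('https://vendor.example/chat.js', 'essential');     // placeholder
  gate.register('https://vendor.example/tracking.js', 'analytics'); // placeholder
  gate.update({ analytics: true });
  gate.update({ analytics: false });
  return log;
}
```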
Negotiation Leverage
- 25 scripts for a chat widget is indefensible — request Intercom explain why each script is necessary for customer messaging
- 51% pre-consent firing rate with 7 BTI-C codes — Intercom's deployment creates direct regulatory liability for your organization
- Cross-domain sync (C08) + identity resolution (C14) means Intercom builds cross-site profiles from your visitors — demand contractual restrictions on cross-customer data use
- Maximum legal tail risk (100) and CAC subsidization (100) scores — your visitor data enriches Intercom's platform intelligence at your regulatory expense
- Request a minimal-tracking deployment option that provides chat functionality without behavioral biometrics, fingerprinting, and cross-domain sync
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Evasion infrastructure, auditor bypass
Impact: Intercom deploys evasion infrastructure that can modify its behavior during compliance audits, making it difficult to verify that observed tracking matches what occurs during normal user sessions.
Keystroke/mouse tracking
Impact: Behavioral tracking goes beyond chat interaction logging. Mouse movement and interaction patterns are captured and associated with user profiles, creating behavioral signatures that persist beyond the chat session.
Identity stitching
Impact: Identity stitching across Intercom's customer base means a visitor who chats on your site can be recognized on any other Intercom-powered site. Your customer interactions become part of a cross-site identity graph you do not control.
Ignoring CMP signals
Impact: 51% pre-consent firing rate means Intercom's 25-script payload begins executing before consent tools can intervene. Under ePrivacy and GDPR, the site operator bears liability for this non-essential tracking that activates without lawful basis.
Device identification
Impact: Device fingerprinting enables Intercom to maintain persistent identification across sessions even when cookies are cleared, undermining users' ability to meaningfully withdraw consent or reset their tracking state.
Long-lived identifiers
Impact: Long-lived identifiers ensure user profiles survive cookie deletion and session resets. Combined with 5 cookies and cross-domain sync, Intercom maintains durable tracking that outlasts standard privacy hygiene.
PII deanonymization
Impact: PII deanonymization converts anonymous website visitors into identified contacts within Intercom's platform. Chat interactions, email addresses, and behavioral data merge into unified profiles that persist across your entire customer communication stack.
IOC Manifest
Indicators of compromise across 6 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
- Complete network capture with all requests and responses
- 144 detection signatures across scripts, domains, cookies, and network endpoints