How This Briefing Works
This report opens with key findings, then maps the gaps between what Involvedmedia discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Pre-Consent Activity
Involvedmedia was observed loading and executing before user consent was obtained on 4% of sites where it was detected.
Claims vs. Observed Behavior
consent
- Claimed: “Unknown - requires claims extraction via CDT”
- Observed: Deploys session replay + behavioral biometrics + pre-consent ad tracking
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use Involvedmedia
- Disable Involvedmedia session recording immediately - no ad platform justifies recording user behavior without consent
- Request deletion of all historical session replay and behavioral data
- Audit recorded sessions: assess privacy impact of captured user behavior
If You're Evaluating Involvedmedia
- Reject any ad vendor combining session replay with pre-consent deployment
- Demand contractual liability assumption: vendor pays 100% of penalties for session recording violations
- Migrate to privacy-safe advertising: contextual targeting (no behavioral tracking), consent-first programmatic (no session replay), or direct publisher relationships
Negotiation Leverage
- Involvedmedia combines session replay with consent bypass for ad targeting - this creates privacy violation liability beyond standard ad tech risk
- Session recording for advertising lacks clear business necessity - contextual ads perform without behavioral surveillance
- Vendor must eliminate session replay AND behavioral biometrics AND implement consent-first architecture, or assume 100% regulatory penalty liability
- Ad optimization works without recording user behavior - pre-consent session replay is a vendor choice that transfers liability to the customer
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Keystroke/mouse tracking
Impact: Captures interaction patterns, scroll depth, and timing to create behavioral fingerprints for ad targeting. GDPR Article 9 classifies biometric data as a special category requiring explicit consent - pre-consent capture creates heightened penalty exposure.
Full session replay
Impact: Records user sessions for ad optimization without consent. May capture navigation patterns revealing user intent, content interests, and engagement behavior. Session replay for advertising purposes creates a privacy violation with reputational risk.
Ignoring CMP signals
Impact: Ad tracking and session recording initialize before the user has an opportunity to consent, creating a per-visitor GDPR Article 7 violation. Combined with behavioral biometrics, this elevates to an Article 9 special category data violation with increased regulatory priority.
IOC Manifest
Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
86 detection signatures across scripts, domains, cookies, and network endpoints