How This Briefing Works
This report opens with key findings, then maps the gaps between what Iterable discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Claims vs. Observed Behavior
pending
“Unknown”
Requires claims extraction via CDT
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use Iterable
- Audit data processing agreements for broker syndication authorization clauses
- Extract identity resolution logs showing cross-domain stitching without consent
- Map Iterable audience segments to competitor lookalike audiences
If You're Evaluating Iterable
- Quantify conversion attribution inflation from multi-touch claiming
- Calculate audience data monetization revenue (your data, their profit)
- Document GDPR Article 6 violations from purpose creep beyond marketing automation
Negotiation Leverage
- Iterable DPA permits audience syndication to unspecified third parties—you lose control of customer data
- 100/100 CAC subsidization represents direct competitor funding through your marketing spend
- Cross-domain identity stitching operates without user consent—GDPR Article 7 violations documented
- Session recording (C07) captures form inputs and PII—data breach exposure multiplies with every integration
- Email tracking pixels constitute defeat devices under browser privacy policies
- Evidence pack includes cross-domain sync captures and data broker appearance timelines
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Evasion infrastructure, auditor bypass
Impact: Email tracking pixels bypass browser privacy protections through image-based beacons
Keystroke/mouse tracking
Impact: Email engagement patterns (read time, scroll depth in email clients) captured for psychographic profiling
Full session replay
Impact: Web session replay feeds campaign optimization while creating PII exposure risk
Identity stitching
Impact: Identity stitching across email, web, and third-party domains enables comprehensive surveillance
Device identification
Impact: Device fingerprinting persists identity across cookie deletion and incognito sessions
Container/loader (neutral)
Impact: Dynamic campaign tracking code deployment enables persistent measurement infrastructure
IOC Manifest
Indicators of compromise across 5 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
144 detection signatures across scripts, domains, cookies, and network endpoints