How This Briefing Works
This report opens with key findings, then maps the gaps between what Jungroup discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Pre-Consent Activity
Jungroup was observed loading and executing before user consent was obtained on 14% of sites where it was detected.
Pending Analysis
7 BTI behavioral codes detected across 28 deployments. Full claims extraction required for gap analysis.
Claims vs. Observed Behavior
Pending Analysis
“Claims analysis pending”
7 BTI behavioral codes detected across 28 deployments. Full claims extraction required for gap analysis.
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use Jungroup
- →Audit your ad stack to confirm Jun Group's actual data collection scope vs. what your DPA covers
- →Verify your consent management platform gates Jun Group behind explicit opt-in for EU visitors
- →Request Jun Group's sub-processor list to understand downstream data flows
- →Review your privacy policy for adequate disclosure of identity resolution through advertising
If You're Evaluating Jungroup
- →Demand a technical audit of what data Jun Group collects through their ad units before signing
- →Require contractual limits on identity resolution using data collected from your properties
- →Establish pre-consent blocking as a deployment requirement in your insertion order
- →Benchmark against alternative video ad platforms that do not perform identity resolution
Negotiation Leverage
- →Jun Group fires before consent on 14% of observed deployments — request contractual guarantee of consent-gate compliance with liquidated damages
- →Identity resolution (C14) through an ad network creates undisclosed data sharing — demand explicit sub-processor disclosure and data flow mapping
- →7 detected behavioral codes exceed typical ad platform footprint — use as leverage to negotiate enhanced DPA terms with audit rights
- →Maximum legal tail risk score (100) provides justification for requiring Jun Group to carry cyber liability insurance naming you as additional insured
- →50-script IOC footprint across their network indicates significant client-side overhead — negotiate performance SLAs
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Evasion infrastructure, auditor bypass
Impact: Jun Group deploys evasion infrastructure that may behave differently during audits or compliance checks, making it difficult to verify actual data collection scope during vendor assessments.
Keystroke/mouse tracking
Impact: Keystroke and mouse movement tracking through an advertising platform creates undisclosed behavioral profiling that most privacy policies do not adequately describe to end users.
Full session replay
Impact: Full session replay capability within ad units means user interactions are captured beyond simple click tracking — potentially including form inputs and navigation patterns adjacent to ad placements.
Identity stitching
Ignoring CMP signals
Impact: 14% pre-consent rate means Jun Group fires before users have the opportunity to express consent preferences, creating per-pageview GDPR violations on affected sites.
Device identification
Impact: Device fingerprinting enables persistent identification without cookies, circumventing user deletion requests and browser privacy controls. Creates compliance gaps under CCPA's right to opt-out.
PII deanonymization
Impact: PII deanonymization within an advertising network means visitor identity data resolved on your site may be leveraged across Jun Group's entire 25-site footprint — a data sharing arrangement most customers have not consented to.
Container/loader (neutral)
Impact: Tag management infrastructure serves as the delivery mechanism for Jun Group's broader behavioral collection capabilities.
IOC Manifest
Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
106 detection signatures across scripts, domains, cookies, and network endpoints