How This Briefing Works
This report opens with key findings, then maps the gaps between what Kitt discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Pre-Consent Activity
Kitt was observed loading and executing before user consent was obtained on 100% of sites where it was detected.
Claims vs. Observed Behavior
behavioral_surveillance
“Unknown - requires claims extraction”
C06+C09 detected - behavioral biometrics with pre-consent execution
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use Kitt
- →Audit Kitt behavioral biometric scope - document interaction patterns being captured
- →Enforce consent gate before Kitt initialization to address C09 bypass
- →Verify platform functionality works with delayed post-consent loading
- →Assess if behavioral capture qualifies as biometric data under privacy regulations
If You're Evaluating Kitt
- →Request Kitt technical documentation of behavioral monitoring and consent integration
- →Evaluate platforms without behavioral biometric capabilities
- →Consider server-side fraud detection eliminating browser-based behavioral capture
- →Investigate if Kitt offers consent-aware deployment mode
Negotiation Leverage
- →Kitt deploys C06 behavioral biometrics + C09 consent bypass - vendor must explain surveillance capabilities
- →Demand complete disclosure of behavioral data collection methods and purposes
- →Require consent-aware initialization - no pre-consent behavioral monitoring
- →Negotiate opt-out of biometric features if not essential to core functionality
- →Establish liability terms for behavioral surveillance and consent violations
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Keystroke/mouse tracking
Ignoring CMP signals
IOC Manifest
Indicators of compromise across 3 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
24 detection signatures across scripts, domains, cookies, and network endpoints