How This Briefing Works
This report opens with key findings, then maps the gaps between what Mapbox discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Pre-Consent Activity
Mapbox was observed loading and executing before user consent was obtained on 91% of sites where it was detected.
Claims vs. Observed Behavior
Pending Analysis
“Claims extraction pending”
CDT analysis required for privacy policy and Terms of Service review
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use Mapbox
- →Defer Mapbox SDK load until user initiates map interaction
- →Review Terms of Service for behavioral data retention and cross-customer sharing provisions
- →Audit WebGL fingerprinting disclosures in privacy policy
If You're Evaluating Mapbox
- →Static map image alternatives for non-interactive location display
- →Self-hosted tile server options to eliminate third-party surveillance
- →Location-first consent flow that gates map loading behind explicit user authorization
Negotiation Leverage
- →Mapbox Terms permit device fingerprinting for analytics but lack clear limits on behavioral biometric retention
- →WebGL canvas fingerprinting not disclosed in customer-facing documentation, discovered via runtime analysis
- →Cross-domain identity resolution creates tracking liability that standard DPA does not address
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Evasion infrastructure, auditor bypass
Impact: Mapbox GL JS employs obfuscation to conceal fingerprinting activity from browser privacy protections.
Keystroke/mouse tracking
Impact: Captures mouse movement patterns, scroll behavior, and interaction timing during map usage for user profiling.
Full session replay
Impact: Records map interactions and surrounding page activity beyond functional mapping requirements.
Identity stitching
Impact: Synchronizes device fingerprints across Mapbox customer base, enabling location tracking across properties.
Ignoring CMP signals
Impact: Fingerprinting and behavioral capture begin on SDK initialization, before map interaction or user consent.
Device identification
Impact: Collects browser, device, and WebGL canvas fingerprints to create persistent identifier tied to location data.
PII deanonymization
Impact: Links device fingerprints to geolocation histories, enabling long-term movement tracking across customer sites.
IOC Manifest
Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
38 detection signatures across scripts, domains, cookies, and network endpoints