Google Maps | Vendor Intelligence

How This Briefing Works

This report opens with key findings, then maps the gaps between what Google Maps discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

270 detections across 261 sites6% pre-consent activity

MEDIUM

Pre-Consent Activity

Google Maps was observed loading and executing before user consent was obtained on 6% of sites where it was detected.

GDPRePrivacy

Disclosure Gaps

Claims vs. Observed Behavior

1 gaps

Pending Analysis

UNKNOWN

They Claim

“Claims extraction pending”

Observed Behavior

CDT analysis required for Maps API Terms, Google Geo Data Processing Amendment, and location data disclosures

Customer Impact

What This Means For You

Sites embedding Google Maps inherit location tracking and cross-product profiling from API load. Device fingerprints link to Google advertising profiles enriched with geolocation histories. Persistent storage creates long-term location tracking liability. GTM abuse enables surveillance beyond mapping. GDPR and location privacy exposure if Maps loads before consent.

Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Google Maps

→Audit Google Geo Data Processing Amendment for location data retention and cross-product sharing restrictions
→Review privacy policy for Maps tracking disclosures separate from mapping functionality
→Defer Maps API load until user initiates location interaction
→Assess GTM integration for undeclared location-based tracking tags
→Map persistent storage usage and location data retention by Maps API

If You're Evaluating Google Maps

→Static map image alternatives for non-interactive location display
→Alternative mapping providers with minimal tracking (Mapbox alternatives, OpenStreetMap)
→Self-hosted tile server options to eliminate Google surveillance dependency
→Location-first consent flow gating Maps API behind explicit user authorization

Negotiation Leverage

→Google Geo Data Processing Amendment permits Google to use location data for service improvement but lacks clear limits on cross-product identity resolution
→WebGL fingerprinting and behavioral biometric capture not disclosed in Maps API documentation, discovered via scanner detection
→GTM abuse patterns suggest location-based tag injection beyond customer-configured tracking
→Persistent storage of location identifiers exceeds functional mapping requirements, indicates long-term geolocation profiling
→Cross-domain sync links Maps usage to Google advertising profiles without explicit customer authorization

Runtime Detections

9 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C01Defeat Device

Evasion infrastructure, auditor bypass

Impact: Maps API scripts employ obfuscation to conceal tracking embedded within mapping functionality.

BTI-C06Behavioral Biometrics

Keystroke/mouse tracking

Impact: Captures map interaction patterns, pan/zoom behavior, and location search queries for user profiling beyond mapping requirements.

BTI-C07Session Recording

Full session replay

Impact: Records map usage and surrounding page activity, linking geolocation interest to broader behavioral profiles.

BTI-C08Cross-Domain Sync

Identity stitching

Impact: Synchronizes device fingerprints and location data across Google properties and Maps API customer sites.

BTI-C09Consent Bypass

Ignoring CMP signals

Impact: Fingerprinting and geolocation tracking initiate on API initialization, before map interaction or user consent.

BTI-C10Fingerprinting

Device identification

Impact: Collects browser, device, and WebGL canvas fingerprints tied to Google account identifiers and location queries.

BTI-C13Persistence Mechanisms

Long-lived identifiers

Impact: Deploys localStorage and IndexedDB to maintain location tracking identifiers across sessions.

BTI-C14Identity Resolution

PII deanonymization

Impact: Links Maps device fingerprints to Google's identity graph, enabling persistent location tracking across web and mobile.

BTI-C15Tag Manager

Container/loader (neutral)

Impact: Exploits GTM when present to deploy location-based tracking beyond declared Maps API requirements.

IOC Manifest

214 INDICATORS

Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

TRACK

*www.google.com/maps/_/js/k=maps.m.en.aZsxtu7Nxbg.*.O/m=sc2,per,mo,lp,ti,stx,ds,dwi,enr,bom,b/am=yAEAkAiA/rt=j/d=1/rs=ACT90oHS9zdiy_Uqg4jmMylYg8BS4SYB8A*

Tracking script

TRACK

*www.google.com/maps/_/js/k=maps.m.en.aZsxtu7Nxbg.*.O/ck=maps.m.7pEWVA2pCPs.L.W.O/am=yAEAkAiA/rt=j/d=1/exm=b,bom,ds,dwi,enr,lp,mo,per,sc2,stx,ti/ed=1/rs=ACT90oFmykExkCMRM5u99A610xNr2HefnQ/m=vwr,vd,a,nrw,owc,ob,mmm,sp,en,smi,sc,vlg,log,smr,SuCOhe,LsiLPd,jF2zFd,JxdeQb,cQ25Ub,uA7o6c,b8h8i,wrc*

Tracking script

TRACK

*www.google.com/maps/_/js/k=maps.w.en.pNaJZfSn_Qk.*.O/am=AAAC/rt=j/d=1/rs=ACT90oHyWfjFOqFEWv4fFv4vtJOIA5Ek5A/m=wtd,b,c*

Tracking script

TRACK

Tracking script

TRACK

*www.google.com/maps/_/js/k=maps.m.en.aZsxtu7Nxbg.*.O/ck=maps.m.7pEWVA2pCPs.L.W.O/am=yAEAkAiA/rt=j/d=1/exm=JxdeQb,LsiLPd,SuCOhe,a,b,b8h8i,bom,cQ25Ub,ds,dwi,en,enr,jF2zFd,log,lp,mmm,mo,nrw,ob,owc,per,sc,sc2,smi,smr,sp,stx,ti,uA7o6c,vcr,vd,vlg,vwr,wrc/ed=1/rs=ACT90oFmykExkCMRM5u99A610xNr2HefnQ/m=pwd,bpw,duc,fp,rsw,rw,zm,lsw,mm,amw,cmw,mld,vm,zsv,ks,wm,pas,omm,h,pcs,rl,cls,pnt,svc,lyr,hc,omw,pm,asm,at,vim,sem,sl,rvc,rvm,idm,ml,ppa,lss*

Tracking script

TRACK

*www.google.com/maps/_/js/k=maps.m.en.aZsxtu7Nxbg.*.O/ck=maps.m.7pEWVA2pCPs.L.W.O/am=yAEAkAiA/rt=j/d=1/exm=JxdeQb,LsiLPd,SuCOhe,a,amw,asm,at,b,b8h8i,bom,bpw,cQ25Ub,cls,cmw,ds,duc,dwi,en,enr,fp,h,hc,idm,jF2zFd,ks,log,lp,lss,lsw,lyr,ml,mld,mm,mmm,mo,nrw,ob,obp,omm,omw,owc,pas,pcs,per,pm,pnt,ppa,pwd,rl,rsw,rvc,rvm,rw,sc,sc2,sem,sl,smi,smr,sp,stx,svc,ti,uA7o6c,vcr,vd,vim,vlg,vm,vwr,wm,wrc,zm,zsv/ed=1/rs=ACT90oFmykExkCMRM5u99A610xNr2HefnQ/m=py*

Tracking script

TRACK

*www.google.com/maps/_/js/k=maps.m.en.aZsxtu7Nxbg.*.O/ck=maps.m.7pEWVA2pCPs.L.W.O/am=yAEAkAiA/rt=j/d=1/exm=JxdeQb,LsiLPd,SuCOhe,a,amw,asm,at,b,b8h8i,bom,bpw,cQ25Ub,cls,cmw,ds,duc,dwi,en,enr,fp,h,hc,idm,jF2zFd,ks,log,lp,lss,lsw,lyr,ml,mld,mm,mmm,mo,nrw,ob,omm,omw,owc,pas,pcs,per,pm,pnt,ppa,pwd,rl,rsw,rvc,rvm,rw,sc,sc2,sem,sl,smi,smr,sp,stx,svc,ti,uA7o6c,vcr,vd,vim,vlg,vm,vwr,wm,wrc,zm,zsv/ed=1/rs=ACT90oFmykExkCMRM5u99A610xNr2HefnQ/m=obp*

Tracking script

TRACK

*www.google.com/maps/_/js/k=maps.m.en.aZsxtu7Nxbg.*.O/ck=maps.m.7pEWVA2pCPs.L.W.O/am=yAEAkAiA/rt=j/d=1/exm=JxdeQb,LsiLPd,SuCOhe,a,amw,asm,at,b,b8h8i,bom,bpw,cQ25Ub,cls,cmw,ds,duc,dwi,en,enr,fp,h,hc,idm,jF2zFd,ks,log,lp,lss,lsw,lyr,ml,mld,mm,mmm,mo,nrw,ob,obp,omm,omw,owc,pas,pcs,per,pm,pnt,ppa,pwd,py,rl,rsw,rvc,rvm,rw,sc,sc2,sem,sl,smi,smr,sp,stx,svc,ti,uA7o6c,vcr,vd,vim,vlg,vm,vwr,wm,wrc,zm,zsv/ed=1/rs=ACT90oFmykExkCMRM5u99A610xNr2HefnQ/m=dsh*

Tracking script

TRACK

*www.google.com/maps/_/js/k=maps.m.en.aZsxtu7Nxbg.*.O/ck=maps.m.7pEWVA2pCPs.L.W.O/am=yAEAkAiA/rt=j/d=1/exm=JxdeQb,LsiLPd,SuCOhe,a,amw,asm,at,b,b8h8i,bom,bpw,cQ25Ub,cls,cmw,ds,dsh,duc,dwi,en,enr,fp,h,hc,idm,jF2zFd,ks,log,lp,lss,lsw,lyr,ml,mld,mm,mmm,mo,nrw,ob,obp,omm,omw,owc,pas,pcs,per,pm,pnt,ppa,pwd,py,rl,rsw,rvc,rvm,rw,sc,sc2,sem,sl,smi,smr,sp,stx,svc,ti,uA7o6c,vcr,vd,vim,vlg,vm,vwr,wm,wrc,zm,zsv/ed=1/rs=ACT90oFmykExkCMRM5u99A610xNr2HefnQ/m=acp*

Tracking script

TRACK

*www.google.com/maps/_/js/k=maps.m.en.aZsxtu7Nxbg.*.O/ck=maps.m.7pEWVA2pCPs.L.W.O/am=yAEAkAiA/rt=j/d=1/exm=JxdeQb,LsiLPd,SuCOhe,a,acp,amw,asm,at,b,b8h8i,bom,bpw,cQ25Ub,cls,cmw,ds,dsh,duc,dwi,en,enr,fp,h,hc,idm,jF2zFd,ks,log,lp,lss,lsw,lyr,ml,mld,mm,mmm,mo,nrw,ob,obp,omm,omw,owc,pas,pcs,per,pm,pnt,ppa,pwd,py,rl,rsw,rvc,rvm,rw,sc,sc2,sem,sl,smi,smr,sp,stx,svc,ti,uA7o6c,vcr,vd,vim,vlg,vm,vwr,wm,wrc,zm,zsv/ed=1/rs=ACT90oFmykExkCMRM5u99A610xNr2HefnQ/m=pw*

Tracking script

TRACK

*www.google.com/maps/_/js/k=maps.m.en.aZsxtu7Nxbg.*.O/ck=maps.m.7pEWVA2pCPs.L.W.O/am=yAEAkAiA/rt=j/d=1/exm=JxdeQb,LsiLPd,SuCOhe,a,acp,amw,asm,at,b,b8h8i,bom,bpw,cQ25Ub,cls,cmw,ds,dsh,duc,dwi,en,enr,fp,h,hc,idm,jF2zFd,ks,log,lp,lss,lsw,lyr,ml,mld,mm,mmm,mo,nrw,ob,obp,omm,omw,owc,pas,pcs,per,pm,pnt,ppa,pw,pwd,py,rl,rsw,rvc,rvm,rw,sc,sc2,sem,sl,smi,smr,sp,stx,svc,ti,uA7o6c,vcr,vd,vim,vlg,vm,vwr,wm,wrc,zm,zsv/ed=1/rs=ACT90oFmykExkCMRM5u99A610xNr2HefnQ/m=mbg*

Tracking script

TRACK

*www.google.com/maps/_/js/k=maps.m.en.aZsxtu7Nxbg.*.O/ck=maps.m.7pEWVA2pCPs.L.W.O/am=yAEAkAiA/rt=j/d=1/exm=JxdeQb,LsiLPd,SuCOhe,a,acp,amw,asm,at,b,b8h8i,bom,bpw,cQ25Ub,cls,cmw,ds,dsh,duc,dwi,en,enr,fp,h,hc,idm,jF2zFd,ks,log,lp,lss,lsw,lyr,mbg,ml,mld,mm,mmm,mo,nrw,ob,obp,omm,omw,owc,pas,pcs,per,pm,pnt,ppa,pw,pwd,py,rl,rsw,rvc,rvm,rw,sc,sc2,sem,sl,smi,smr,sp,stx,svc,ti,uA7o6c,vcr,vd,vim,vlg,vm,vwr,wm,wrc,zm,zsv/ed=1/rs=ACT90oFmykExkCMRM5u99A610xNr2HefnQ/m=mxs*

Tracking script

TRACK

*www.google.com/js/bg/T94taNKSSsssP7x0w8bsq1bZfcqIXzBqd7gdxTpBf-w.js*

Tracking script

EXFIL

*apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.AKdz2vhcyW0.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo_GPfyZPmTuYcbMXzJr0yr8Akk4Tw/cb=gapi.loaded_0*

Data collection endpoint

Ecosystem

Ecosystem & Supply Chain

Google Maps API serves millions of websites requiring location services, embedding Google's geolocation surveillance network as unavoidable dependency for interactive mapping and store locators.

Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

220 detection signatures across scripts, domains, cookies, and network endpoints