How This Briefing Works
This report opens with key findings, then maps the gaps between what Match2one discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Pre-Consent Activity
Match2one was observed loading and executing before user consent was obtained on 48% of sites where it was detected.
Pending Analysis
6 BTI behavioral codes detected across 40 instances on 39 sites. Full claims extraction required for gap analysis.
Claims vs. Observed Behavior
Pending Analysis
“Claims analysis pending”
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use Match2one
- Audit your CMP to verify all 29 Match2One scripts are blocked until explicit consent — a single missed script creates a consent gap
- Review your advertising data processing agreement for identity resolution and cross-platform data sharing disclosures
- Implement a Content Security Policy (CSP) that explicitly allowlists only the Match2One domains you have approved
- Monitor your site for script injection beyond the Match2One scripts you intentionally deployed
If You're Evaluating Match2one
- Assess whether 29 client-side scripts are justified for your advertising use case or if server-side integration is available
- Request a complete inventory of Match2One's data partners and downstream data recipients
- Evaluate alternative programmatic platforms with smaller client-side footprints and transparent data flows
- Conduct a cost-benefit analysis: does Match2One's advertising performance justify the regulatory risk of 6 BTI behavioral codes?
Negotiation Leverage
- 29 scripts is an order of magnitude beyond standard programmatic ad tech requirements — demand technical justification for each script and what data it collects
- 48% pre-consent firing rate across 39 sites is a systemic pattern, not a deployment error — require contractual commitment to consent-before-load behavior
- Identity resolution (C14) in programmatic advertising means your visitor data enters RTB ecosystems accessible to competitors — demand data isolation guarantees
- 6 BTI behavioral codes for an advertising platform indicates capabilities far beyond ad serving — require a complete technical audit of all data processing activities
- Persistence mechanisms (C13) + fingerprinting (C10) create tracking that survives cookie deletion — demand documentation of all identifier types and their lifespans
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Evasion infrastructure, auditor bypass
Impact: Evasion infrastructure means Match2One can modify its behavior during compliance scans or auditor visits, hiding the true scope of its 29-script data collection architecture from standard privacy assessments.
Full session replay
Impact: Session recording capabilities in a programmatic advertising platform means visitor browsing behavior on your site is captured beyond what is needed for ad serving, creating undisclosed data processing obligations.
Identity stitching
Ignoring CMP signals
Impact: Match2One fires pre-consent on 48% of deployments. With 29 scripts, even a single pre-consent load creates a cascade of unauthorized data collection events, each a separate violation under ePrivacy cookie rules.
Device identification
Impact: Device fingerprinting enables persistent visitor identification without cookies, undermining opt-out mechanisms and creating compliance gaps with regulations requiring respect for user privacy preferences.
Long-lived identifiers
Impact: Long-lived identifiers ensure Match2One maintains visitor tracking across sessions. Combined with fingerprinting, this dual persistence layer makes it nearly impossible for visitors to reset their tracking state.
PII deanonymization
Impact: PII deanonymization in an advertising context means Match2One can resolve your anonymous site visitors to real identities, feeding this data into programmatic bidding ecosystems where it is available to any buyer.
IOC Manifest
Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
171 detection signatures across scripts, domains, cookies, and network endpoints