How This Briefing Works
This dossier opens with key findings, then maps the gap between what Mountain discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.
At a Glance
across 17 sites
vendor fires before consent
1 HIGH
Briefing
MNTN (formerly SteelHouse) is a publicly traded Connected TV advertising platform (NYSE: MNTN) headquartered in Austin, TX with $226M revenue. The company provides performance TV advertising software enabling brands to run measurable CTV campaigns. Analysis reveals significant disclosure gaps: their own website deploys 52 third-party vendors including 23 that load pre-consent, while their subprocessor list discloses only 22 partners. Identity resolution vendors (Demandbase, LiveRamp, Contactout) and major advertising platforms (Criteo, Meta, LinkedIn, Reddit) are observed but not fully disclosed. As a CTV advertising platform handling advertiser data, MNTN's compliance claims (GDPR/CCPA referenced in Terms) contrast with their website's pre-consent tracking practices.
What This Means For You
If MNTN (formerly SteelHouse) handles your CTV advertising, their platform connects advertiser audience data to a programmatic ecosystem where 52 third-party vendors operate on their corporate site — 23 firing before consent. Under GDPR Art 28, you must verify subprocessor chains, but MNTN discloses 22 partners while significantly more are detected at runtime. Identity resolution vendors (Demandbase, LiveRamp, Contactout) on mountain.com mean your advertiser data and campaign strategies flow through infrastructure shared with deanonymization services. MNTN does not hold SOC2 certification, leaving you without independent verification of security controls for a platform handling campaign data and creative assets through their QuickFrame acquisition.
Risk Channel Breakdown
MNTN corrupts measurement through participation in identity resolution networks (LiveRamp, Demandbase) that enable cross-platform tracking. As a CTV advertising platform, they have visibility into advertiser campaign performance data which could be leveraged for competitive intelligence. Their Verified Visits attribution methodology relies on device graph matching that introduces measurement uncertainty.
As a CTV advertising platform with LiveRamp and Demandbase integrations, MNTN has access to advertiser audience data and campaign performance signals. The bidstream data from programmatic CTV ads reveals demand patterns. Their acquisition of QuickFrame means advertiser creative assets and campaign strategies flow through their platform.
MNTN's extensive third-party vendor deployment (52 observed) creates significant attack surface. Pre-consent loading of 23 vendors including identity resolution and behavioral tracking exposes site visitors. The company's SOC2 certification is not yet achieved (working on Type I as of Jan 2025), creating compliance risk for enterprise customers.
MNTN references GDPR/CCPA compliance in Terms & Conditions while their own website loads 23 vendors pre-consent. The gap between disclosed subprocessors (22) and observed vendors (52) creates material consent liability. No GPC support despite being in advertising technology where consent signals are increasingly required.
Threat Indicators
Runtime-observed (BTI-C)
Evasion infrastructure, auditor bypass
Keystroke/mouse tracking
Full session replay
Identity stitching
Ignoring CMP signals
Device identification
Long-lived identifiers
PII deanonymization
Container/loader (neutral)
Claims-vs-Reality (BTI-X)
Not in privacy policy
Hidden data recipients
False certification claims
Collection exceeds disclosed scope
Per-code narrative explanations of what each detected behavior means for your organization
Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →
Claims vs. Reality
BLACKOUT analyzed Mountain's public claims against observed runtime behavior and identified 4 contradictions.
"GDPR/CCPA compliance referenced in Terms & Conditions"
23 tracking vendors load pre-consent on mountain.com including identity resolution (Demandbase, Contactout) and advertising pixels (MetaPixel, LinkedIn, Criteo)
3 more gaps — with regulatory citations and evidence pointers — available with subscription.
Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →
What To Do
5 for current users · 5 for evaluators
contractual leverage points
Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →
Supply Chain & Pairings
Claims 22, observed 22
googletagmanager, googleanalytics4, doubleclick…
Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →
