How This Briefing Works
This report opens with key findings, then maps the gaps between what Olark discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Pre-Consent Activity
Olark was observed loading and executing before user consent was obtained on 100% of sites where it was detected.
Claims vs. Observed Behavior
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use Olark
- Audit your privacy policy against Olark's observed pre-chat tracking (C06, C09, C10) and against its disclosures on conversation data monetization
- Query Olark for a complete list of the conversational AI platforms, market research firms, and business intelligence services that receive conversation data or training datasets derived from customer interactions
- Review conversation transcripts to identify instances where customer competitive intelligence, pricing discussions, or product roadmap information was disclosed during support chats
- Assess your DPA to confirm whether customer conversation content is contractually prohibited from use in AI training or third-party business intelligence products
If You're Evaluating Olark
- Demand a contractual prohibition on using customer conversation content for any purpose beyond direct support ticket resolution, with a specific ban on inclusion in AI training datasets
- Require monthly certification that no conversation data has been shared with third-party AI platforms, market research firms, or competitive intelligence services
- Negotiate conversation data retention limits: all chat transcripts and visitor behavioral profiles must be purged within 90 days unless retention is legally required for compliance
- Replace Olark with self-hosted chat infrastructure (Chatwoot, Rocket.Chat) or privacy-preserving alternatives (SimpleTexting, Crisp with data residency controls) that eliminate third-party conversation intelligence exposure
Negotiation Leverage
- Olark's behavioral biometrics collection (C06) during chat sessions likely violates state biometric privacy laws that require explicit opt-in consent, and its consent bypass (C09) captures visitor data before privacy disclosures load. Legal exposure: our counsel requires written confirmation that Olark complies with IL BIPA, GDPR biometric data protections, and CPRA sensitive PI requirements, backed by an independent audit demonstrating that its privacy policy disclosures are accurate.
- Exposure of customer conversation content to AI training datasets and market research creates competitive intelligence leakage and violates customer trust; support chats contain feature requests, competitive mentions, and pricing discussions. Quantify impact: provide a complete list of the third-party platforms and services that have received conversation data from our customer support interactions, and confirm the contractual mechanisms that prevent business intelligence monetization.
- Pre-chat visitor tracking (C09, C10) captures browsing behaviors and page view patterns before users initiate conversations or see privacy disclosures, which likely violates reasonable privacy expectations and consent requirements. Demand transparency: what visitor behavioral data is collected before the chat widget is interacted with, and what is the legal basis for processing it without explicit consent?
- If Olark refuses to eliminate conversation data sharing and to implement a zero-retention prohibition on AI training, demand immediate platform replacement. The customer trust damage from support conversation monetization exceeds any chat convenience value, particularly when self-hosted alternatives provide equivalent functionality with complete data control.
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Evasion infrastructure, auditor bypass
Impact: Modifies conversation transcripts and visitor behavioral signals before CRM capture, optimizing for Olark platform metrics rather than accurate customer interaction records
Keystroke/mouse tracking
Impact: Captures visitor typing patterns, response timing, and interaction rhythms during chat sessions to build behavioral profiles for intent prediction and fraud detection
Identity stitching
Impact: Synchronizes visitor identities and conversation histories across multiple organizational domains to create unified customer interaction tracking
Ignoring CMP signals
Impact: Initializes visitor tracking infrastructure before chat widgets load privacy disclosures, capturing browsing behaviors and page view patterns without consent
Device identification
Impact: Creates persistent visitor fingerprints enabling cross-session conversation history tracking and behavioral profile continuity across support interactions
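As an added, defender-side example (not BLACKOUT's or Olark's code) for the Pre-Consent Activity finding and the "Ignoring CMP signals" detection above: an audit function that flags vendor requests issued before the consent timestamp in a captured timeline, and a consent gate a site can wrap around a chat loader so it cannot execute before the banner is answered. The hostnames, timestamps and the CMP callback shape are assumed placeholders.

```javascript
// Added example (not BLACKOUT's or Olark's code). Hostnames and timestamps are
// constructed placeholders; `chat-vendor.example` stands in for any chat widget CDN.

// Audit check: given a HAR-style request timeline and the time consent was granted
// (null if the visitor never consented), return the vendor requests issued before
// consent. An empty result means the vendor honoured the CMP; anything else is the
// pre-consent execution pattern reported above.
function preConsentRequests(requests, consentAtMs, vendorHosts) {
  return requests.filter((r) => {
    const host = new URL(r.url).hostname;
    const isVendor = vendorHosts.some((h) => host === h || host.endsWith('.' + h));
    return isVendor && (consentAtMs === null || r.startedMs < consentAtMs);
  });
}

// Mitigation: a consent gate the site owner wraps around third-party loaders.
// Loaders are queued until the CMP grants consent, so the vendor script cannot
// run (or fetch anything) before the visitor has answered the banner.
function createConsentGate() {
  let consented = false;
  const queued = [];
  const log = [];
  const run = (q) => { q.loader(); log.push({ name: q.name, status: 'executed' }); };
  return {
    // Call this instead of injecting the vendor <script> tag directly.
    request(name, loader) {
      if (consented) { run({ name, loader }); return 'executed'; }
      queued.push({ name, loader });
      log.push({ name, status: 'queued' });
      return 'queued';
    },
    // Wire this to the CMP's consent-granted callback (assumed interface).
    grant() { consented = true; while (queued.length) run(queued.shift()); },
    log: () => log.slice(),
  };
}

// Constructed sample timeline: the consent banner is accepted at t = 4200 ms.
const SAMPLE_CONSENT_MS = 4200;
const SAMPLE_REQUESTS = [
  { url: 'https://www.example-shop.test/', startedMs: 0 },
  { url: 'https://cdn.chat-vendor.example/loader.js', startedMs: 900 },
  { url: 'https://api.chat-vendor.example/visitor', startedMs: 1500 },
  { url: 'https://cdn.chat-vendor.example/widget.js', startedMs: 5100 },
];
```

Run `preConsentRequests` over a real HAR export with the consent event's timestamp to reproduce the pre-consent check; on the sample timeline it returns the two vendor requests made before 4200 ms.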
IOC Manifest
Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
49 detection signatures across scripts, domains, cookies, and network endpoints