How This Briefing Works
This report opens with key findings, then maps the gaps between what Ortec discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Pre-Consent Activity
Ortec was observed loading and executing before user consent was obtained on 100% of sites where it was detected.
Claims vs. Observed Behavior
pending
“Unknown”
Requires claims extraction via CDT
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use Ortec
- Audit your privacy policy against Ortec's observed behavioral tracking (C06, C07, C09, C10, C15) and its marketing intelligence monetization disclosures
- Query Ortec: request a complete list of benchmarking products, industry analytics offerings, and competitive intelligence services that utilize customer behavioral data from your campaigns
- Review the Ortec DPA: confirm whether customer campaign response data is contractually prohibited from inclusion in syndicated research or competitive benchmarking sold to third parties
- Model competitive exposure: determine whether proprietary campaign strategies and customer engagement approaches could be reverse-engineered from Ortec industry benchmark reports
If You're Evaluating Ortec
- Demand contractual prohibition on including customer behavioral data in any Ortec benchmarking products, industry analytics, or competitive intelligence offerings regardless of aggregation
- Require monthly transparency certification that zero customer campaign data has been used for syndicated research, consulting, or any purpose beyond direct client analytics
- Negotiate competitive protections: marketing performance intelligence and customer response patterns must not be disclosed to industry participants even in anonymized benchmark form
- Replace with first-party analytics and privacy-preserving attribution (server-side tracking, marketing mix modeling) that eliminate third-party marketing intelligence exposure
Negotiation Leverage
- Ortec behavioral surveillance (C06, C07, C09, C10, C15) triggers GDPR DPIA requirements and CPRA sensitive PI protections that the current implementation ignores. Privacy policies disclose marketing analytics, not comprehensive customer behavioral tracking. Legal exposure: Our counsel requires written confirmation that Ortec customer tracking complies with GDPR consent requirements and CPRA opt-out mechanisms, with an independent audit demonstrating privacy policy disclosure accuracy.
- Marketing intelligence monetization through benchmarking products creates direct competitive harm. Customer response patterns, campaign effectiveness data, and channel optimization insights feed industry analytics sold to rivals. Quantify exposure: Provide a complete accounting of Ortec revenue derived from benchmarking and syndicated research utilizing customer data from our campaigns, and list which competing organizations subscribe to these intelligence products.
- Attribution methodology opacity creates a measurement trust crisis. Ortec's proprietary algorithms may systematically bias marketing performance reporting to conform with platform benchmarks rather than actual effectiveness. Demand transparency: Provide complete documentation of attribution modeling approaches, channel weighting factors, and algorithmic modifications applied to customer behavioral data before marketing analytics reporting.
- If Ortec refuses to eliminate benchmarking monetization and implement a transparent attribution methodology, demand complete vendor replacement. The competitive intelligence damage and measurement distortion exceed any marketing analytics value, particularly as first-party attribution and privacy-preserving measurement alternatives eliminate third-party marketing intelligence exposure entirely.
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Evasion infrastructure, auditor bypass
Impact: Modifies campaign performance signals and customer behavioral data before marketing analytics capture, optimizing for Ortec platform benchmarks rather than actual ROI measurement
Keystroke/mouse tracking
Impact: Captures customer interaction patterns, campaign response behaviors, and engagement rhythms to build profiles for marketing optimization and competitive benchmarking
Full session replay
Impact: Records customer interaction sessions including campaign touchpoints, conversion paths, and channel engagement sequences for marketing intelligence products
Ignoring CMP signals
Impact: Initializes tracking infrastructure before consent management platforms load, capturing customer behavioral data regardless of privacy preferences
Device identification
Impact: Creates persistent customer fingerprints enabling cross-session tracking and behavioral profile continuity across marketing touchpoints
Container/loader (neutral)
Impact: Maintains long-lived customer tracking identifiers that enable longitudinal behavioral surveillance and campaign response pattern analysis across extended timeframes
IOC Manifest
Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
102 detection signatures across scripts, domains, cookies, and network endpoints