How This Briefing Works
This report opens with key findings, then maps the gaps between what Propellerads discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Pre-Consent Activity
Propellerads was observed loading and executing before user consent was obtained on 100% of sites where it was detected.
Claims vs. Observed Behavior
pending
“Unknown”
Requires claims extraction via CDT
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use Propellerads
- Require data processing addendum with explicit cross-site tracking disclosure
- Demand consent framework integration that blocks tracking until user acceptance
- Implement audience data minimization to limit behavioral profiling scope
- Configure ad delivery to prioritize contextual over behavioral targeting
- Establish retention limits for visitor profiles and device fingerprints
If You're Evaluating Propellerads
- Test consent mechanism to verify tracking respects publisher consent state
- Verify geographic data processing boundaries for GDPR compliance
- Review fingerprinting techniques and cross-site tracking mechanisms
- Assess data sharing across network participants and third-party enrichment
- Request disclosure of secondary audience data use for vendor intelligence
Negotiation Leverage
- Propellerads deploys consent bypass and cross-site tracking across publisher network; demand contractual liability protection for GDPR/CCPA violations and explicit DPA terms
- Visitor behavioral data flows across network creating shared audience intelligence; negotiate limits on cross-site profiling and data sharing with other publishers
- Device fingerprinting enables persistent tracking across publisher properties; require transparency into fingerprinting techniques and user deletion capabilities
- Cross-site attribution may distort audience quality assessment and yield optimization; establish baseline measurement methodology for ad performance
- Legal tail risk of 85% reflects network tracking architecture; evaluate whether monetization value justifies regulatory exposure or consider privacy-respecting ad networks
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Evasion infrastructure, auditor bypass
Impact: Propellerads can detect ad blocking and privacy tools, altering tracking behavior during security assessments to mask data collection scope.
Keystroke/mouse tracking
Impact: Ad interaction patterns and engagement signals create behavioral profiles for audience targeting across network.
Ignoring CMP signals
Impact: Tracking initializes across publisher properties regardless of consent state, processing visitor data before or without user permission.
Device identification
Impact: Device and browser fingerprinting creates persistent identifiers for visitor recognition across publisher network.
IOC Manifest
Indicators of compromise across 3 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
89 detection signatures across scripts, domains, cookies, and network endpoints