QA mode · Tier:PUBLIC(override via ?tier=paid | premium)
← All Vendors
deanon

ProspectDesk

ProspectDesk fires its full de-anonymization stack before consent on 67% of observed deployments — resolving your anonymous visitors to identifiable individuals before they have any opportunity to object.

25 IOCs observed5 detections80% pre-consent4 sites
85
Vendor Risk Score
Tier: HOSTILE
Observation Coverage

BLACKOUT observes runtime behavior in the browser. This dossier reflects browser-side execution, which is one of five vendor data-egress classes. Server-to-server transfers, backend integrations, and offline data flows are outside this observation boundary.

BLACKOUT observes runtime behavior and cites the regulations that address that behavior pattern. Legal determinations are the customer's counsel's call.

How This Briefing Works

This dossier opens with key findings, then maps the gap between what ProspectDesk discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.

Key Findings

At a Glance

Detections
5

across 4 sites

Pre-Consent Rate
80%

vendor fires before consent

Disclosure Gaps
1

1 HIGH

Summary

Briefing

ProspectDesk is an AI-powered visitor de-anonymization platform that identifies anonymous website visitors and resolves them to company and individual profiles. BLACKOUT detected ProspectDesk across 3 deployments on 3 sites, revealing 5 tracking domains, 5 scripts, and 2 cookies. Five behavioral threat codes were triggered including identity resolution (C14), fingerprinting (C10), and persistence mechanisms (C13). With a 67% pre-consent firing rate, ProspectDesk's entire purpose — converting anonymous visitors into identified leads — executes before consent on the majority of observed deployments. The 5 domains serving a small deanon vendor suggest reliance on external identity graph partners, meaning your visitor data flows to infrastructure beyond ProspectDesk itself.

Customer Impact

What This Means For You

If ProspectDesk is deployed on your site, your anonymous visitors are being covertly identified and resolved to named individuals — and on 67% of observed deployments, this happens before any consent is collected. You are operating a de-anonymization service on your website that most of your visitors do not know about and did not agree to. The 5 external domains mean your visitor data is flowing to identity graph infrastructure beyond ProspectDesk, expanding your data processor chain and GDPR Article 28 obligations. If a visitor exercises their right to access under GDPR Article 15, you will need to account for the identification and profiling that ProspectDesk performed — including data held by their identity graph partners. The regulatory risk is not theoretical: de-anonymization vendors are precisely the category that EU data protection authorities have signaled as enforcement priorities.

Collapse Engine

Risk Channel Breakdown

Oracle
Truth Collapse
25

ProspectDesk's identity resolution (C14) and fingerprinting (C10) create a parallel view of your site visitors that exists entirely outside your analytics stack. The identified visitor profiles ProspectDesk generates may not align with what your own systems report, distorting your understanding of who is visiting your site and why.

Broker
Control Collapse
100

5 domains for a small de-anonymization vendor indicates reliance on third-party identity graph partners. Your visitor data — resolved to individuals — flows through external identity infrastructure where it may be aggregated with data from other ProspectDesk clients, giving identity graph providers intelligence about your audience that benefits the broader network.

Reaper
Safety Collapse
0

Expands attack surface

Counselor
Legitimacy Collapse
100

De-anonymization is the highest-risk category under privacy regulations. A 67% pre-consent rate on a tool whose sole purpose is identifying anonymous visitors creates acute GDPR Article 6 and ePrivacy liability. Under GDPR, visitors have the right not to be identified without consent. ProspectDesk's default behavior directly contradicts this right on two-thirds of observed deployments.

BTI Codes

Threat Indicators

Runtime-observed (BTI-C)

BTI-C01
Defeat Device

Evasion infrastructure, auditor bypass

BTI-C09
Consent Bypass

Ignoring CMP signals

BTI-C10
Fingerprinting

Device identification

BTI-C13
Persistence Mechanisms

Long-lived identifiers

BTI-C14
Identity Resolution

PII deanonymization

5
BTI Consequences Identified

Per-code narrative explanations of what each detected behavior means for your organization

Available in VIDB Subscription

Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →

Disclosure Gaps

Claims vs. Reality

1
Gaps Observed
1 HIGH

BLACKOUT analyzed ProspectDesk's public claims against observed runtime behavior and identified 1 contradiction.

Available in VIDB Subscription

Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →

Recommended Actions

What To Do

Recommended Actions
8

4 for current users · 4 for evaluators

Negotiation Leverage
5

contractual leverage points

Available in VIDB Subscription

Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →

Ecosystem

Supply Chain & Pairings

Available in VIDB Subscription

Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →

Profile: prospectdeskFirst Seen: 2026-01-04Last Updated: 2026-02-28